If anyone has had any experience or knows anything about the following
scenario, please could you get in contact with me as we're not sure what
happens when you run ipsvcs.exe.


Scenario:

It looks as though one or two of our servers have been hacked at some point
(anytime between now and last August). Someone has just sent us an e-mail
saying that there was a file in the CFIDE directory called iindex.cfm,
written by Kevin Klinsky. Calling it appears to display a browsable folder
view, allowing people to delete files.

I did a search for the same file on the other servers and found a copy in
another CFIDE directory. Along with it was reg.cfm which used CFREGISTRY
(enabled on that server) to disable the Admin and Studio passwords. A third
file called spawn.cfm ran CFX_Spawnl, passing it the attribute
ARG0="C:\winnt\ipsvcs.exe", presumably executing the file. The template then
displayed Spawnl and SpawnlError.

The .exe was in the WINNT directory on that server. Does anyone know what
happens when it's run?

The CFX doesn't appear in the CF Administrator on that box and searching the
registry for "spawnl" didn't find anything.

And is it a native NT file or has it been uploaded? ipsvcs.exe also appeared
in a WINNT directory on another server.


Thanks for any help you can give to point us in the right direction.

-- 
Aidan Whitehall <[EMAIL PROTECTED]>
Netshopper UK Ltd
Advanced Web Solutions & Services

http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651
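A triage sweep for the indicators the post describes, added here as an example and not part of Aidan's message or anything shipped with ColdFusion. It walks a web root (or a copy of one taken for preservation) and flags the file names named above, plus any .cfm template that calls CFREGISTRY, a CFX_ custom tag (which is how CFX_Spawnl would appear), CFEXECUTE, CFFILE with action=delete, or CFDIRECTORY, and reports the attributes of the offending tag so the ARG0 handed to a CFX tag is visible. The sample tree it builds is constructed to mimic the post; the registry branch and entry in the reg.cfm stand-in are placeholders, not the real ColdFusion key, and the file names are assumed exact (a renamed copy is only caught by the tag checks).

```python
import os
import re
import shutil
import tempfile

# File names taken from the post. They are assumed exact; an intruder can
# rename a copy, so the tag-based checks below are the ones to rely on.
SUSPECT_NAMES = {"iindex.cfm", "reg.cfm", "spawn.cfm", "ipsvcs.exe"}

# Tags that a template dropped into CFIDE has no legitimate reason to use.
# CFX_ is the prefix of every custom tag, so it also catches CFX_Spawnl.
TAG_PATTERNS = {
    "cfregistry": re.compile(r"<cfregistry\b", re.I),
    "cfx_custom_tag": re.compile(r"<cfx_\w+", re.I),
    "cfexecute": re.compile(r"<cfexecute\b", re.I),
    "cffile_delete": re.compile(r"<cffile\b[^>]*\baction\s*=\s*[\"']?delete\b", re.I),
    "cfdirectory": re.compile(r"<cfdirectory\b", re.I),
}

# name="value" / name='value' pairs inside a tag, so the executable handed to
# a CFX tag (ARG0 in the post) is reported together with the finding.
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')


def scan_template(text):
    """Return [(indicator, {attr: value}), ...] for one .cfm source."""
    hits = []
    for indicator, pattern in TAG_PATTERNS.items():
        for m in pattern.finditer(text):
            close = text.find(">", m.start())
            tag = text[m.start():close + 1] if close != -1 else text[m.start():]
            attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
            hits.append((indicator, attrs))
    return hits


def sweep(root):
    """Walk root (a web root, or a forensic copy of it) and return findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if fn.lower() in SUSPECT_NAMES:
                findings.append({"path": rel, "indicator": "suspect_name", "detail": {}})
            if fn.lower().endswith(".cfm"):
                # latin-1 never raises, so a template with binary junk in it still gets scanned
                with open(path, "r", encoding="latin-1") as fh:
                    text = fh.read()
                for indicator, attrs in scan_template(text):
                    findings.append({"path": rel, "indicator": indicator, "detail": attrs})
    findings.sort(key=lambda f: (f["path"], f["indicator"]))
    return findings


def build_sample_tree():
    """Constructed stand-ins for the files described in the post; not real samples.
    The CFREGISTRY branch/entry values are placeholders, not the real key."""
    root = tempfile.mkdtemp(prefix="cfsweep_")
    samples = {
        "CFIDE/iindex.cfm": '<cfdirectory action="list" directory="#url.dir#" name="d">\n',
        "CFIDE/reg.cfm": '<cfregistry action="set" branch="HKEY_LOCAL_MACHINE\\SOFTWARE\\placeholder" '
                         'entry="placeholder" type="string" value="">\n',
        "CFIDE/spawn.cfm": '<cfx_spawnl arg0="C:\\winnt\\ipsvcs.exe">\n'
                           '<cfoutput>#Spawnl# #SpawnlError#</cfoutput>\n',
        "CFIDE/index.cfm": "<cfoutput>Nothing to see here</cfoutput>\n",  # benign control
        "winnt/ipsvcs.exe": "",
    }
    for rel, body in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


def demo():
    """Build the sample tree, sweep it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        return sweep(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']:<20} {f['indicator']:<16} {f['detail']}")
```

Run sweep() against the root of a copy of each server's web tree and WINNT directory rather than the live box, and record a hash of any ipsvcs.exe found before anyone runs it, since the only safe way to learn what the binary does is to analyse a preserved copy, not to execute it on the server that already has it.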

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/