This sounds very similar to an infection one of my servers had recently. Make sure you check not only the html/cfm pages but also the javascript pages. The one I had appended to the head of html pages and to the end of .js files. Also, chances are the code injection happened because a system with ftp access to HOF is infected.
On Tue, Sep 15, 2009 at 2:30 PM, Michael Dinowitz < [email protected]> wrote: > > I appreciate the offer but it's all grunt work at the moment. Download > the whole site, run some regex, look for holes and patch them, upload > the whole thing, go live. Just time. > > On Tue, Sep 15, 2009 at 2:25 PM, Dana <[email protected]> wrote: > > > > ick. Let me know if i canhelp you with that. > > > > On Tue, Sep 15, 2009 at 10:40 AM, Michael Dinowitz < > > [email protected]> wrote: > > > >> > >> It looks like every .cfm file on the box has had a malware link added > >> to it. Actually, from what I can see, only those sites that actually > >> are 'open' have them. Old sites and mapped directories are all safe. > >> > >> On Tue, Sep 15, 2009 at 11:54 AM, Casey Dougall > >> <[email protected]> wrote: > >> > > >> > On Tue, Sep 15, 2009 at 11:16 AM, Earl, George <[email protected]> > >> wrote: > >> > > >> >> > >> >> My Firefox 3.5.3 blocks houseoffusion.com when I have the option to > >> >> 'Block reported attack sites' checked under Options\Security. Is this > >> >> happening for anyone else? Thanks. > >> >> > >> >> George > >> >> > >> >> > >> >> > >> > oops... yeah same here. > >> > > >> > > >> > > >> > >> > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists Archive: http://www.houseoffusion.com/groups/cf-community/message.cfm/messageid:304065 Subscription: http://www.houseoffusion.com/groups/cf-community/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.5
