Is the malicious string in the actual index.cfm page on the server, or is it being output on the page when CF processes it as part of a variable from the form/url or database?
If the actual files on your web server have been modified, change all your FTP and remote admin passwords immediately and run an antivirus scan. Also, check your FTP logs, and date/time modified on the files to determine when and how they were modified. Run an extended find and replace to clean your .cfm files.

If the string is being appended into a url or form field and then output on the page, htmleditformat or jsstringformat all user-entered data and read up on XSS attacks.

If the string has been appended into your database variables and is being output on the page that way, look for unparameterized SQL statements, run a queryparam scanner, change your SQL Server login passwords, and read up on SQL injection attacks. Update your database to remove the malicious values.

~Brad

-------- Original Message --------
Subject: Question about hack
From: "Nick Gleason" <[email protected]>
Date: Mon, April 06, 2009 1:19 pm
To: cf-talk <[email protected]>

Hi there. We've just seen a hack attempt that we haven't seen before and I wanted to get feedback.

The symptom is that some script code is inserted at the bottom of certain pages (e.g. index.cfm). The script (which has been scrubbed) looks like this:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321361
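The kind of "queryparam scanner" the reply above refers to can be sketched as follows. This is an added example, not part of the original thread and not any particular scanner's code; the function name `find_unparameterized` and the sample CFML are constructed for illustration, and the match is a heuristic whose hits need manual review.

```python
import re

# Each <cfquery ...> ... </cfquery> block (the \b keeps <cfqueryparam> out).
CFQUERY_RE = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
# <cfqueryparam ...> tags: a #var# inside their attributes is a bound value.
CFQUERYPARAM_RE = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
# A ColdFusion expression interpolated into the surrounding text: #expr#.
HASH_EXPR_RE = re.compile(r"#[^#\r\n]+#")


def find_unparameterized(source, filename="<memory>"):
    """Return (filename, line, expression) for every #expr# that is written
    straight into the SQL text of a cfquery block, outside cfqueryparam."""
    findings = []
    for block in CFQUERY_RE.finditer(source):
        body = block.group(1)
        # Blank out cfqueryparam tags with spaces so offsets stay aligned.
        masked = CFQUERYPARAM_RE.sub(lambda m: " " * len(m.group(0)), body)
        for expr in HASH_EXPR_RE.finditer(masked):
            offset = block.start(1) + expr.start()
            line = source.count("\n", 0, offset) + 1
            findings.append((filename, line, expr.group(0)))
    return findings


# Constructed sample: the first query concatenates url.id into the SQL,
# the second binds form.slug through cfqueryparam.
SAMPLE = '''<cfquery name="getUser" datasource="#application.dsn#">
  SELECT id, name FROM users
  WHERE id = #url.id#
</cfquery>
<cfquery name="getPage" datasource="#application.dsn#">
  SELECT body FROM pages
  WHERE slug = <cfqueryparam value="#form.slug#" cfsqltype="cf_sql_varchar">
</cfquery>
'''

if __name__ == "__main__":
    for name, line, expr in find_unparameterized(SAMPLE, "sample.cfm"):
        print(f"{name}:{line}: {expr} is not wrapped in cfqueryparam")
```

Each hit is a candidate for review rather than a confirmed injection point, since an interpolated value may come from a trusted constant.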

