Brad,

Many thanks for your response.  We'll take a look at those things.

It appears that the code is in the actual index.cfm pages on the web server.
There are some old sites on this server that may be vulnerable, so that is a
theory.  However, I would expect that kind of vulnerability to result in a
database injection, which is not what we are seeing.  So, I guess one
question is whether an XSS type hack can result in code being added to a
file on the web server.

Thoughts?

N


> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> Sent: Monday, April 06, 2009 3:46 PM
> To: cf-talk
> Subject: RE: Question about hack
> 
> 
> Is the malicious string in the actual index.cfm page on the 
> server, or is it being output on the page when CF processes 
> it as part of a variable from the form/url or database?
> 
> If the actual files on your web server have been modified, 
> change all your FTP and remote admin passwords immediately 
> and run an antivirus scan.
> Also, check your FTP logs, and date/time modified on the 
> files to determine when and how they were modified.  Run an 
> extended find and replace to clean your .cfm files.
> 
> If the string is being appended into a url or form field and 
> then output on the page, htmleditformat or jsstringformat all 
> user-entered data and read up on XSS attacks.
> 
> If the string has been appended into your database variables 
> and is being output on the page that way, look for 
> unparameterized SQL statements, run a queryparam scanner, 
> change your SQL Server login passwords, and read up on SQL 
> injection attacks.  Update your database to remove the 
> malicious values.
> 
> ~Brad
> 
> -------- Original Message --------
> Subject: Question about hack
> From: "Nick Gleason" <[email protected]>
> Date: Mon, April 06, 2009 1:19 pm
> To: cf-talk <[email protected]>
> 
> 
> Hi there. We've just seen a hack attempt that we haven't seen 
> before and I wanted to get feedback.
> 
> The symptom is that some script code is inserted at the 
> bottom of certain pages (e.g. index.cfm). The script (which 
> has been scrubbed) looks like
> this:
> 
> 
> 
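
The file-level triage suggested in the thread (find which templates were modified and when), sketched as an added example that is not part of the thread or code from either poster. It assumes the inserted markup is a script or iframe tag placed after the last closing html tag; the function names, extension list and sample files are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Markup that should not appear after the closing </html> of a template.
SUSPICIOUS = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)
CLOSE_HTML = re.compile(r"</\s*html\s*>", re.IGNORECASE)

def trailing_injection(text):
    """Return the text after the last </html> if it holds script/iframe markup."""
    matches = list(CLOSE_HTML.finditer(text))
    if not matches:
        return None  # fragment or include: nothing to compare against
    tail = text[matches[-1].end():]
    return tail.strip() if SUSPICIOUS.search(tail) else None

def scan(webroot, extensions=(".cfm", ".cfc", ".htm", ".html")):
    """Walk webroot; return (path, mtime_utc, tail) per flagged file, oldest first."""
    hits = []
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(folder, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                tail = trailing_injection(fh.read())
            if tail:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                hits.append((path, mtime, tail))
    return sorted(hits, key=lambda h: h[1])

def demo():
    """Build a constructed two-file web root and scan it."""
    root = tempfile.mkdtemp()
    clean = "<html><body><cfoutput>#now()#</cfoutput></body></html>\n"
    # Constructed sample: placeholder script tag appended after </html>.
    bad = clean + '<script src="http://injected.example/x.js"></script>\n'
    with open(os.path.join(root, "about.cfm"), "w") as fh:
        fh.write(clean)
    with open(os.path.join(root, "index.cfm"), "w") as fh:
        fh.write(bad)
    return scan(root)

if __name__ == "__main__":
    for path, mtime, tail in demo():
        print(f"{mtime:%Y-%m-%d %H:%M:%S}Z  {path}  {tail[:60]!r}")
```

A hit is a lead to confirm against a known-good copy of the file. Modification times can be reset by whoever changed the file, so read them alongside the FTP logs rather than on their own.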

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321365