Jason, look for a file named logs.asp or log.asp or one named top.aspx. If you see either of those files on your computer, look at them and possibly delete them. Those were the files that were where the infection was being told what to do. Also, will you tell me what Content Management System any of you guys that have the infection use? Because I am starting to think the only thing that is relating this to ColdFusion is that CMS that is very unsecure and very old.
Also, seeing as how the info we are experiencing is the same, I figured I'd post the IP address of what infected us in the first place: 61.236.71.195. Check your log files, see if that IP address turns up and see what happened for yourself. The IP address turns out to be something in China, I believe.

On Fri, Apr 10, 2009 at 2:04 PM, Dave Watts <[email protected]> wrote:

> > We are having to scrub our files to remove the injected code (which is being written directly
> > to the files as the result of the hack allowing "FULL CONTROL" for the Everyone user on the
> > machine.
> >
> > Have you determined a solution for removing/preventing this?
>
> First, audit your code to find any scripts that can write to the filesystem.
> Second, audit your code to find any scripts that pass unfiltered user input to the database.
> Third, fix that code.
> Fourth, configure filesystem permissions properly to prevent CF or your database from writing to the web server's webroot.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321520
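The two checks suggested in the message above (search the web logs for 61.236.71.195, and look for logs.asp, log.asp or top.aspx on disk), as an added example that is not part of the original post. It assumes IIS-style W3C extended logs with a `#Fields:` header; the function names and the sample log lines are constructed for illustration.

```python
import os

# Indicators taken from the message above.
SUSPECT_IP = "61.236.71.195"
SUSPECT_FILES = {"logs.asp", "log.asp", "top.aspx"}

def find_ip_hits(lines, ip=SUSPECT_IP):
    """Return (date, time, method, uri) for each W3C log entry whose c-ip equals ip."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file; always use the latest header.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Compare the parsed c-ip column so 161.236.71.195 does not match by substring.
        if row.get("c-ip") == ip:
            hits.append((row.get("date"), row.get("time"),
                         row.get("cs-method"), row.get("cs-uri-stem")))
    return hits

def find_suspect_files(root, names=SUSPECT_FILES):
    """Return sorted paths under root whose file name matches, case-insensitively."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files if f.lower() in names)
    return sorted(found)

# Constructed sample log (not real traffic); paths and the second address are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-04-08 03:12:44 61.236.71.195 POST /form.cfm 200
2009-04-08 03:12:50 192.0.2.10 GET /index.cfm 200
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2009-04-08 03:13:02 GET /images/top.aspx 61.236.71.195 200
2009-04-08 03:13:09 GET /index.cfm 161.236.71.195 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_ip_hits(SAMPLE_LOG):
        print(*hit)
    for path in find_suspect_files("."):
        print("review:", path)
```

Matched files are only listed for review, since a legitimate application may ship a file with one of these names.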

