Donnie, Mark,

Our research so far seems to support Mark's analysis of this problem.
There are still some unknowns here so that may change.  But, changing your
FTP accounts and setting your FTP server to ban IPs after a certain number
of failed login attempts will prevent most brute force attempts on FTP.  Our
server admin didn't do that which appears to have been a mistake.

Nick

.................................................................................
 

> -----Original Message-----
> From: Mark Kruger [mailto:[email protected]] 
> Sent: Monday, April 13, 2009 1:14 PM
> To: cf-talk
> Subject: RE: Question about hack
> 
> 
> Donnie,
> 
> I believe this is the same attack I have been helping another 
> customer with and it does not appear to be related to CF. 
> Instead, it appears to start with a malware install of some 
> kind on the server (and possibly a root kit) and then 
> progress to the creation of accounts and the changing of file 
> permissions. Another theory gaining weight (and illustrating 
> that we don't know much yet) is that this attack is an agent 
> on a client computer that piggybacks onto FTP - which 
> explains a few things but not everything. I'm guessing some 
> combination at this point.
> 
> Anyway, I agree that cfexecute is a dangerous tag that needs 
> to be controlled, but it does not appear to be the culprit. 
> All of this advice is good, but the only place that CF comes 
> into play on this particular hack happens to be the 
> propensity to use "index.cfm" as the home page script. The 
> attack targets "index.*" files and affects (on the server I 
> am working with) Index.cfm, index.html and index.php etc.
> 
> -Mark
>  
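
The advice above to ban IPs after a certain number of failed FTP logins, sketched as an added example that is not part of either message or of any FTP server's own code. The log layout, threshold and window are assumptions, and the sample lines are constructed; reply codes 530 (not logged in) and 230 (logged in) are the standard FTP ones.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from a real server). Assumed field layout:
# date time client-ip username command reply-code
SAMPLE_LOG = """\
2009-04-13 12:00:01 203.0.113.7 admin PASS 530
2009-04-13 12:00:03 203.0.113.7 admin PASS 530
2009-04-13 12:00:05 203.0.113.7 webmaster PASS 530
2009-04-13 12:00:09 203.0.113.7 webmaster PASS 530
2009-04-13 12:00:12 203.0.113.7 webmaster PASS 230
2009-04-13 12:01:00 198.51.100.20 donnie PASS 530
2009-04-13 12:30:00 198.51.100.20 donnie PASS 230
"""

MAX_FAILURES = 3                 # assumed threshold
WINDOW = timedelta(minutes=10)   # assumed counting window


def review_ftp_log(text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (ips_to_ban, accounts_to_reset) from FTP login results."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed logins
    ban, reset = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[4] != "PASS":
            continue  # skip malformed lines and non-login commands
        when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        ip, user, code = parts[2], parts[3], parts[5]
        fails = recent[ip]
        while fails and when - fails[0] > window:
            fails.popleft()  # forget failures older than the window
        if code == "530":
            fails.append(when)
            if len(fails) >= max_failures:
                ban.add(ip)
        elif code == "230" and ip in ban:
            # A login that succeeds from an address already over the
            # threshold suggests the password was guessed: change it.
            reset.add(user)
    return ban, reset


if __name__ == "__main__":
    ips, accounts = review_ftp_log(SAMPLE_LOG)
    print("ban:", sorted(ips))
    print("change passwords for:", sorted(accounts))
```

The second return value covers the other half of the advice: an account that logs in successfully from an already-flagged address is one whose FTP password should be changed.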



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321557