Hi Mark, I only mentioned cfexecute because of the permissions set on our specific case. Your info seems most likely. I did notice that there was a cfm file created with a call to cfexecute on the webroot so this should be a check as well.
best regards
Donnie

On 4/13/09, Nick Gleason <[email protected]> wrote:
>
> Donnie, Mark,
>
> Our research so far seems to support Mark's analysis of this problem.
> There are still some unknowns here so that may change. But, changing your
> FTP accounts and setting your FTP server to ban IPs after a certain number
> of failed login attempts will prevent most brute force attempts on FTP. Our
> server admin didn't do that, which appears to have been a mistake.
>
> Nick
>
>> -----Original Message-----
>> From: Mark Kruger [mailto:[email protected]]
>> Sent: Monday, April 13, 2009 1:14 PM
>> To: cf-talk
>> Subject: RE: Question about hack
>>
>> Donnie,
>>
>> I believe this is the same attack I have been helping another
>> customer with and it does not appear to be related to CF.
>> Instead, it appears to start with a malware install of some
>> kind on the server (and possibly a rootkit) and then
>> progress to the creation of accounts and the changing of file
>> permissions. Another theory gaining weight (and illustrating
>> that we don't know much yet) is that this attack is an agent
>> on a client computer that piggybacks onto FTP - which
>> explains a few things but not everything. I'm guessing some
>> combination at this point.
>>
>> Anyway, I agree that cfexecute is a dangerous tag that needs
>> to be controlled, but it does not appear to be the culprit.
>> All of this advice is good, but the only place that CF comes
>> into play on this particular hack happens to be the
>> propensity to use "index.cfm" as the home page script. The
>> attack targets "index.*" files and affects (on the server I
>> am working with) Index.cfm, index.html and index.php etc.
>>
>> -Mark

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321565
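The thread names three things a defender would want to check after this kind of incident: CFML files in the webroot that call cfexecute (Donnie's point), index.* files that were recently rewritten (Mark's observation), and FTP accounts being brute-forced (Nick's point). The script below is an added example written for this page, not code from any of the thread's participants. It assumes a generic "FAILED LOGIN ... from <ip>" FTP log line format, an "index.*" naming convention, and a lockout threshold of five failures; all three are assumptions to adapt to your own server, and the sample webroot and log lines are constructed so the script runs offline.

```python
import os
import re
import tempfile
import time
from collections import Counter
from pathlib import Path

# Matches an opening <cfexecute ...> tag; CFML tag names are not case sensitive.
CFEXECUTE_RE = re.compile(r"<cfexecute\b", re.IGNORECASE)
CFML_SUFFIXES = {".cfm", ".cfc", ".cfml"}

# Hypothetical FTP log format, constructed for this example; adapt to your server's log.
FTP_FAIL_RE = re.compile(r"FAILED LOGIN .*? from (\d{1,3}(?:\.\d{1,3}){3})")


def find_cfexecute_files(webroot):
    """Return CFML files under webroot (relative, POSIX-style) that contain a <cfexecute> tag."""
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in CFML_SUFFIXES:
            if CFEXECUTE_RE.search(path.read_text(errors="replace")):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def find_recent_index_files(webroot, max_age_seconds):
    """Return index.* files modified within the last max_age_seconds (the files this attack rewrites)."""
    root = Path(webroot)
    cutoff = time.time() - max_age_seconds
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.name.lower().startswith("index.") and path.stat().st_mtime >= cutoff:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def ftp_brute_force_ips(log_lines, threshold):
    """Count failed FTP logins per source IP; return {ip: count} for IPs at or above threshold."""
    counts = Counter()
    for line in log_lines:
        match = FTP_FAIL_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_FTP_LOG = [
    "2009-04-13 13:02:11 FAILED LOGIN for user admin from 203.0.113.7",
    "2009-04-13 13:02:12 FAILED LOGIN for user admin from 203.0.113.7",
    "2009-04-13 13:02:13 FAILED LOGIN for user root from 203.0.113.7",
    "2009-04-13 13:02:14 FAILED LOGIN for user test from 203.0.113.7",
    "2009-04-13 13:02:15 FAILED LOGIN for user web from 203.0.113.7",
    "2009-04-13 13:05:40 FAILED LOGIN for user donnie from 198.51.100.22",
    "2009-04-13 13:05:58 LOGIN OK for user donnie from 198.51.100.22",
]


def build_sample_webroot():
    """Create a constructed webroot in a temp dir: a fresh index.cfm, a month-old
    index.html, and a planted cmd.cfm that calls cfexecute. Returns the root path."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "old").mkdir()
    (root / "tmp").mkdir()
    (root / "index.cfm").write_text("<cfset msg = 'hello'><cfoutput>#msg#</cfoutput>")
    old_page = root / "old" / "index.html"
    old_page.write_text("<html><body>old</body></html>")
    month_ago = time.time() - 30 * 86400
    os.utime(old_page, (month_ago, month_ago))  # make it look untouched for 30 days
    (root / "tmp" / "cmd.cfm").write_text(
        '<CFEXECUTE name="C:\\Windows\\System32\\ipconfig.exe" timeout="5"></CFEXECUTE>'
    )
    return str(root)


if __name__ == "__main__":
    webroot = build_sample_webroot()
    print("CFML files calling cfexecute:", find_cfexecute_files(webroot))
    print("index.* files changed in the last hour:", find_recent_index_files(webroot, 3600))
    print("FTP sources with >= 5 failed logins:", ftp_brute_force_ips(SAMPLE_FTP_LOG, 5))
```

Point the two filesystem functions at the real webroot instead of the constructed one; an mtime window only tells you which index.* files changed recently, so compare flagged files against a known-good copy or source control rather than trusting the timestamp alone, since a rootkit on the host can alter it. The FTP counter is the detection half of Nick's advice; the lockout itself is a setting on the FTP server.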

