Thanks... I'll add that to my list. I have a pretty hefty blog post coming out on this tomorrow (or hopefully tomorrow :).
-mark Mark A. Kruger, CFG, MCSE (402) 408-3733 ext 105 www.cfwebtools.com www.coldfusionmuse.com www.necfug.com -----Original Message----- From: Gerald Guido [mailto:[email protected]] Sent: Tuesday, April 14, 2009 4:08 PM To: cf-talk Subject: Re: Question about hack Mark, I can confirm that there has been FTP related 'sploits going around. I received a message from a hosting company warning that: "There is a potential security exploit within the FTP software that we use on your account." Just a 411 G! On Mon, Apr 13, 2009 at 1:13 PM, Mark Kruger <[email protected]> wrote: > > Donnie, > > I believe this is the same attack I have been helping another customer > with and it does not appear to be related to CF. Instead, it appears > to start with a malware install of some kind on the server (and > possibly a root kit) and then progress to the creation of accounts and > the changing of file permissions. Another theory gaining weight (and > illustrating that we don't know much yet) is that this attack is an > agent on a client computer that piggybacks onto FTP - which explains a > few things but not everything. I'm guessing some combination at this point. > > Anyway, I agree that cfexecute is a dangerous tag that needs to be > controlled, but it does not appear to be the cuprit. All of this > advice is good, but the only place that CF comes into play on this > particular hack happens to be the propensity to use "index.cfm" as the home page script. > The > attack targets "index.*" files and affects (on the server I am working > with) > Index.cfm, index.html and index.php etc. > > -Mark > > > > Mark A. Kruger, CFG, MCSE > (402) 408-3733 ext 105 > www.cfwebtools.com > www.coldfusionmuse.com > www.necfug.com > > -----Original Message----- > From: Donnie Bachan (Gmail) [mailto:[email protected]] > Sent: Monday, April 13, 2009 8:30 AM > To: cf-talk > Subject: Re: Question about hack > > > Hi Nick, > > I know this post is a bit late but to your original question, that > attack is as a result of incorrect file/iis permissions and is not an > XSS attack. I would even bet that you are on a shared server (at HMS) > since one of my client sites had this exact same problem. The attacker > would have gained access to the file system (possibly via FTP) and > executed code that injected the code into all index.* files on the > server (not just your hosting account). We have had a lot of problems > trying to get this sorted out. It appears that the issue was with > security related to the windows script host and/or CFEXECUTE. The only > thing you can do to prevent this is work with your hosting provider to > secure the system or move to a VPS or dedicated account and make sure > your FTP accounts are secure. > > HTH > > Donnie Bachan > "Nitendo Vinces - By Striving You Shall Conquer" > ====================================================================== > The information transmitted is intended only for the person or entity > to which it is addressed and may contain confidential and/or > privileged material. Any review, retransmission, dissemination or > other use of, or taking of any action in reliance upon, this > information by persons or entities other than the intended recipient > is prohibited. If you received this in error, please contact the > sender and delete the material from any computer. > > > > On Mon, Apr 13, 2009 at 1:30 PM, Richard White <[email protected]> wrote: > > > > hi dave, i have scripts that write to the file system as well. what > > would i need to do to secure them, do you have a link that i could > > read in relation to this as i am a little lost as to what to do > > > > thanks > > > >> > We are having to scrub our files to remove the injected code > >> > (which > >> is being written directly > >> > to the files as the result of the hack allowing "FULL CONTROL" > >> > for > >> the Everyone user on the > >> > machine. > >> > > >> > Have you determined a solution for removing/preventing this? > >> > >> First, audit your code to find any scripts that can write to the > >> filesystem. > >> Second, audit your code to find any scripts that pass unfiltered > >> user input to the database. > >> Third, fix that code. > >> Fourth, configure filesystem permissions properly to prevent CF or > >> your database from writing to the web server's webroot. > >> > >> Dave Watts, CTO, Fig Leaf Software > >> http://www.figleaf.com/ > >> > >> Fig Leaf Software provides the highest caliber vendor-authorized > >> instruction at our training centers in Washington DC, Atlanta, > >> Chicago, Baltimore, Northern Virginia, or on-site at your location. > >> Visit http://training.figleaf.com/ for more > > information! > > > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321598 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
