The issue with formatting is that it will likely come back when we move our
sites back onto the server....
From what I am gathering it is actually being run manually, not on
a scheduled task and likely remotely.

I "Believe" this is coming from ASP and not ColdFusion itself, due to
articles like this:
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://q.163.com/lianglimi/blog/hhl...@126/669001092009320624566/&ei=B7bwSfuPDcWFtgfP7YW-Dw&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3Dcscript%2Bscan.vbe%26hl%3Den%26rlz%3D1C1GGLS_enUS324US324%26sa%3DG
(originally in Chinese or something and used Google to translate it).

On Thu, Apr 23, 2009 at 10:02 AM, Mark Kruger <mkru...@cfwebtools.com> wrote:

>
> Nate,
>
> Excellent ...thanks for this.
>
> -mark
>
>
>
> Mark A. Kruger, CFG, MCSE
> (402) 408-3733 ext 105
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com
>
> -----Original Message-----
> From: ALL [mailto:thegreat...@gmail.com]
> Sent: Thursday, April 23, 2009 3:34 AM
> To: cf-talk
> Subject: Re: Question about hack
>
>
> Not sure if any more info on this subject has come up, but here are the
> contents of the file gm.vbs that was doing all the dirty work:
> http://paste-it.net/public/v22f672/
>
> I have also noticed a new file named:
>
> 1.exe in the c:\ root directory. It has an icon of "BMW" (the car company),
> not sure if that has something to do with it either.
>
> -Nathan
>
> On Thu, Apr 16, 2009 at 7:56 PM, Al Musella, DPM
> <muse...@virtualtrials.com> wrote:
>
> >
> > A few ideas:
> > 1. Set the ftp security to only allow connections from specific IP
> > addresses.  If the user has a dynamic ip, then use his entire range..
> > better than letting the entire world in
> > 2. Your blog shows why I said
> > to Michael to reformat the drive and reinstall everything when he was
> > attacked. Once you let someone else get access to your server, there
> > is no way you can ever trust it again. It has to be reformatted.
> > 3. I know it isn't the right way to fight an attack, but for this
> > specific attack, just put  your index.cfm file into a different file,
> > then have your index.cfm file just do a cflocation to that page.  If
> > the hack adds stuff to the index.cfm page, nothing will happen to the
> > users.
> >
> >
> > At 03:31 PM 4/16/2009, you wrote:
> >
> > >For those interested I have compiled all I know about this attack
> > >into a blog post:
> > >
> > >http://www.coldfusionmuse.com/index.cfm/2009/4/16/iframe.insertion.hack
> > >
> > >Again, we have not specifically identified the attack but we have
> > >lots of information and a stop gap measure :)
> > >
> > >-Mark
> > >
> > >
> > >Mark A. Kruger, CFG, MCSE
> > >(402) 408-3733 ext 105
> > >www.cfwebtools.com
> > >www.coldfusionmuse.com
> > >www.necfug.com
> > >
> > >-----Original Message-----
> > >From: Mark Kruger [mailto:mkru...@cfwebtools.com]
> > >Sent: Tuesday, April 14, 2009 5:37 PM
> > >To: cf-talk
> > >Subject: RE: Question about hack
> > >
> > >
> > >Thanks... I'll add that to my list.
> > >
> > >I have a pretty hefty blog post coming out on this tomorrow (or
> > >hopefully tomorrow :).
> > >
> > >-mark
> > >
> > >
> > >
> > >
> > >
> >
> >
>
>
>
> 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321898