> Three of my CF7-driven sites just got hit this morning with an exploit
> that I'm having trouble finding information on.
>
> The attack did the following:
> 1) wrote 0 KB Application.cfm file to the web-root of the sites
> 2) wrote an onRequestEnd.cfm file (also to the web-root) that contained a
> script src pointing to a site that looks to have been turned into a bot.
>
> The net result was that anyone who entered a keyword in a search engine
> that directed them to a page on our sites would be re-directed to
> http://c-car.co.cc/s/search.php?q=[search keywords]
> where [search keywords] = the search term used by the person to reach
> our site.
>
> I'm trying to find the vector for this attack, and haven't had luck yet.
> It doesn't look like the application.cfm and onRequestEnd.cfm files were
> written via FTP (no unusual activity today), and while these sites do
> have some public-facing file upload forms, the permissions on those are
> pretty well locked down.
>
> Has anyone out there seen this type of attack before, or is this
> something new?

I'm not aware of any specific new attack that does exactly this, but I
suspect that your web server's log files will have the specific URLs
used to launch the attack.

If you're running CF on Windows, and CF is running as SYSTEM (which is
the default), then CF can rewrite .cfm files. So, if it doesn't look
like an FTP problem, that's the most likely vector.

Did you apply the recent security patches for FCKEditor from Adobe?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:328378
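
One way to follow the log-file suggestion in the reply above, as an added example that is not part of the original thread: find files matching the symptoms described (a 0 KB Application.cfm, an onRequestEnd.cfm with a remote script src), then list the POST requests logged shortly before each file was written. It assumes IIS W3C extended logs with date, time, c-ip, cs-method and cs-uri-stem fields; the sample log lines, addresses and `/example/upload.cfm` are constructed.

```python
import os, re, sys
from datetime import datetime, timedelta, timezone
# <script ... src="http://..."> loading from another host, as in the post
REMOTE_SCRIPT = re.compile(rb'<script[^>]+src\s*=\s*["\']?https?://', re.I)

# Constructed sample in IIS W3C extended format (times are UTC)
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2010-01-15 09:58:02 203.0.113.7 GET /index.cfm 200
2010-01-15 10:01:40 203.0.113.7 POST /example/upload.cfm 200
2010-01-15 10:30:00 198.51.100.4 POST /contact.cfm 200
""".splitlines()

def find_dropped_files(webroot):
    """Return (path, reason, mtime_utc) for files matching the post's symptoms."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            if name.lower() == "application.cfm" and st.st_size == 0:
                hits.append((path, "zero-byte Application.cfm", mtime))
            elif name.lower() == "onrequestend.cfm":
                with open(path, "rb") as fh:
                    if REMOTE_SCRIPT.search(fh.read()):
                        hits.append((path, "remote script src", mtime))
    return hits

def posts_before(log_lines, when, minutes=10):
    """Return (time, client_ip, uri) for POSTs in the window ending at `when`."""
    fields, out = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
        elif fields and line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            ts = datetime.strptime(rec["date"] + " " + rec["time"],
                                   "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            if rec.get("cs-method") == "POST" and \
               when - timedelta(minutes=minutes) <= ts <= when:
                out.append((ts, rec.get("c-ip"), rec.get("cs-uri-stem")))
    return out

if __name__ == "__main__":
    log = open(sys.argv[2]).read().splitlines() if len(sys.argv) > 2 else SAMPLE_LOG
    for path, reason, mtime in find_dropped_files(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(reason, path, mtime.isoformat())
        for ts, ip, uri in posts_before(log, mtime):
            print("   POST before write:", ts.isoformat(), ip, uri)
```

File modification times can be altered by whoever wrote the files, so treat the time window as a starting point and widen it if nothing turns up.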