I looked into this a bit more this morning, and have realized that I may have gotten very lucky.
In going through the logs again, I see that there were no POSTs to h.cfm. So the hacker never logged into h.cfm. And I see no GETs with a fuseaction, as described in Charlie's post. I ran the hacker's script again to confirm that logging in shows a POST in my logs. I also tried a some of the non destructive actions he could take, and found that those caused either a POST or GET+fuseaction. I think I dodged a bullet here. ---------- Forwarded message ---------- From: Robert Rhodes <rrhode...@gmail.com> Date: Thu, Jan 3, 2013 at 12:00 AM Subject: Re: New Security Issue with CF To: cf-talk@houseoffusion.com Thanks. I saw that afterwards. I was freaking out a bit there. Still am. :( I have gone through the logs on that server (windows 2008 R2 server running IIS7.5 and CF9.02) and the hacker loaded his script 1 time each on 15 different sites. They all look like this: 2013-01-02 00:15:15 192.168.55.129 GET /CFIDE/h.cfm - 80 - 178.170.124.210 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 171 But on 3 of the sites, he also loaded: help,cfm, administrator.cfc, mappings.cfm, scheduleedit.cfm, and scheduletasks.cfm but there are no scheduled tasks showing in the administrator. I checked the CF Administrator log and found nothing. Fortunately, he missed the one site (none of his crap shows up in its logs) where there was sensitive information, so assuming he could not traverse directories, I am hoping I am ok there. I ran his file (after renaming it), and none of my datasources showed up (it was an empty <select>). I am hoping I am good there too. It looks like his script it needs to be driven by a human (a lot of it is a form). So I am hoping that the one hit I see on most of those sites is an automated hit to see if the script is there, then he was going to come around later and do his damage -- and he never did. Wishful thinking right? I don't see any other signs of trouble anywhere, but am very worried that something bad has happened that I have just not stumbled on yet. Any suggestions or advice? Any place else I should be looking? Am I fooling my self to think I got lucky here? I have shut down CF on that server and am now searching all other servers for h.cfm. So far nothing. Tomorrow, I will completely wipe that server and reload it. -RR ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353742 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
