http://stackoverflow.com/questions/13099802/cfml-strange-script-found-in-hosting-

Seems that someone has dealt with this a few months ago.

On Thu, Jan 3, 2013 at 2:22 PM, Mahcsig <[email protected]> wrote:
>
> It also has an option for cfexecute, and filesetlastmodified, so they could
> have covered some of their tracks that way.
>
> If CF is running as local system, they could have done some really bad
> things to the system...
>
> ~Mahcsig
>
>
> On Thu, Jan 3, 2013 at 11:05 AM, Dave Watts <[email protected]> wrote:
>
> > > My company is running CF8 on IIS. We have a website that doesn't get
> > > much use in between biannual meetings.
> > > I just noticed the following code that was inserted into one of the
> > > subfolder's index.cfm files. I'm not seeing any
> > > other changes in any other file (yet) and the server doesn't appear to
> > > have taken a hit, but I'm not even sure what
> > > this code is doing, how it got there, and whether it's harmful.
> >
> > Any code that can write to your server's filesystem is potentially
> > harmful. This code appears to do that, along with listing files on
> > your filesystem and allowing viewers to download them. Both of these
> > things are potentially harmful, unless you explicitly want to do that.
> >
> > > Next steps (other than yanking out the code, which I've already done)???
> >
> > Why is CF allowed to write to the web root? If you prevent CF from
> > writing files where it generally shouldn't, you can prevent a lot of
> > these types of vulnerabilities. Preventing this may involve changing
> > CF's login from SYSTEM to a non-privileged user in addition to setting
> > filesystem permissions.
> >
> > I would recommend that you read the excellent CF 9 Lockdown Guide,
> > which I think is still on the Adobe site. Then, do the things it says
> > to do.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> > GSA Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353747
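
An added example, not code from the thread or its participants: a web-root sweep for the capabilities discussed above (cfexecute, FileSetLastModified, file writes, directory listing, file download). It compares content hashes against a known-good manifest instead of trusting modification times, since those can be reset. The `baseline` manifest, the indicator names, the regexes and the sample files are assumptions constructed for this illustration.

```python
import hashlib, os, re, tempfile

# Capabilities the thread attributes to the injected code: command execution,
# timestamp resetting, file writes, directory listing and file download.
INDICATORS = {
    "cfexecute": re.compile(r"<cfexecute\b", re.I),
    "filesetlastmodified": re.compile(r"\bFileSetLastModified\s*\(", re.I),
    "file-write": re.compile(r"<cffile\b[^>]*\baction\s*=\s*[\"']?(write|upload|append)", re.I),
    "dir-listing": re.compile(r"<cfdirectory\b", re.I),
    "file-download": re.compile(r"<cfcontent\b[^>]*\bfile\s*=", re.I),
}

def scan_cfml(root, baseline):
    """Return {relative_path: {"changed": bool, "hits": [names]}} for flagged files.

    baseline (hypothetical manifest, e.g. built from source control) maps a
    relative path to the sha256 of its known-good copy. mtime is ignored on
    purpose: FileSetLastModified lets injected code reset it."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".cfm", ".cfc", ".cfml")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            text = data.decode("latin-1")  # lossless for any byte sequence
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
            changed = baseline.get(rel) != hashlib.sha256(data).hexdigest()
            if changed or hits:
                findings[rel] = {"changed": changed, "hits": hits}
    return findings

def demo():
    # Constructed sample web root: one untouched page, one with added tags.
    clean = b"<cfoutput>#now()#</cfoutput>\n"
    injected = clean + b'<cfexecute name="placeholder.exe"></cfexecute>\n<cfset FileSetLastModified(f, d)>\n'
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sub"))
    for rel, body in (("index.cfm", clean), ("sub/index.cfm", injected)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    os.utime(os.path.join(root, "sub/index.cfm"), (0, 0))  # old-looking mtime
    baseline = {rel: hashlib.sha256(clean).hexdigest() for rel in ("index.cfm", "sub/index.cfm")}
    return scan_cfml(root, baseline)

if __name__ == "__main__":
    print(demo())
```

A file that appears in the results with `changed` set but no indicator hits still needs review, and so does any file present on disk but missing from the manifest.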

