I wonder if this has anything to do with the new CF security issue? If so, look for an h.cfm in your cfide directory. Charlie Arehart has an article about it...there is also an article on Adobe's website. I don't have the info handy...it was posted on the cf-community site earlier.

-----Original Message-----
From: Mahcsig [mailto:[email protected]]
Sent: Thursday, January 03, 2013 1:22 PM
To: cf-talk
Subject: Re: What is this code doing? Is it harmful?

It also has an option for cfexecute, and filesetlastmodified, so they could have covered some of their tracks that way. If CF is running as local system, they could have done some really bad things to the system...

~Mahcsig

On Thu, Jan 3, 2013 at 11:05 AM, Dave Watts <[email protected]> wrote:

> > My company is running CF8 on IIS. We have a website that doesn't get much use in between biannual meetings.
> > I just noticed the following code that was inserted into one of the subfolder's index.cfm files. I'm not seeing any other changes in any other file (yet) and the server doesn't appear to have taken a hit, but I'm not even sure what this code is doing, how it got there, and whether it's harmful.
>
> Any code that can write to your server's filesystem is potentially harmful. This code appears to do that, along with listing files on your filesystem and allowing viewers to download them. Both of these things are potentially harmful, unless you explicitly want to do that.
>
> > Next steps (other than yanking out the code, which I've already done)???
>
> Why is CF allowed to write to the web root? If you prevent CF from writing files where it generally shouldn't, you can prevent a lot of these types of vulnerabilities. Preventing this may involve changing CF's login from SYSTEM to a non-privileged user in addition to setting filesystem permissions.
>
> I would recommend that you read the excellent CF 9 Lockdown Guide, which I think is still on the Adobe site. Then, do the things it says to do.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353752
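
The thread notes that the inserted code can call filesetlastmodified, so file dates cannot be trusted when checking whether other files were touched. The following is an added example, not code from the thread: it compares CFML files against a known-good hash baseline and flags the tags mentioned above. The function names, the constructed sample tree, and the extra cffile/cfdirectory patterns are assumptions made for illustration.

```python
import hashlib, os, re, tempfile
from pathlib import Path
# Tags/functions named in the thread, plus CF file writes and directory listing.
RISKY = re.compile(rb"<cfexecute\b|filesetlastmodified\s*\(|<cfdirectory\b|"
                   rb"<cffile\b[^>]*action\s*=\s*[\"']?(?:write|upload)", re.I)

def cfml_files(root):
    """Yield (relative posix path, bytes) for every CFML file under root."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".cfm", ".cfc", ".cfml"}:
            yield path.relative_to(root).as_posix(), path.read_bytes()

def build_baseline(root):
    """Hash a known-good copy, e.g. a fresh deploy from source control."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in cfml_files(root)}

def audit(root, baseline):
    """Return [(path, [reasons])]; modification times are never consulted."""
    findings = []
    for rel, data in cfml_files(root):
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != hashlib.sha256(data).hexdigest():
            reasons.append("content changed")
        if RISKY.search(data):
            reasons.append("risky tag/function")
        if rel.lower().endswith("/h.cfm") and "cfide" in rel.lower().split("/")[:-1]:
            reasons.append("h.cfm under CFIDE")
        if reasons:
            findings.append((rel, reasons))
    return findings

def demo():
    """Constructed tree: one page edited with its mtime restored, one new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "CFIDE").mkdir()
        index = root / "index.cfm"
        index.write_text("<cfoutput>Meeting schedule</cfoutput>")
        baseline = build_baseline(root)
        before = index.stat()
        index.write_text(index.read_text() + '<cfexecute name="placeholder"></cfexecute>')
        os.utime(index, ns=(before.st_atime_ns, before.st_mtime_ns))  # mtime looks untouched
        (root / "CFIDE" / "h.cfm").write_text("<cfoutput>placeholder</cfoutput>")
        return audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline has to come from a copy taken before the compromise; hashing the live web root after the fact only records the modified state.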

