Yeah, I had figured out what the code did. My main concern is figuring out how they did it and preventing it in the future. I had already done the lockdown stuff many months ago, which is why I am kind of baffled. I checked the FTP logs and see nothing in there for those files, so the attack would have most likely come in via CF somewhere.
-----Original Message-----
From: Dave Watts [mailto:[email protected]]
Sent: Saturday, February 02, 2013 11:49 AM
To: cf-talk
Subject: Re: Possible Hack?

> I noticed my CF server started timing out a lot lately. Then I looked at the
> code and on the Application.cfm page at the top was this code that I didn't
> put there. Anybody know what this is and how it might have gotten on the
> Application.cfm pages of the sites on this VPS? Not sure how it got there.
> Any help in plugging this hole would be appreciated.

The code fetches your page, outputs it, then fetches something from somewhere else and outputs that also. The "somewhere else" is this URL:

http://199.19.94.194/cfset2.txt

The content of that URL is:

<script language="JavaScript">function zdrViewState() { var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a]; t=z=''; for(v=0;v<m.length;){t+=m.charAt(v++); if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a); t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState(); </script>

followed by a snippet of spam for payday loans.

There are many things that could have allowed this to be injected. I recommend that you configure CF to run as a specific user account, and give that user account read/execute permissions to your CF files. By default, CF runs as SYSTEM on Windows, which has full control of all local files. It doesn't need this level of permissions. Doing this won't close the vulnerability used to inject the code in the first place, but it will prevent it from doing anything.

Then, once you've done that, read the CF 9 Lockdown Guide and follow its instructions as best you can. You should do this as a matter of course for any CF server install.
http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354229
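For anyone doing the same triage on a compromised server, the following is an added example (not code from this thread or from any of its posters) that decodes the digit-pair obfuscation used by the zdrViewState() script Dave quoted. It reproduces the script's own arithmetic offline, without document.write, so the markup it would inject can be read without loading it in a browser. The four obfuscated strings are copied from the quoted script; everything else is written here.

```javascript
// Offline decoder for the digit-pair obfuscation in the injected
// zdrViewState() script quoted above. Added example, not code from the
// thread: it mirrors the decoding arithmetic but never touches the DOM.

// The four obfuscated strings exactly as they appear in the quoted script.
const OBFUSCATED = [
  '9091968376',
  '8887918192818786347374918784939277359287883421333333338896',
  '9977918890',
  '949990793917947998942577939317',
];

// Decode one string: each pair of digits is a number, and the character
// is that number plus an offset that depends on the element's position.
function decodeSegment(digits, offset) {
  let out = '';
  for (let i = 0; i + 1 < digits.length; i += 2) {
    out += String.fromCharCode(parseInt(digits.slice(i, i + 2), 10) + offset);
  }
  return out;
}

// Mirror the original loop: with l = x.length, element x[l-a] is decoded
// using offset 25-l+a, so the last element gets the smallest offset and
// the first element the largest.
function decodeAll(x) {
  const l = x.length;
  const decoded = new Array(l);
  for (let a = 1; a <= l; a++) {
    decoded[l - a] = decodeSegment(x[l - a], 25 - l + a);
  }
  return decoded;
}

// Reassemble the markup the script would have written into the page.
// The original concatenates x[4], which does not exist in a 4-element
// array, so that attribute slot renders literally as "undefined".
function rebuildMarkup(x) {
  const d = decodeAll(x);
  return '<' + d[0] + ' ' + d[4] + '>.' + d[2] + '{' + d[1] + '}</' + d[0] + '>';
}

// Stand-alone usage: print the decoded pieces and the reassembled tag.
console.log(decodeAll(OBFUSCATED));
console.log(rebuildMarkup(OBFUSCATED));
```

Running it shows the payload is a style block that positions a CSS class far off-screen, which is how the payday-loan spam that follows stays invisible to visitors while remaining in the HTML for search engines; that is the part of the page worth grepping for across every site on the VPS when checking whether the cleanup was complete.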

