You should also check that you have all the hotfixes installed, especially recent ones which plugged a vulnerability that would allow attackers to upload files, which has been blogged and tweeted a lot. Check your FTP logs for any hacked FTP accounts. A general security scan against your server would be a good idea, as well as http://hackmycf.com/
On Sat, Feb 2, 2013 at 4:48 PM, Dave Watts <[email protected]> wrote:
>
> > I noticed my CF server started timing out a lot lately. Then I looked at
> > the code and on the Application.cfm page at the
> > top was this code that I didn't put there. Anybody know what this is and
> > how it might have gotten on the Application.cfm
> > pages of the sites on this VPS? Not sure how it got there. Any help in
> > plugging this hole would be appreciated.
>
> The code fetches your page, outputs it, then fetches something from
> somewhere else and outputs that also.
>
> The "somewhere else" is this URL:
>
> http://199.19.94.194/cfset2.txt
>
> The content of that URL is:
>
> <script language="JavaScript">function zdrViewState()
> {
> var a=0,m,v,t,z,x=new
> Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
> t=z='';
> for(v=0;v<m.length;){t+=m.charAt(v++);
> if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
> t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();
> </script>
>
> followed by a snippet of spam for payday loans.
>
> There are many things that could have allowed this to be injected. I
> recommend that you configure CF to run as a specific user account, and
> give that user account read/execute permissions to your CF files. By
> default, CF runs as SYSTEM on Windows, which has full control of all
> local files. It doesn't need this level of permissions. Doing this
> won't close the vulnerability used to inject the code in the first
> place, but it will prevent it from doing anything.
>
> Then, once you've done that, read the CF 9 Lockdown Guide and follow
> its instructions as best you can. You should do this as a matter of
> course for any CF server install.
>
> http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354230
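The quoted zdrViewState() script hides what it writes behind a small digit-pair cipher. The following is an added example, not code from the thread or from either poster: a stand-alone decoder that reproduces the script's arithmetic on the four encoded strings quoted above, so an incident responder can read the hidden markup without loading the script in a browser. The only input is the encoded array copied from the quote; no other values are assumed.

```javascript
// Added example (not from the cf-talk thread): a stand-alone decoder for the
// obfuscation scheme used by the injected zdrViewState() script quoted above.
// It reproduces the arithmetic so the hidden markup can be read without
// executing the script in a browser.

// The four encoded strings, copied verbatim from the quoted script.
const ENCODED = [
  '9091968376',
  '8887918192818786347374918784939277359287883421333333338896',
  '9977918890',
  '949990793917947998942577939317',
];

// Decode one string: every two-digit group is a character code shifted by a
// constant. A trailing odd digit is ignored, exactly as the original loop does
// (it only emits a character once two digits have been collected).
function decodeString(encoded, shift) {
  let out = '';
  for (let i = 0; i + 1 < encoded.length; i += 2) {
    out += String.fromCharCode(parseInt(encoded.slice(i, i + 2), 10) + shift);
  }
  return out;
}

// Decode the whole array, returning a new array in original index order.
// The original walks the array from the end with a 1-based counter a, so the
// string at index (l - a) is decoded with shift (25 - l + a).
function decodeAll(encoded) {
  const l = encoded.length;
  const decoded = new Array(l);
  for (let a = 1; a <= l; a++) {
    decoded[l - a] = decodeString(encoded[l - a], 25 - l + a);
  }
  return decoded;
}

// Rebuild exactly what document.write() would emit. The original script reads
// x[4] on a four-element array; JavaScript yields undefined there, which string
// concatenation renders as the literal text "undefined". Reproduced faithfully.
function rebuildWrittenMarkup(encoded) {
  const x = decodeAll(encoded);
  const at = (i) => (i < x.length ? x[i] : 'undefined');
  return '<' + at(0) + ' ' + at(4) + '>.' + at(2) + '{' + at(1) + '}</' + at(0) + '>';
}

console.log(decodeAll(ENCODED));
console.log(rebuildWrittenMarkup(ENCODED));
```

Decoded, the four strings are `style`, `position:absolute;top:-9999px`, `zdroq` and `type='text/css'`, and the script writes a `<style>` block that positions anything with class `zdroq` far off-screen. That is the mechanism behind "followed by a snippet of spam for payday loans": the appended spam is wrapped in that class, so visitors never see it while search-engine crawlers index it on the victim's domain. The stray `undefined` attribute (from the out-of-range `x[4]`) is ignored by browsers and does not stop the rule from applying. When triaging a similar injection, decode the blob this way first; the decoded CSS class name and the fetched URL are the indicators worth searching for across the rest of the site's files and logs.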

