This same thing happened to us. I traced it back to two cfm files that were created in CFIDE/adminapi/customtags. The first file was created at 9:28AM, the second at 1:03AM. The files were named adss.cfm and fusebox.cfm. fusebox.cfm is what scans for application.cfm, index.php, index.html, and index.htm, then injects the code in them. I can post the source for the files if anyone wants to look at it. I still have no idea how they managed to create them though.

> From our side this hack appears to have been inserted yesterday during
> the Superbowl. The offending IP seems to have come from China. It got
> three of our sites on different servers. Only sites with an
> application.cfm file were hit. Sites using application.cfc were
> untouched.
>
> Robert Harrison
> Director of Interactive Services
>
> Austin & Williams
> Advertising I Branding I Digital I Direct
> 125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
> T 631.231.6600 X 119 F 631.434.7022
> http://www.austin-williams.com
>
> Blog: http://www.austin-williams.com/blog
> Twitter: http://www.twitter.com/austin_williams
>
> -----Original Message-----
> From: Robert Harrison [mailto:[email protected]]
> Sent: Monday, February 04, 2013 9:49 AM
> To: cf-talk
> Subject: RE: Possible Hack?
>
> Checking, all of the sites we have that use an application.cfm file
> appear to have gotten this hack. The newer sites that use the
> application.cfc file appear to be untouched. We had at least three
> servers hit with this.
>
> Robert Harrison
>
> -----Original Message-----
> From: Robert Harrison [mailto:[email protected]]
> Sent: Monday, February 04, 2013 9:38 AM
> To: cf-talk
> Subject: RE: Possible Hack?
>
> We got hit with that exact hack on Sunday, and we have all patches and
> updates installed up to date.
>
> Robert Harrison
>
> -----Original Message-----
> From: Mike K [mailto:[email protected]]
> Sent: Sunday, February 03, 2013 8:10 PM
> To: cf-talk
> Subject: Re: Possible Hack?
>
> I have had this same code added to one of my sites too. (I'm checking
> now to see if it's just one)
>
> Did you find out yet where the access point was to modify your code?
>
> Cheers
> Mike Kear
> Windsor, NSW, Australia
> Adobe Certified Advanced ColdFusion Developer AFP Webworks
> http://afpwebworks.com ColdFusion 9 Enterprise, PHP, ASP, ASP.NET
> hosting from AUD$15/month

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354273
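
An added example, not part of the original thread or any poster's code: a Python triage script built on the indicators named in the first message. It lists .cfm templates found in CFIDE/adminapi/customtags (marking the two reported names) and the files fusebox.cfm is said to target that changed after a cutoff; the `triage` function, its parameters and the cutoff are assumptions.

```python
import os
import time
from pathlib import Path

# Directory and file names come from the thread; the rest is assumed.
DROP_DIR = ("cfide", "adminapi", "customtags")
REPORTED_DROPPERS = {"adss.cfm", "fusebox.cfm"}
INJECTION_TARGETS = {"application.cfm", "index.php", "index.html", "index.htm"}


def triage(webroot, since_epoch):
    """Return (templates_in_drop_dir, targets_modified_since) under webroot.

    since_epoch is a cutoff chosen by the responder (hypothetical parameter),
    for example the start of the weekend the thread describes.
    """
    dropped, touched = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        rel = Path(dirpath).relative_to(webroot).parts
        in_drop_dir = tuple(p.lower() for p in rel)[-3:] == DROP_DIR
        for name in files:
            path = Path(dirpath) / name
            lname = name.lower()
            if in_drop_dir and lname.endswith(".cfm"):
                # Every template here should be compared with a clean
                # install; the flag marks the names reported in the thread.
                dropped.append((str(path), lname in REPORTED_DROPPERS))
            if lname in INJECTION_TARGETS and path.stat().st_mtime >= since_epoch:
                # Modification time is only a hint: confirm by diffing the
                # file against source control or a known-good backup.
                touched.append(str(path))
    return sorted(dropped), sorted(touched)


if __name__ == "__main__":
    import sys
    # Usage (constructed): python triage.py <webroot> <hours-to-look-back>
    root, hours = sys.argv[1], float(sys.argv[2])
    dropped, touched = triage(root, time.time() - hours * 3600)
    for path, reported in dropped:
        print("DROP-DIR", "reported-name" if reported else "review", path)
    for path in touched:
        print("MODIFIED", path)
```

Run it against every webroot on each affected server, since the thread reports sites on several servers being hit.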

