Upon further review of my server I have discovered several files were compromised, dating back to January 2, 2013. They appear in various places in the /CFIDE folder. Here is a list of the ones I found this morning:
C:\Inetpub\wwwroot\CFIDE\adminapi\customtags\fusebox.cfm
C:\Inetpub\wwwroot\CFIDE\administrator\scheduler\scheduleedit.cfm
C:\Inetpub\wwwroot\CFIDE\administrator\security\cfrdspassword.cfm
C:\Inetpub\wwwroot\CFIDE\componentutils\Application.cfm
C:\Inetpub\wwwroot\CFIDE\componentutils\cfcexplorer.cfc
C:\Inetpub\wwwroot\CFIDE\scripts\ajax\ext\docs\resources\pkg.cfm

If your server was compromised, I suggest you do a search for any files changed within the past 2 months and you will probably find them.

James F

On Tue, Feb 5, 2013 at 3:54 AM, Russ Michaels <[email protected]> wrote:

> I have to say I have never once had that in my 12 years of installing cf servers, if the cfide dir or vdir doesn't exist, then cfide or the administrator doesn't work, period.
> So there must be some very special circumstances for that to happen, it certainly doesn't happen on a standard windows install.
>
> Regards
> Russ Michaels
> www.michaels.me.uk
> www.cfmldeveloper.com - Free CFML hosting for developers
> www.cfsearch.com - CF search engine
>
> On Feb 5, 2013 12:21 AM, "Dave Watts" <[email protected]> wrote:
>
> > > > OK, now that you've done that: CF serves all sorts of pages that don't exist. You may read up in this very thread about CFCHART, which relies on a URL pattern that doesn't exist. CF relies on servlet mappings, which may or may not correspond with actual URLs. Typically, they do, but there are some specific URL mappings that are created by default when you install CF, and one of them is /CFIDE/Administrator/index.cfm. Another is /CFIDE/Main/ide.cfm - this is another file that doesn't even exist by default.
> > >
> > > I understand that under special circumstances like CFChart it serves pages that don't exist. But in the scenario I outlined where CFIDE mappings have been re-pointed to a folder that does not carry the administrator folders and the web server provides a Virtual directory to the very same duplicated CFIDE folder, I fail to see how it would ever serve the content from the administrator and adminapi folders...
> >
> > In a nutshell:
> > - client requests /CFIDE/Administrator/index.cfm
> > - request is immediately passed to CF by the web server - this happens before the web server tests for the existence of a file at that URL
> > - CF looks at its list of servlet mappings, and finds one for /CFIDE/Administrator/index.cfm
> > - CF looks on the filesystem for where it expects to find this file, based on where these files were placed during the initial install
> > - if the file is there, it's executed
> >
> > So, let's say you install CF without hooking it up to a web server, then later hook it up to IIS. In that case, CF will initially use the built-in web server, and create the file c:\coldfusion9\wwwroot\CFIDE\Administrator\index.cfm. When you hook up the web server, the web root might be c:\inetpub\wwwroot, and you may have created your own CFIDE directory there without the Administrator subdirectory, so that the directory c:\inetpub\wwwroot\CFIDE exists but the file c:\inetpub\wwwroot\CFIDE\Administrator\index.cfm does not. Nevertheless, CF will execute the file c:\coldfusion9\wwwroot\CFIDE\Administrator\index.cfm when you ask it for http://your_IIS_web_server/CFIDE/Administrator/index.cfm even though a request for http://your_IIS_web_server/CFIDE/Administrator/ returns a 404 - the second URL doesn't match an explicit servlet mapping.
> >
> > Alternatively, let's say you install CF and hook it up to your default IIS server. In that case, CF will create the file c:\inetpub\wwwroot\CFIDE\Administrator\index.cfm. Then, you might create a new IIS virtual server, and set its web root to c:\inetpub\otherserver\. You'd still have the same problem, as CF would still be able to resolve to the original location of the file.
> >
> > We actually go through this in our "Administering ColdFusion 9" course as it's a fairly common configuration mistake.
> >
> > http://training.figleaf.com/courses/administering_coldfusion.cfm
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354315
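The search James suggests, as an added PowerShell example that is not part of the thread: it lists every file under each CFIDE copy that was written or created within the last 60 days and records its SHA-256 hash for triage. It checks both the IIS web root copy and ColdFusion's own wwwroot copy because, as Dave explains, CF can serve the administrator from the latter even when the former lacks it. The two paths are the ones named in the thread; the function name and the 60-day default are assumptions.

```powershell
# Added example (not from the original thread). Lists files under each
# CFIDE copy modified within the last N days, with size and SHA-256, so
# unexpected .cfm/.cfc files can be compared against a clean install.
function Find-RecentCfideChanges {
    param(
        # Both roots from the thread: the IIS web root copy and the copy
        # CF installs under its own wwwroot (adjust for your install).
        [string[]]$Roots = @('C:\Inetpub\wwwroot\CFIDE',
                             'C:\ColdFusion9\wwwroot\CFIDE'),
        # Assumed default: roughly the "past 2 months" James recommends.
        [int]$Days = 60
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            # Creation time is checked too: a dropped file may carry a
            # back-dated LastWriteTime but still has a recent CreationTime.
            Where-Object { $_.LastWriteTime -gt $cutoff -or $_.CreationTime -gt $cutoff } |
            ForEach-Object {
                $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    CreationTime  = $_.CreationTime
                    Length        = $_.Length
                    SHA256        = if ($hash) { $hash.Hash } else { '(unreadable)' }
                }
            }
    }
}

# Newest changes first; pipe to Export-Csv to keep a record for the incident file.
Find-RecentCfideChanges -Days 60 |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Compare the listed paths against a pristine CFIDE from the same ColdFusion version; files such as the six James found have no counterpart there and stand out immediately.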

