Thank You... that was useful. We have the server locked, but these files have been here for some time. Now we have to scan everything for some of the strings in the files.
Robert Harrison
Director of Interactive Services
Austin & Williams
Advertising I Branding I Digital I Direct
125 Kennedy Drive, Suite 100 I Hauppauge, NY 11788
T 631.231.6600 X 119 F 631.434.7022
http://www.austin-williams.com
Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austin_williams

-----Original Message-----
From: Pete Freitag [mailto:[email protected]]
Sent: Friday, September 06, 2013 10:03 AM
To: cf-talk
Subject: Re: Hacking?

Yes, it certainly can be used by hackers. It can be used to manipulate the file system, upload files, execute exe's, and run database queries against your datasources.

This file is most commonly found via the adminapi hack widely exploited in Dec/Jan 2012 (e.g. /CFIDE/h.cfm, etc.), but I've also seen this particular file on hacked servers sprinkled through the file system (e.g. 20-30 instances, using random file names).

Also I've found in many cases that a server had patched the adminapi issue and blocked /CFIDE/adminapi but never cleaned up files that attackers placed, so they keep getting hit.

You will want to take a close look at the server, and consider moving to a fresh server after you have cleaned up.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 1

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:356715
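As an added example (not code from this thread or from either poster), here is a defender-side sweep of the kind Robert describes: since the planted copies carry random file names, it matches on file content, walking a webroot and reporting every CFML file that contains any string taken from the known-bad files. The indicator strings, the sample tree and the file names in it are constructed placeholders; replace INDICATORS with strings copied from the suspect files on the actual server.

```python
# Added example (not from the cf-talk thread): walk a ColdFusion webroot and report every
# CFML file containing any string lifted from the files found on the server.
import os
import tempfile

# Constructed placeholders: replace with strings copied from the suspect files themselves.
INDICATORS = ["PLACEHOLDER_INDICATOR_A", "PLACEHOLDER_INDICATOR_B"]
CFML_EXTS = (".cfm", ".cfc", ".cfml")


def find_indicators(text, indicators=INDICATORS):
    """Return (line_number, indicator) for each indicator present in text (case-insensitive)."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        lowered = line.lower()
        hits.extend((lineno, ind) for ind in indicators if ind.lower() in lowered)
    return hits


def scan_tree(root, indicators=INDICATORS, exts=CFML_EXTS):
    """Return sorted (relative_path, line_number, indicator) for every hit under root.
    Files are read as bytes and decoded leniently so an oddly encoded dropped file
    cannot abort the scan; paths use '/' so results compare the same on any OS."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="replace")
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.extend((rel, ln, ind) for ln, ind in find_indicators(text, indicators))
    return sorted(findings)


def build_sample_tree():
    """Constructed webroot: one clean page plus one planted file with a random-looking name."""
    root = tempfile.mkdtemp(prefix="cfroot_")
    os.makedirs(os.path.join(root, "CFIDE"))
    with open(os.path.join(root, "index.cfm"), "w") as fh:
        fh.write("<cfoutput>Hello</cfoutput>\n")
    with open(os.path.join(root, "CFIDE", "x7q2k.cfm"), "w") as fh:
        fh.write("<!--- constructed planted file --->\nplaceholder_indicator_a here\n")
    return root


if __name__ == "__main__":
    for rel, ln, ind in scan_tree(build_sample_tree()):
        print(f"{rel}:{ln}: {ind}")
```

Run it against the real webroot (and any other directory the ColdFusion service account can write to), since Pete's point is that the dropped files were not confined to /CFIDE.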

