Tom, stop and go back to the CF Admin and check the setting for Missing Template Handler. Make sure it's blank or is actually pointing to a valid missing template handler page that you set up. This blog post is why I mention that.
http://www.coldfusionmuse.com/index.cfm/2013/12/5/attack.vector.missing.template.handler

Wil Genovese
Sr. Web Application Developer/Systems Administrator
CF Webtools
www.cfwebtools.com

[email protected]
www.trunkful.com

On Nov 12, 2014, at 3:12 PM, Tom McNeer <[email protected]> wrote:

>
> One more followup: whatever this is, it isn't related to CF. I jumped to
> the wrong conclusion.
>
> The problem reappeared when I was in the CF admin page, long after I'd
> logged on.
>
> But then I opened another browser and purposely asked for a local page that
> didn't exist. The IIS error page contained ads.
>
> Again, this doesn't make me feel a whole lot better. But folks should know
> that this is not a new CF attack.
>
> On Wed, Nov 12, 2014 at 3:56 PM, Tom McNeer <[email protected]> wrote:
>
>> I appreciate all the suggestions - and I especially appreciate when you
>> step in, Dave.
>>
>> Certainly, I'm considering a clean installation.
>>
>> But as a followup: Dave's comment about "the problem is almost certainly
>> in the browser itself or some other piece of malware installed on the
>> client" brings up lots of other possibilities.
>>
>> To be clear (since some other folks have misunderstood this), I can't say
>> that this hack appears *only* in the CF Admin login page, or only in the
>> CF Admin. I have the browser on the server set to the CF admin as a
>> default, because that's what I use the browser for - administering CF. So
>> the hacks appeared immediately after the browser was started and the first
>> page loaded -- which *happened* to be the CF Admin.
>>
>> It's entirely possible, as Dave suggests, that the problem isn't related
>> to CF at all, now that we've discussed it.
>>
>> That doesn't make it less of a problem. In fact, it means there are lots
>> of other possible vectors.
>>
>> On Wed, Nov 12, 2014 at 3:29 PM, <> wrote:
>>
>>>
>>>>> One is that, while it doesn't show
>>> up in the view source for a given page, a JS library referenced in the
>>> page has been compromised to rewrite page content.
>>>
>>> Of course, this is quite possible in theory, however it would imply that
>>> the hacker has already hacked the server, and one could ask what he is
>>> still trying to hack.
>>>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359634

