Re: How To Fix Server Hack
There is a lot of work to do at this point and you will need to face the possibility that it could be too late to lock down (depending on what was hacked/installed, etc. and what data was taken) and you may in the worst case be looking at reinstalling everything from scratch. In the meantime you can use the CF9 lockdown guide (most applies to CF8) to learn what you need to do to lock down the server.

http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

If you want professional help then contact us at CF Webtools. This is what we do and we've written a few blog posts on security and locking down ColdFusion.

http://www.coldfusionmuse.com/index.cfm/2014/3/6/IIS.Vulnerability.CF.Task.Scheduler.API
http://www.coldfusionmuse.com/index.cfm/2013/5/10/Protecting-the-CFIDE-directory-in-IIS
http://www.coldfusionmuse.com/index.cfm/2013/5/9/sub.zero.coldfusion
http://www.trunkful.com/index.cfm/ColdFusion-Security

Regards,
Wil

Wil Genovese
Sr. Web Application Developer/ Systems Administrator
CF Webtools
www.cfwebtools.com
wilg...@trunkful.com
www.trunkful.com

On Aug 5, 2014, at 6:47 PM, E Cohen wrote:

> Hello All,
>
> Sorry this is a bit of a clueless email. I have a ColdFusion 8 server that
> was hacked yesterday. A file was installed at /CFIDE/scripts/index.html on a
> Windows 2008 server that redirected to a phishing site. I am trying to work
> out what they did to install that file and lock it down. Does anyone have
> any tips or ideas?
>
> Thank you

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359059
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
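Wil's reply points at the lockdown guide and at the open question of how much on the box was changed. A practical defender step the thread does not spell out is a file-integrity baseline of the CFIDE tree, so that a dropped file like the /CFIDE/scripts/index.html E Cohen found shows up as a diff against a known-good manifest instead of being discovered by accident. The following is an added example, not code from the thread or from CF Webtools: the directory layout, file contents and baseline path in `demo()` are constructed for the demonstration, and in real use the baseline JSON would be taken right after a clean install or patch and stored off the web server.

```python
"""Baseline-and-diff check for a CFIDE tree (added example, not from the thread)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file below root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, path: Path) -> None:
    # Keep this file OFF the web server (or at least outside the web root):
    # whoever can write to CFIDE can also rewrite a baseline stored beside it.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Files that appeared, vanished, or changed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Run the check against a constructed CFIDE-like tree in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        cfide = Path(tmp) / "CFIDE"
        (cfide / "scripts" / "ajax").mkdir(parents=True)
        (cfide / "administrator").mkdir()
        (cfide / "scripts" / "ajax" / "cfajax.js").write_text("// stock script\n")
        (cfide / "administrator" / "index.cfm").write_text("<cfoutput>admin</cfoutput>\n")

        baseline_path = Path(tmp) / "cfide-baseline.json"  # would live off-box in practice
        save_manifest(build_manifest(cfide), baseline_path)

        # Simulate what the original poster found: a new scripts/index.html,
        # plus a stock file that has been tampered with (constructed contents).
        (cfide / "scripts" / "index.html").write_text("<html>placeholder</html>\n")
        (cfide / "scripts" / "ajax" / "cfajax.js").write_text("// stock script\n// appended\n")

        return compare(load_manifest(baseline_path), build_manifest(cfide))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_manifest` over the real CFIDE directory once the server is in a known-good state, then schedule `compare` against that baseline; anything in `added` or `modified` under scripts/ or administrator/ is worth a look before it is served to anyone.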
How To Fix Server Hack
Hello All,

Sorry this is a bit of a clueless email. I have a ColdFusion 8 server that was hacked yesterday. A file was installed at /CFIDE/scripts/index.html on a Windows 2008 server that redirected to a phishing site. I am trying to work out what they did to install that file and lock it down. Does anyone have any tips or ideas?

Thank you

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359058
Re: Emails MIA
> Issues only occur with service provider emails (BCC to me is OK). Their
> network provider advises the missing emails don't even hit their mail server
> - they run their own mail server and don't use their ISP's mail system. The
> usual suspects of anti-spam systems and junk mail have been checked but
> nothing extraordinary there.
>
> I've approached the hosting provider to see if we can get SMTP logs but they
> won't provide them because they contain other customer data - that's
> understandable but we could only ask.
>
> Is there anything I can do application side to provide some tracking or
> auditing or something so we can try to track this down.

First, some anti-spam systems will not actually put all identified spam in a folder, etc., where it could be found. For example, Postini has a feature, on by default, called Blatant Spam Blocking. BSB-tagged messages won't be moved to the user's quarantine; they'll simply be treated as if they never existed. Postini may have actually accepted the message and closed the SMTP transaction normally, so from the client's side the mail has been successfully sent. So you'll really need SMTP logs to verify the disposition on the receiver side. Most spam filtering systems allow you to search SMTP logs without having to export the whole thing.

On the application side, all you can do is demonstrate that it was successfully sent. The SMTP server you're using locally can probably log this, but honestly if it's processed and not rejected, it's been sent successfully.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359057
Re: Emails MIA
Your hosting provider should troubleshoot this if they will not provide the SMTP logs. We do not usually provide entire logs either, but will attempt to find the pertinent records and provide them. Should be easy enough to parse the logs if you provide an approximate time the email was sent and the email address for the destination.

Provider should also check to see if it just never made it off the local server. Could be the endpoint mail server was unresponsive at the time. Most email servers will queue and retry a few times after a certain time period, but eventually fail and hold.

Your provider may also have an outbound spam filter trapping the email. This might account for it not making it to the end point.

Use a failto in cfmail as it may provide you some detail. If the mail isn't making it off the server, it should bounce to the failto.

I do agree with Russ: a shared web server sending mail through localhost is usually a bad thing. We stopped allowing this. Just too many customers who have compromised forms that abusers use to send spam. So we now require SMTP auth to send via their shared mail server (makes it easier to track abuse) or suggest an external mail service.

Byron Mann
Lead Engineer & Architect
HostMySite

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359056
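Dave's point is that the application can only prove the local mail server accepted the message, and Byron's is that the provider can pull the relevant log lines given a time and a destination address and can tell whether the message ever left the local server. The added example below (not code from the thread, HostMySite or Fig Leaf) shows what that correlation looks like once you have both halves: an application-side send ledger and an excerpt of the SMTP server's log. It assumes the application stamps a unique Message-ID on each message it sends and records it along with the time and recipient; the ledger entries and the Postfix-style log lines (ISO timestamps, delay fields omitted) are constructed for the demonstration, and a real provider's server may log in a different format.

```python
"""Trace app-side send records against SMTP server log lines (added example)."""
import re
from datetime import datetime, timedelta

# Constructed: one record per cfmail call, written by the application. The
# Message-ID is assumed to be a unique value the application itself stamps on
# the outgoing message so the two sides can be matched later.
APP_SEND_LEDGER = [
    {"sent_at": "2014-08-05T12:27:10", "to": "provider@clinic.invalid",
     "message_id": "<req-1001@webapp.invalid>"},
    {"sent_at": "2014-08-05T12:29:40", "to": "provider@clinic.invalid",
     "message_id": "<req-1002@webapp.invalid>"},
    {"sent_at": "2014-08-05T12:31:05", "to": "provider@clinic.invalid",
     "message_id": "<req-1003@webapp.invalid>"},
]

# Constructed, Postfix-style excerpt (ISO timestamps, delay fields dropped).
# A provider can hand over just the lines for one queue id or recipient
# rather than the whole log, which is what Byron describes doing.
SMTP_LOG = """\
2014-08-05T12:27:11 mail postfix/cleanup[4021]: 7F3A1C2: message-id=<req-1001@webapp.invalid>
2014-08-05T12:27:12 mail postfix/smtp[4030]: 7F3A1C2: to=<provider@clinic.invalid>, relay=mx.clinic.invalid[192.0.2.10]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A2B3C)
2014-08-05T12:29:41 mail postfix/cleanup[4021]: 8B77D09: message-id=<req-1002@webapp.invalid>
2014-08-05T12:29:42 mail postfix/smtp[4031]: 8B77D09: to=<provider@clinic.invalid>, relay=mx.clinic.invalid[192.0.2.10]:25, dsn=4.4.2, status=deferred (lost connection with mx.clinic.invalid[192.0.2.10] while sending end of data)
2014-08-05T12:30:00 mail postfix/cleanup[4021]: 9C0012F: message-id=<unrelated@other.invalid>
2014-08-05T12:30:01 mail postfix/smtp[4032]: 9C0012F: to=<someone@elsewhere.invalid>, relay=mx.elsewhere.invalid[198.51.100.5]:25, dsn=2.0.0, status=sent (250 Ok)
"""

CLEANUP_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"message-id=(?P<mid><[^>]+>)"
)
SMTP_RE = re.compile(
    r"^(?P<ts>\S+) \S+ postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]+)>, "
    r"relay=(?P<relay>[^,]+), dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)


def index_smtp_log(log_text):
    """Return (message_id -> queue_id, queue_id -> [delivery attempts])."""
    mid_to_qid, attempts = {}, {}
    for line in log_text.splitlines():
        m = CLEANUP_RE.match(line)
        if m:
            mid_to_qid[m["mid"]] = m["qid"]   # cleanup line ties Message-ID to queue id
            continue
        m = SMTP_RE.match(line)
        if m:
            attempts.setdefault(m["qid"], []).append({
                "at": datetime.fromisoformat(m["ts"]), "to": m["to"],
                "relay": m["relay"], "dsn": m["dsn"],
                "status": m["status"], "detail": m["detail"],
            })
    return mid_to_qid, attempts


def trace_ledger(ledger, log_text):
    """For each application send record, say what the SMTP server did with it."""
    mid_to_qid, attempts = index_smtp_log(log_text)
    report = {}
    for rec in ledger:
        qid = mid_to_qid.get(rec["message_id"])
        if qid is None:
            # The mail server never logged this Message-ID: the hand-off from
            # the web server (or an outbound filter in front of it) is where to look.
            report[rec["message_id"]] = {"disposition": "not_in_smtp_log"}
            continue
        tries = attempts.get(qid, [])
        last = tries[-1] if tries else None
        report[rec["message_id"]] = {
            "disposition": last["status"] if last else "queued_no_attempt",
            "queue_id": qid,
            "attempts": len(tries),
            "detail": last["detail"] if last else "",
        }
    return report


def attempts_near(log_text, recipient, when, minutes=5):
    """Delivery attempts to `recipient` within +/- `minutes` of `when` (ISO string)."""
    centre = datetime.fromisoformat(when)
    window = timedelta(minutes=minutes)
    _, attempts = index_smtp_log(log_text)
    return sorted(
        (a for tries in attempts.values() for a in tries
         if a["to"] == recipient and abs(a["at"] - centre) <= window),
        key=lambda a: a["at"],
    )


if __name__ == "__main__":
    for mid, info in trace_ledger(APP_SEND_LEDGER, SMTP_LOG).items():
        print(mid, info)
    for a in attempts_near(SMTP_LOG, "provider@clinic.invalid", "2014-08-05T12:29:40"):
        print(a["at"], a["status"], a["detail"])
```

The three ledger entries land in the three states the replies distinguish: accepted by the provider's MX (`sent`), accepted locally but not yet delivered (`deferred`, which is what a queued-and-retrying message looks like), and absent from the SMTP log altogether, which is the "never made it off the local server" case. `attempts_near` is the time-and-recipient search Byron describes, and its output is the short excerpt to ask the provider for instead of the whole log.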
Re: Emails MIA
If the email was BCC to you and it arrived then it was successfully sent. You should tell the recipient to check his own spam folder and mail logs.

I would also suggest you stop using the host's default mail settings and instead relay through a mailbox on your own domain; then you can see them in your sent items at least.

Also, if the host provides a free unlimited SMTP server on localhost this will not only affect web server performance but cause mail delays if other sites send bulk email.

The best solution is to use a service such as sendgrid.com and use the API to send email rather than SMTP.

Russ Michaels
www.michaels.me.uk
cfmldeveloper.com
cflive.net
cfsearch.com

On 5 Aug 2014 12:27, "Kevin Parker" wrote:

> Hi guys - wonder if anyone can give a little advice on a missing emails
> issue.
> Of course this is the old some arrive and some don't issue (but most
> arrive)
> - it would be a lot easier if none arrived.
>
> The site is running CF8 on IIS with a SQL Server dbase - mail server is set
> in CFMAIL to localhost as specified by the shared hosting provider.
>
> Basic application process is a client requests a medical service by filling
> in an online form and hits submit.
>
> Database updates OK.
>
> Email to the client arrives OK (BCC to me arrives OK).
>
> Email to the service provider (there's only one) arrives most times but
> occasionally doesn't (BCC to me arrives OK).
>
> Issues only occur with service provider emails (BCC to me is OK). Their
> network provider advises the missing emails don't even hit their mail
> server
> - they run their own mail server and don't use their ISP's mail system. The
> usual suspects of anti-spam systems and junk mail have been checked but
> nothing extraordinary there.
>
> I've approached the hosting provider to see if we can get SMTP logs but
> they
> won't provide them because they contain other customer data - that's
> understandable but we could only ask.
>
> Is there anything I can do application side to provide some tracking or
> auditing or something so we can try to track this down.
>
> Thanks guys
>
> ++
> Kevin Parker
> ++

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359055
Emails MIA
Hi guys - wonder if anyone can give a little advice on a missing emails issue. Of course this is the old "some arrive and some don't" issue (but most arrive) - it would be a lot easier if none arrived.

The site is running CF8 on IIS with a SQL Server dbase - mail server is set in CFMAIL to localhost as specified by the shared hosting provider.

Basic application process is a client requests a medical service by filling in an online form and hits submit.

Database updates OK.

Email to the client arrives OK (BCC to me arrives OK).

Email to the service provider (there's only one) arrives most times but occasionally doesn't (BCC to me arrives OK).

Issues only occur with service provider emails (BCC to me is OK). Their network provider advises the missing emails don't even hit their mail server - they run their own mail server and don't use their ISP's mail system. The usual suspects of anti-spam systems and junk mail have been checked but nothing extraordinary there.

I've approached the hosting provider to see if we can get SMTP logs but they won't provide them because they contain other customer data - that's understandable but we could only ask.

Is there anything I can do application side to provide some tracking or auditing or something so we can try to track this down.

Thanks guys

++
Kevin Parker
++

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359054