Re: HoF invaded
On Tuesday 15 Sep 2009, Jacob wrote:
> Format C: - Reinstall apps - restore data from backup.

Although probably OK in this case, note that malware could be hiding in the BIOS, Intel vPro etc. etc., especially if you have been targeted specifically.

--
Helping to efficiently establish market-driven experiences as part of the IT team of the year, '09 and '08

This email is sent for and on behalf of Halliwells LLP.

~| Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326534
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4
HoF invaded
Somehow, every .cfm file on the HoF site has been infected with a malware script tag. I'm cleaning it out now but it's a bit worrisome as to how it got on. I'll have an update as soon as I run a cleaner regex against the whole site.

--
Michael Dinowitz (http://www.linkedin.com/in/mdinowitz)
President: House of Fusion (http://www.houseoffusion.com)
Publisher: Fusion Authority (http://www.fusionauthority.com)
Adobe Community Expert / Advanced Certified ColdFusion Professional
Yes, I am Mr. Bad Boy for everyone.
RE: HoF invaded
Ouch. Are you on shared hosting? I would change every FTP password stat. Good Luck.

~Brad

Original Message
Subject: HoF invaded
From: Michael Dinowitz mdino...@houseoffusion.com
Date: Tue, September 15, 2009 11:46 am
To: cf-talk cf-talk@houseoffusion.com

> Somehow, every .cfm file on the HoF site has been infected with a malware script tag.
Re: HoF invaded
My own machine. If it was FTP then there would be logs. I'm downloading all of the .cfm files and using powergrep to remove all of the malware script tags. It takes more time to FTP than it does to fix. I should install powergrep on the server. My 'local copy' is sitting at home and I'm in the city so it's easier just to bring it down, fix it, and send it back up. It'll be done soon.

On Tue, Sep 15, 2009 at 12:54 PM, b...@bradwood.com wrote:
> Ouch. Are you on shared hosting? I would change every FTP password stat. Good Luck.
> ~Brad
RE: HoF invaded
Is it the actual file itself? That means someone got into your site via FTP. I told you that you shouldn't have left the password as 1234. :) But seriously. Sorry to hear about that Michael. Keep us posted.

-----Original Message-----
From: b...@bradwood.com [mailto:b...@bradwood.com]
Sent: Tuesday, September 15, 2009 11:54 AM
To: cf-talk
Subject: RE: HoF invaded

> Ouch. Are you on shared hosting? I would change every FTP password stat. Good Luck.
> ~Brad
Re: HoF invaded
Each and every .cfm file that is on a site that is mapped to IIS was affected. If a .cfm was in a non-mapped directory then it was not touched. This says to me that the hole is in IIS.

On Tue, Sep 15, 2009 at 1:02 PM, Andy Matthews li...@commadelimited.com wrote:
> Is it the actual file itself? That means someone got into your site via FTP. I told you that you shouldn't have left the password as 1234. :) But seriously. Sorry to hear about that Michael. Keep us posted.
Re: HoF invaded
Or the user account the web/app server runs as shouldn't have write access to the code it's executing? Sure, it might be a hole in IIS, but IIS is like a sieve, and you shouldn't be able to modify the code in place like that in any case.

On Tue, Sep 15, 2009 at 10:14 AM, Michael Dinowitz mdino...@houseoffusion.com wrote:
> Each and every .cfm file that is on a site that is mapped to IIS was affected. If a .cfm was in a non-mapped directory then it was not touched. This says to me that the hole is in IIS.
Re: HoF invaded
Sorry to hear about the problems on HoF. Thanks for letting us know. I was about to post a message about HoF being flagged as a possible malware site in Google. But I see you discovered the problem already.
RE: HoF invaded
> Each and every .cfm file that is on a site that is mapped to IIS was affected. If a .cfm was in a non-mapped directory then it was not touched. This says to me that the hole is in IIS.

I suspect you have a query vulnerable to SQL injection.

Paul
Re: HoF invaded
> Each and every .cfm file that is on a site that is mapped to IIS was affected. If a .cfm was in a non-mapped directory then it was not touched. This says to me that the hole is in IIS.

Unless you're running a very old version of IIS, this is highly unlikely. You almost certainly have some script (CF or other) that is rewriting the other scripts. You should be able to use the IIS logs to find the call to this script, and you should be able to look at the date of one of the modified files to see when this was done.

To remediate the problem, whatever services run scripts (CF or other) should not run as a user with permissions to write to these files. Unless you're using CFFILE all over your site, this shouldn't be a problem. CF should not be running as SYSTEM.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
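The triage Dave describes (line up the modification time of the altered files with the IIS log to find the request that did the writing), as an added example that is not code from the thread: it parses a constructed IIS W3C extended log excerpt, takes constructed file mtimes (in real use collected with os.stat over the webroot), and counts the requests that arrived in the window just before each write. Script paths, client addresses and timestamps are all invented.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed IIS 6 W3C log excerpt (not a real HoF log). Client IPs are
# documentation ranges; the script names are invented.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2009-09-15 14:02:11 10.0.0.5 GET /index.cfm - 203.0.113.7 Mozilla/4.0 200
2009-09-15 14:05:40 10.0.0.5 POST /tools/filemgr.cfm - 198.51.100.23 Mozilla/4.0 200
2009-09-15 14:05:42 10.0.0.5 GET /forums/view.cfm id=12 203.0.113.7 Mozilla/4.0 200
2009-09-15 14:05:44 10.0.0.5 POST /tools/filemgr.cfm - 198.51.100.23 Mozilla/4.0 200
2009-09-15 15:30:01 10.0.0.5 GET /index.cfm - 203.0.113.9 Mozilla/4.0 200
"""

# Constructed mtimes of two altered .cfm files. In real use collect them with
# os.stat(path).st_mtime over the webroot; IIS logs in UTC, so convert first.
ALTERED_MTIMES = [
    datetime(2009, 9, 15, 14, 5, 41),
    datetime(2009, 9, 15, 14, 5, 45),
]


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield rec


def requests_before_writes(log_text, mtimes, window_seconds=120):
    """Count (method, uri-stem, client ip) for every request that arrived in
    the window_seconds before any altered file's mtime. The request that
    rewrote the files shows up once per write it caused."""
    counts = Counter()
    records = list(parse_w3c(log_text))
    for mtime in mtimes:
        lo = mtime - timedelta(seconds=window_seconds)
        for r in records:
            if lo <= r["ts"] <= mtime:
                counts[(r["cs-method"], r["cs-uri-stem"], r["c-ip"])] += 1
    return counts


def prime_suspect(log_text, mtimes, window_seconds=120):
    """The most frequent request across the windows, or None. Treat it as a
    lead, not proof: logs on a compromised host may themselves be edited."""
    counts = requests_before_writes(log_text, mtimes, window_seconds)
    return counts.most_common(1)[0][0] if counts else None
```

With the constructed data the two POSTs to /tools/filemgr.cfm from the same client fall inside both write windows, so they dominate the count; on a real server you would then read that script and its access controls.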
Re: HoF invaded
>> Each and every .cfm file that is on a site that is mapped to IIS was affected. If a .cfm was in a non-mapped directory then it was not touched. This says to me that the hole is in IIS.

> I suspect you have a query vulnerable to SQL injection.

If the attack actually caused the malware script to be written to CF files, I think this is somewhat unlikely. Most automated SQL injection attacks I've seen don't rewrite files, they add stuff to database fields to have that rendered at runtime. Of course, if HoF uses something to generate files from database queries, all bets are off.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!
RE: HoF invaded
While this is possible via xp_cmdshell (MS SQL Server), it is unlikely since the majority of SQLi attacks affect your data and MD stated that the actual .cfm files themselves had the text inserted.

~Brad

Original Message
Subject: RE: HoF invaded
From: Paul Vernon paul.ver...@web-architect.co.uk

> I suspect you have a query vulnerable to SQL injection.
Re: HoF invaded
Nope. I have very strong protection against that on multiple levels. And again, if that was the case it would affect more than just public-facing .cfm files.

> I suspect you have a query vulnerable to SQL injection.
> Paul
Re: HoF invaded
Michael Dinowitz wrote:
> Somehow, every .cfm file on the HoF site has been infected with a malware script tag. I'm cleaning it out now but it's a bit worrisome as to how it got on. I'll have an update as soon as I run a cleaner regex against the whole site.

This does sound like a currently unpatched IIS vulnerability published by MS dealing with the FTP service.
Re: HoF invaded
If the MS FTP was enabled then maybe, but it's not. Unless it is and it is hidden for some reason.

On Tue, Sep 15, 2009 at 2:41 PM, Ian Skinner h...@ilsweb.com wrote:
> This does sound like a currently unpatched IIS vulnerability published by MS dealing with the FTP service.
Re: HoF invaded
On Tue, Sep 15, 2009 at 1:00 PM, Michael Dinowitz mdino...@houseoffusion.com wrote:
> My own machine. If it was FTP then there would be logs.

Never assume your logs are accurate on a compromised machine.

Sorry to hear this happened - good luck with the cleanup...

-Cameron
RE: HoF invaded
Format C: - Reinstall apps - restore data from backup.

Backup? Hmm... ;-)

-----Original Message-----
From: Cameron Childress [mailto:camer...@gmail.com]
Sent: Tuesday, September 15, 2009 2:06 PM
To: cf-talk
Subject: Re: HoF invaded

> Never assume your logs are accurate on a compromised machine.
> Sorry to hear this happened - good luck with the cleanup...
> -Cameron
Re: HoF invaded
On Tue, Sep 15, 2009 at 5:31 PM, Jacob ja...@excaliburfilms.com wrote:
> Format C: - Reinstall apps - restore data from backup.
> Backup? Hmm... ;-)

I saw this once before; it only targeted index.cfm files and was due to an employee's computer being compromised, and it did the same thing as what is happening here. This person had FTP access to the site. The person's computer in turn grabbed the current copy of the page, added code, and uploaded it to all folders available, which of course means your mapped folders if they are in your FTP site. Check all users who have FTP access to this server now.
Re: HoF invaded
Can you give us some of the text that was added to each file? And was it added to the same spot in each file (like top or bottom?) I have a monitor that checks my website every 5 minutes for changes to the database.. I should probably add a function to compare the text on the page and tell me if it ever changes..
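The page-change monitor the poster is thinking of adding, as an added example (not the poster's monitor and not HoF code): a Python integrity check that hashes every .cfm under a webroot into a baseline, reports what was modified, added or removed, and lists any <script src> hosts in the changed files that are not on an allow list. The sample files, hostnames and allow list are constructed; snapshot_dir() is the only part that touches a real filesystem.

```python
import hashlib
import os
import re

# Matches the host part of a <script src="..."> tag, with or without scheme.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)


def snapshot_dir(root, ext=".cfm"):
    """Read every file with `ext` under root into {relative path: bytes}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(ext):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    files[os.path.relpath(path, root).replace(os.sep, "/")] = fh.read()
    return files


def baseline(files):
    """{path: sha256 hex} of a snapshot. Store it where the web server account
    cannot write, or the monitor can be silenced along with the site."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}


def compare(base, files):
    """(modified, added, removed) path lists, each sorted."""
    now = baseline(files)
    modified = sorted(p for p in now if p in base and now[p] != base[p])
    added = sorted(p for p in now if p not in base)
    removed = sorted(p for p in base if p not in now)
    return modified, added, removed


def foreign_script_hosts(content, allowed_hosts=()):
    """Hosts referenced by <script src> that are not on the allow list."""
    hosts = {h.lower() for h in SCRIPT_SRC.findall(content.decode("utf-8", "replace"))}
    return sorted(hosts - {h.lower() for h in allowed_hosts})


def report(base, files, allowed_hosts=()):
    """One (path, foreign hosts) finding per modified or added file."""
    modified, added, _ = compare(base, files)
    return [(p, foreign_script_hosts(files[p], allowed_hosts)) for p in modified + added]


# Constructed sample: a clean baseline, then the same files after a mass edit
# that appended one foreign script tag to every page (hostnames invented).
CLEAN = {
    "index.cfm": b'<cfset x = 1><html><script src="//cdn.example/ui.js"></script><body>Hi</body></html>',
    "forums/view.cfm": b"<cfquery name='q' datasource='hof'>select 1</cfquery>",
}
INJECTED = b'<script src="http://malware.example/x.js"></script>'
TAMPERED = {p: body + INJECTED for p, body in CLEAN.items()}
BASE = baseline(CLEAN)
```

Run compare(BASE, snapshot_dir(webroot)) from the scheduled task and alert on any non-empty result; the hash diff catches the change even when the injected tag is obfuscated, and the host check only adds context.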
Re: HoF invaded
It happened to a Linux site that I maintain that runs Apache... Here's how it happened: another user had the FTP credentials in FrontPage (but I suspect it could have been any standard Windows FTP program) and they visited a malware site, got a virus on their machine, and it found the ability to FTP to my site and it updated every HTML page on the site (but not the .php files) - without their knowledge.

Another possible vector would be the recent FCKeditor vulnerability that was used to target a lot of ColdFusion sites - did you patch that as soon as it was known?

Sean

On Tue, Sep 15, 2009 at 10:00 AM, Michael Dinowitz mdino...@houseoffusion.com wrote:
> My own machine. If it was FTP then there would be logs.