Re: New Security Issue with CF

2013-01-05 Thread John M Bliss

Another:
http://blogs.coldfusion.com/post.cfm/a-new-security-advisory-for-coldfusion-is-now-available


On Fri, Jan 4, 2013 at 7:55 PM, Eric Bourland e...@ebwebwork.com wrote:


 Claude, thank you. That's really helpful information and gives me
 perspective. Eric

 -Original Message-
 From: Claude Schnéegans schneeg...@internetique.com
 [mailto:Claude Schnéegans schneegans@internetique.com]
 Sent: Friday, January 04, 2013 4:16 PM
 To: cf-talk
 Subject: Re: New Security Issue with CF


  I downloaded and reviewed the h.cfm file -- yeah, it is pretty clever.

 The file itself is some tool designed to be used by developers, probably
 not developed by the hacker himself. He just found a way to store it on
 servers.

  but how did that hacker place the h.cfm file in /CFIDE/ to begin with?

 I'm not going to unveil the trick here; all I can say is that there must be
 a programmer at Adobe not very proud of himself, if he is still working for
 Adobe today.




 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353785
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


Re: New Security Issue with CF

2013-01-04 Thread John M Bliss

First official comment from Adobe(?)

http://blogs.adobe.com/psirt/2013/01/upcoming-security-advisory-for-coldfusion.html



On Thu, Jan 3, 2013 at 8:11 AM, Robert Rhodes rrhode...@gmail.com wrote:


 I looked into this a bit more this morning, and have realized that I may
 have gotten very lucky.

 In going through the logs again, I see that there were no POSTs to h.cfm.
  So the hacker never logged into h.cfm.  And I see no GETs with a
 fuseaction, as described in Charlie's post.

 I ran the hacker's script again to confirm that logging in shows a POST in
 my logs.  I also tried some of the non-destructive actions he could take,
 and found that those caused either a POST or GET+fuseaction.

 I think I dodged a bullet here.


 -- Forwarded message --
 From: Robert Rhodes rrhode...@gmail.com
 Date: Thu, Jan 3, 2013 at 12:00 AM
 Subject: Re: New Security Issue with CF
 To: cf-talk@houseoffusion.com


 Thanks.  I saw that afterwards.  I was freaking out a bit there. Still am.
 :(

 I have gone through the logs on that server (windows 2008 R2 server running
  IIS7.5 and CF9.02) and the hacker loaded his script 1 time each on 15
 different sites.

 They all look like this:
 2013-01-02 00:15:15 192.168.55.129 GET /CFIDE/h.cfm - 80 - 178.170.124.210
 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 171

 But on 3 of the sites, he also loaded: help.cfm,
 administrator.cfc, mappings.cfm, scheduleedit.cfm, and scheduletasks.cfm,
 but there are no scheduled tasks showing in the administrator.

 I checked the CF Administrator log and found nothing.

 Fortunately, he missed the one site (none of his crap shows up in its logs)
 where there was sensitive information, so assuming he could not traverse
 directories, I am hoping I am ok there.

 I ran his file (after renaming it), and none of my datasources showed up
 (it was an empty select). I am hoping I am good there too. It looks like
 his script needs to be driven by a human (a lot of it is a form).  So I
 am hoping that the one hit I see on most of those sites is an automated hit
 to see if the script is there, then he was going to come around later and
 do his damage -- and he never did.  Wishful thinking, right?

 I don't see any other signs of trouble anywhere, but am very worried that
 something bad has happened that I have just not stumbled on yet.

 Any suggestions or advice?  Any place else I should be looking? Am I
 fooling myself to think I got lucky here?

 I have shut down CF on that server and am now searching all other servers
 for h.cfm.  So far nothing.

 Tomorrow, I will completely wipe that server and reload it.

 -RR


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353765


Re: New Security Issue with CF

2013-01-04 Thread Money Pit

Things must be bad if they are issuing something that ominous-sounding
without a solution.

-- 
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353767


Re: New Security Issue with CF

2013-01-04 Thread Brian Cain

Don't get me wrong, I detest hackers and their exploits, but I think the
way this one works is quite ingenious.  My server did get hit, but after
reviewing the log files and checking for changes, I don't think they did
anything.  I am thankful for that, cause they could have done some major
damage.  We migrated to a virtual environment and from CF7 to CF9 a few
months ago.  Ironically, we were protected under CF7, but I neglected to
fully lock down the server after we migrated.  Live and learn.  I am
surprised there has not been more activity on this considering the severity
of the possible compromise.


On Fri, Jan 4, 2013 at 12:55 PM, Money Pit websitema...@gmail.com wrote:


 Things must be bad if they are issuing something that ominous-sounding
 without a solution.

 --
 --m@Robertson--
 Janitor, The Robertson Team
 mysecretbase.com

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353770


Re: New Security Issue with CF

2013-01-04 Thread Claude Schnéegans

 but i think the way this one works quite ingenious.

I'm not sure if it is as much ingenious as the breach is gross, frankly.
Have you seen how the scheduled task could have been set?


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353771


Re: New Security Issue with CF

2013-01-04 Thread Steve Artis

Yes

Sent from my iPhone

On Jan 4, 2013, at 12:28 PM, Claude Schnéegans schneeg...@internetique.com 
wrote:

 
 but i think the way this one works quite ingenious.
 
 I'm not sure if it is as much ingenious as the breach is gross, frankly.
 Have you seen how the schedule task could have been set?
 
 
 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353772


Fwd: New Security Issue with CF

2013-01-04 Thread Steve Artis

I apologize to the list this was not supposed to be sent.

Sent from my iPhone

Begin forwarded message:

From: Steve Artis st...@artisdesigns.com
Date: January 4, 2013, 12:30:16 PM MST
To: cf-talk cf-talk@houseoffusion.com
Subject: Re: New Security Issue with CF
Reply-To: cf-talk@houseoffusion.com


Yes

Sent from my iPhone

On Jan 4, 2013, at 12:28 PM, Claude Schnéegans
schneeg...@internetique.com wrote:


but i think the way this one works quite ingenious.

I'm not sure if it is as much ingenious as the breach is gross, frankly.
Have you seen how the schedule task could have been set?






Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353775


RE: New Security Issue with CF

2013-01-04 Thread Eric Bourland

I have locked down the default /CFIDE/administrator and /CFIDE/adminapi/
folder in /inetpub/; I also locked down the virtual /CFIDE/ folders that I
created for my various ColdFusion web sites. Only 127.0.0.1 can access them
now.

After reading Charlie's posts, I think this is a good time to review the CF
9 lockdown guide as well.

I downloaded and reviewed the h.cfm file -- yeah, it is pretty clever.

This might sound like a basic question, but how did that hacker place the
h.cfm file in /CFIDE/ to begin with? By utilizing tools that already existed
in /CFIDE/?

Eric

-Original Message-
From: Steve Artis [mailto:st...@artisdesigns.com] 
Sent: Friday, January 04, 2013 1:30 PM
To: cf-talk
Subject: Re: New Security Issue with CF


Yes

Sent from my iPhone

On Jan 4, 2013, at 12:28 PM, Claude Schnéegans
schneeg...@internetique.com wrote:

 
 but i think the way this one works quite ingenious.
 
 I'm not sure if it is as much ingenious as the breach is gross, frankly.
 Have you seen how the schedule task could have been set?
 
 
 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353776


Re: New Security Issue with CF

2013-01-04 Thread Claude Schnéegans

 I downloaded and reviewed the h.cfm file -- yeah, it is pretty clever.

The file itself is some tool designed to be used by developers, probably not 
developed by the hacker himself. He just found a way to store it on servers.

 but how did that hacker place the h.cfm file in /CFIDE/ to begin with?

I'm not going to unveil the trick here; all I can say is that there must be a 
programmer at Adobe not very proud of himself, if he is still working for Adobe 
today.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353780


Re: New Security Issue with CF

2013-01-04 Thread Justin Scott

 The file itself is some tool designed to be used by developers, probably
 not developed by rhe hacker himself. He just found a way to store it on
 servers.

I've seen this tool make the rounds before through other attack
vectors.  It's been around since at least ColdFusion MX 6.  The
undocumented servicefactory it's calling to get datasources only works
on CF 6 but was deprecated in 7, if I remember correctly, which is why
the datasource list is blank on more modern versions where this is
dropped in.  The script is old, but the insertion method is new.


-Justin

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353781


Re: New Security Issue with CF

2013-01-04 Thread Brian Cain

I agree.  It is the insertion method I am intrigued by.  It is that type of non-linear 
thinking that we as developers use to create elegant solutions.  The 
tool is ugly, and not that special, but the insertion method is clever.

What I don't understand is why Adobe would allow something like the scheduler 
to be called without authentication.  Seems like a glaring oversight to me.

Brian Cain

On Jan 4, 2013, at 5:16 PM, Justin Scott leviat...@darktech.org wrote:

 
 The file itself is some tool designed to be used by developers, probably
 not developed by rhe hacker himself. He just found a way to store it on
 servers.
 
 I've seen this tool make the rounds before through other attack
 vectors.  It's been around since at least ColdFusion MX 6.  The
 undocumented servicefactory it's calling to get datasources only works
 on CF 6 but was deprecated in 7, if I remember correctly, which is why
 the datasource list is blank on more modern versions where this is
 dropped in.  The script is old, but the insertion method is new.
 
 
 -Justin
 
 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353782


RE: New Security Issue with CF

2013-01-04 Thread Eric Bourland

Claude, thank you. That's really helpful information and gives me
perspective. Eric

-Original Message-
From: Claude Schnéegans schneeg...@internetique.com
[mailto:Claude Schnéegans schneegans@internetique.com]
Sent: Friday, January 04, 2013 4:16 PM
To: cf-talk
Subject: Re: New Security Issue with CF


 I downloaded and reviewed the h.cfm file -- yeah, it is pretty clever.

The file itself is some tool designed to be used by developers, probably not
developed by the hacker himself. He just found a way to store it on servers.

 but how did that hacker place the h.cfm file in /CFIDE/ to begin with?

I'm not going to unveil the trick here; all I can say is that there must be
a programmer at Adobe not very proud of himself, if he is still working for Adobe
today.




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353784


Fwd: New Security Issue with CF

2013-01-03 Thread Robert Rhodes

I looked into this a bit more this morning, and have realized that I may
have gotten very lucky.

In going through the logs again, I see that there were no POSTs to h.cfm.
 So the hacker never logged into h.cfm.  And I see no GETs with a
fuseaction, as described in Charlie's post.

I ran the hacker's script again to confirm that logging in shows a POST in
my logs.  I also tried some of the non-destructive actions he could take,
and found that those caused either a POST or GET+fuseaction.

I think I dodged a bullet here.


-- Forwarded message --
From: Robert Rhodes rrhode...@gmail.com
Date: Thu, Jan 3, 2013 at 12:00 AM
Subject: Re: New Security Issue with CF
To: cf-talk@houseoffusion.com


Thanks.  I saw that afterwards.  I was freaking out a bit there. Still am.
:(

I have gone through the logs on that server (windows 2008 R2 server running
 IIS7.5 and CF9.02) and the hacker loaded his script 1 time each on 15
different sites.

They all look like this:
2013-01-02 00:15:15 192.168.55.129 GET /CFIDE/h.cfm - 80 - 178.170.124.210
python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 171

But on 3 of the sites, he also loaded: help.cfm,
administrator.cfc, mappings.cfm, scheduleedit.cfm, and scheduletasks.cfm,
but there are no scheduled tasks showing in the administrator.

I checked the CF Administrator log and found nothing.

Fortunately, he missed the one site (none of his crap shows up in its logs)
where there was sensitive information, so assuming he could not traverse
directories, I am hoping I am ok there.

I ran his file (after renaming it), and none of my datasources showed up
(it was an empty select). I am hoping I am good there too. It looks like
his script needs to be driven by a human (a lot of it is a form).  So I
am hoping that the one hit I see on most of those sites is an automated hit
to see if the script is there, then he was going to come around later and
do his damage -- and he never did.  Wishful thinking, right?

I don't see any other signs of trouble anywhere, but am very worried that
something bad has happened that I have just not stumbled on yet.

Any suggestions or advice?  Any place else I should be looking? Am I
fooling myself to think I got lucky here?

I have shut down CF on that server and am now searching all other servers
for h.cfm.  So far nothing.

Tomorrow, I will completely wipe that server and reload it.

-RR


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353742
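The log-triage reasoning Robert walks through above (a lone GET of /CFIDE/h.cfm is a check that the file is there, a POST to h.cfm or a GET carrying a fuseaction means the tool was actually used, and hits on the administrator templates from anywhere but the box itself deserve a look), written out as an added Python example that is not part of the thread. It assumes the 14-field IIS W3C layout of the log line Robert quoted; that line is reused verbatim, every other line is constructed (documentation addresses, illustrative directory parts on the administrator paths, and fuseaction=example as a placeholder for whatever action value the tool really takes).

```python
"""Triage IIS W3C log lines for activity against /CFIDE/ (added example)."""
from collections import Counter
from ipaddress import ip_address

# Assumed field order, matching the 14-field sample line quoted in the thread:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "status", "substatus",
          "win32_status", "time_taken"]

# Administrator templates the thread saw requested alongside h.cfm.
ADMIN_TEMPLATES = {"administrator.cfc", "mappings.cfm",
                   "scheduleedit.cfm", "scheduletasks.cfm"}

# Entry 1 is the line quoted in the thread; the others are constructed
# (203.0.113.x / 198.51.100.x are documentation addresses, the directory parts
# of the administrator paths are illustrative, and fuseaction=example is a
# placeholder for whatever action value the tool actually uses).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 7.5",
    "2013-01-02 00:15:15 192.168.55.129 GET /CFIDE/h.cfm - 80 - 178.170.124.210 "
    "python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 171",
    "2013-01-02 00:15:16 192.168.55.129 GET /CFIDE/administrator/scheduler/scheduleedit.cfm - 80 - "
    "203.0.113.10 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 40",
    "2013-01-02 00:20:01 192.168.55.129 POST /CFIDE/h.cfm - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 120",
    "2013-01-02 00:20:05 192.168.55.129 GET /CFIDE/h.cfm fuseaction=example 80 - 203.0.113.10 Mozilla/5.0 200 0 0 88",
    "2013-01-02 09:00:00 192.168.55.129 GET /CFIDE/administrator/scheduler/scheduletasks.cfm - 80 - "
    "127.0.0.1 Mozilla/5.0 200 0 0 30",
    "2013-01-02 09:05:00 192.168.55.129 GET /index.cfm - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 15",
]


def parse_line(line):
    """Split one W3C log line into a dict, or return None if it is not 14 fields."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def is_remote(c_ip):
    """True unless the client address is loopback; unparsable addresses count as remote."""
    try:
        return not ip_address(c_ip).is_loopback
    except ValueError:
        return True


def classify(rec):
    """Label one request the way the thread reasons about its logs, or None."""
    stem = rec["uri_stem"].lower()
    if not stem.startswith("/cfide/"):
        return None
    method = rec["method"].upper()
    query = "" if rec["uri_query"] == "-" else rec["uri_query"].lower()
    if stem.endswith("/h.cfm"):
        if method == "POST":
            return "h.cfm-login-or-action"   # the tool's form was submitted
        if "fuseaction=" in query:
            return "h.cfm-action"            # a GET-driven action of the tool
        return "h.cfm-probe"                 # bare GET: a check that the file is there
    if stem.rsplit("/", 1)[-1] in ADMIN_TEMPLATES and is_remote(rec["c_ip"]):
        return "admin-template-remote"       # administrator pages hit from off-box
    return None


def triage(lines):
    """Return (label, client ip, method, path) for every suspicious line."""
    findings = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings.append((label, rec["c_ip"], rec["method"], rec["uri_stem"]))
    return findings


def summarize(findings):
    """Count findings per label so a probe-only server stands out from a worked one."""
    return Counter(label for label, _ip, _method, _path in findings)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(dict(summarize(hits)))
```

Run against a real IIS log, a server whose only finding is a single h.cfm-probe per site matches the pattern Robert describes as "dodging a bullet", while any h.cfm-login-or-action, h.cfm-action or admin-template-remote entry is a reason to treat the host as worked rather than merely probed. The loopback check exists because a legitimate administrator reaching scheduletasks.cfm from the box itself should not be flagged.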


New Security Issue with CF

2013-01-02 Thread Larry Lyons

A new CF security issue was just discovered a few days ago. You may want to 
forward this information to whoever is your CF Admin.

http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat

To make a very long story short, the exploit allows a hacker to upload a file 
that is put on the server. This gives a hacker pretty much unfettered access to a 
lot of things including reading/downloading/uploading/renaming and creating 
files, accessing datasource information, and more.


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353730


Re: New Security Issue with CF

2013-01-02 Thread Russ Michaels

and also read the following article.
http://www.michaels.me.uk/post.cfm/securing-your-coldfusionmx-installation-on-windows


On Wed, Jan 2, 2013 at 7:47 PM, Larry Lyons larrycly...@gmail.com wrote:


 A new CF security issue was just discovered a few days ago. You may want
 to forward this information to whomever is your CF Admin.


 http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat

 To make a very long story short, the exploit allows a hacker to upload a
 file is put on the server. This gives a hacker pretty much unfettered
 access to a lot of things including reading/downloading/uploading/renaming
 and creating files, accessing datasource information, and more.


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353731


Re: New Security Issue with CF

2013-01-02 Thread Money Pit

Thanks for posting.  I thought I had my stuff locked down pretty well
but I screwed up and left a door open.  The nature of this is almost
unbelievably nasty.

-- 
--m@Robertson--
Janitor, The Robertson Team
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353732


Re: New Security Issue with CF

2013-01-02 Thread Robert Rhodes

Oh man I just looked and one of my standby servers got hit with this.
 Somehow we forgot to patch that one.  It had a bunch of sites on it, but
none of them were actually live (because it was a standby server).

So I have questions.

Does anyone know what this thing does?

I can just wipe this box and reload it, but it was on the network with our
other windows servers (some of which are SQL database servers).  Is it
possible this hacker could have accessed other servers through this
hack?

Do we know the steps yet to clean up the mess?

Any idea where to look for damage that the hacker has caused?

I am a little lost here.

:(

-RR

On Wed, Jan 2, 2013 at 3:52 PM, Russ Michaels r...@michaels.me.uk wrote:


 and also read the following article.

 http://www.michaels.me.uk/post.cfm/securing-your-coldfusionmx-installation-on-windows


 On Wed, Jan 2, 2013 at 7:47 PM, Larry Lyons larrycly...@gmail.com wrote:

 
  A new CF security issue was just discovered a few days ago. You may want
  to forward this information to whomever is your CF Admin.
 
 
 
 http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
 
  To make a very long story short, the exploit allows a hacker to upload a
  file is put on the server. This gives a hacker pretty much unfettered
  access to a lot of things including
 reading/downloading/uploading/renaming
  and creating files, accessing datasource information, and more.
 
 
 

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353733


Re: New Security Issue with CF

2013-01-02 Thread Raymond Camden

Charlie posted an update:
http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat


On Wed, Jan 2, 2013 at 9:00 PM, Robert Rhodes rrhode...@gmail.com wrote:


 Oh man I just looked and one of my standby servers got hit with this.
  Somehow we forgot to patch that one.  It had a bunch of sites on it, but
 none of them were actually live (because it was a standby server).

 So I have questions.

 Does anyone know that this thing does?

 I can just wipe this box and reload it, but it was on the network with our
 other windows servers (some of which are SQL database servers).  Is it
 possible this hacker could have accessed other other servers through this
 hack?

 Do we know the steps yet to clean up the mess?

 Any idea where to look for damage that the hacker has caused?

 I am a little lost here.

 :(

 -RR

 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353734


RE: New Security Issue with CF

2013-01-02 Thread Eric Bourland

I am reading up on Charlie's blog posts. (Thank you, Charlie.) My ColdFusion
9.0.2 server was hit with this.

I found h.cfm in /CFIDE/ with file date 12/24/2012. I deleted it.

No new scheduled tasks were set in my CF Admin.

I use IIS 7.5 on Windows 2008.

Can someone review the exact steps needed to lock down the /CFIDE/
directory, yet make /CFIDE/scripts/ available for use by ColdFusion?

All of my web sites and databases seem unaltered. But I am obviously a
nervous wreck about this new security hole.

Eric


-Original Message-
From: Raymond Camden [mailto:raymondcam...@gmail.com] 
Sent: Wednesday, January 02, 2013 9:16 PM
To: cf-talk
Subject: Re: New Security Issue with CF


Charlie posted an update:
http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat


On Wed, Jan 2, 2013 at 9:00 PM, Robert Rhodes rrhode...@gmail.com wrote:


 Oh man I just looked and one of my standby servers got hit with this.
  Somehow we forgot to patch that one.  It had a bunch of sites on it, 
 but none of them were actually live (because it was a standby server).

 So I have questions.

 Does anyone know that this thing does?

 I can just wipe this box and reload it, but it was on the network with 
 our other windows servers (some of which are SQL database servers).  
 Is it possible this hacker could have accessed other other servers 
 through this hack?

 Do we know the steps yet to clean up the mess?

 Any idea where to look for damage that the hacker has caused?

 I am a little lost here.

 :(

 -RR




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353735


Re: New Security Issue with CF

2013-01-02 Thread Robert Rhodes

Thanks.  I saw that afterwards.  I was freaking out a bit there. Still am.
:(

I have gone through the logs on that server (windows 2008 R2 server running
 IIS7.5 and CF9.02) and the hacker loaded his script 1 time each on 15
different sites.

They all look like this:
2013-01-02 00:15:15 192.168.55.129 GET /CFIDE/h.cfm - 80 - 178.170.124.210
python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 171

But on 3 of the sites, he also loaded: help,cfm,
administrator.cfc, mappings.cfm, scheduleedit.cfm, and  scheduletasks.cfm
 but there are no scheduled tasks showing in the administrator.

I checked the CF Administrator log and found nothing.

Fortunately, he missed the one site (none of his crap shows up in its logs)
where there was sensitive information, so assuming he could not traverse
directories, I am hoping I am ok there.

I ran his file (after renaming it), and none of my datasources showed up
(it was an empty select). I am hoping I am good there too. It looks like
his script it needs to be driven by a human (a lot of it is a form).  So I
am hoping that the one hit I see on most of those sites is an automated hit
to see if the script is there, then he was going to come around later and
do his damage -- and he never did.  Wishful thinking right?

I don't see any other signs of trouble anywhere, but am very worried that
something bad has happened that I have just not stumbled on yet.

Any suggestions or advice?  Any place else I should be looking? Am I
fooling my self to think I got lucky here?

I have shut down CF on that server and am now searching all other servers
for h.cfm.  So far nothing.

Tomorrow, I will completely wipe that server and reload it.

-RR

On Wed, Jan 2, 2013 at 10:16 PM, Raymond Camden raymondcam...@gmail.com wrote:


 Charlie posted an update:

 http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat


 On Wed, Jan 2, 2013 at 9:00 PM, Robert Rhodes rrhode...@gmail.com wrote:

 
  Oh man I just looked and one of my standby servers got hit with this.
   Somehow we forgot to patch that one.  It had a bunch of sites on it, but
  none of them were actually live (because it was a standby server).
 
  So I have questions.
 
  Does anyone know that this thing does?
 
  I can just wipe this box and reload it, but it was on the network with
 our
  other windows servers (some of which are SQL database servers).  Is it
  possible this hacker could have accessed other other servers through this
  hack?
 
  Do we know the steps yet to clean up the mess?
 
  Any idea where to look for damage that the hacker has caused?
 
  I am a little lost here.
 
  :(
 
  -RR


 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353736


Re: New Security Issue with CF

2013-01-02 Thread Wil Genovese

I am investigating a server that has been hit. I am seeing that these files were created 
at the time of the attack.

C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cfh2ecfm509131890$funcLOC.class
C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cfh2ecfm509131890.class
C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cfi2ecfm506365939.class
C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cf7einfo2drequest2dsend2ecfm170364941.class

I do not know what they do as of yet.




Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Jan 2, 2013, at 11:00 PM, Robert Rhodes rrhode...@gmail.com wrote:

 
 Thanks.  I saw that afterwards.  I was freaking out a bit there. Still am.
 :(
 
 I have gone through the logs on that server (windows 2008 R2 server running
 IIS7.5 and CF9.02) and the hacker loaded his script 1 time each on 15
 different sites.
 
 They all look like this:
 2013-01-02 00:15:15 192.168.55.129 GET /CFIDE/h.cfm - 80 - 178.170.124.210
 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 171
 
 But on 3 of the sites, he also loaded: help,cfm,
 administrator.cfc, mappings.cfm, scheduleedit.cfm, and  scheduletasks.cfm
 but there are no scheduled tasks showing in the administrator.
 
 I checked the CF Administrator log and found nothing.
 
 Fortunately, he missed the one site (none of his crap shows up in its logs)
 where there was sensitive information, so assuming he could not traverse
 directories, I am hoping I am ok there.
 
 I ran his file (after renaming it), and none of my datasources showed up
 (it was an empty select). I am hoping I am good there too. It looks like
 his script needs to be driven by a human (a lot of it is a form).  So I
 am hoping that the one hit I see on most of those sites is an automated hit
 to see if the script is there, then he was going to come around later and
 do his damage -- and he never did.  Wishful thinking, right?
 
 I don't see any other signs of trouble anywhere, but am very worried that
 something bad has happened that I have just not stumbled on yet.
 
 Any suggestions or advice?  Any place else I should be looking? Am I
 fooling myself to think I got lucky here?
 
 I have shut down CF on that server and am now searching all other servers
 for h.cfm.  So far nothing.
 
 Tomorrow, I will completely wipe that server and reload it.
 
 -RR
 
 On Wed, Jan 2, 2013 at 10:16 PM, Raymond Camden
 raymondcam...@gmail.com wrote:
 
 
 Charlie posted an update:
 
 http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat
 
 
 On Wed, Jan 2, 2013 at 9:00 PM, Robert Rhodes rrhode...@gmail.com wrote:
 
 
 Oh man I just looked and one of my standby servers got hit with this.
 Somehow we forgot to patch that one.  It had a bunch of sites on it, but
 none of them were actually live (because it was a standby server).
 
 So I have questions.
 
 Does anyone know what this thing does?
 
 I can just wipe this box and reload it, but it was on the network with
 our other windows servers (some of which are SQL database servers).  Is it
 possible this hacker could have accessed other servers through this
 hack?
 
 Do we know the steps yet to clean up the mess?
 
 Any idea where to look for damage that the hacker has caused?
 
 I am a little lost here.
 
 :(
 
 -RR
 
 
 On Wed, Jan 2, 2013 at 3:52 PM, Russ Michaels r...@michaels.me.uk
 wrote:
 
 
 and also read the following article.
 
 
 
 http://www.michaels.me.uk/post.cfm/securing-your-coldfusionmx-installation-on-windows
 
 
 On Wed, Jan 2, 2013 at 7:47 PM, Larry Lyons larrycly...@gmail.com
 wrote:
 
 
 A new CF security issue was just discovered a few days ago. You may
 want
 to forward this information to whomever is your CF Admin.
 
 http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
 
 To make a very long story short, the exploit allows a hacker to
 upload a file to the server. This gives a hacker pretty much unfettered
 access to a lot of things including
 reading/downloading/uploading/renaming
 and creating files, accessing datasource information, and more.
 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353737
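An added example (not code from anyone in this thread) of the log triage Robert describes above: parse IIS W3C log lines, flag requests to /CFIDE paths named in the thread, flag scripted user agents such as python-requests, and single out POSTs to the dropped h.cfm, since a POST is what distinguishes an operator using the tool from an automated check that the file is there. The field order is taken from the line Robert quoted; the sample log below is constructed for the example (Robert's line plus made-up follow-up requests) and the path list is an assumption you should extend for your own site.

```python
"""Triage IIS W3C logs for the /CFIDE/h.cfm activity discussed in the thread.

Added example, not code from any poster. Assumed field order (from the
quoted line): date time s-ip cs-method cs-uri-stem cs-uri-query s-port
cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
time-taken. The parser honours a #Fields line, so other layouts work too.
"""
import re
from collections import defaultdict

# Constructed sample: Robert's line, then invented follow-ups that show what a
# scripted drop followed by an interactive session looks like in the log.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-01-02 00:15:15 192.168.55.129 GET /CFIDE/h.cfm - 80 - 178.170.124.210 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 171
2013-01-02 00:15:16 192.168.55.129 GET /CFIDE/administrator/index.cfm - 80 - 178.170.124.210 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 50
2013-01-02 00:20:01 192.168.55.129 GET /index.cfm - 80 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 12
2013-01-02 03:41:09 192.168.55.129 POST /CFIDE/h.cfm - 80 - 178.170.124.210 Mozilla/5.0+(X11;+Linux+x86_64) 200 0 0 420
2013-01-02 03:42:30 192.168.55.129 GET /CFIDE/administrator/scheduler/scheduleedit.cfm - 80 - 178.170.124.210 Mozilla/5.0+(X11;+Linux+x86_64) 200 0 0 88
"""

# Assumed watch list: the dropped tool, the other file name seen in the
# cfclasses listing, and the whole administrator/adminapi area.
SUSPECT_STEMS = re.compile(
    r"^/CFIDE/(h\.cfm|i\.cfm|help\.cfm|administrator/.*|adminapi/.*)$", re.I)
SUSPECT_UA = re.compile(r"python-requests|curl|wget|libwww", re.I)


def parse_w3c(text):
    """Yield one dict per log row, using the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated row; skip rather than misalign
        yield dict(zip(fields, parts))


def find_hits(text):
    """Return rows worth a look, each tagged with the reasons it was flagged."""
    hits = []
    for row in parse_w3c(text):
        reasons = []
        if SUSPECT_STEMS.match(row["cs-uri-stem"]):
            reasons.append("cfide-admin-path")
        if SUSPECT_UA.search(row["cs(User-Agent)"]):
            reasons.append("scripted-ua")
        if row["cs-method"] == "POST" and row["cs-uri-stem"].lower().endswith("/cfide/h.cfm"):
            # A POST means the form in h.cfm was submitted, not merely probed.
            reasons.append("post-to-dropped-tool")
        if reasons:
            hits.append({**row, "reasons": reasons})
    return hits


def summarize(hits):
    """Group flagged rows by client IP so each attacker's timeline is visible."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["c-ip"]].append(
            (h["date"] + " " + h["time"], h["cs-method"], h["cs-uri-stem"], ",".join(h["reasons"])))
    return dict(by_ip)


if __name__ == "__main__":
    for ip, events in summarize(find_hits(SAMPLE_LOG)).items():
        print(ip)
        for ev in events:
            print("   ", *ev)
```

Run it over the real log directory for every site on the box, not just the ones where h.cfm shows up; the absence of a GET for h.cfm on one site says nothing about /CFIDE/administrator or /CFIDE/adminapi requests on it.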


Re: New Security Issue with CF

2013-01-02 Thread Wil Genovese

Never mind - I just realized this server has template caching turned on. duh.


Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Jan 3, 2013, at 12:14 AM, Wil Genovese jugg...@trunkful.com wrote:


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353738
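An added example (not code from anyone in this thread) for the cfclasses listing Wil posted: with template caching on, ColdFusion writes one compiled class per template into WEB-INF/cfclasses, so the file names are a record of which templates were compiled around the time of the attack. The decoder below rests on one assumption, which you should verify against a template you know on your own server: the class name is "cf" plus the template file name with each non-alphanumeric character written as two lowercase hex digits, then a numeric hash, with "$func<NAME>" appended for each UDF compiled out of that template. A template whose real name contains a digit followed by a-f would decode wrongly, so treat the output as a lead, not proof.

```python
"""Map ColdFusion cfclasses file names back to the templates that produced them.

Added example, not code from any poster. Assumed naming scheme (verify on
your own server): "cf" + encoded template name + numeric hash [+ "$func" + UDF].
Non-alphanumeric characters in the template name are assumed to be written
as two lowercase hex digits, e.g. "2e" for ".", "2d" for "-", "7e" for "~".
"""
import re
from collections import OrderedDict

# Constructed sample: the four paths Wil posted from the compromised server.
SAMPLE_FILES = [
    r"C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cfh2ecfm509131890$funcLOC.class",
    r"C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cfh2ecfm509131890.class",
    r"C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cfi2ecfm506365939.class",
    r"C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cf7einfo2drequest2dsend2ecfm170364941.class",
]

# cf<encoded name><hash digits>[$func<NAME>]; the lazy group stops where the
# trailing run of digits that forms the hash begins.
CLASS_NAME_RE = re.compile(r"^cf(?P<enc>.+?)(?P<hash>\d+)(?:\$func(?P<func>\w+))?$")


def decode_template_name(enc):
    """Turn 'h2ecfm' into 'h.cfm'. A hex pair counts as an escape only when it
    maps to a printable, non-alphanumeric ASCII character ('.', '-', '_', '~'...),
    which keeps ordinary letter pairs such as 'cf' from being mangled."""
    out, i = [], 0
    while i < len(enc):
        pair = enc[i:i + 2]
        if len(pair) == 2 and re.fullmatch(r"[0-9a-f]{2}", pair):
            code = int(pair, 16)
            if 0x20 <= code < 0x7F and not chr(code).isalnum():
                out.append(chr(code))
                i += 2
                continue
        out.append(enc[i])
        i += 1
    return "".join(out)


def decode_class_file(path):
    """Return {'template', 'hash', 'function'} for one cfclasses path, or None
    when the name does not follow the assumed scheme."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name.endswith(".class"):
        name = name[:-len(".class")]
    m = CLASS_NAME_RE.match(name)
    if not m:
        return None
    return {"template": decode_template_name(m["enc"]),
            "hash": m["hash"],
            "function": m["func"]}


def templates_from_listing(paths):
    """Group a directory listing by template: {template name: [UDF names]}.

    Classes sharing a hash come from the same template; a $func variant tells
    you a UDF (LOC in Wil's listing) was compiled from it, which is a hint at
    what the dropped file does before anyone executes it."""
    grouped = OrderedDict()
    for p in paths:
        info = decode_class_file(p)
        if info is None:
            continue
        funcs = grouped.setdefault(info["template"], [])
        if info["function"] and info["function"] not in funcs:
            funcs.append(info["function"])
    return grouped


if __name__ == "__main__":
    for tpl, funcs in templates_from_listing(SAMPLE_FILES).items():
        print(f"{tpl:30s} UDFs: {', '.join(funcs) or '-'}")
```

Pair the decoded names with the file creation times from the listing and with the web-server log: a compiled class for a template that no site on the box legitimately contains is a template the attacker wrote, and its timestamp narrows the window to search in the IIS logs.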