Tom,
My one question is you say that view source is identical from a hacked and
non hacked server - that seems odd. There are a number of hacks that could
produce results that manipulate your files by adding content.
This one uses the missing file handler:
Hi Mark,
On Wed, Nov 12, 2014 at 12:33 PM, Mark A Kruger mkru...@cfwebtools.com
wrote:
My one question is you say that view source is identical from a hacked and
non hacked server - that seems odd.
Extremely. That's why I mentioned it. I both looked through the source in a
browser and
My one question is you say that view source is identical from a hacked and
non hacked server - that seems odd. There are a number of hacks that could
produce results that manipulate your files by adding content.
Not necessarily. There's no reason that content can't be injected at
serve
Obviously, I still hope someone has seen a similar attack, because I'm not
all that relieved that the symptom has gone away.
Honestly, I would assume the worst, and do the following. Back up
server settings and the source files themselves, review the server
settings manually, review the source
There's no reason that content can't be injected at
serve time.
In this case, there would be a difference in the files delivered to the visitor.
IMO the hack is in the browser, not on the server.
There's no reason that content can't be injected at serve time.
In this case, there would be a difference in the files delivered to the
visitor.
IMO the hack is in the browser, not on the server.
Yes, I missed the reference by the original poster about using view
source. If that's the
in to various
things...
-Mark
-Original Message-
From: Claude Schnéegans schneeg...@internetique.com
Sent: Wednesday, November 12, 2014 1:40 PM
To: cf-talk
Subject: Re: FW: CF9.02 administrator
The idea that there's no visible indication in the view source makes me
consider that as well - but why would it just appear on a login page for the
cfadmin? Perhaps it looks for specific form field names and throws up the
java out of date message to prey on fears of folks logging in to
but why would it just appear on a login page for the cfadmin?
Who knows what may happen or not happen in some hacker's mind? ;-)
Perhaps it looks for specific form field names
... especially input fields of type PASSWORD!
The hacker may be more interested in getting access to the CF
One is that, while it doesn't show
up in the view source for a given page, a JS library referenced in the
page has been compromised to rewrite page content.
Of course, this is quite possible in theory, however it would imply that the
hacker has already hacked the server, and one could ask what
I appreciate all the suggestions - and I especially appreciate when you
step in, Dave.
Certainly, I'm considering a clean installation.
But as a followup: Dave's comment about the problem is almost certainly in
the browser itself or some other piece of malware installed on the client
brings up
One more followup: whatever this is, it isn't related to CF. I jumped to
the wrong conclusion.
The problem reappeared when I was in the CF admin page, long after I'd
logged on.
But then I opened another browser and purposely asked for a local page that
didn't exist. The IIS error page contained
One is that, while it doesn't show up in the view source for a given page,
a JS library referenced in
the page has been compromised to rewrite page content.
Of course, this is quite possible in theory, however it would imply that the
hacker has already hacked
the server, and one could
Wil,
Thanks. I'd already checked that. Mark chimed in earlier, and it's his post.
Pete,
Thanks. I was so concerned that the server was compromised in a way that
would affect its performance as a server, I hadn't had a chance to start
googling the text itself.
And Dave,
Thanks again. Yes,