Re: malware patterns

2009-09-20 Thread Michael Dinowitz
The attack on House of Fusion and Forta.com was not using fckeditor. The issue was with file uploads and a mass attempt to run the uploaded file as it got to the server but before it was validated. I'll have a fix for the issue posted in the morning. I'll also have a writeup on what to look for t

Re: malware patterns

2009-09-18 Thread Mary Jo Sminkey
> The attacker used a version of FCKeditor embedded in a shopping cart
> software (cfwebstore) to upload an index.cfm file into the
> store/customtags directory.

Actually, this isn't quite accurate information (even if it pertained to the attack on HOF which is unlikely). If the attack origina

Re: malware patterns

2009-09-18 Thread Yoon Chung
I host sites for several customers and had been battling this issue. I think I just recently dealt with this issue, this is what I found: The attacker used a version of FCKeditor embedded in a shopping cart software (cfwebstore) to upload an index.cfm file into the store/customtags directory.

Re: malware patterns

2009-09-18 Thread Gerald Guido
>>You may want to make sure you're not hosting any tentacle porn, etc. lmao. That made my day. Thanx. On Thu, Sep 17, 2009 at 5:55 PM, Dave Watts wrote: > > -- Gerald Guido http://www.myinternetisbroken.com "To invent, you need a good imagination and a pile of junk." -- Thomas A. Edison

Re: malware patterns

2009-09-17 Thread Dave Watts
> Could they have been opened by a virus? Well, I don't think it would be a virus in the traditional sense, no. But if you have access to the filesystem with SYSTEM or admin rights, you can do anything you want really. > I've checked the whole system and if there was any Hentai on it, I'd know.

Re: malware patterns

2009-09-17 Thread Dave Watts
oops, should have been off-list. Sorry! On Thu, Sep 17, 2009 at 17:55, Dave Watts wrote: >>> Fast question. On win2k is there an easy way of closing/blocking these >>> or does it have to be further up the chain. >> >> Yes. You can do this with an IP security policy. However, I would also >> reco

Re: malware patterns

2009-09-17 Thread Michael Dinowitz
Could they have been opened by a virus? I've checked the whole system and if there was any Hentai on it, I'd know. > Frankly, I'm surprised you haven't had other problems, with SMB/CIFS > exposed to the public. You may want to make sure you're not hosting > any tentacle porn, etc. It wouldn't hav

Re: malware patterns

2009-09-17 Thread Dave Watts
>> Fast question. On win2k is there an easy way of closing/blocking these >> or does it have to be further up the chain. > > Yes. You can do this with an IP security policy. However, I would also > recommend that you block all unwanted traffic at the gateway, of > course. If you like, I can proba

Re: malware patterns

2009-09-17 Thread Dave Watts
> Fast question. On win2k is there an easy way of closing/blocking these > or does it have to be further up the chain. Yes. You can do this with an IP security policy. However, I would also recommend that you block all unwanted traffic at the gateway, of course. Dave Watts, CTO, Fig Leaf Softwar

RE: malware patterns

2009-09-17 Thread Jacob
..@bradwood.com] > Sent: Thursday, September 17, 2009 12:47 PM > To: cf-talk > Subject: RE: malware patterns > > > Michael, a quick nMap shows the following ports are open on the server > that houseoffusion.com resolves to (64.118.74.245). > > PORT     STATE SERVICE > 2

Re: malware patterns

2009-09-17 Thread Michael Dinowitz
Fast note. Some anti-virus programs are reporting this thread as having a virus due to the code fragment from the first post. This is a false positive, but if there is a concern, just use the website interface.

Re: malware patterns

2009-09-17 Thread Claude Schneegans
>>http://bgadf.cn> Arg... Chinese junk again :-(

Re: malware patterns

2009-09-17 Thread Alan Rother
4:33 PM, Jacob wrote: >> > >> > 135 and 445 should NOT be open to the public! >> > >> > -Original Message- >> > From: b...@bradwood.com [mailto:b...@bradwood.com] >> > Sent: Thursday, September 17, 2009 12:47 PM >> > To: cf-ta

RE: malware patterns

2009-09-17 Thread brad
. Or worst case, limit the outside IP addresses that have access to them. Chances are, the only ports that really need to be publicly accessible on a web server are 80 and possibly 443. ~Brad Original Message Subject: Re: malware patterns From: Michael Dinowitz Date

Re: malware patterns

2009-09-17 Thread Alan Rother
to be further up the chain. > > On Thu, Sep 17, 2009 at 4:33 PM, Jacob wrote: > > > > 135 and 445 should NOT be open to the public! > > > > -Original Message- > > From: b...@bradwood.com [mailto:b...@bradwood.com] > > Sent: Thursday, September 17, 2

Re: malware patterns

2009-09-17 Thread Michael Dinowitz
..@bradwood.com] > Sent: Thursday, September 17, 2009 12:47 PM > To: cf-talk > Subject: RE: malware patterns > > > Michael, a quick nMap shows the following ports are open on the server > that houseoffusion.com resolves to (64.118.74.245). > > PORT     STATE SERVICE > 2

RE: malware patterns

2009-09-17 Thread Jacob
135 and 445 should NOT be open to the public! -Original Message- From: b...@bradwood.com [mailto:b...@bradwood.com] Sent: Thursday, September 17, 2009 12:47 PM To: cf-talk Subject: RE: malware patterns Michael, a quick nMap shows the following ports are open on the server that

Re: malware patterns

2009-09-17 Thread Michael Dinowitz
OK, here's what to do. Search your entire code base for any web accessible script containing the text "chanm". I found a jsp and a cfm file, both with the ability to upload and manipulate files on a server. If you do find a file like this, please send me the code so I can compare it to what I have

Re: malware patterns

2009-09-17 Thread Jordan Michaels
I've seen this sort of attack before on a client's server that they were hosting at their office. The malware that did it used a stolen FTP password to log in as an actual user and modify every HTML file on their server. We found it by reviewing the FTP server logs and saw that their general u

Re: malware patterns

2009-09-17 Thread Michael Dinowitz
Thanks. I'll check those out. I found the hole though as well as the script used to access the machine. Nasty piece of code. On Thu, Sep 17, 2009 at 3:47 PM, wrote: > > Michael, a quick nMap shows the following ports are open on the server > that houseoffusion.com resolves to (64.118.74.245). >

RE: malware patterns

2009-09-17 Thread Andy Matthews
Super thorough research Brad. While I'm not affected, I appreciate your level of expertise. -Original Message- From: b...@bradwood.com [mailto:b...@bradwood.com] Sent: Thursday, September 17, 2009 2:47 PM To: cf-talk Subject: RE: malware patterns Michael, a quick nMap show

RE: malware patterns

2009-09-17 Thread brad
Michael, a quick nMap shows the following ports are open on the server that houseoffusion.com resolves to (64.118.74.245).

PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1036/tcp open  u

Re: malware patterns

2009-09-17 Thread Michael Dinowitz
I'll do that. I have to take the below information, make it nice and neat, and then write it up as a Fusion Authority site article. On Thu, Sep 17, 2009 at 3:14 PM, DURETTE, STEVEN J (ATTASIAIT) wrote: > > If you ever find the root cause, you may want to write an article on it, > or do a present

RE: malware patterns

2009-09-17 Thread DURETTE, STEVEN J (ATTASIAIT)
If you ever find the root cause, you may want to write an article on it, or do a presentation for cfmeetup! I know I'd be interested in it! -Original Message- From: Michael Dinowitz [mailto:mdino...@houseoffusion.com] Sent: Thursday, September 17, 2009 3:08 PM To: cf-talk Subject: malwa