Nathan, can you answer a question for me? Does this attack affect "all cfm" pages, or does it affect "index.*" pages?
-Mark

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Nathan Bruer [mailto:thegreat...@gmail.com]
Sent: Thursday, April 09, 2009 11:26 PM
To: cf-talk
Subject: Re: Question about hack

Ok, I wanted to post here because I have been looking around on Google the last few days, because we had the same issue, to give an update to all on the findings from our investigation...

First off, this IS an issue with either MSSQL/MS Access or ColdFusion, or the combination of the two. Whatever has been writing the script seems to be embedded either in one of the ColdFusion files somewhere or in the database you are executing from; we have not figured it out yet. This is what we have decided to do to solve the issue...

Step 1: Shut down IIS. Whatever is causing this requires IIS to run, from what we have seen.

Step 2: I have written a simple script in PHP (because that is what I script in) that will go through every file in the specified path and remove anything that it finds matching the pattern in the 2.txt file (the default is what was being written to our server). It will log all the files it changed to alog.log file in the same directory. Here is what you need to do to run the script...

1. Download: http://www.rallyinfo.com/fixer.zip
2. Extract it somewhere on the server.
3. Install PHP (if you don't already have it; REQ PHP5+ [I believe]).
4. Open the 1.php file in the folder you extracted it to, and edit the line that says "Path = 'D:/'" to whatever path you want to check (I'd suggest running it multiple times, on every drive).
5. Open a command line and go to the folder that you extracted it to (for example, in the command line type "cd C:\FOLDER\YOU\EXTRACTED\IT\TO"; if it is on a different drive, type the drive letter followed by a ":").
6. Type "php 1.php". Now wait; it may take hours depending on how many files it has to read.
This script will ONLY remove the infected files; it will NOT fix the issue. We have not figured out what is causing the issue. I have a feeling, since we are using an Access database to hold the info for ColdFusion, that there is somewhere in the database it is executing from; however, we have no proof yet. Another theory is that it somehow implanted itself into one of the CF files on whatever site had it infected first, and every time someone goes to that site it re-runs the script to infect other files with it.

Step 3: Either uninstall ColdFusion or turn it off so it will no longer be run in IIS. We decided to uninstall ColdFusion because we only have about 2 sites that still use it, and we have decided to convert them to PHP.

After that I cannot help much, seeing as we didn't actually find the issue, but rather made it unable to run any longer. If you have any questions or comments I will actively watch this thread, and I will assist (only through this thread) in removing corrupted files.

-Nathan Bruer

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321495
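Nathan's Step 2 describes a file-walker that strips an injected pattern from every file under a path and logs what it changed. The following is an added example of that cleanup approach, written here for this page; it is not Nathan's fixer.zip/1.php script and does not reproduce his 2.txt pattern (which is not on the page). The injected tag SAMPLE_INJECTION, the extension list, and the demo() directory layout are all constructed for illustration. Like Nathan's script, it only removes the injected content; it does nothing about the injection vector itself.

```python
"""Walk a tree, strip a known injected pattern from each file, log changed paths.

Added example (not the original poster's code). Operates on bytes so that
files in any encoding are rewritten unchanged apart from the removed matches.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

# Constructed placeholder for the injected markup; replace with the actual
# text that was written to the affected server.
SAMPLE_INJECTION = b'<script src="http://example.invalid/bad.js"></script>'

# Hypothetical list of page types worth scanning; binaries are skipped.
DEFAULT_EXTENSIONS = (".cfm", ".cfc", ".htm", ".html", ".js", ".asp", ".aspx", ".php")

MAX_FILE_BYTES = 16 * 1024 * 1024  # skip huge files rather than loading them


def compile_pattern(literal: bytes) -> re.Pattern:
    """Match the injected text literally (re.escape) and case-insensitively."""
    return re.compile(re.escape(literal), re.IGNORECASE)


def clean_file(path: Path, pattern: re.Pattern) -> int:
    """Remove every match from one file; return the number of removals."""
    try:
        if path.stat().st_size > MAX_FILE_BYTES:
            return 0
        original = path.read_bytes()
    except OSError:
        return 0
    cleaned, count = pattern.subn(b"", original)
    if count:
        # Only rewrite files that actually changed, so mtimes stay useful
        # as evidence on untouched files.
        path.write_bytes(cleaned)
    return count


def clean_tree(root, pattern, log_path, extensions=DEFAULT_EXTENSIONS):
    """Clean every matching-extension file under root; append changes to log_path.

    Returns a list of (path, removals) for files that were modified.
    """
    changed = []
    log_path = Path(log_path)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p == log_path or p.suffix.lower() not in extensions:
                continue
            count = clean_file(p, pattern)
            if count:
                changed.append((str(p), count))
    with open(log_path, "a", encoding="utf-8") as log:
        for path, count in changed:
            log.write(f"{path}\t{count} match(es) removed\n")
    return changed


def demo():
    """Build a constructed sample tree, clean it, and report what happened."""
    root = Path(tempfile.mkdtemp(prefix="fixer-demo-"))
    try:
        (root / "site").mkdir()
        infected = root / "site" / "index.cfm"
        infected.write_bytes(b"<html>ok</html>\n" + SAMPLE_INJECTION + b"\n")
        (root / "site" / "about.cfm").write_bytes(b"<html>clean</html>\n")
        # Same payload in a .txt file: skipped by the extension filter.
        (root / "notes.txt").write_bytes(SAMPLE_INJECTION)
        log = root / "alog.log"
        changed = clean_tree(root, compile_pattern(SAMPLE_INJECTION), log)
        return {
            "changed": changed,
            "index_after": infected.read_bytes(),
            "txt_untouched": (root / "notes.txt").read_bytes() == SAMPLE_INJECTION,
            "log_lines": log.read_text(encoding="utf-8").count("\n"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

As with the original script, stop the web server first so nothing rewrites the files while you are cleaning them, and keep the log: the list of modified paths is the starting point for finding the entry point, which this cleanup does not fix.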