After a lot of looking into and investigating last night, we have found some more info on the subject. What happened to us was not actually caused by ColdFusion. We found that it was a ColdFusion script we were running that was not secure. The attacker used a method called a SQL injection attack, which means he/she queried the server hundreds if not thousands of times, data mining the database until they got the site's admin username/password.

So, there was one security issue with the ColdFusion script we were using. After they got the admin username/password, they logged into the site's administration and uploaded a "gif", but it was not actually a "gif"; rather, it was an ASP page that got executed on the server, because whoever wrote our CMS obviously didn't know how to code securely. (The file name was logs.asp or log.aspx, or a combination of the two.) After they had an ASP page on the server, they used that script to upload another ASP page named "tops.aspx", which, when I reviewed the code and did some research into it, I found was actually a well-known trojan specifically designed to give "attackers" access to infected servers.

Hope this comes of use to some other people having this issue. I cannot stress enough how important it is to escape SQL strings before sending them to a SQL server of any kind, and how important it is to rename files that people upload when writing a script. (The most secure way is generally to do two things: first, verify images by using code to make sure the file is actually an image [I'm sure you can find some free code to do so], and rename the image so it does not put an extension on the file, or make sure the file ends in .jpg, .gif, etc. Also make sure you do not allow script execution in the folder you upload to.)

Hope this helps,
-Nathan

On Fri, Apr 10, 2009 at 7:53 AM, Mark Kruger <mkru...@cfwebtools.com> wrote:
> Nathan,
>
> Can you answer a question for me. Does this attack affect "all cfm" pages or
> does it affect "index.*" pages?
>
> -Mark
>
> Mark A. Kruger, CFG, MCSE
> (402) 408-3733 ext 105
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com
>
> -----Original Message-----
> From: Nathan Bruer [mailto:thegreat...@gmail.com]
> Sent: Thursday, April 09, 2009 11:26 PM
> To: cf-talk
> Subject: Re: Question about hack
>
> Ok, I wanted to post here because I have been looking around on Google the
> last few days, because we had the same issue, to give an update to all on the
> findings we have found from our investigation...
>
> First off, this IS an issue with either mssql/msaccess or ColdFusion or the
> combination of the two.
>
> Whatever has been writing the script seems to be embedded in either one of
> the ColdFusion files somewhere or in the database you are executing from; we
> have not figured it out yet.
>
> This is what we have decided to do to solve the issue...
>
> Step 1: Shut down IIS. Whatever is causing this requires IIS to run, from
> what we have seen.
>
> Step 2: I have written a simple script in PHP (because that is what I script
> in) that will go through every file in the specified path and remove
> anything that it finds matching the pattern in the 2.txt file (the default is
> what was being written to our server). It will log all the files it changed
> to alog.log in the same directory. Here is what you need to do to run the
> script...
>
> 1. Download: http://www.rallyinfo.com/fixer.zip
> 2. Extract it somewhere on the server.
> 3. Install PHP (if you don't already have it; REQ PHP5+ [I believe]).
> 4. Open the 1.php file in the folder you extracted it to, and edit the
> line that says "Path = 'D:/'" to whatever path you want to check (I'd
> suggest running it multiple times, on every drive).
> 5. Open a command line and go to the folder that you extracted it to.
> (For example, in the command line type "cd C:\FOLDER\YOU\EXTRACTED\IT\TO";
> if it is on a different drive, type the drive letter followed by a ":".)
> 6. Type "php 1.php". Now wait; it may take hours depending on how many
> files it has to read.
>
> This script will ONLY remove the infected files; it will NOT fix the issue.
> We have not figured out what is causing the issue. I have a feeling, since
> we are using an Access database to hold the info for ColdFusion, that there is
> somewhere in the database it is executing from; however, we have no proof
> yet. Another theory is that it somehow implanted itself into one of the CF
> files on whatever site had it infected first, and every time someone goes to
> that site it re-runs the script to infect other files with it.
>
> Step 3: Either uninstall ColdFusion or turn it off so it will no longer be
> run in IIS. We decided to uninstall ColdFusion because we only have about 2
> sites that still use it, and we have decided to convert them into PHP.
>
> After that I cannot help much, seeing as how we didn't actually find the issue,
> but rather made it unable to run any longer.
>
> If you have any questions or comments I will actively watch this thread, and
> I will assist (only through this thread) in removing corrupted files.
>
> -Nathan Bruer

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321496
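The SQL injection Nathan describes, as an added example that is not code from the original post or from the CMS involved. It shows the admin login query written with string concatenation (the way the compromised script evidently worked) beside the same query with bound parameters, and the boolean-blind loop that explains the "hundreds if not thousands" of queries: each request answers one yes/no question about one character of the stored password. The table, the admin row and the SQLite backend are constructed for the demo; in ColdFusion the bound form is `<cfqueryparam>` rather than escaping the string by hand.

```python
"""Added example, not code from the original post: the admin login query
written two ways against an in-memory SQLite table, plus the kind of
boolean-blind extraction loop the post alludes to. Table contents and
credentials are constructed for the demo."""
import sqlite3


def make_db():
    """Constructed sample database with one admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL syntax."""
    sql = ("SELECT COUNT(*) FROM admins WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Bound parameters: the driver keeps data separate from the statement,
    so quotes and comment markers in the input are just characters."""
    sql = "SELECT COUNT(*) FROM admins WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def blind_extract_password(login, username="admin", max_len=32):
    """Recover the admin password one character at a time using only the
    yes/no answer of a login function. Returns (recovered, query_count)."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered, queries = "", 0
    for pos in range(1, max_len + 1):
        found = None
        for ch in alphabet:
            # Closes the username literal, adds our condition, and comments
            # out the rest of the WHERE clause ("--" starts a SQL comment).
            payload = "%s' AND substr(password,%d,1)='%s'--" % (username, pos, ch)
            queries += 1
            if login(payload, ""):
                found = ch
                break
        if found is None:       # no character matched: past the end of the string
            break
        recovered += found
    return recovered, queries


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1'--"
    print("vulnerable bypass:", login_vulnerable(db, bypass, ""))   # True
    print("safe bypass:     ", login_safe(db, bypass, ""))         # False
    pw, n = blind_extract_password(lambda u, p: login_vulnerable(db, u, p))
    print("vulnerable extraction:", pw, "in", n, "queries")        # hunter2 in 151 queries
    pw, n = blind_extract_password(lambda u, p: login_safe(db, u, p))
    print("safe extraction:", repr(pw), "after", n, "queries")     # '' after 36 queries
```

Against the concatenated query the extraction loop recovers the whole password with a few hundred requests, exactly the traffic pattern a web log would show; against the bound query every probe is treated as a literal username and the loop gives up after the first position.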
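The upload handling Nathan recommends (check that the bytes really are an image, drop the client's filename, store without an extension, never allow script execution where uploads land), as an added example that is not code from the original post or the CMS involved. It goes slightly beyond the post by also rejecting a polyglot that starts with a valid GIF header but carries ASP source after it. The sample payloads, the accepted-format table and the `upload_dir` assumption are constructed for the demo; the ColdFusion equivalent would be `<cffile action="upload">` into a directory outside the web root.

```python
"""Added example, not code from the original post: handling an "image"
upload the way the post recommends. Decide from the bytes, not the name;
throw the client filename away; store under a random name with no
extension in a directory that is never served with script execution.
All sample payloads below are constructed for the demo."""
import os
import secrets
import tempfile

# Leading bytes of the image formats we accept (their real file signatures).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

# Tokens that should never appear in an image we are willing to keep; a
# polyglot (real GIF header followed by ASP source) would carry these.
SCRIPT_MARKERS = (b"<%", b"<?php", b"<script")


def sniff_image_type(data):
    """Return 'png'/'gif'/'jpeg' from the leading bytes, or None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def check_upload(data):
    """Return the sniffed type or raise ValueError. The client-supplied
    filename is deliberately not a parameter: nothing here trusts it."""
    kind = sniff_image_type(data)
    if kind is None:
        raise ValueError("payload does not start with a known image signature")
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        raise ValueError("image bytes contain script markers")
    return kind


def is_rejected(data):
    """True if check_upload refuses the bytes."""
    try:
        check_upload(data)
    except ValueError:
        return True
    return False


def random_name():
    """Opaque, extension-less storage name (32 hex chars); the attacker
    chooses no part of it, so there is no 'logs.asp' for the server to run."""
    return secrets.token_hex(16)


def store_upload(data, upload_dir):
    """Validate, then write under a random name. Returns (name, kind).
    upload_dir is assumed (not checked here) to sit outside the web root
    or to have script execution disabled; that is the control the post asks for."""
    kind = check_upload(data)
    name = random_name()
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name, kind


# Constructed payloads: a minimal real 1x1 GIF, an ASP page submitted under a
# .gif name (the post's "logs.asp" scenario), and a GIF-header polyglot.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
ASP_AS_GIF = b'<% Response.Write("hello") %>'
POLYGLOT = b"GIF89a\x01\x00\x01\x00" + ASP_AS_GIF

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print("real gif stored as:", store_upload(REAL_GIF, d))
        for label, payload in (("asp named .gif", ASP_AS_GIF), ("polyglot", POLYGLOT)):
            try:
                store_upload(payload, d)
            except ValueError as err:
                print(label, "rejected:", err)
```

The marker scan is a heuristic, not the primary control: the thing that actually stops "tops.aspx" from running is that the stored file has no extension the web server maps to a handler and lives where script execution is off. If you prefer to keep an extension, append the sniffed `kind` rather than anything from the client's filename.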