Donnie,

I believe this is the same attack I have been helping another customer with
and it does not appear to be related to CF. Instead, it appears to start
with a malware install of some kind on the server (and possibly a rootkit)
and then progress to the creation of accounts and the changing of file
permissions. Another theory gaining weight (and illustrating that we don't
know much yet) is that this attack is an agent on a client computer that
piggybacks onto FTP - which explains a few things but not everything. I'm
guessing some combination at this point.

Anyway, I agree that cfexecute is a dangerous tag that needs to be
controlled, but it does not appear to be the culprit. All of this advice is
good, but the only place that CF comes into play on this particular hack
happens to be the propensity to use "index.cfm" as the home page script. The
attack targets "index.*" files and affects (on the server I am working with)
index.cfm, index.html, index.php, etc.

-Mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: Donnie Bachan (Gmail) [mailto:donnie.bac...@gmail.com] 
Sent: Monday, April 13, 2009 8:30 AM
To: cf-talk
Subject: Re: Question about hack


Hi Nick,

I know this post is a bit late but to your original question, that attack is
as a result of incorrect file/IIS permissions and is not an XSS attack. I
would even bet that you are on a shared server (at HMS) since one of my
client sites had this exact same problem. The attacker would have gained
access to the file system (possibly via FTP) and executed code that injected
the code into all index.* files on the server (not just your hosting
account). We have had a lot of problems trying to get this sorted out. It
appears that the issue was with security related to the Windows Script Host
and/or CFEXECUTE. The only thing you can do to prevent this is work with
your hosting provider to secure the system or move to a VPS or dedicated
account and make sure your FTP accounts are secure.

HTH

Donnie Bachan
"Nitendo Vinces - By Striving You Shall Conquer"
======================================================================
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.



On Mon, Apr 13, 2009 at 1:30 PM, Richard White <rich...@j7is.co.uk> wrote:
>
> Hi Dave, I have scripts that write to the file system as well. What
> would I need to do to secure them? Do you have a link that I could
> read in relation to this, as I am a little lost as to what to do.
>
> Thanks
>
>> > We are having to scrub our files to remove the injected code (which
>> > is being written directly to the files as the result of the hack
>> > allowing "FULL CONTROL" for the Everyone user on the machine).
>> >
>> > Have you determined a solution for removing/preventing this?
>>
>> First, audit your code to find any scripts that can write to the 
>> filesystem.
>> Second, audit your code to find any scripts that pass unfiltered user 
>> input to the database.
>> Third, fix that code.
>> Fourth, configure filesystem permissions properly to prevent CF or 
>> your database from writing to the web server's webroot.
>>
>> Dave Watts, CTO, Fig Leaf Software
>> http://www.figleaf.com/
>>
>> Fig Leaf Software provides the highest caliber vendor-authorized 
>> instruction at our training centers in Washington DC, Atlanta, 
>> Chicago, Baltimore, Northern Virginia, or on-site at your location.
>> Visit http://training.figleaf.com/ for more information!
>
> 
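
As an added illustration, not code from any of the posters above, the following Python script shows the check a hosting administrator would want after an incident like the one described: hash every index.* file under the webroot while the site is known clean, then re-scan to list files that were modified, added or removed, and flag content matching the hidden-iframe or external-script markup typically injected into such files. The webroot layout, file contents and the heuristic patterns are all constructed for the example and should be tuned to a real site.

```python
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path

# The thread reports the injection hitting index.cfm, index.html, index.php and
# similar files across every hosting account on the box, so match index.* only.
INDEX_PATTERN = re.compile(r"^index\.[a-z0-9]+$", re.IGNORECASE)

# Constructed heuristics for injected markup: a zero-size or hidden iframe, or a
# script tag loading from an external host. Adjust for your own templates.
SUSPECT_PATTERNS = [
    re.compile(
        r"<iframe[^>]*(width\s*=\s*['\"]?0|height\s*=\s*['\"]?0"
        r"|visibility\s*:\s*hidden|display\s*:\s*none)",
        re.IGNORECASE,
    ),
    re.compile(r"<script[^>]*src\s*=\s*['\"]https?://", re.IGNORECASE),
]


def index_files(webroot):
    """Yield every index.* file below webroot, walking all hosting accounts."""
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if INDEX_PATTERN.match(name):
                yield Path(dirpath) / name


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large templates are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot):
    """Map relative path -> hash for every index.* file while the site is clean."""
    webroot = Path(webroot)
    return {p.relative_to(webroot).as_posix(): sha256_of(p) for p in index_files(webroot)}


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def scan(webroot, baseline):
    """Compare the current index.* files against the baseline.

    Returns a dict of sorted relative paths under the keys 'modified', 'new',
    'missing' and 'suspect' (content matching an injection heuristic, baseline
    or not, so a freshly dropped index.php is still caught).
    """
    webroot = Path(webroot)
    current = {p.relative_to(webroot).as_posix(): p for p in index_files(webroot)}
    report = {"modified": [], "new": [], "missing": [], "suspect": []}
    for rel, p in sorted(current.items()):
        if rel not in baseline:
            report["new"].append(rel)
        elif baseline[rel] != sha256_of(p):
            report["modified"].append(rel)
        text = p.read_text(errors="replace")
        if any(pat.search(text) for pat in SUSPECT_PATTERNS):
            report["suspect"].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    return report


def demo():
    """End-to-end run on a constructed temporary webroot (sample data only)."""
    root = Path(tempfile.mkdtemp())
    (root / "site1").mkdir()
    (root / "site2").mkdir()
    (root / "site1" / "index.cfm").write_text("<cfoutput>Hello</cfoutput>\n")
    (root / "site2" / "index.html").write_text("<html><body>Hi</body></html>\n")
    (root / "site1" / "notes.txt").write_text("not an index file, ignored\n")
    baseline = build_baseline(root)
    # Simulate the incident from the thread: a hidden iframe appended to one
    # account's index file and a new index.php dropped into another account.
    with open(root / "site1" / "index.cfm", "a") as f:
        f.write('<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n')
    (root / "site2" / "index.php").write_text("<?php echo 'x'; ?>\n")
    return scan(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_baseline` and `save_baseline` once against a clean tree, then schedule `scan` with the saved baseline; a non-empty `modified`, `new` or `suspect` list is the signal to start the scrub. This only detects the write after it has happened; the permissions fix in Dave's fourth step (no write access to the webroot for CF, the database or Everyone) is what stops the write in the first place.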




Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321554