Mark, I can confirm that there has been FTP related 'sploits going around.
I received a message from a hosting company warning that: "There is a potential security exploit within the FTP software that we use on your account." Just a 411 G! On Mon, Apr 13, 2009 at 1:13 PM, Mark Kruger <mkru...@cfwebtools.com> wrote: > > Donnie, > > I believe this is the same attack I have been helping another customer with > and it does not appear to be related to CF. Instead, it appears to start > with a malware install of some kind on the server (and possibly a root kit) > and then progress to the creation of accounts and the changing of file > permissions. Another theory gaining weight (and illustrating that we don't > know much yet) is that this attack is an agent on a client computer that > piggybacks onto FTP - which explains a few things but not everything. I'm > guessing some combination at this point. > > Anyway, I agree that cfexecute is a dangerous tag that needs to be > controlled, but it does not appear to be the cuprit. All of this advice is > good, but the only place that CF comes into play on this particular hack > happens to be the propensity to use "index.cfm" as the home page script. > The > attack targets "index.*" files and affects (on the server I am working > with) > Index.cfm, index.html and index.php etc. > > -Mark > > > > Mark A. Kruger, CFG, MCSE > (402) 408-3733 ext 105 > www.cfwebtools.com > www.coldfusionmuse.com > www.necfug.com > > -----Original Message----- > From: Donnie Bachan (Gmail) [mailto:donnie.bac...@gmail.com] > Sent: Monday, April 13, 2009 8:30 AM > To: cf-talk > Subject: Re: Question about hack > > > Hi Nick, > > I know this post is a bit late but to your original question, that attack > is > as a result of incorrect file/iis permissions and is not an XSS attack. I > would even bet that you are on a shared server (at HMS) since one of my > client sites had this exact same problem. The attacker would have gained > access to the file system (possibly via FTP) and executed code that > injected > the code into all index.* files on the server (not just your hosting > account). We have had a lot of problems trying to get this sorted out. It > appears that the issue was with security related to the windows script host > and/or CFEXECUTE. The only thing you can do to prevent this is work with > your hosting provider to secure the system or move to a VPS or dedicated > account and make sure your FTP accounts are secure. > > HTH > > Donnie Bachan > "Nitendo Vinces - By Striving You Shall Conquer" > ====================================================================== > The information transmitted is intended only for the person or entity to > which it is addressed and may contain confidential and/or privileged > material. Any review, retransmission, dissemination or other use of, or > taking of any action in reliance upon, this information by persons or > entities other than the intended recipient is prohibited. If you received > this in error, please contact the sender and delete the material from any > computer. > > > > On Mon, Apr 13, 2009 at 1:30 PM, Richard White <rich...@j7is.co.uk> wrote: > > > > hi dave, i have scripts that write to the file system as well. what > > would i need to do to secure them, do you have a link that i could > > read in relation to this as i am a little lost as to what to do > > > > thanks > > > >> > We are having to scrub our files to remove the injected code (which > >> is being written directly > >> > to the files as the result of the hack allowing "FULL CONTROL" for > >> the Everyone user on the > >> > machine. > >> > > >> > Have you determined a solution for removing/preventing this? > >> > >> First, audit your code to find any scripts that can write to the > >> filesystem. > >> Second, audit your code to find any scripts that pass unfiltered user > >> input to the database. > >> Third, fix that code. > >> Fourth, configure filesystem permissions properly to prevent CF or > >> your database from writing to the web server's webroot. > >> > >> Dave Watts, CTO, Fig Leaf Software > >> http://www.figleaf.com/ > >> > >> Fig Leaf Software provides the highest caliber vendor-authorized > >> instruction at our training centers in Washington DC, Atlanta, > >> Chicago, Baltimore, Northern Virginia, or on-site at your location. > >> Visit http://training.figleaf.com/ for more > > information! > > > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to date Get the Free Trial http://ad.doubleclick.net/clk;207172674;29440083;f Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321595 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4