Awesome Nate... I'm going to add this as an addendum to my post...

Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-----Original Message-----
From: ALL [mailto:thegreat...@gmail.com]
Sent: Thursday, April 16, 2009 3:06 PM
To: cf-talk
Subject: Re: Question about hack

Hey Thanks Mark,

I learnt a bit more about it from reading your article and found more info on it last night when (as you stated) 9:00 rolled around...

I have been running a process monitor program that tracks file changes to see what process/program is actually changing the files, and it was coming from cscript.exe, which is the executor that runs *.vbs scripts and other "visual" languages. The executing script was "c:/gm.vbs" but the script did not exist when I went looking for it....

So, my thoughts on it are this is just the part doing the dirty work, and there is an actual executable or service somewhere that is making the file and executing it.

Here is the info my process monitor spit out about the cscript.exe file that was doing the dirty work:

    Path: "C:\WINDOWS\system32\cscript.exe"
    Command Line: "cscript c:\gm.vbs d:\inetpub"
    User: "NT AUTHORITY\SYSTEM"
    Started: "4/15/2009 8:57:58 PM"
    Ended: "4/15/2009 9:01:11 PM"
    Architecture: 32-bit

I hope this may help anyone else working on this issue. I believe I am extremely close to solving it and just need it to run once more, because this time I have the process monitor tracking almost everything.

-Nathan Bruer

On Thu, Apr 16, 2009 at 1:31 PM, Mark Kruger <mkru...@cfwebtools.com> wrote:
>
> For those interested I have compiled all I know about this attack into
> a blog post:
>
> http://www.coldfusionmuse.com/index.cfm/2009/4/16/iframe.insertion.hack
>
> Again, we have not specifically identified the attack but we have lots
> of information and a stop gap measure :)
>
> -Mark
>
>
> Mark A. Kruger, CFG, MCSE
> (402) 408-3733 ext 105
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com
>
> -----Original Message-----
> From: Mark Kruger [mailto:mkru...@cfwebtools.com]
> Sent: Tuesday, April 14, 2009 5:37 PM
> To: cf-talk
> Subject: RE: Question about hack
>
>
> Thanks... I'll add that to my list.
>
> I have a pretty hefty blog post coming out on this tomorrow (or
> hopefully tomorrow :).
>
> -mark

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321708
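A defender-side check for the pattern Nathan's process monitor turned up, added here as an example and not code from the thread: it parses records in the same `Key: "value"` layout as his output and flags script-host launches that combine a drive-root script, a SYSTEM user and a web root argument. The script-host set, the web-root list and both sample records are constructed assumptions, not values from the list.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumptions (not from the thread): script hosts and web roots worth watching.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
WEB_ROOTS = (r"d:\inetpub", r"c:\inetpub")

@dataclass
class ProcessRecord:
    path: str
    command_line: str
    user: str
    started: str = ""
    ended: str = ""

# 'Key: "value"' pairs as in the process-monitor output quoted in the thread.
FIELD_RE = re.compile(r'(Path|Command Line|User|Started|Ended):\s*"([^"]*)"')
# A script sitting directly in a drive root, e.g. c:\gm.vbs (no subdirectory).
ROOT_SCRIPT_RE = re.compile(r"[a-z]:\\[^\\]+\.(vbs|vbe|js|jse|wsf)$", re.IGNORECASE)

def parse_record(text: str) -> ProcessRecord:
    f = dict(FIELD_RE.findall(text))
    return ProcessRecord(f["Path"], f["Command Line"], f["User"],
                         f.get("Started", ""), f.get("Ended", ""))

def suspicious_reasons(rec: ProcessRecord) -> List[str]:
    """Why a script-host launch looks like the one in the thread; empty = nothing odd."""
    exe = rec.path.rsplit("\\", 1)[-1].lower()
    if exe not in SCRIPT_HOSTS:
        return []
    args = rec.command_line.split()[1:]
    reasons = []
    if any(ROOT_SCRIPT_RE.fullmatch(a) for a in args):
        reasons.append("script file sits in a drive root")
    if rec.user.upper() == r"NT AUTHORITY\SYSTEM":
        reasons.append("script host running as SYSTEM")
    if any(a.lower().startswith(WEB_ROOTS) for a in args):
        reasons.append("web root passed as an argument")
    return reasons

def flagged(records: List[str]) -> List[Tuple[str, List[str]]]:
    """Records with at least two indicators; a single one is too common to alert on."""
    hits = [(parse_record(t).command_line, suspicious_reasons(parse_record(t))) for t in records]
    return [(cmd, why) for cmd, why in hits if len(why) >= 2]

# Constructed samples: the first mirrors Nathan's record, the second is a benign admin script.
SAMPLES = [
    'Path: "C:\\WINDOWS\\system32\\cscript.exe" Command Line: "cscript c:\\gm.vbs d:\\inetpub" '
    'User: "NT AUTHORITY\\SYSTEM" Started: "4/15/2009 8:57:58 PM" Ended: "4/15/2009 9:01:11 PM"',
    'Path: "C:\\WINDOWS\\system32\\cscript.exe" Command Line: "cscript C:\\WINDOWS\\system32\\prnport.vbs -l" '
    'User: "CORP\\printadmin" Started: "4/15/2009 9:00:00 AM" Ended: "4/15/2009 9:00:02 AM"',
]
```

Run `flagged(SAMPLES)` to see only the first record reported, with all three reasons; the same parser can be pointed at a monitor export to find when the script host last fired, which is what Nathan was waiting on.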