>> Each and every .cfm file that is on a site that is mapped to iis was
>> affected. If a .cfm was in a non-mapped directory then it was not
>> touched. This says to me that the hole is in iis.
>
> I suspect you have a query vulnerable to SQL injection.

If the attack actually caused the malware script to be written to CF files, I think this is somewhat unlikely. Most automated SQL injection attacks I've seen don't rewrite files, they add stuff to database fields to have that rendered at runtime. Of course, if HoF uses something to generate files from database queries, all bets are off.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326324