Michael, a quick Nmap scan shows the following ports are open on the server
that houseoffusion.com resolves to (64.118.74.245).

PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1036/tcp open  unknown
1041/tcp open  unknown
2522/tcp open  unknown
3389/tcp open  ms-term-serv
7999/tcp open  unknown

Have you accounted for each program that is listening on these ports, and
can any of them that aren't needed be closed?  You've got Terminal Services
in there as well as Directory Services.  I would audit the passwords on
all the Windows accounts, since they are the only thing keeping someone
from using these ports.

Also, did you ever find anything in your Windows logs?  Security under
Event Viewer should show you all authentication that happened prior to
the attack.  

Also, on the complete random off-chance that your vulnerability was
through a CFML file that got uploaded, taking a peek at your class files
(which would be no small task) might reveal any compiled crumbs left
behind by a rogue .cfm file that deleted itself after execution.

If you are on SQL Server 2005, I have been able to get the SQL of
recently run queries by looking in the cached execution plans.

SELECT  cached.*,
        sqltext.*
FROM    sys.dm_exec_cached_plans cached
CROSS APPLY sys.dm_exec_sql_text (cached.plan_handle) AS sqltext

I know those are long shots, but the sooner you look, the more you might
be able to uncover before the tracks slowly get covered.

I do hope you are able to find the cause for the benefit of us all.

~Brad
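One way to act on the "account for each listening program" advice above, as an added example that is not part of Brad's message or anything House of Fusion published: parse the Nmap table from the post and reconcile it against a documented service inventory, so that any open port without a known owner is surfaced for review. The INVENTORY mapping is a constructed, hypothetical example of what an administrator would maintain; it is not the server's real configuration.

```python
"""Reconcile an Nmap port listing against a documented service inventory.

Every open port should map to a named program and a reason it is exposed;
anything that does not is a candidate for shutdown or closer investigation.
"""
import re
from typing import Dict, List, Tuple

# The port table exactly as it appeared in the mailing-list post (Nmap normal output).
NMAP_OUTPUT = """\
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1036/tcp open  unknown
1041/tcp open  unknown
2522/tcp open  unknown
3389/tcp open  ms-term-serv
7999/tcp open  unknown
"""

# Constructed inventory: port -> (owning program, justification).
# This is a hypothetical illustration, not the actual configuration of the server.
INVENTORY: Dict[int, Tuple[str, str]] = {
    80: ("IIS / ColdFusion", "public web site"),
    443: ("IIS / ColdFusion", "public web site over TLS"),
    3389: ("Terminal Services", "remote administration, firewall-restricted"),
}

# Matches lines such as "1025/tcp open  NFS-or-IIS".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, protocol, state, service) for each open port in Nmap normal output."""
    results = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            results.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return results


def unaccounted_ports(open_ports, inventory) -> List[Tuple[int, str]]:
    """Open ports with no owner recorded in the inventory, as (port, service)."""
    return [(port, service) for port, _proto, _state, service in open_ports
            if port not in inventory]


def triage(text: str, inventory) -> List[Tuple[int, str]]:
    """Unaccounted ports ordered for review: services Nmap could not
    identify ("unknown") first, since those are the hardest to explain,
    then the rest by port number."""
    missing = unaccounted_ports(parse_nmap(text), inventory)
    return sorted(missing, key=lambda item: (item[1] != "unknown", item[0]))


if __name__ == "__main__":
    for port, service in triage(NMAP_OUTPUT, INVENTORY):
        print(f"{port:>5}/tcp  {service:<14} no documented owner; verify the listening process")
    for port, (program, why) in sorted(INVENTORY.items()):
        print(f"{port:>5}/tcp  {program:<20} {why}")
```

Run stand-alone it prints the ports that still need an owner; once each has been tied to a process (for example with `netstat -ano` on the host) the inventory is updated and the list shrinks to zero, giving a repeatable check rather than a one-off scan.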



-------- Original Message --------
 Subject: malware patterns
 From: Michael Dinowitz <mdino...@houseoffusion.com>
 Date: Thu, September 17, 2009 2:08 pm
 To: cf-talk <cf-talk@houseoffusion.com>
 
 
 The recent attack on House of Fusion resulted in some useful
 information as to what you should look for. In general, all or most of
 the files with the following extensions were affected:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326394