Super thorough research, Brad. While I'm not affected, I appreciate your level of expertise.
-----Original Message-----
From: b...@bradwood.com [mailto:b...@bradwood.com]
Sent: Thursday, September 17, 2009 2:47 PM
To: cf-talk
Subject: RE: malware patterns

Michael, a quick Nmap shows the following ports are open on the server that houseoffusion.com resolves to (64.118.74.245).

    PORT     STATE SERVICE
    21/tcp   open  ftp
    80/tcp   open  http
    135/tcp  open  msrpc
    443/tcp  open  https
    445/tcp  open  microsoft-ds
    1025/tcp open  NFS-or-IIS
    1036/tcp open  unknown
    1041/tcp open  unknown
    2522/tcp open  unknown
    3389/tcp open  ms-term-serv
    7999/tcp open  unknown

Have you accounted for each program that is listening on these ports, and can any of them be closed that aren't needed? You've got Terminal Services in there as well as Directory Services. I would audit the passwords on all the Windows accounts, since they are the only thing keeping someone from using these ports.

Also, did you ever find anything in your Windows logs? Security under Event Viewer should show you all authentication that happened prior to the attack.

Also, on the complete random off-chance that your vulnerability was through a CFML file that got uploaded, taking a peek at your class files (which would be no small task) might reveal any compiled crumbs left behind by a rogue .cfm file that deleted itself after execution.

If you are on SQL Server 2005, I have been able to get the SQL of recently run queries by looking in the cached execution plans:

    -- List every plan still in the plan cache together with the SQL text it was compiled from
    SELECT cached.*, sqltext.*
    FROM sys.dm_exec_cached_plans AS cached
    CROSS APPLY sys.dm_exec_sql_text(cached.plan_handle) AS sqltext

I know those are long shots, but the sooner you look, the more you might be able to uncover before the tracks slowly get covered. I do hope you are able to find the cause for the benefit of us all.
~Brad

-------- Original Message --------
Subject: malware patterns
From: Michael Dinowitz <mdino...@houseoffusion.com>
Date: Thu, September 17, 2009 2:08 pm
To: cf-talk <cf-talk@houseoffusion.com>

The recent attack on House of Fusion resulted in some useful information as to what you should look for. In general, all or most of the files with the following extensions were affected:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326395
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
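Editor's added example, not code from Brad or from the original thread: the cached-plan query above returns every plan in the cache with no indication of when it ran. Joining sys.dm_exec_query_stats (SQL Server 2005 and later) adds compile time, last execution time and execution count, and a keyword filter narrows the dump to statements worth reading first. The keyword list is an assumption chosen for illustration (typical post-injection follow-on commands and the hex-encoded CAST form often seen in automated SQL injection); adjust it to the case at hand. Running the DMVs requires VIEW SERVER STATE.

```sql
-- Added example (not from the original thread). Assumes SQL Server 2005+ and
-- VIEW SERVER STATE permission. The LIKE patterns below are illustrative
-- assumptions, not indicators taken from the House of Fusion incident.
SELECT
    qs.last_execution_time,          -- most recent run of this plan
    qs.creation_time,                -- when the plan was compiled (first seen)
    qs.execution_count,
    cp.objtype,                      -- 'Adhoc' / 'Prepared' is typical of injected SQL
    cp.usecounts,
    DB_NAME(st.dbid) AS database_name,
    st.text          AS statement_text
FROM sys.dm_exec_query_stats AS qs
JOIN sys.dm_exec_cached_plans AS cp
    ON cp.plan_handle = qs.plan_handle
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE '%xp_cmdshell%'
   OR st.text LIKE '%sp_OACreate%'
   OR st.text LIKE '%OPENROWSET%'
   OR st.text LIKE '%sp_configure%'
   OR st.text LIKE '%CAST(0x%'       -- hex-encoded payload, a common injection hallmark
ORDER BY qs.last_execution_time DESC;
```

The plan cache is volatile: a service restart, memory pressure or a DBCC FREEPROCCACHE empties it, so run the unfiltered form first with SELECT ... INTO a scratch table (or save the result set) before investigating, then filter the saved copy. Absence of a keyword hit proves nothing, because plans for statements that ran once and were evicted are simply gone.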