Prevention is better than cure: having a decent anti-malware product with
real-time scanning will avoid this situation altogether.
If you use something like ClamWin or other free products which only do
scheduled scanning and no real-time protection, then you are vulnerable to
any malware on websites, in email, or in anything that is being executed now.
Products like Kaspersky Internet Security or BitDefender will stop malware
like this dead in its tracks: not only do they scan for malware and viruses
on your system, but they also monitor all executing applications in real time
for suspicious activity, scan your internet traffic for malware, injections
and phishing, and block known malware sites.

I would also recommend using a secure password storage program for storing
all your logins, bank details, etc., so they are not in plain text anywhere
on your system and thus not accessible to any old script that might get onto
your system or, worse, if your laptop got stolen. I use a program called
eWallet, which is the most flexible tool I have found for storing just about
any type of details; it allows you to sync multiple PCs via FTP as well as
mobile devices, and has USB memory stick support. But there are plenty of
other free ones out there just for storing logins and passwords.

Russ

-----Original Message-----
From: Nick Call [mailto:n...@accessutah.com] 
Sent: 13 December 2010 17:37
To: cf-talk
Subject: RE: index.cfm being hacked (now application.cfm)


I went through this last year. It's a nightmare of possibilities. I can save
you all a TON of time right here.

I thought they were targeting just files named index.cfm, so I changed all my
home page filenames to something else. Whatever the process was, it got wise
to it within days. I changed file and folder permissions, I changed this and
that, I even shut off ColdFusion to see what would happen. It's not coming
from the server side! It's coming right through your FTP channel. Simple
and clever. If you don't want to have to fight security, go through the front
door. That's what they are doing. If you visit an infected site, it silently
downloads, through their JavaScript, a worm to your computer. It looks for FTP
configuration files. Cute, Dreamweaver, whatever; if it's FTP, this worm
finds it. Then every 24 hours it, or someone, logs in to your sites using
FTP and carefully appends your default pages with the malicious hijack
script (the script has been getting more and more sophisticated; it changes
all the time, so detecting a pattern is impossible). The client calls you in
anger, you find it, freak out, replace the files with good ones, even turn
off write access to the file, and in a day or so it happens again. You
can spend the better part of your life trying to figure out how the
attacker is getting onto the server. The answer is under your nose. Wipe and
reload the OS on any computer in your company that has FTP access to the
infected sites. I haven't found a scanner that will detect this thing yet.
Better safe than sorry. Wipe and reload. THEN make it a policy to NEVER
store an FTP password again. I manually enter all my FTP passwords now. It's
a few seconds here and there, sometimes it's a pain, but I haven't had a
problem with an infected site since.

If you find this helpful please let me know off-list. Thank you.

Nick
 

-----Original Message-----
From: Terry Troxel [mailto:terry.tro...@gmail.com] 
Sent: Friday, December 10, 2010 7:38 PM
To: cf-talk
Subject: RE: index.cfm being hacked (now application.cfm)


Is the site in question on a "SHARED" Server?
I had this issue a while ago and it wasn't my site, but someone else's and
it rewrote every default page on the entire server no matter what language.
Just a thought. They could have modified the exploit to not only do
index.html, index.cfm, etc. but say, application.cfm, etc. It took the
hosting company a while to track down the actual site that got hacked.

Terry

-----Original Message-----
From: Josh Nathanson [mailto:joshnathan...@gmail.com] 
Sent: Friday, December 10, 2010 4:39 PM
To: cf-talk
Subject: Re: index.cfm being hacked (now application.cfm)


AFAIK (kinda guessing here) Google doesn't "sniff" the files themselves,
they just hit a link and "sniff" the resulting HTML.  So anything that's
output to the resultant page, whether on the index.cfm or application.cfm,
will be picked up by Google.

-- Josh

On Fri, Dec 10, 2010 at 1:49 PM, Mike Little <m...@nzsolutions.co.nz> wrote:

>
> Thanks for that, Mary. This seems like a good idea. I will contact Hostek
> today to try and have the FTP restricted.
>
> Because they are modifying just the application file now, I think it must
> be an auto script, as when they were attacking the index file the links
> were very visible to Google. It doesn't make sense now to include their
> links in the application??
>
> > > (changed the ftp password for the umpteenth time today as well).
> >
> > Hhm, if they are getting in via FTP, which is certainly a strong
> > possibility as well, you might want to try turning it off for that
> > site, or at least restricting it to only the IP addresses that use it.
> > I have seen numerous attacks over unsecured FTP accounts, so only use
> > SFTP and restricted by IP these days and it's definitely helped
> > greatly reduce such issues.
> >
> > --- Mary Jo
> >

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:340041