I have seen variants of that script before; it is published in several
places.

In addition to what has already been mentioned, here are some steps you can
take to make sure these types of attacks fail (obviously, though, the more
critical issue is how the attacker got the file there in the first
place, probably through a file upload vulnerability, or a path traversal
that exposed a password they could then use to upload).

1) Change the default encryption seed in the CF Administrator (this is for CF9
only)
2) Check "Disable access to internal ColdFusion Java components" in the CF
Admin to prevent access to the service factory
3) Set up a sandbox (and yes, you can still set up a sandbox on Standard
edition; you are just limited to one set of sandbox settings for the entire
server, instead of being able to create multiple sandboxes) to block
cfexecute, and more if possible.

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://petefreitag.com/ - My Blog
http://hackmycf.com - Is your ColdFusion Server Secure?
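As an added example (not part of the thread and not Pete's or Adobe's code), a small Python check that walks a ColdFusion web tree such as CFIDE and flags .cfm/.cfc files that reference the two capabilities the steps above are meant to block, cfexecute and the internal ServiceFactory. The pattern names and the sample files it builds in a temporary directory are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the thread (cfexecute, the internal ServiceFactory) plus
# the createObject("java", ...) call used to reach it. Hypothetical names; tune
# the patterns for your own code base before running this in production.
SUSPICIOUS_PATTERNS = {
    "cfexecute": re.compile(r"<cfexecute\b", re.IGNORECASE),
    "service_factory": re.compile(r"coldfusion\.server\.ServiceFactory", re.IGNORECASE),
    "java_object": re.compile(r"createObject\s*\(\s*[\"']java[\"']", re.IGNORECASE),
}
CF_EXTENSIONS = {".cfm", ".cfml", ".cfc"}


def scan_tree(root):
    """Return [(relative path, [indicator names])] for every ColdFusion source
    file under root that matches at least one suspicious pattern."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in CF_EXTENSIONS:
            continue
        text = path.read_text(errors="ignore")
        hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
        if hits:
            findings.append((path.relative_to(root).as_posix(), hits))
    return findings


def demo():
    """Build a constructed CFIDE-like tree: one benign page and one dropped
    file that uses both blocked capabilities, then scan it."""
    root = Path(tempfile.mkdtemp())
    cfide = root / "CFIDE"
    cfide.mkdir()
    (cfide / "index.cfm").write_text("<cfoutput>#now()#</cfoutput>")
    (cfide / "h.cfm").write_text(
        '<cfexecute name="PLACEHOLDER" timeout="1"></cfexecute>\n'
        '<cfset f = createObject("java", "coldfusion.server.ServiceFactory")>'
    )
    return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo():
        print(f"{rel_path}: {', '.join(hits)}")
```

Run it against the real web root on a schedule and diff the output against a known-good baseline; a new file in CFIDE that trips any of these is worth an immediate look.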




On Wed, Feb 22, 2012 at 11:31 AM, Ras Tafari <rastaf...@gmail.com> wrote:

>
> here's the code again in case pastebin killed that link
>
> http://pastebin.com/qvBTEP50
>
> On Wed, Feb 22, 2012 at 11:12 AM, Dave Watts <dwa...@figleaf.com> wrote:
> >
> >> this code was somehow dropped into my friend's cfide directory and ran,
> >> did lots of bad things, stole db passwords, changed his cf code, etc.
> >>
> >> http://pastebin.com/Jg2Cs0ch
> >>
> >> any idea how to protect from this kinda attack?
> >> thanks!
> >
> > I would recommend that you read the CF 9 Server Lockdown Guide:
> >
> >
> http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf
> >
> > In this specific case, you shouldn't allow CF to write to any web
> > content directories by default, and you shouldn't allow file uploads
> > to any web content directories.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> > GSA Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite.
> >
> >
>
> 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350032