Any idea how they were able to get the file that ran into the CFIDE directory? And what might prevent that part? That's the most haunting part to him. I said it was probably a Windows exploit first... not sure though.
Any help is awesome. Thanks guys.

On Wed, Feb 22, 2012 at 12:47 PM, Pete Freitag <p...@foundeo.com> wrote:
>
> I have seen variants of that script before, it is published in several
> places.
>
> In addition to what has already been mentioned, here are some steps you can
> take to make sure these types of attacks fail (obviously though the more
> critical issue is how did the attacker get the file there in the first
> place, probably through a file upload vulnerability, or a path traversal
> that exposed a password they could then use to upload)
>
> 1) Change the default encryption seed in CF administrator (this is for CF9
> only)
> 2) Check "Disable access to internal ColdFusion Java components" in the CF
> Admin to prevent access to the service factory
> 3) Set up a sandbox (and yes, you can still set up a sandbox on Standard
> edition, you are just limited to one set of sandbox settings for the entire
> server, instead of being able to create multiple sandboxes) to block
> cfexecute, and more if possible.
>
> --
> Pete Freitag - Adobe Community Professional
> http://foundeo.com/ - ColdFusion Consulting & Products
> http://petefreitag.com/ - My Blog
> http://hackmycf.com - Is your ColdFusion Server Secure?
>
> On Wed, Feb 22, 2012 at 11:31 AM, Ras Tafari <rastaf...@gmail.com> wrote:
>>
>> Here's the code again in case pastebin killed that link:
>>
>> http://pastebin.com/qvBTEP50
>>
>> On Wed, Feb 22, 2012 at 11:12 AM, Dave Watts <dwa...@figleaf.com> wrote:
>>>
>>>> This code was somehow dropped into my friend's CFIDE directory and ran,
>>>> did lots of bad things, stole DB passwords, changed his CF code, etc.
>>>>
>>>> http://pastebin.com/Jg2Cs0ch
>>>>
>>>> Any idea how to protect from this kind of attack?
>>>> Thanks!
>>>
>>> I would recommend that you read the CF 9 Server Lockdown Guide:
>>>
>>> http://www.adobe.com/products/coldfusion/whitepapers/pdf/91025512_cf9_lockdownguide_wp_ue.pdf
>>>
>>> In this specific case, you shouldn't allow CF to write to any web
>>> content directories by default, and you shouldn't allow file uploads
>>> to any web content directories.
>>>
>>> Dave Watts, CTO, Fig Leaf Software
>>> http://www.figleaf.com/
>>> http://training.figleaf.com/
>>>
>>> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
>>> GSA Schedule, and provides the highest caliber vendor-authorized
>>> instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350055
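Pete's sandbox advice (block cfexecute and the service factory) and Dave's point that CF should not be writing into web content directories both suggest a quick defender-side sweep: look through the webroot for templates that use those facilities at all, since a legitimate application rarely needs them under CFIDE. The script below is an added example and is not code from anyone in this thread or from the pastebin it links to; the indicator list, the file extensions and the constructed sample tree are assumptions for the demo, not a complete signature set for the script being discussed.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators drawn from what the thread names as things a sandbox or the
# "Disable access to internal ColdFusion Java components" setting should
# block. Assumed for this example; extend for your own environment.
INDICATORS = {
    "cfexecute": re.compile(r"<cfexecute\b", re.IGNORECASE),
    "service_factory": re.compile(r"coldfusion\.server\.ServiceFactory", re.IGNORECASE),
    "java_createobject": re.compile(r'createObject\(\s*["\']java["\']', re.IGNORECASE),
    "cfregistry": re.compile(r"<cfregistry\b", re.IGNORECASE),
}

# ColdFusion template extensions to inspect (assumption).
CF_EXTENSIONS = (".cfm", ".cfc", ".cfml")


def scan_file(path: Path) -> list[str]:
    """Return the names of every indicator that matches the file's text."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Walk the webroot and map each flagged template (relative path,
    forward slashes) to the indicators found in it."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in CF_EXTENSIONS:
                continue
            hits = scan_file(p)
            if hits:
                rel = str(p.relative_to(root)).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_webroot() -> Path:
    """Constructed sample tree for the demo: one clean template under
    app/ and one template under CFIDE/ that uses the flagged facilities.
    Nothing here is taken from the thread's pastebin."""
    root = Path(tempfile.mkdtemp(prefix="cfroot_"))
    (root / "CFIDE").mkdir()
    (root / "app").mkdir()
    (root / "app" / "index.cfm").write_text("<cfoutput>#now()#</cfoutput>\n")
    (root / "CFIDE" / "h.cfm").write_text(
        '<cfset sf = createObject("java", "coldfusion.server.ServiceFactory")>\n'
        '<cfexecute name="hostname" timeout="5"></cfexecute>\n'
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, hits in sorted(scan_webroot(sample_root).items()):
        print(f"{rel_path}: {', '.join(hits)}")
```

Run it against the real webroot by passing that path to `scan_webroot` instead of the constructed one; anything flagged under CFIDE, or in a directory the application is not supposed to write to, is worth a closer look alongside the file's modification time and the web server's access log for that path.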