I am reading up on Charlie's blog posts. (Thank you, Charlie.) My ColdFusion 9.0.2 server was hit with this.
I found h.cfm in /CFIDE/ with file date 12/24/2012. I deleted it. No new scheduled tasks were set in my CF Admin. I use IIS 7.5 on Windows 2008. Can someone review the exact steps needed to lock down the /CFIDE/ directory, yet make /CFIDE/scripts/ available for use by ColdFusion? All of my web sites and databases seem unaltered. But I am obviously a nervous wreck about this new security hole.

Eric

-----Original Message-----
From: Raymond Camden [mailto:raymondcam...@gmail.com]
Sent: Wednesday, January 02, 2013 9:16 PM
To: cf-talk
Subject: Re: New Security Issue with CF

Charlie posted an update:
http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat

On Wed, Jan 2, 2013 at 9:00 PM, Robert Rhodes <rrhode...@gmail.com> wrote:
>
> Oh man I just looked and one of my standby servers got hit with this.
> Somehow we forgot to patch that one. It had a bunch of sites on it,
> but none of them were actually live (because it was a standby server).
>
> So I have questions.
>
> Does anyone know what this thing does?
>
> I can just wipe this box and reload it, but it was on the network with
> our other windows servers (some of which are SQL database servers).
> Is it possible this hacker could have accessed other servers
> through this hack?
>
> Do we know the steps yet to clean up the mess?
>
> Any idea where to look for damage that the hacker has caused?
>
> I am a little lost here.
>
> :(
>
> -RR

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353735
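An added example, not from Eric, Raymond, Charlie or anyone else on this thread, of one way to express the lockdown Eric asks about on IIS 7.5: a web.config at the site root that denies the whole /CFIDE/ tree to all but listed addresses, then re-opens only /CFIDE/scripts/ so pages that load its client-side files keep working. It assumes the "IP and Domain Restrictions" role service is installed and the ipSecurity section has been unlocked in applicationHost.config; 203.0.113.10 is a constructed placeholder for the admin workstation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Place this web.config in the web site root.
     Assumes IIS 7.5 with the "IP and Domain Restrictions" role service installed,
     and that the section was unlocked first with:
       %windir%\system32\inetsrv\appcmd unlock config -section:system.webServer/security/ipSecurity
     203.0.113.10 is a constructed placeholder for the admin workstation address. -->
<configuration>
  <!-- Deny everything under /CFIDE/ (administrator, adminapi, and so on)
       unless the client address is explicitly listed. -->
  <location path="CFIDE">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <clear />
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="203.0.113.10" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

  <!-- Re-open only /CFIDE/scripts/, the directory ColdFusion serves
       JavaScript and CSS from for public pages. The more specific
       location wins over the parent rule above. -->
  <location path="CFIDE/scripts">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">
          <clear />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

After applying it, a request to /CFIDE/administrator/ from an address not on the list should come back as HTTP 403 (IIS substatus 403.6, IP address rejected), while /CFIDE/scripts/ still serves normally; check the IIS logs for the 403.6 entries to confirm the rule is in effect.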