I am investigating a server that has been hit. I am seeing that these files were created
at the time of the attack.

C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cfh2ecfm509131890$funcLOC.class
C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cfh2ecfm509131890.class
C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cfi2ecfm506365939.class
C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\cf7einfo2drequest2dsend2ecfm170364941.class

I do not know what they do as of yet.




Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com

wilg...@trunkful.com
www.trunkful.com

On Jan 2, 2013, at 11:00 PM, Robert Rhodes <rrhode...@gmail.com> wrote:

> 
> Thanks.  I saw that afterwards.  I was freaking out a bit there. Still am.
> :(
> 
> I have gone through the logs on that server (windows 2008 R2 server running
> IIS7.5 and CF9.02) and the hacker loaded his script 1 time each on 15
> different sites.
> 
> They all look like this:
> 2013-01-02 00:15:15 192.168.55.129 GET /CFIDE/h.cfm - 80 - 178.170.124.210 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 171
> 
> But on 3 of the sites, he also loaded: help.cfm,
> administrator.cfc, mappings.cfm, scheduleedit.cfm, and scheduletasks.cfm,
> but there are no scheduled tasks showing in the administrator.
> 
> I checked the CF Administrator log and found nothing.
> 
> Fortunately, he missed the one site (none of his crap shows up in its logs)
> where there was sensitive information, so assuming he could not traverse
> directories, I am hoping I am ok there.
> 
> I ran his file (after renaming it), and none of my datasources showed up
> (it was an empty <select>). I am hoping I am good there too. It looks like
> his script needs to be driven by a human (a lot of it is a form).  So I
> am hoping that the one hit I see on most of those sites is an automated hit
> to see if the script is there, then he was going to come around later and
> do his damage -- and he never did.  Wishful thinking right?
> 
> I don't see any other signs of trouble anywhere, but am very worried that
> something bad has happened that I have just not stumbled on yet.
> 
> Any suggestions or advice?  Any place else I should be looking? Am I
> fooling myself to think I got lucky here?
> 
> I have shut down CF on that server and am now searching all other servers
> for h.cfm.  So far nothing.
> 
> Tomorrow, I will completely wipe that server and reload it.
> 
> -RR
> 
> On Wed, Jan 2, 2013 at 10:16 PM, Raymond Camden <raymondcam...@gmail.com> wrote:
> 
>> 
>> Charlie posted an update:
>> 
>> http://www.carehart.org/blog/client/index.cfm/2013/1/2/Part2_serious_security_threat
>> 
>> 
>> On Wed, Jan 2, 2013 at 9:00 PM, Robert Rhodes <rrhode...@gmail.com> wrote:
>> 
>>> 
>>> Oh man I just looked and one of my standby servers got hit with this.
>>> Somehow we forgot to patch that one.  It had a bunch of sites on it, but
>>> none of them were actually live (because it was a standby server).
>>> 
>>> So I have questions.
>>> 
>>> Does anyone know what this thing does?
>>> 
>>> I can just wipe this box and reload it, but it was on the network with our
>>> other windows servers (some of which are SQL database servers).  Is it
>>> possible this hacker could have accessed other servers through this
>>> hack?
>>> 
>>> Do we know the steps yet to clean up the mess?
>>> 
>>> Any idea where to look for damage that the hacker has caused?
>>> 
>>> I am a little lost here.
>>> 
>>> :(
>>> 
>>> -RR
>>> 
>>> On Wed, Jan 2, 2013 at 3:52 PM, Russ Michaels <r...@michaels.me.uk> wrote:
>>> 
>>>> 
>>>> and also read the following article.
>>>> 
>>>> http://www.michaels.me.uk/post.cfm/securing-your-coldfusionmx-installation-on-windows
>>>> 
>>>> On Wed, Jan 2, 2013 at 7:47 PM, Larry Lyons <larrycly...@gmail.com> wrote:
>>>> 
>>>>> 
>>>>> A new CF security issue was just discovered a few days ago. You may want
>>>>> to forward this information to whomever is your CF Admin.
>>>>> 
>>>>> http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat
>>>>> 
>>>>> To make a very long story short, the exploit allows a hacker to upload a
>>>>> file that is put on the server. This gives a hacker pretty much unfettered
>>>>> access to a lot of things including reading/downloading/uploading/renaming
>>>>> and creating files, accessing datasource information, and more.
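Added example, not from this thread or from any Adobe or ColdFusion tooling: a small Python triage script for IIS W3C logs that flags the request pattern Robert describes, i.e. requests for /CFIDE/h.cfm and for the administrator templates he lists, and separates backdoor hits into "served" (HTTP 200, the file was present and answered) and "probe" (any other status). The log text, the #Fields layout and the client addresses 198.51.100.7 and 192.0.2.10 are constructed to match the single line quoted above; the column set in real IIS logs varies, which is why the parser reads the #Fields header instead of assuming positions.

```python
"""Triage IIS W3C logs for the /CFIDE/h.cfm backdoor pattern described in the thread."""
from collections import defaultdict
from urllib.parse import unquote

# Indicators taken from the thread: the dropped backdoor template and the
# administrator templates requested on three of the sites. Only the basename
# under /CFIDE/ is matched, because the thread does not give full paths.
BACKDOOR_FILES = {"h.cfm"}
ADMIN_FILES = {"help.cfm", "administrator.cfc", "mappings.cfm",
               "scheduleedit.cfm", "scheduletasks.cfm"}

# Constructed sample log modelled on the line quoted in the thread.
# 198.51.100.7 and 192.0.2.10 are documentation addresses, not real clients.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-01-02 00:15:15 192.168.55.129 GET /CFIDE/h.cfm - 80 - 198.51.100.7 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 171
2013-01-02 00:15:16 192.168.55.129 GET /index.cfm - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 12
2013-01-02 00:16:02 192.168.55.129 GET /CFIDE/administrator/mappings.cfm - 80 - 198.51.100.7 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 44
2013-01-02 00:16:03 192.168.55.129 GET /CFIDE/administrator/scheduler/scheduletasks.cfm - 80 - 198.51.100.7 python-requests/0.14.2+CPython/2.7.3+Linux/3.2.0-32-generic 200 0 0 51
2013-01-03 09:30:00 192.168.55.129 GET /CFIDE/h.cfm - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 404 0 2 3
"""


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(rec):
    """Label a request as backdoor-served, backdoor-probe or admin-access; None otherwise."""
    stem = unquote(rec["cs-uri-stem"]).lower()
    if not stem.startswith("/cfide/"):
        return None
    name = stem.rsplit("/", 1)[-1]
    if name in BACKDOOR_FILES:
        # 200 means the template existed and was executed; anything else is a probe.
        return "backdoor-served" if rec["sc-status"] == "200" else "backdoor-probe"
    if name in ADMIN_FILES:
        return "admin-access"
    return None


def triage(text):
    """Return ({client ip: {label: count}}, [flagged rows]) for a log in W3C format."""
    by_ip = defaultdict(lambda: defaultdict(int))
    flagged = []
    for rec in parse_iis_log(text):
        label = classify(rec)
        if label:
            by_ip[rec["c-ip"]][label] += 1
            flagged.append((rec["date"] + " " + rec["time"], rec["c-ip"], label,
                            rec["cs-uri-stem"], rec["cs(User-Agent)"]))
    return {ip: dict(labels) for ip, labels in by_ip.items()}, flagged


if __name__ == "__main__":
    summary, rows = triage(SAMPLE_LOG)
    for row in rows:
        print(*row)
    for ip, labels in summary.items():
        print(ip, labels)
```

A client that gets a 200 on h.cfm and then requests the administrator templates is the combination worth chasing across every site's log, not just the one hit per site; the single-request pattern Robert sees is consistent with the probe case, and a clean Administrator log does not by itself show that a served h.cfm was never used.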

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353737