Thank you all.  I am going through all of the sites on that box to see if any 
discernible damage has been done and have already started implementing some of 
the steps detailed in the Lockdown Guide Dave mentioned.  What a way to start 
off the new year.
 
Scott
 

________________________________
 From: Mallory Woods <mallory.wo...@gmail.com>
To: cf-talk <cf-talk@houseoffusion.com> 
Sent: Thursday, January 3, 2013 2:50 PM
Subject: Re: What is this code doing? Is it harmful?
  

http://stackoverflow.com/questions/13099802/cfml-strange-script-found-in-hosting-
Seems that someone has dealt with this a few months ago.


On Thu, Jan 3, 2013 at 2:22 PM, Mahcsig <mahc...@mahcsig.com> wrote:

>
> It also has an option for cfexecute, and filesetlastmodified, so they could
> have covered some of their tracks that way.
>
> If CF is running as local system, they could have done some really bad
> things to the system...
>
> ~Mahcsig
>
>
> On Thu, Jan 3, 2013 at 11:05 AM, Dave Watts <dwa...@figleaf.com> wrote:
>
> >
> > > My company is running CF8 on IIS.  We have a website that doesn't get
> > > much use in between biannual meetings.
> > > I just noticed the following code that was inserted into one of the
> > > subfolder's index.cfm files.  I'm not seeing any
> > > other changes in any other file (yet) and the server doesn't appear to
> > > have taken a hit, but I'm not even sure what
> > > this code is doing, how it got there, and whether it's harmful.
> >
> > Any code that can write to your server's filesystem is potentially
> > harmful. This code appears to do that, along with listing files on
> > your filesystem and allowing viewers to download them. Both of these
> > things are potentially harmful, unless you explicitly want to do that.
> >
> > > Next steps (other than yanking out the code, which I've already
> > > done)???
> >
> > Why is CF allowed to write to the web root? If you prevent CF from
> > writing files where it generally shouldn't, you can prevent a lot of
> > these types of vulnerabilities. Preventing this may involve changing
> > CF's login from SYSTEM to a non-privileged user in addition to setting
> > filesystem permissions.
> >
> > I would recommend that you read the excellent CF 9 Lockdown Guide,
> > which I think is still on the Adobe site. Then, do the things it says
> > to do.
> >
> > Dave Watts, CTO, Fig Leaf Software
> > http://www.figleaf.com/
> > http://training.figleaf.com/
> >
> > Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> > GSA Schedule, and provides the highest caliber vendor-authorized
> > instruction at our training centers, online, or onsite.
> >
> >
>
> 



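The two checks Dave and Mahcsig describe above (can the CF service account write into the web root, and which .cfm files contain tags that write or list the filesystem or run commands) can be scripted on the IIS host. This is an added example, not code from the thread; the web root path and the CF service account name are assumptions to replace with your own values.

```powershell
# Added example (not from the thread). Placeholders: adjust $WebRoot and $CfAccount.
param(
    [string]$WebRoot   = 'C:\inetpub\wwwroot',    # assumption: IIS site root
    [string]$CfAccount = 'NT AUTHORITY\SYSTEM',   # assumption: account the CF service runs as
    [int]$Days         = 30                       # look-back window for recent changes
)

# 1. Direct ACEs granting the CF account write rights on the web root.
#    (Group membership, e.g. Administrators, is not expanded here.)
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData
$acl = Get-Acl -Path $WebRoot
$writable = $acl.Access | Where-Object {
    $_.IdentityReference.Value -ieq $CfAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $writeMask) -ne 0)
}
if ($writable) { Write-Warning "$CfAccount can write to $WebRoot" }
else           { Write-Host "OK: no direct write ACE for $CfAccount on $WebRoot" }

# 2. CFML files using tags/functions that write, list or execute.
#    Legitimate code uses these too, so each hit is a file to read by hand.
$tags = 'cffile|cfdirectory|cfexecute|FileSetLastModified|FileWrite|DirectoryList'
Get-ChildItem -Path $WebRoot -Recurse -Include *.cfm,*.cfc -File |
    Select-String -Pattern $tags -List |
    ForEach-Object { "{0}:{1}  {2}" -f $_.Path, $_.LineNumber, $_.Line.Trim() }

# 3. Recently modified files, with hashes. Mahcsig's caveat applies:
#    FileSetLastModified can backdate LastWriteTime, so treat this list as
#    incomplete and compare hashes against a known-good copy of the site.
Get-ChildItem -Path $WebRoot -Recurse -File |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
    Select-Object FullName, LastWriteTime,
        @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
```

Run it under an account that can read the ACL and every file in the site; step 1 reports only explicit ACEs, so also check the groups the service account belongs to.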
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353749