> I noticed my CF server started timing out a lot lately. Then I looked at the 
> code and on the Application.cfm page at the
> top was this code that I didn't put there. Anybody know what this is and how 
> it might have gotten on the Application.cfm
> pages of the sites on this VPS? Not sure how it got there. Any help in 
> plugging this hole would be appreciated.

The code fetches your page, outputs it, then fetches something from
somewhere else and outputs that also.

The "somewhere else" is this URL:

http://199.19.94.194/cfset2.txt

The content of that URL is:

<script language="JavaScript">function zdrViewState()
{
var a=0,m,v,t,z,x=new
Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+'
'+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();
</script>

followed by a snippet of spam for payday loans.

There are many things that could have allowed this to be injected. I
recommend that you configure CF to run as a specific user account, and
give that user account read/execute permissions to your CF files. By
default, CF runs as SYSTEM on Windows, which has full control of all
local files. It doesn't need this level of permissions. Doing this
won't close the vulnerability used to inject the code in the first
place, but it will prevent it from doing anything.

Then, once you've done that, read the CF 9 Lockdown Guide and follow
its instructions as best you can. You should do this as a matter of
course for any CF server install.

http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.
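As an added example (not part of the original thread), the following Python reimplements the decoding loop of the quoted zdrViewState() script so the hidden strings can be read without executing the JavaScript; the array values are copied from the script above.

```python
"""Decode the zdrViewState-style obfuscated script quoted above.

The script stores each string as a run of two-digit numbers and adds
(25 - len(array) + position) to each pair before turning it into a character.
"""

# The four array entries exactly as they appear in the quoted script.
ENCODED = [
    '9091968376',
    '8887918192818786347374918784939277359287883421333333338896',
    '9977918890',
    '949990793917947998942577939317',
]


def decode_entry(entry, length, a):
    """Decode one entry the way the loop body does for index l-a."""
    shift = 25 - length + a
    out = []
    # The loop consumes two digits at a time; a trailing odd digit is dropped.
    for i in range(0, len(entry) - 1, 2):
        out.append(chr(int(entry[i:i + 2]) + shift))
    return ''.join(out)


def decode_array(encoded):
    """Return the decoded array; the script walks it from last entry to first."""
    l = len(encoded)
    decoded = list(encoded)
    for a in range(1, l + 1):
        decoded[l - a] = decode_entry(encoded[l - a], l, a)
    return decoded


def render(decoded):
    """Reassemble the string the script hands to document.write()."""
    x = decoded
    # x[4] is out of range for a four-entry array; in JavaScript that
    # concatenates as the literal text 'undefined'.
    x4 = x[4] if len(x) > 4 else 'undefined'
    return '<' + x[0] + ' ' + x4 + '>.' + x[2] + '{' + x[1] + '}</' + x[0] + '>'


if __name__ == '__main__':
    print(render(decode_array(ENCODED)))
```

The output is a stylesheet that positions the `zdroq` class far off-screen, which is how the appended spam text is kept out of visitors' sight while still being served.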

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354228