Yeah, our host Hosting.com sent out an email about those vulnerabilities and we 
applied the hotfixes for those already, about 6 weeks ago I think. The only 
thing I can think of is that the CFIDE is set up as a virtual directory for these 
sites so they can use things like the FCKEditor etc. Is there another way to 
enable the use of things like that without just setting the CFIDE directory as 
a virtual directory for the entire site?


-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk] 
Sent: Saturday, February 02, 2013 11:58 AM
To: cf-talk
Subject: Re: Possible Hack?


You should also check that you have all the hotfixes installed, especially
the recent ones which plugged a vulnerability that would allow attackers to
upload files, which has been blogged and tweeted a lot.
Check your FTP logs for any hacked FTP accounts.
A general security scan against your server would be a good idea,
as well as http://hackmycf.com/




On Sat, Feb 2, 2013 at 4:48 PM, Dave Watts <dwa...@figleaf.com> wrote:

>
> > I noticed my CF server started timing out a lot lately. Then I looked at
> > the code and on the Application.cfm page at the top was this code that I
> > didn't put there. Anybody know what this is and how it might have gotten on
> > the Application.cfm pages of the sites on this VPS? Not sure how it got
> > there. Any help in plugging this hole would be appreciated.
>
> The code fetches your page, outputs it, then fetches something from
> somewhere else and outputs that also.
>
> The "somewhere else" is this URL:
>
> http://199.19.94.194/cfset2.txt
>
> The content of that URL is:
>
> <script language="JavaScript">function zdrViewState()
> {
> var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;
> while(++a<=l){m=x[l-a];
> t=z='';
> for(v=0;v<m.length;){t+=m.charAt(v++);
> if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
> t='';}}x[l-a]=z;}
> document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();
> </script>
>
> followed by a snippet of spam for payday loans.
>
> There are many things that could have allowed this to be injected. I
> recommend that you configure CF to run as a specific user account, and
> give that user account read/execute permissions to your CF files. By
> default, CF runs as SYSTEM on Windows, which has full control of all
> local files. It doesn't need this level of permissions. Doing this
> won't close the vulnerability used to inject the code in the first
> place, but it will prevent it from doing anything.
>
> Then, once you've done that, read the CF 9 Lockdown Guide and follow
> its instructions as best you can. You should do this as a matter of
> course for any CF server install.
>
>
> http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-lockdownguide-wp-ue.pdf
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
> GSA Schedule, and provides the highest caliber vendor-authorized
> instruction at our training centers, online, or onsite.
>
> 
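As an added example (not part of the thread, and not code from any of the posters), the script below re-implements the decoding loop of the pasted zdrViewState() snippet in Python so you can see what the injected <script> actually writes into the page. The four digit strings are copied from the snippet; the function names decode_array, js_index and rendered_html are my own. Each string is read two digits at a time and every pair is shifted by 25 - l + a, where l is the array length (4) and a counts from 1 as the loop walks the array backwards. Note that the snippet reads x[4] from a four-element array: in JavaScript that is undefined, so document.write emits the literal word "undefined" as a bogus attribute, which browsers ignore, and the <style> element still takes effect.

```python
"""Decode the digit-pair obfuscation used by the injected zdrViewState() script."""
from typing import List

# The four strings exactly as they appear in the pasted script.
ENCODED = [
    '9091968376',
    '8887918192818786347374918784939277359287883421333333338896',
    '9977918890',
    '949990793917947998942577939317',
]


def decode_array(x: List[str]) -> List[str]:
    """Replicate the JavaScript loop.

    The script walks the array from the last element to the first (m = x[l-a],
    a = 1..l), reads each string two digits at a time and turns every pair into
    a character with String.fromCharCode(parseInt(pair) + 25 - l + a).
    A trailing odd digit would be dropped, as in the original (t never reaches
    length 2); all four strings here have even length anyway.
    """
    l = len(x)
    out = list(x)
    for a in range(1, l + 1):
        m = x[l - a]
        shift = 25 - l + a
        chars = []
        for i in range(0, len(m) - 1, 2):
            chars.append(chr(int(m[i:i + 2]) + shift))
        out[l - a] = ''.join(chars)
    return out


def js_index(arr: List[str], i: int) -> str:
    """Mimic JavaScript array indexing: an out-of-range index yields undefined,
    which string concatenation renders as the literal text 'undefined'."""
    return arr[i] if 0 <= i < len(arr) else 'undefined'


def rendered_html(x: List[str]) -> str:
    """Rebuild the exact string the script hands to document.write()."""
    d = decode_array(x)
    return ('<' + js_index(d, 0) + ' ' + js_index(d, 4) + '>.' + js_index(d, 2)
            + '{' + js_index(d, 1) + '}</' + js_index(d, 0) + '>')


if __name__ == '__main__':
    for s in decode_array(ENCODED):
        print(s)
    print(rendered_html(ENCODED))
```

Running it shows that the four strings decode to "style", "position:absolute;top:-9999px", "zdroq" and "type='text/css'", so the browser ends up with a <style> rule that pushes anything with class "zdroq" far off-screen. In other words the script is a cloaking device: the payday-loan spam that follows it is wrapped in that class and stays invisible to visitors while search-engine crawlers still index the links, which is why site owners rarely notice this kind of injection until rankings or timeouts draw attention to it.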



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354231
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm