Garry

The hack files are not always called h.cfm. In fact that was just one name 
used by one attacker. There was also i.cfm by another attacker. Others have 
used other file names and/or other techniques as described in this blog post 
that Mark Kruger wrote that describes an exploit method I found. The file can 
be named anything, and it does not even need to be a .cfm or .cfc file. As 
this post points out 
(http://www.coldfusionmuse.com/index.cfm/2013/12/5/attack.vector.missing.template.handler), 
odds are someone was able to insert onto your server a "web shell" file 
that is granting them full access to anything they want on the server. 

The blog post by Charlie that was already mentioned is a great resource too. 

Here is what I would be doing:

1. At this point I would be changing my mail server credentials and going from 
CFAdmin mail credential settings to template level just to stop the flow of 
bogus email.
2. Locking down the CFAdmin and CFIDE or disabling it altogether. The fastest 
way on IIS would be to restrict access to CFIDE to the 127.0.0.1 IP address.
3. Next I would do a search of all text files for the existence of "<CFMAIL".
4. If a file is found then you can search for that file name in your web server 
and CF logs to see when it was first created/accessed. 

Depending on what you find it may or may not be necessary to abandon the 
server and start with a fresh setup. That is the worst case situation and we've 
run into that before.

Also remember that a fully patched CF8.0.1 server HAS the CFAdmin API exploit. 

If you need further help please contact me. Investigating hacked servers is a 
large part of what we do at CF Webtools.

Regards,
Wil



Wil Genovese
Sr. Web Application Developer/
Systems Administrator
CF Webtools
www.cfwebtools.com
wil@cfwebtools


www.trunkful.com
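A triage helper for steps 3 and 4 above, added here as an example; it is not part of Wil's reply or of any CF Webtools tooling. It scans a directory tree for any file, whatever its extension, that contains "<cfmail", then pulls the request history for each flagged path out of IIS logs in the default W3C extended format. The marker list goes beyond the "<CFMAIL" search in the reply (it also flags the cfscript mail object and the cfexecute/cffile tags a web shell usually needs); that list, the directory layout, the file contents, the log lines and the IP addresses are all constructed for the demo and are not taken from the thread.

```python
"""Added triage helper: find templates that send mail (or look like a web
shell), then pull their request history out of IIS W3C logs.
Sample files and log lines below are constructed so this runs offline."""
import re
import tempfile
from pathlib import Path

# Markers worth flagging. The thread searches for "<CFMAIL" only; the other
# entries are an assumption that generalises it to the cfscript mail object
# and to the tags a web shell needs to run commands or write files.
MARKERS = {
    "cfmail": re.compile(rb"<cfmail\b", re.IGNORECASE),
    "cfscript-mail": re.compile(rb"\bnew\s+mail\s*\(", re.IGNORECASE),
    "cfexecute": re.compile(rb"<cfexecute\b", re.IGNORECASE),
    "cffile": re.compile(rb"<cffile\b", re.IGNORECASE),
}


def find_mail_templates(root, markers=MARKERS):
    """Walk `root` and return {"/relative/path": [marker names]} for every
    file, regardless of extension, that contains at least one marker.
    Files are read as bytes so binary padding around a shell is no obstacle."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # locked or unreadable: skip rather than abort the scan
        found = [name for name, rx in markers.items() if rx.search(data)]
        if found:
            hits["/" + path.relative_to(root).as_posix()] = found
    return hits


def parse_w3c(lines):
    """Yield one dict per request line of an IIS W3C log, mapping column
    names from the #Fields directive to the values on each line."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line
        yield dict(zip(fields, values))


def log_hits(lines, flagged_paths):
    """For each flagged path: first/last request time, hit count and client
    IPs. The URI comparison is case-insensitive because IIS paths are."""
    wanted = {p.lower(): p for p in flagged_paths}
    summary = {}
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem not in wanted:
            continue
        stamp = rec["date"] + " " + rec["time"]
        entry = summary.setdefault(
            wanted[stem], {"first": stamp, "last": stamp, "count": 0, "ips": set()})
        entry["first"] = min(entry["first"], stamp)
        entry["last"] = max(entry["last"], stamp)
        entry["count"] += 1
        entry["ips"].add(rec.get("c-ip", "?"))
    return summary


# --- constructed sample data (not real server content) --------------------
SAMPLE_FILES = {
    "index.cfm": b'<cfset greeting = "hello">\n<cfoutput>#greeting#</cfoutput>\n',
    "CFIDE/h.cfm": b'<cfparam name="form.t" default="">\n'
                   b'<CFMAIL to="#form.t#" from="#form.f#" subject="#form.s#">#form.b#</CFMAIL>\n',
    # a "jpg" that is really CFML: the extension tells you nothing
    "images/banner.jpg": b'\xff\xd8\xff\xe0JUNK<cfexecute name="cmd.exe" arguments="/c whoami" timeout="5"/>',
}

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-08-10 02:14:07 10.0.0.5 GET /index.cfm - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 31
2014-08-12 03:21:55 10.0.0.5 POST /CFIDE/adminapi/administrator.cfc method=login 80 - 198.51.100.23 python-requests/2.3 200 0 0 15
2014-08-12 03:22:10 10.0.0.5 POST /cfide/h.cfm - 80 - 198.51.100.23 python-requests/2.3 200 0 0 120
2014-08-13 09:00:01 10.0.0.5 GET /images/banner.jpg - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 3
2014-08-15 11:45:33 10.0.0.5 POST /CFIDE/h.cfm - 80 - 198.51.100.23 curl/7.30 200 0 0 98
""".splitlines()


def run_demo():
    """Write the sample files to a temp dir, scan them, then match the sample
    log. Returns (flagged, summary) so the result can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        flagged = find_mail_templates(root)
    return flagged, log_hits(SAMPLE_LOG, flagged)


if __name__ == "__main__":
    flagged, summary = run_demo()
    for path, names in sorted(flagged.items()):
        info = summary.get(path)
        when = (f"{info['count']} hit(s) {info['first']} .. {info['last']} "
                f"from {', '.join(sorted(info['ips']))}") if info else "no direct requests logged"
        print(f"{path}: {', '.join(names)}; {when}")
```

Point find_mail_templates at the real web root and the CFIDE directory, and feed log_hits the IIS log files for the period in question; the first hit on the flagged file, and the requests from the same client just before it (the AdminAPI call in the sample is the pattern Jeff describes), give you the timeline. One caveat from the coldfusionmuse post linked above: a file wired in through the Missing Template Handler setting in ColdFusion Administrator is executed on requests for other, nonexistent template names, so it can be flagged by the scan yet show no direct hits in the log; check that setting, and look for runs of requests for odd .cfm names from one client, rather than concluding the file was never used.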

On Aug 18, 2014, at 3:23 PM, Jeff Garza <j...@garzasixpack.com> wrote:

> 
> What version of ColdFusion are you currently on and what's your patch 
> level?  I've seen instances where the vulnerability in the AdminAPI is 
> exploited to upload templates that mass send junk mail.  Look for a file 
> called "h.cfm" in your CFIDE folder and in your webroot.  That is the usual 
> vector for this kind of attack.
> 
> If you find it, you'll need to assume that your entire server is 
> potentially compromised as they have the ability to upload and execute any 
> code in your system...
> 
> --
> Jeff
> 
> 
> 
> -------- Original Message --------
>> From: "G T" <tran.ga...@gmail.com>
>> Sent: Monday, August 18, 2014 1:13 PM
>> To: "cf-talk" <cf-talk@houseoffusion.com>
>> Subject: Re: EMail Injection Attack
>> 
>> Hi Robert - Thanks for the reply, yes of course let me explain a bit 
>> more.
>> 
>> While checking our sent mail logs, logged by coldfusion, we noticed 
>> emails were being sent out that were not directly sent through our own 
>> pages. Spam emails that were sent to different outside emails.
>> 
>> So we can see that spam emails were sent outbound, but as of yet, we have 
>> no source of where they're coming from (ie. which pages are compromised).
>> 
>> From what I've been researching, one way this is done is by email injection - 
>> where they use form submissions to inject their own coldfusion code to form 
>> their own 'cfmail' sends. 
>> http://www.asadesigner.com/13-coldfusion/07d6a249de5791e6.htm
>> 
>> Please let me know if you need additional info
>> 
>>> Can you explain a bit more what you mean by email injection attack?
>>> Do you mean someone is spamming forms that generate forms email, or is
>>> someone using some application you have to generate spam? Can you
>>> provide a slightly better explanation of what's happening?
>>> 
>>> 
>>> Robert Harrison
>>> Director of Interactive Services
>>> 
>>> Austin & Williams
>>> Advertising I Branding I Digital I Direct  
>>> 125 Kennedy Drive,  Suite 100   I  Hauppauge, NY 11788
>>> T 631.231.6600 X 119   F 631.434.7022  
>>> http://www.austin-williams.com
>>> 
>>> Blog: http://www.austin-williams.com/blog
>>> Twitter: http://www.twitter.
>> com/austin_
>> 
>> 
> 
> 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359146
