Hi, I've just discovered that one of my servers, running 9.02, has been hacked. I'm not sure of the update level, because the hack is visible in the administrator and prevents its use.
It's not the old h.cfm hack. I haven't been able to find any references to what I'm seeing, but I hope someone else knows what's up. I have not seen any obvious problems caused in the sites delivered from the server. It became evident when I tried to log in to the admin today to check on something.

The immediate symptoms are that an ad appears in an iframe below the CF Admin login inputs; the username input label has been restyled and appears to have a link behind it. A recurring popup says "The page at b1.zcxbtm.com says: WARNING, Your Java version is outdated, have security risks, Please update now."

Naturally, none of this is visible in View Source. No reference to other files and scripts. The View Source is identical to one on a non-hacked server.

The CF Admin is not publicly accessible - at least not normally. I can see that a site was added and used temporarily which had a virtual directory pointing to the admin, most likely one created by running the config tool. That site is dead now, but it could easily have been a vector at one time.

The CF service _is_ running under the System account. I know this is bad practice, but I didn't set up the server.

Any suggestions for troubleshooting this would be greatly appreciated. And I'll certainly be happy to provide any other details I can.

--
Thanks,

Tom

Tom McNeer
MediumCool
http://www.mediumcool.com
1735 Johnson Road NE
Atlanta, GA 30306
404.589.0560

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359621