Tom,

My one question is you say that view source is identical from a hacked and
non-hacked server - that seems odd. There are a number of hacks that could
produce results that manipulate your files by adding content.

This one uses the missing file handler:
http://www.coldfusionmuse.com/index.cfm/2013/12/5/attack.vector.missing.template.handler

and can alter files.

This one uses the (bad) practice of moving files to a URL accessible
folder before checking them - or relying JUST on the file extension.
http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector

Either one of these is capable of producing an iframe or adding content to
files etc. Of course there are others - bad news I know. Sometimes the best
solution in these cases (the one that gives you the most reassurance and
least amount of time spent) is to reinstall on a pristine server - from a
repo if you have it. 

-Mark

P.S. let CFWT know if you need formal help on this.

Mark Kruger - CFG
CF Webtools
www.cfwebtools.com
www.coldfusionmuse.com
O: 402.932.3318
E: mkru...@cfwebtools.com
Skype: markakruger
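Mark's second vector above (files moved to a URL-accessible folder before they are checked, or checked by extension alone) is the one a handler can actually defend against. The following is an added example, not code from this thread or from the ColdFusion Muse posts; it is in Python rather than CFML so it runs stand-alone, and the quarantine and webroot directories plus both sample files are constructed inside it.

```python
import os
import shutil
import tempfile

# Magic bytes for the only content types this handler will publish.
ALLOWED_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
}
# If any of these appear in the head of the file it is script, whatever the
# extension or magic bytes claim (catches image/script polyglots too).
SCRIPT_MARKERS = (b"<cfscript", b"<cfexecute", b"<cffile", b"<?php", b"<script")

def classify_upload(path):
    """Return the safe extension for a file, or None if it must be rejected."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if any(marker in head.lower() for marker in SCRIPT_MARKERS):
        return None
    for magic, ext in ALLOWED_SIGNATURES.items():
        if head.startswith(magic):
            return ext
    return None

def publish_upload(quarantine_path, public_dir):
    """Move a quarantined upload into the public folder only if it checks out."""
    # The client-supplied extension is ignored; the stored name follows the
    # detected content type, so nothing the uploader named ever becomes .cfm.
    ext = classify_upload(quarantine_path)
    if ext is None:
        os.remove(quarantine_path)  # a rejected file never reaches the webroot
        return None
    base = os.path.splitext(os.path.basename(quarantine_path))[0]
    dest = os.path.join(public_dir, base + ext)
    shutil.move(quarantine_path, dest)
    return dest

def demo():
    """Constructed samples: a genuine PNG and a PNG/CFML polyglot named .png."""
    root = tempfile.mkdtemp()
    quarantine = os.path.join(root, "quarantine")          # assumed: outside webroot
    public = os.path.join(root, "webroot", "uploads")      # assumed: URL-accessible
    os.makedirs(quarantine)
    os.makedirs(public)
    good = os.path.join(quarantine, "logo.png")
    bad = os.path.join(quarantine, "photo.png")
    with open(good, "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(bad, "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n<cfscript>/* constructed marker */</cfscript>")
    return publish_upload(good, public), publish_upload(bad, public), sorted(os.listdir(public))
```

The polyglot passes the magic-byte test alone, which is why the marker scan runs first; the check happens while the file is still in quarantine, so nothing is reachable by URL until it has been accepted.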



-----Original Message-----
From: Tom McNeer [mailto:tmcn...@gmail.com] 
Sent: Wednesday, November 12, 2014 10:40 AM
To: cf-talk
Subject: CF9.02 administrator hack


Hi,

I've just discovered that one of my servers, running 9.02, has been hacked.
I'm not sure of the update level, because the hack is visible in the
administrator and prevents its use.

It's not the old h.cfm hack. I haven't been able to find any references to
what I'm seeing, but I hope someone else knows what's up.

I have not seen any obvious problems caused in the sites delivered from the
server. It became evident when I tried to log in to the admin today to
check on something.

The immediate symptoms are that an ad appears in an iframe below the CF
Admin login inputs; the username input label has been restyled and appears
to have a link behind it.

A recurring popup says "The page at b1.zcxbtm.com says: WARNING, Your Java
version is outdated, have security risks, Please update now."

Naturally, none of this is visible in View Source. No reference to other
files and scripts. The View Source is identical to one on a non-hacked
server.

The CF Admin is not publicly accessible - at least not normally. I can see
that a site was added and used temporarily which had a virtual directory
pointing to the admin, most likely one created by running the config tool.
That site is dead now, but it could easily have been a vector at one time.

The CF service _is_ running under the System account. I know this is bad
practice, but I didn't set up the server.

Any suggestions for troubleshooting this would be greatly appreciated. And
I'll certainly be happy to provide any other details I can.

-- 
Thanks,

Tom

Tom McNeer
MediumCool
http://www.mediumcool.com
1735 Johnson Road NE
Atlanta, GA 30306
404.589.0560




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359622