Hi Mark,

On Wed, Nov 12, 2014 at 12:33 PM, Mark A Kruger <mkru...@cfwebtools.com> wrote:

> My one question is you say that view source is identical from a hacked and
> non hacked server - that seems odd.

Extremely. That's why I mentioned it. I both looked through the source in a browser and saved it and did a file compare locally. There was no evidence of any additional scripting.

> This one uses the missing file handler:
>
> http://www.coldfusionmuse.com/index.cfm/2013/12/5/attack.vector.missing.template.handler

Thanks. Yes, I had already read that post, and now I've read the second. But it doesn't seem to have been the former (I'll explain in a minute), and while the latter situation is possible (there is one area where an image could be uploaded to a web-accessible directory), the form is secured by an admin login. So it's less likely.

What's terminally weird is that I just remoted in to the server again, and the problem has disappeared. I know that doesn't mean it's "gone," but the admin is appearing, and working, cleanly now. And the missing template handler input field is blank, so I guess it wasn't that particular attack.

And the only change I had made was to delete the old, temporary site I mentioned, the one that did accidentally have a virtual directory for CFIDE, from IIS. The site was not running, and hadn't been for a long time. But it did still exist as an entry in IIS. I can't imagine how that change would make a difference. It's just the only change that was made between my two logins.

Obviously, I still hope someone has seen a similar attack, because I'm not all that relieved that the symptom has gone away.

Thanks for your suggestions. If I need more formal help, I'll definitely yell.

> and can alter files.
>
> This one that uses the (bad) practice of moving files to a URL accessible
> folder before checking them - or relying JUST on the file extension.
>
> http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector
>
> Either one of these is capable of producing an iframe or adding content to
> files etc. Of course there are others - bad news I know. Sometimes the best
> solution in these cases (the one that gives you the most reassurance and
> least amount of time spent) is to reinstall on a pristine server - from a
> repo if you have it.
>
> -Mark
>
> P.S. let CFWT know if you need formal help on this.
>
> Mark Kruger - CFG
> CF Webtools
> www.cfwebtools.com
> www.coldfusionmuse.com
> O: 402.932.3318
> E: mkru...@cfwebtools.com
> Skype: markakruger
>
>
> -----Original Message-----
> From: Tom McNeer [mailto:tmcn...@gmail.com]
> Sent: Wednesday, November 12, 2014 10:40 AM
> To: cf-talk
> Subject: CF9.02 administrator hack
>
>
> Hi,
>
> I've just discovered that one of my servers, running 9.02, has been hacked.
> I'm not sure of the update level, because the hack is visible in the
> administrator and prevents its use.
>
> It's not the old h.cfm hack. I haven't been able to find any references to
> what I'm seeing, but I hope someone else knows what's up.
>
> I have not seen any obvious problems caused in the sites delivered from the
> server. It became evident when I tried to log in to the admin today to
> check on something.
>
> The immediate symptoms are that an ad appears in an iframe below the CF
> Admin login inputs; the username input label has been restyled and appears
> to have a link behind it.
>
> A recurring popup says "The page at b1.zcxbtm.com says: WARNING, Your Java
> version is outdated, have security risks, Please update now."
>
> Naturally, none of this is visible in View Source. No reference to other
> files and scripts. The View Source is identical to one on a non-hacked
> server.
>
> The CF Admin is not publicly accessible - at least not normally. I can see
> that a site was added and used temporarily which had a virtual directory
> pointing to the admin, most likely one created by running the config tool.
> That site is dead now, but it could easily have been a vector at one time.
>
> The CF service _is_ running under the System account. I know this is bad
> practice, but I didn't set up the server.
>
> Any suggestions for troubleshooting this would be greatly appreciated. And
> I'll certainly be happy to provide any other details I can.
>
> --
> Thanks,
>
> Tom
>
> Tom McNeer
> MediumCool
> http://www.mediumcool.com
> 1735 Johnson Road NE
> Atlanta, GA 30306
> 404.589.0560

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359623
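The thread's central puzzle is that View Source on the hacked admin matched a clean server while the rendered page carried an injected iframe, and Mark's advice is to compare against a pristine install. The following is an added example (not code from the thread, from CF Webtools or from Adobe) of the two checks a responder would run on disk before trusting what the browser shows: a hash comparison of the live CFIDE tree against a known-good copy, and a scan of the assets that HTML actually pulls in (scripts, stylesheets, templates) for references to hosts outside an allowlist. Since an unchanged HTML page can still load a tampered .js or .css file, this is where an injection that is invisible in View Source would live. Paths, the allowlist and the sample tree below are constructed for illustration.

```python
"""Diff a ColdFusion web tree (e.g. CFIDE) against a pristine copy and flag
assets that reference external hosts. Added example; the sample files are
constructed inline, not taken from a real server."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Asset types that a page can pull in without changing its own HTML.
TEXT_SUFFIXES = {".js", ".css", ".cfm", ".htm", ".html"}
# Assumption: a locally administered CF admin should reference no third-party hosts.
DEFAULT_ALLOWED = {"localhost", "127.0.0.1"}
# Matches http://host, https://host and protocol-relative //host references.
URL_RE = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """{relative path: sha256} for every file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def find_modified(baseline: Path, target: Path) -> dict:
    """Return {relpath: 'modified' | 'added' | 'missing'} relative to the pristine copy."""
    base, cur = manifest(baseline), manifest(target)
    result = {}
    for rel, digest in cur.items():
        if rel not in base:
            result[rel] = "added"        # new file, e.g. a dropped web shell
        elif base[rel] != digest:
            result[rel] = "modified"     # known file with altered content
    for rel in base:
        if rel not in cur:
            result[rel] = "missing"
    return result


def find_external_refs(path: Path, allowed=DEFAULT_ALLOWED) -> set:
    """Hosts referenced by URL inside one text asset, minus the allowlist."""
    text = path.read_text(errors="replace")
    return {h.lower() for h in URL_RE.findall(text) if h.lower() not in allowed}


def scan_tree(root: Path, allowed=DEFAULT_ALLOWED) -> dict:
    """{relpath: {hosts}} for every script/style/template that points off-box."""
    hits = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in TEXT_SUFFIXES:
            refs = find_external_refs(p, allowed)
            if refs:
                hits[str(p.relative_to(root)).replace(os.sep, "/")] = refs
    return hits


def build_sample() -> tuple:
    """Constructed sample: a clean copy and a live copy whose HTML is untouched
    but whose included script has been tampered with and a file added."""
    tmp = Path(tempfile.mkdtemp())
    base, cur = tmp / "pristine" / "CFIDE", tmp / "live" / "CFIDE"
    for root in (base, cur):
        (root / "administrator").mkdir(parents=True)
        (root / "scripts").mkdir(parents=True)
        (root / "administrator" / "index.cfm").write_text('<cfinclude template="login.cfm">\n')
        (root / "scripts" / "cfform.js").write_text("function cfform(){}\n")
    # Only the live copy is tampered: View Source of index.cfm would still match.
    (cur / "scripts" / "cfform.js").write_text(
        "function cfform(){}\n"
        "document.write('<iframe src=\"//ads.example.invalid/x\"></iframe>');\n")
    (cur / "scripts" / "h.js").write_text("var x=1;\n")
    return base, cur


if __name__ == "__main__":
    pristine, live = build_sample()
    for rel, state in sorted(find_modified(pristine, live).items()):
        print(f"{state:9} {rel}")
    for rel, hosts in sorted(scan_tree(live).items()):
        print(f"external  {rel} -> {', '.join(sorted(hosts))}")
```

Point the two roots at a copy of CFIDE from a fresh install of the same CF version and patch level and at the live web root; anything reported as modified or added deserves a look, and any host outside the allowlist in an included asset is the first place to expect the iframe that View Source does not show. The regex is deliberately loose (a `//` comment followed by a dotted word will match), so treat hits as leads to read, not verdicts.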