> Scenario:
>
> It looks as though one or two of our servers have been hacked at some
> point (anytime between now and last August). Someone has just sent us an
> e-mail saying that there was a file in the CFIDE directory called iindex.cfm,
> written by Kevin Klinsky. Calling it appears to display a browsable folder
> view, allowing people to delete files.
>
> I did a search for the same file on the other servers and found a copy in
> another CFIDE directory. Along with it was reg.cfm which used CFREGISTRY
> (enabled on that server) to disable the Admin and Studio passwords. A third
> file called spawn.cfm ran CFX_Spawnl, passing it the attribute
> ARG0="C:\winnt\ipsvcs.exe", presumably executing the file. The template then
> displayed Spawnl and SpawnlError.
>
> The .exe was in the WINNT directory on that server. Does anyone know what
> happens when it's run?
>
> The CFX doesn't appear in the CF Administrator on that box and searching
> the registry for "spawnl" didn't find anything.

SpawnL is a cfx I wrote ages ago. It simply allows you to spawn off a
process (an exe or a bat) and run it like you would at the command prompt.
Sort of like CFEXECUTE.

Also, ages ago, I wrote a script called cf_autoaddcfx which shows how to add
or delete cfx tags on any machine that has CFREGISTRY turned on.

They're both at http://www.intrafoundation.com/freeware.html. I assume
anyone that downloaded cfx_spawnl also knows all about cf_autoaddcfx.

These are all things that are... well... forces for good in the right hands,
but in others they're stepping stones useful to hack a machine if you know
what you're doing.

My guess is someone uploaded these files to a web-reachable part of the
site, and used them to ultimately make your machines zombie slaves.

--min

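The three templates described in the thread (a folder browser that can delete files, a CFREGISTRY call that blanks the Administrator password, and a CFX_Spawnl call that launches an executable) all leave recognisable tags in the .cfm source. The following is an added example, not code from the thread or from intrafoundation.com: a read-only triage scanner that walks a ColdFusion webroot and reports templates containing CFREGISTRY, CFX_ custom tags, CFEXECUTE, or CFDIRECTORY/CFFILE delete actions, along with any ARG0 value passed to a CFX tag. The file names, directory layout and template contents in `demo()` are constructed for the example; the tag patterns are standard CFML syntax.

```python
"""Read-only triage scanner for ColdFusion webroots (added example).

It reports templates that use capabilities the incident relied on; it
never modifies or deletes anything.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# CFML tags are case-insensitive, so every pattern is compiled with re.I.
# (label, regex) pairs; a template is flagged if any pattern matches.
SUSPICIOUS_PATTERNS = [
    ("cfregistry", re.compile(r"<\s*cfregistry\b", re.I)),
    ("cfx_custom_tag", re.compile(r"<\s*cfx_\w+", re.I)),
    ("cfexecute", re.compile(r"<\s*cfexecute\b", re.I)),
    ("cfdirectory_delete",
     re.compile(r"<\s*cfdirectory\b[^>]*\baction\s*=\s*[\"']?delete", re.I | re.S)),
    ("cffile_delete",
     re.compile(r"<\s*cffile\b[^>]*\baction\s*=\s*[\"']?delete", re.I | re.S)),
]

# ARG0="..." is how a path is handed to a CFX tag such as CFX_Spawnl.
ARG0_RE = re.compile(r"\bARG0\s*=\s*[\"']([^\"']+)[\"']", re.I)

TEMPLATE_EXTENSIONS = (".cfm", ".cfml", ".cfc")


@dataclass
class Finding:
    path: str
    labels: list = field(default_factory=list)   # which patterns matched
    arg_hits: list = field(default_factory=list)  # ARG0 values, if any


def scan_template(path, text):
    """Return a Finding for one template's source, or None if it is clean."""
    labels = [label for label, rx in SUSPICIOUS_PATTERNS if rx.search(text)]
    if not labels:
        return None
    return Finding(path=path, labels=labels, arg_hits=ARG0_RE.findall(text))


def scan_tree(root, known_good=frozenset()):
    """Walk `root` and return Findings for every flagged template.

    `known_good` holds lower-cased file names to skip (e.g. shipped
    administrator templates you have already verified by hash).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(TEMPLATE_EXTENSIONS):
                continue
            if name.lower() in known_good:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            finding = scan_template(full, text)
            if finding is not None:
                findings.append(finding)
    return findings


def demo():
    """Build a constructed CFIDE tree mirroring the thread and scan it.

    Returns a sorted list of (file name, labels) so the result is
    deterministic regardless of os.walk ordering.
    """
    # Constructed sample templates: minimal markers, not working tools.
    samples = {
        "CFIDE/iindex.cfm": '<cfdirectory action="delete" directory="#url.d#">',
        "CFIDE/reg.cfm": '<CFREGISTRY action="set" branch="HKEY_LOCAL_MACHINE">',
        "CFIDE/spawn.cfm": '<CFX_Spawnl ARG0="C:\\winnt\\ipsvcs.exe">'
                           '<cfoutput>#Spawnl# #SpawnlError#</cfoutput>',
        "CFIDE/administrator/index.cfm": "<cfoutput>Administrator</cfoutput>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_tree(root)
    return sorted((os.path.basename(f.path), f.labels) for f in findings)


if __name__ == "__main__":
    for name, labels in demo():
        print(f"{name}: {', '.join(labels)}")
```

This is a source-level check only: it finds templates that *call* a CFX tag, not whether the tag is registered. As the thread notes, the CFX may not appear in the Administrator or the registry at all, so treat any CFX_ reference in a web-reachable directory as worth a look on its own, and compare the remaining CFIDE files against a clean install rather than trusting names alone.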

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/