FW: CF9.02 administrator hack
Tom,

My one question is you say that view source is identical from a hacked and non hacked server - that seems odd. There are a number of hacks that could produce results that manipulate your files by adding content.

This one uses the missing file handler: http://www.coldfusionmuse.com/index.cfm/2013/12/5/attack.vector.missing.template.handler and can alter files.

This one uses the (bad) practice of moving files to a URL accessible folder before checking them - or relying JUST on the file extension: http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector

Either one of these is capable of producing an iframe or adding content to files etc. Of course there are others - bad news I know. Sometimes the best solution in these cases (the one that gives you the most reassurance and least amount of time spent) is to reinstall on a pristine server - from a repo if you have it.

-Mark

P.S. let CFWT know if you need formal help on this.

Mark Kruger - CFG
CF Webtools
www.cfwebtools.com
www.coldfusionmuse.com
O: 402.932.3318
E: mkru...@cfwebtools.com
Skype: markakruger

-----Original Message-----
From: Tom McNeer [mailto:tmcn...@gmail.com]
Sent: Wednesday, November 12, 2014 10:40 AM
To: cf-talk
Subject: CF9.02 administrator hack

Hi,

I've just discovered that one of my servers, running 9.02, has been hacked. I'm not sure of the update level, because the hack is visible in the administrator and prevents its use. It's not the old h.cfm hack. I haven't been able to find any references to what I'm seeing, but I hope someone else knows what's up.

I have not seen any obvious problems caused in the sites delivered from the server. It became evident when I tried to log in to the admin today to check on something.

The immediate symptoms are that an ad appears in an iframe below the CF Admin login inputs; the username input label has been restyled and appears to have a link behind it. A recurring popup says "The page at b1.zcxbtm.com says: WARNING, Your Java version is outdated, have security risks, Please update now."

Naturally, none of this is visible in View Source. No reference to other files and scripts. The View Source is identical to one on a non-hacked server.

The CF Admin is not publicly accessible - at least not normally. I can see that a site was added and used temporarily which had a virtual directory pointing to the admin, most likely one created by running the config tool. That site is dead now, but it could easily have been a vector at one time.

The CF service _is_ running under the System account. I know this is bad practice, but I didn't set up the server.

Any suggestions for troubleshooting this would be greatly appreciated. And I'll certainly be happy to provide any other details I can.

--
Thanks,
Tom

Tom McNeer
MediumCool
http://www.mediumcool.com
1735 Johnson Road NE
Atlanta, GA 30306
404.589.0560

~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359622
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
Re: FW: CF9.02 administrator hack
Hi Mark,

On Wed, Nov 12, 2014 at 12:33 PM, Mark A Kruger mkru...@cfwebtools.com wrote:

> My one question is you say that view source is identical from a hacked and non hacked server - that seems odd.

Extremely. That's why I mentioned it. I both looked through the source in a browser and saved it and did a file compare locally. There was no evidence of any additional scripting.

> This one uses the missing file handler:
> http://www.coldfusionmuse.com/index.cfm/2013/12/5/attack.vector.missing.template.handler

Thanks. Yes, I had already read that post, and now I've read the second. But it doesn't seem to have been the former (I'll explain in a minute), and while the latter situation is possible (there is one area where an image could be uploaded to a web-accessible directory), the form is secured by an admin login. So it's less likely.

What's terminally weird is that I just remoted in to the server again, and the problem has disappeared. I know that doesn't mean it's gone, but the admin is appearing, and working, cleanly now. And the missing template handler input field is blank, so I guess it wasn't that particular attack.

And the only change I had made was to delete the old, temporary site I mentioned, the one that did accidentally have a virtual directory for CFIDE, from IIS. The site was not running, and hadn't been for a long time. But it did still exist as an entry in IIS. I can't imagine how that change would make a difference. It's just the only change that was made between my two logins.

Obviously, I still hope someone has seen a similar attack, because I'm not all that relieved that the symptom has gone away.

Thanks for your suggestions. If I need more formal help, I'll definitely yell.

> and can alter files.
>
> This one uses the (bad) practice of moving files to a URL accessible folder before checking them - or relying JUST on the file extension: http://www.coldfusionmuse.com/index.cfm/2009/9/18/script.insertion.attack.vector
>
> Either one of these is capable of producing an iframe or adding content to files etc. Of course there are others - bad news I know. Sometimes the best solution in these cases (the one that gives you the most reassurance and least amount of time spent) is to reinstall on a pristine server - from a repo if you have it.
>
> -Mark
>
> P.S. let CFWT know if you need formal help on this.
>
> Mark Kruger - CFG
> CF Webtools
> www.cfwebtools.com
> www.coldfusionmuse.com
> O: 402.932.3318
> E: mkru...@cfwebtools.com
> Skype: markakruger
>
> -----Original Message-----
> From: Tom McNeer [mailto:tmcn...@gmail.com]
> Sent: Wednesday, November 12, 2014 10:40 AM
> To: cf-talk
> Subject: CF9.02 administrator hack
>
> Hi,
>
> I've just discovered that one of my servers, running 9.02, has been hacked. I'm not sure of the update level, because the hack is visible in the administrator and prevents its use. It's not the old h.cfm hack. I haven't been able to find any references to what I'm seeing, but I hope someone else knows what's up.
>
> I have not seen any obvious problems caused in the sites delivered from the server. It became evident when I tried to log in to the admin today to check on something.
>
> The immediate symptoms are that an ad appears in an iframe below the CF Admin login inputs; the username input label has been restyled and appears to have a link behind it. A recurring popup says "The page at b1.zcxbtm.com says: WARNING, Your Java version is outdated, have security risks, Please update now."
>
> Naturally, none of this is visible in View Source. No reference to other files and scripts. The View Source is identical to one on a non-hacked server.
>
> The CF Admin is not publicly accessible - at least not normally. I can see that a site was added and used temporarily which had a virtual directory pointing to the admin, most likely one created by running the config tool. That site is dead now, but it could easily have been a vector at one time.
>
> The CF service _is_ running under the System account. I know this is bad practice, but I didn't set up the server.
>
> Any suggestions for troubleshooting this would be greatly appreciated. And I'll certainly be happy to provide any other details I can.
>
> --
> Thanks,
> Tom
>
> Tom McNeer
> MediumCool
> http://www.mediumcool.com
> 1735 Johnson Road NE
> Atlanta, GA 30306
> 404.589.0560

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359623
Re: FW: CF9.02 administrator hack
> My one question is you say that view source is identical from a hacked and non hacked server - that seems odd. There are a number of hacks that could produce results that manipulate your files by adding content.

Not necessarily. There's no reason that content can't be injected at serve time. You can do this in CF using the onRequest event in Application.cfc, but you can also do it at a lower level via Java servlet filters. For CF, those are the first places I'd look.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business (SDVOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359624
Re: FW: CF9.02 administrator hack
> Obviously, I still hope someone has seen a similar attack, because I'm not all that relieved that the symptom has gone away.

Honestly, I would assume the worst, and do the following. Back up server settings and the source files themselves, review the server settings manually, review the source files (hopefully less manually), and build a clean CF/IIS install following the lockdown guides where possible/appropriate. Then, deploy the server settings and source to the new install.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359625
Re: FW: CF9.02 administrator hack
> There's no reason that content can't be injected at serve time.

In this case, there would be a difference in the files delivered to the visitor. IMO the hack is in the browser, not on the server.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359626
Re: FW: CF9.02 administrator hack
> > There's no reason that content can't be injected at serve time.
>
> In this case, there would be a difference in the files delivered to the visitor. IMO the hack is in the browser, not on the server.

Yes, I missed the reference by the original poster about using view source. If that's the case, the problem is almost certainly in the browser itself or some other piece of malware installed on the client.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359627
RE: FW: CF9.02 administrator hack
Claude,

The idea that there's no visible indication in the view source makes me consider that as well - but why would it just appear on a login page for the cfadmin? Perhaps it looks for specific form field names and throws up the java out of date message to prey on fears of folks logging in to various things...

-Mark

-----Original Message-----
From: Claude Schnéegans [mailto:schneeg...@internetique.com]
Sent: Wednesday, November 12, 2014 1:40 PM
To: cf-talk
Subject: Re: FW: CF9.02 administrator hack

> There's no reason that content can't be injected at serve time.

In this case, there would be a difference in the files delivered to the visitor. IMO the hack is in the browser, not on the server.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359628
Re: FW: CF9.02 administrator hack
> The idea that there's no visible indication in the view source makes me consider that as well - but why would it just appear on a login page for the cfadmin? Perhaps it looks for specific form field names and throws up the java out of date message to prey on fears of folks logging in to various things...

There are two possibilities here. One is that, while it doesn't show up in the view source for a given page, a JS library referenced in the page has been compromised to rewrite page content. The other is that there's a local malware issue that's rewriting the page content. In either case, it could be designed only to respond to specific URLs or URL patterns.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359629
Re: FW: CF9.02 administrator hack
> but why would it just appear on a login page for the cfadmin?

Who knows what may happen or not happen in some hacker's mind? ;-)

> Perhaps it looks for specific form field names ...

... especially input fields of type PASSWORD! The hacker may be more interested in getting access to the CF Administrator where he could do much more harm.

I have implemented in my system a JavaScript error log, and you can't imagine how many errors I get in code not even on my server. There are plenty of scripts added to every page by hacked browsers, for any purpose, generally ad trackers etc. And I only track errors, not scripts that cause no errors.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359630
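Two of the checks discussed in this thread, as an added example that is not code from any poster here: Dave's point that a referenced script or local malware can rewrite the page after the clean source has loaded (so the live DOM, not View Source, is what to inspect), and Claude's JavaScript error log, narrowed to errors raised by code that your server did not serve. The server name, file paths and sample DOM below are constructed; only the host b1.zcxbtm.com comes from Tom's report.

```javascript
// Added example, not code from any poster in this thread: inventory the
// <script>/<iframe> sources the live DOM contains, flag those not served by
// the page's own origin, and keep an error log of failures in foreign code.
// Pure functions first (they run under Node); the last block wires them to
// a browser when one is present.

// Resolve a src (absolute or page-relative) to its origin. Returns null when
// the value does not parse; opaque schemes such as javascript: yield the
// string "null", which is never allowlisted and so gets reported.
function originOf(src, pageUrl) {
  try { return new URL(src, pageUrl).origin; } catch (e) { return null; }
}

// resources: [{tag, src}] from the DOM; allowlist: origins you load from on
// purpose (a CDN, say). Returns every entry that comes from anywhere else.
function foreignResources(pageUrl, resources, allowlist = []) {
  const allowed = new Set([new URL(pageUrl).origin, ...allowlist]);
  return resources
    .filter(r => typeof r.src === 'string' && r.src.trim() !== '')
    .map(r => ({ tag: r.tag, src: r.src, origin: originOf(r.src, pageUrl) }))
    .filter(r => !allowed.has(r.origin));
}

// Error-log filter: keep a record only if the script that raised the error
// was not served by us. ev mirrors the fields of a browser ErrorEvent.
function foreignErrorRecord(pageUrl, ev) {
  const origin = ev.filename ? originOf(ev.filename, pageUrl) : null;
  if (origin === new URL(pageUrl).origin) return null; // our own bug
  return { page: pageUrl, source: ev.filename || '(inline or unknown)',
           origin, message: ev.message, line: ev.lineno };
}

// Constructed sample: the CF Administrator login page as Tom described it,
// with one legitimate same-origin script plus an injected ad iframe and a
// script from the host named in his popup. Server name and file paths are
// made up; only b1.zcxbtm.com comes from the thread.
const PAGE = 'http://cfserver.example/CFIDE/administrator/index.cfm';
const SAMPLE_DOM = [
  { tag: 'script', src: '/CFIDE/scripts/cfform.js' },
  { tag: 'script', src: 'http://b1.zcxbtm.com/inject.js' },
  { tag: 'iframe', src: '//b1.zcxbtm.com/ad.html?kw=java' },
  { tag: 'script', src: '' },                      // inline script: ignored
];

function demo() {
  const found = foreignResources(PAGE, SAMPLE_DOM);
  const err = foreignErrorRecord(PAGE, {
    message: 'Uncaught ReferenceError: jq is not defined',
    filename: 'http://b1.zcxbtm.com/inject.js', lineno: 17 });
  return { found, err };
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  // Capture phase also sees resource load failures (they carry no filename).
  window.addEventListener('error', ev => {
    const rec = foreignErrorRecord(location.href, ev);
    if (rec) console.warn('foreign script error', rec);
  }, true);
  window.addEventListener('DOMContentLoaded', () => {
    const dom = Array.from(document.querySelectorAll('script[src], iframe[src]'))
      .map(el => ({ tag: el.tagName.toLowerCase(), src: el.getAttribute('src') }));
    const found = foreignResources(location.href, dom);
    if (found.length) console.warn('foreign page resources', found);
  });
} else {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Because the DOM snapshot is taken in the browser after scripts have run, it sees what an injected script or client-side malware added, which is exactly what a file compare of View Source against a clean server cannot show.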
Re: FW: CF9.02 administrator hack
> One is that, while it doesn't show up in the view source for a given page, a JS library referenced in the page has been compromised to rewrite page content.

Of course, this is quite possible in theory, however it would imply that the hacker has already hacked the server, and one could ask what he is still trying to hack.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359631
Re: FW: CF9.02 administrator hack
I appreciate all the suggestions - and I especially appreciate when you step in, Dave. Certainly, I'm considering a clean installation.

But as a followup: Dave's comment that "the problem is almost certainly in the browser itself or some other piece of malware installed on the client" brings up lots of other possibilities.

To be clear (since some other folks have misunderstood this), I can't say that this hack appears *only* in the CF Admin login page, or only in the CF Admin. I have the browser on the server set to the CF admin as a default, because that's what I use the browser for - administering CF. So the hacks appeared immediately after the browser was started and the first page loaded -- which *happened* to be the CF Admin.

It's entirely possible, as Dave suggests, that the problem isn't related to CF at all, now that we've discussed it. That doesn't make it less of a problem. In fact, it means there are lots of other possible vectors.

On Wed, Nov 12, 2014 at 3:29 PM, wrote:

> > One is that, while it doesn't show up in the view source for a given page, a JS library referenced in the page has been compromised to rewrite page content.
>
> Of course, this is quite possible in theory, however it would imply that the hacker has already hacked the server, and one could ask what he is still trying to hack.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359632
Re: FW: CF9.02 administrator hack
One more followup: whatever this is, it isn't related to CF. I jumped to the wrong conclusion.

The problem reappeared when I was in the CF admin page, long after I'd logged on. But then I opened another browser and purposely asked for a local page that didn't exist. The IIS error page contained ads.

Again, this doesn't make me feel a whole lot better. But folks should know that this is not a new CF attack.

On Wed, Nov 12, 2014 at 3:56 PM, Tom McNeer tmcn...@gmail.com wrote:

> I appreciate all the suggestions - and I especially appreciate when you step in, Dave. Certainly, I'm considering a clean installation.
>
> But as a followup: Dave's comment that "the problem is almost certainly in the browser itself or some other piece of malware installed on the client" brings up lots of other possibilities.
>
> To be clear (since some other folks have misunderstood this), I can't say that this hack appears *only* in the CF Admin login page, or only in the CF Admin. I have the browser on the server set to the CF admin as a default, because that's what I use the browser for - administering CF. So the hacks appeared immediately after the browser was started and the first page loaded -- which *happened* to be the CF Admin.
>
> It's entirely possible, as Dave suggests, that the problem isn't related to CF at all, now that we've discussed it. That doesn't make it less of a problem. In fact, it means there are lots of other possible vectors.
>
> On Wed, Nov 12, 2014 at 3:29 PM, wrote:
>
> > > One is that, while it doesn't show up in the view source for a given page, a JS library referenced in the page has been compromised to rewrite page content.
> >
> > Of course, this is quite possible in theory, however it would imply that the hacker has already hacked the server, and one could ask what he is still trying to hack.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359633
Re: FW: CF9.02 administrator hack
> > One is that, while it doesn't show up in the view source for a given page, a JS library referenced in the page has been compromised to rewrite page content.
>
> Of course, this is quite possible in theory, however it would imply that the hacker has already hacked the server, and one could ask what he is still trying to hack.

That's pretty obvious: the client. Lots of server hacks are pretty trivial in their effect on the server, and are ultimately aimed at compromising clients (whether the client is a browser or a search engine).

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359636
Re: FW: CF9.02 administrator hack
Wil,

Thanks. I'd already checked that. Mark chimed in earlier, and it's his post.

Pete,

Thanks. I was so concerned that the server was compromised in a way that would affect its performance as a server, I hadn't had a chance to start googling the text itself.

And Dave,

Thanks again. Yes, it's just a client-side problem. And Pete seems to have identified the particular hack.

On Wed, Nov 12, 2014 at 5:13 PM, Dave Watts dwa...@figleaf.com wrote:

> > > One is that, while it doesn't show up in the view source for a given page, a JS library referenced in the page has been compromised to rewrite page content.
> >
> > Of course, this is quite possible in theory, however it would imply that the hacker has already hacked the server, and one could ask what he is still trying to hack.
>
> That's pretty obvious: the client. Lots of server hacks are pretty trivial in their effect on the server, and are ultimately aimed at compromising clients (whether the client is a browser or a search engine).
>
> Dave Watts, CTO, Fig Leaf Software
> 1-202-527-9569
> http://www.figleaf.com/
> http://training.figleaf.com/

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:359637