RE: CF Hack
Found this on MACR: http://www.macromedia.com/support/coldfusion/ts/documents/tn17881.htm

From: Paul Wilson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 21, 2004 8:02 PM
To: CF-Talk
Subject: CF Hack

Hi

I've had the following files uploaded to one of my dev servers:

get_registry_keys.cfm
kill_keys_commit.cfm
make_keys.cfm

Anyone seen this before?

Thanks
RE: CF Hack -- hope this helps
FYI, here's a post from the editor of BugTraq:

---
"This is definitely being caused by the problems discussed in MS01-033. It's a buffer overflow in Index Server, which is installed and started by default. You may be able to find traces in your IIS logs by looking for requests for default.ida followed by a bunch of "N"s. There will be no trace on disk; it's pushed into memory through the overflow, where it continues to execute. After the defacement it will also scan other IP addresses looking for more IIS boxes to inflict the same damage on.

"As to being patched, many things might cause a patched system to become unpatched. Simply adding or modifying a component can revert a patched system to an unpatched state."

"In this case, the best thing to do is to unmap .ida and .ida in your Extensions Mapping screen, and then get the patch in case you decide to use that functionality later on."
---

Here are some additional links:

The Microsoft security alert for the hack:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

The forums thread at Allaire:
http://forums.allaire.com/coldfusion/messageview.cfm?catid=12&threadid=212752

-mike

> -Original Message-
> From: Gary Longford [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 17, 2001 7:36 AM
> To: CF-Talk
> Subject: RE: CF Hack
>
> Do you have any additional information on this? My company got hit by
> this today. Can you maybe forward the email from Macromedia? In great
> computing style my manager is panicking about the problem, and is reluctant
> to try the web servers back on. I have emailed Macromedia myself but have
> received no response as of yet.
>
> Yours,
>
> Gary Longford
> Senior Web/Database Developer
>
> -Original Message-
> From: Dylan Bromby [mailto:[EMAIL PROTECTED]]
> Sent: 17 July 2001 00:23
> To: CF-Talk
> Subject: CF Hack
>
> This weekend a friend of mine's web sites were hacked. It only affected his
> CF pages/applications. All CF pages displayed the message "Welcome to the
> http://www.worm.com Hacked by Chinese".
>
> They received immediate attention from Macromedia this morning after sending
> them an email. They were one of 3 sites reporting the hack; they were the
> only U.S.-based site. Macromedia engineers and personnel are actively
> involved in investigating the hack, and one person suggested a
> memory-resident virus. But nothing's been confirmed.
>
> He runs CF4.5 to the best of my knowledge.
>
> As I learn more I will post.
>
> --Dylan

~~
Structure your ColdFusion code with Fusebox. Get the official book at http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
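As an added example (not code from the thread or from Macromedia), here is a small Python check for the IIS log pattern the quoted BugTraq post describes: requests for default.ida whose query string is a long run of one repeated letter. The sample log lines and the 100-character run threshold are constructed assumptions; the .idq mapping is included because MS01-033 covers both Index Server ISAPI extensions.

```python
import re
from typing import Dict, List

# Constructed sample IIS 5.0 W3C extended log (not from the original thread).
# Field order follows the #Fields directive. The long run of "N"s on the
# default.ida request is the trace the BugTraq quote describes; the other
# entries are ordinary benign traffic.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-17 00:21:05 192.0.2.10 GET /index.cfm - 200
2001-07-17 00:21:09 192.0.2.77 GET /default.ida {0} 200
2001-07-17 00:21:12 192.0.2.10 GET /images/logo.gif - 304
""".format("N" * 224)

# 100 or more copies of the same letter in a row (threshold is an assumption;
# a legitimate Index Server query never looks like this).
FILLER_RUN = re.compile(r"([A-Za-z])\1{99,}")


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def find_ida_overflow_requests(text: str) -> List[Dict[str, str]]:
    """Return entries that hit the Index Server ISAPI mappings (.ida/.idq)
    with a query string made of one long repeated filler letter."""
    hits = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "")
        if stem.endswith((".ida", ".idq")) and FILLER_RUN.search(query):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_ida_overflow_requests(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"])
```

Run it against a real ex*.log from the IIS log directory; every hit is a source address worth checking, since the quoted post notes that an infected host goes on to scan other IIS servers.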
RE: CF Hack
> and is reluctant
> to try the web servers back on.

Just an idea, but have you / were you running the new patch from Allaire for the security hole?
RE: CF Hack
Do you have any additional information on this? My company got hit by this today. Can you maybe forward the email from Macromedia? In great computing style my manager is panicking about the problem, and is reluctant to try the web servers back on. I have emailed Macromedia myself but have received no response as of yet.

Yours,

Gary Longford
Senior Web/Database Developer

-Original Message-
From: Dylan Bromby [mailto:[EMAIL PROTECTED]]
Sent: 17 July 2001 00:23
To: CF-Talk
Subject: CF Hack

This weekend a friend of mine's web sites were hacked. It only affected his CF pages/applications. All CF pages displayed the message "Welcome to the http://www.worm.com Hacked by Chinese".

They received immediate attention from Macromedia this morning after sending them an email. They were one of 3 sites reporting the hack; they were the only U.S.-based site. Macromedia engineers and personnel are actively involved in investigating the hack, and one person suggested a memory-resident virus. But nothing's been confirmed.

He runs CF4.5 to the best of my knowledge.

As I learn more I will post.

--Dylan
Re: CF Hack
Dylan Bromby wrote:
> ...
> As I learn more I will post.

There is a thread at the CF Forums about this. Look under "Security"; it has a lot more information.

Jochem
RE: CF Hack for MS's WAS
Here's the URL2Form tag that I mentioned. I placed a call to it in the Application.cfm for load testing purposes with WAS. So far so good...

Matt

[Attachment: URL2Form.cfm]

--
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
To Unsubscribe visit http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the body.