Re: Hacked server - iindex.cfm, CFX_SpawnL and ipsvcs.exe

2001-02-03 Thread Kirk Biglione

If you haven't done so already you owe it to yourself to take a look 
at some white papers recently posted in the Allaire Security area (I 
think at www.allaire.com/security/ although the site seems to be 
down at the moment).  Specifically the papers on Hardening NT, 
Intrusion Detection and Incident Response.

Also, there are loads of free tools you can use to assess your 
vulnerability and monitor any suspicious activity in the future.  You 
may want to check out:

Snort - www.snort.org (a lightweight intrusion detection system).
Nessus - www.nessus.org (an excellent security scanner)

I'd also agree with the previous poster that noted a complete OS 
reinstall is in order.  You really have no idea what other system 
components may have been tampered with.

--
Kirk Biglione
[EMAIL PROTECTED]
Allaire Certified Cold Fusion Developer
--

Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists



RE: Hacked server - iindex.cfm, CFX_SpawnL and ipsvcs.exe

2001-02-01 Thread Aidan Whitehall

 It looks as though one or two of our servers have been hacked 
 at some point
 (anytime between now and last August). Someone has just sent 

FYI, Norton just said that "ipsvcs.exe" is a BO2K variant.




-- 
Aidan Whitehall [EMAIL PROTECTED]
Netshopper UK Ltd
Advanced Web Solutions & Services

http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651

~~
Structure your ColdFusion code with Fusebox. Get the official book at 
http://www.fusionauthority.com/bkinfo.cfm




RE: Hacked server - iindex.cfm, CFX_SpawnL and ipsvcs.exe

2001-02-01 Thread Edward Chanter

ouch! Did they give you a fix Aidan...?

 -Original Message-
 From: Aidan Whitehall [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 01, 2001 1:16 PM
 To: CF-Talk
 Subject: RE: Hacked server - iindex.cfm, CFX_SpawnL and ipsvcs.exe
 
 
  It looks as though one or two of our servers have been hacked 
  at some point
  (anytime between now and last August). Someone has just sent 
 
 FYI, Norton just said that "ipsvcs.exe" is a BO2K variant.
 
 
 
 
 -- 
 Aidan Whitehall [EMAIL PROTECTED]
 Netshopper UK Ltd
 Advanced Web Solutions & Services
 
 http://www.netshopperuk.com/
 Telephone +44 (01744) 648650
 Fax +44 (01744) 648651
 




RE: Hacked server - iindex.cfm, CFX_SpawnL and ipsvcs.exe

2001-02-01 Thread Aidan Whitehall

 ouch! Did they give you a fix Aidan...?

We just moved the files off the servers (found it on 3 out of 4). Do you
think we'd need to take any further steps?

The network admin says he's reluctant to install anti-virus software on any
of the servers but this seems to be a good reason to do exactly that.

It looks like they've been sat there since last August (the date/time stamp
on two of the files) and could possibly go towards explaining a period of
problems we were having with several servers at that time. Changing several
network passwords stopped the problems.


Hey, why does this thread feel like I'm saying "Please come and hack our
machines... our security is so crap, someone has managed it"?;-)


-- 
Aidan Whitehall [EMAIL PROTECTED]
Netshopper UK Ltd
Advanced Web Solutions & Services

http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651




RE: Hacked server - iindex.cfm, CFX_SpawnL and ipsvcs.exe

2001-02-01 Thread Edward Chanter

 -Original Message-
  ouch! Did they give you a fix Aidan...?

 We just moved the files off the servers (found it on 3 out of 4). Do you
 think we'd need to take any further steps?

If I were you I'd find out what port(s) that particular Trojan runs on and
block it. Also get yourself a decent Trojan/Port scanner. I'd recommend
BlackIce (or Network Ice for servers) (http://www.networkice.com) that's
also a good site for informational purposes, you may also find something at:

http://www.hack-net.com/html/archives/display_archives_category.php3?show_category=Intrusion%20Detection

 The network admin says he's reluctant to install anti-virus
 software on any
 of the servers but this seems to be a good reason to do exactly that.

Why did he say that? No offence, but that strikes me as just plain dumb!

 It looks like they've been sat there since last August (the
 date/time stamp
 on two of the files) and could possibly go towards explaining a period of
 problems we were having with several servers at that time.
 Changing several
 network passwords stopped the problems.

Yeah it would do.

 Hey, why does this thread feel like I'm saying "Please come and hack our
 machines... our security is so crap, someone has managed it"?;-)

I can recommend a very good NT security consultant in the UK ;o)

You may also want to get a copy of "Hacking Exposed 2nd Ed." available on
Amazon.

-= Ed





RE: Hacked server - iindex.cfm, CFX_SpawnL and ipsvcs.exe

2001-02-01 Thread lsellers


 Scenario:

 It looks as though one or two of our servers have been hacked at
 some point
 (anytime between now and last August). Someone has just sent us an e-mail
 saying that there was a file in the CFIDE directory called iindex.cfm,
 written by Kevin Klinsky. Calling it appears to display a browsable folder
 view, allowing people to delete files.

 I did a search for the same file on the other servers and found a copy in
 another CFIDE directory. Along with it was reg.cfm which used CFREGISTRY
 (enabled on that server) to disable the Admin and Studio
 passwords. A third
 file called spawn.cfm ran CFX_Spawnl, passing it the attribute
 ARG0="C:\winnt\ipsvcs.exe", presumably executing the file. The
 template then
 displayed Spawnl and SpawnlError.

 The .exe was in the WINNT directory on that server. Does anyone know what
 happens when it's run?

 The CFX doesn't appear in the CF Administrator on that box and
 searching the
 registry for "spawnl" didn't find anything.

SpawnL is a cfx I wrote ages ago. It simply allows you to spawn off a
process (an exe or a bat) and run it like you would at the command prompt.
Sort of like CFEXECUTE.

Also, ages ago, I wrote a script called cf_autoaddcfx which shows how to add
or delete cfx tags on any machine that has CFREGISTRY turned on.

They're both at http://www.intrafoundation.com/freeware.html. I assume
anyone that downloaded cfx_spawnl also knows all about cf_autoaddcfx.

These are all things that are... well... forces for good in the right hands,
but in others they're stepping stones useful to hack a machine if you know
what you're doing.

My guess is someone uploaded these files to a web-reachable part of the
site, and used them to ultimately make your machines zombie slaves.

--min
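A triage scan in the spirit of the advice in this thread, added here as an example (it is not code from the thread or from intrafoundation.com): it walks a web root for .cfm templates that use CFREGISTRY, CFX_ custom tags, CFEXECUTE, CFFILE delete or CFDIRECTORY, and marks any found under CFIDE. The sample templates it builds are constructed to mirror the reg.cfm, spawn.cfm and iindex.cfm described above; the registry branch and URL parameters are placeholders.

```python
import re
import tempfile
from pathlib import Path

# Tag patterns worth triaging: the two the thread's templates used (CFREGISTRY,
# CFX_SpawnL) plus the built-in tags that give an attacker the same reach.
SUSPECT_TAGS = [
    (r"<cfregistry\b", "CFREGISTRY"),
    (r"<cfx_\w+", "CFX_ custom tag"),
    (r"<cfexecute\b", "CFEXECUTE"),
    (r'<cffile\b[^>]*\baction\s*=\s*"?delete', "CFFILE action=delete"),
    (r"<cfdirectory\b", "CFDIRECTORY"),
]

def scan_template(path):
    """Return the labels of every suspect tag found in one .cfm template."""
    text = path.read_text(errors="replace")
    return [label for pat, label in SUSPECT_TAGS
            if re.search(pat, text, re.IGNORECASE)]

def scan_webroot(root):
    """Map each matching .cfm (POSIX path relative to root) to its findings.
    Hits under a CFIDE directory get an extra marker: custom templates dropped
    there are exactly what the thread's investigation turned up."""
    root = Path(root)
    report = {}
    for cfm in root.rglob("*.cfm"):
        rel = cfm.relative_to(root)
        findings = scan_template(cfm)
        if findings and "CFIDE" in (p.upper() for p in rel.parts[:-1]):
            findings.append("located under CFIDE")
        if findings:
            report[rel.as_posix()] = findings
    return report

def build_sample_webroot():
    """Constructed sample tree mimicking the thread's findings (not real files)."""
    root = Path(tempfile.mkdtemp())
    cfide = root / "CFIDE"
    cfide.mkdir()
    (cfide / "reg.cfm").write_text(  # placeholder branch, not the real key
        '<CFREGISTRY ACTION="SET" BRANCH="HKEY_LOCAL_MACHINE\\PLACEHOLDER" ENTRY="x" VALUE="">')
    (cfide / "spawn.cfm").write_text(
        '<CFX_SPAWNL ARG0="C:\\winnt\\ipsvcs.exe">\n<CFOUTPUT>#Spawnl# #SpawnlError#</CFOUTPUT>')
    (cfide / "iindex.cfm").write_text(
        '<CFDIRECTORY ACTION="LIST" DIRECTORY="#url.dir#" NAME="listing">\n'
        '<CFFILE ACTION="DELETE" FILE="#url.target#">')
    (root / "app").mkdir()
    (root / "app" / "contact.cfm").write_text("<CFOUTPUT>#now()#</CFOUTPUT>")  # benign
    return root

if __name__ == "__main__":
    for path, hits in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{path}: {', '.join(hits)}")
```

Point it at a real web root with `scan_webroot("/path/to/webroot")`; anything it reports still needs a human to confirm, since the CF Administrator's own templates legitimately use some of these tags.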





RE: Hacked server - iindex.cfm, CFX_SpawnL and ipsvcs.exe

2001-02-01 Thread Aidan Whitehall

 If I were you I'd find out what port(s) that particular 
 Trojan runs on and

Thanks.

All points noted and passed on to the "relevant authorities".



-- 
Aidan Whitehall [EMAIL PROTECTED]
Netshopper UK Ltd
Advanced Web Solutions & Services

http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651




RE: Hacked server - iindex.cfm, CFX_SpawnL and ipsvcs.exe

2001-02-01 Thread Aidan Whitehall

 These are all things that are... well... forces for good in 
 the right hands,
 but in others they're stepping stones useful to hack a 
 machine if you know
 what you're doing.

So you're trying to deny you're responsible! Nah, just j/k.

You're right, of course. For example, guns can also be used for... umm ...
oh, no... bad analogy   ;-)


 My guess is is someone uploaded these files to a 
 web-reachable part of the
 site, and used them to ultimately make your machines zombie slaves.

Methinks uploading wasn't necessary   ;-)

But the zombie slaves part was spot on... until we cured them with new
network passwords all-round.


-- 
Aidan Whitehall [EMAIL PROTECTED]
Netshopper UK Ltd
Advanced Web Solutions & Services

http://www.netshopperuk.com/
Telephone +44 (01744) 648650
Fax +44 (01744) 648651




RE: Hacked server - iindex.cfm, CFX_SpawnL and ipsvcs.exe

2001-02-01 Thread lsellers


 So you're trying to deny you're responsible! Nah, just j/k.

/-)

I have done keyword searches for "intrafoundation" on yahoo from time to
time and found where people were testing out cfx_spawnl or
cfx_consolecommand and just left the thing there. Documentation and all. On
their production servers. You can run the examples and eek... it lists
all kinds of things about their routing info, etc. you definitely don't want
anyone else to know.

So it could have been more embarrassing.

 Methinks uploading wasn't necessary   ;-)

 But the zombie slaves part was spot on... until we cured them with new
 network passwords all-round.

Didn't notice a large collection of porn or warez sitting on the drives
anywhere did you? :) If not... who knows what they were using it as a
platform for. Oh well.

--min


