Solved

Hacker Uploaded CFM Shell File

Posted on 2012-03-11
Last Modified: 2012-03-26
Someone has uploaded a shell file to our server; I believe it was done through some kind of SQL injection. Attached is the file. Can someone give me more details on exactly what the file does? It looks like it could be for defacing or for capturing your files, but can someone give me more exact details on the nature of this shell file?
test-hack-original.txt
Question by:seeraig
9 Comments
 
LVL 14

Expert Comment

by:RickEpnet
ID: 37707768
I do not have the time to dissect the whole file but it looks like it was designed to delete the files in a folder and replace them. Looks like it was meant to phone home with an email. Are the rest of your files OK? It also looks like it was designed to harvest your data source so it may be this file was there first then the SQL stuff happened.
0
 

Author Comment

by:seeraig
ID: 37707881
Can anyone provide some additional details?
0
 
LVL 52

Accepted Solution

by:
_agx_ earned 167 total points
ID: 37708238
It looks like it's doing more than that.  There's code to

= list server directories, files, and file sizes
= Display the contents of server files
= delete/copy/move/create/modify server files and directories
= Upload and download files to and from the server.
= code to run arbitrary commands via cfexecute
= code to get information about the CF, o/s, datasource configuration, etc...

It may be doing more. But once you can manipulate server files and execute commands you pretty much run the table.

fwiw - according to an online translator, most of the HTML-escaped chars are Vietnamese phrases like "move file from x to y", "is this file...", etc.
0
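
A triage pass over a web root for the capabilities listed in the answer above, as an added example that is not part of the original thread and is not derived from the attached file. The tag and function names are standard CFML; the threshold of three capabilities and the sample file names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Capability -> CFML tags/functions that provide it (the list in the answer above).
CAPABILITIES = {
    "list directories": re.compile(r"<cfdirectory\b|\bDirectoryList\s*\(", re.I),
    "read/write/upload files": re.compile(
        r"<cffile\b|\bFile(Read|Write|Delete|Copy|Move)\s*\(", re.I),
    "download files": re.compile(r"<cfcontent\b[^>]*\bfile\s*=", re.I),
    "execute commands": re.compile(r"<cfexecute\b", re.I),
    "send mail": re.compile(r"<cfmail\b", re.I),
    "read CF/datasource config": re.compile(
        r"coldfusion\.server\.ServiceFactory|cfide\.adminapi", re.I),
}
CFML_EXTENSIONS = {".cfm", ".cfml", ".cfc"}

def capabilities_in(source):
    """Names of the capabilities whose tags or functions appear in source."""
    return [name for name, rx in CAPABILITIES.items() if rx.search(source)]

def triage(webroot, min_hits=3):
    """Flag CFML files that can run commands or combine min_hits capabilities."""
    findings = []
    for path in sorted(Path(webroot).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in CFML_EXTENSIONS:
            continue
        caps = capabilities_in(path.read_text(errors="replace"))
        # Ordinary pages use cffile or cfmail alone, so one hit is not reported.
        if "execute commands" in caps or len(caps) >= min_hits:
            findings.append((path.relative_to(webroot).as_posix(), caps))
    return findings

def demo():
    # Constructed files holding bare tag skeletons, not the uploaded shell.
    samples = {
        "contact.cfm": '<cfmail to="..." from="..." subject="...">hi</cfmail>',
        "gallery/upload.cfm": '<cffile action="upload" ...>',
        "images/x.cfm": "<cfdirectory ...>\n<cffile ...>\n<cfexecute ...>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return triage(root)
```

Flagged files are candidates for manual review, not verdicts; comparing the results against a known-good copy of the site narrows the list quickly.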

 
LVL 13

Assisted Solution

by:srikanthmadishetti
srikanthmadishetti earned 167 total points
ID: 37708590
What agx said is correct: it has the code to get your CF config details, datasource, etc.


That is why you should be very careful with the upload option, and the following steps should be taken:

1) The upload option should be restricted to selected file types using the accept attribute, but the cffile accept attribute uses the MIME type that your browser sends to the server: the browser tells cffile what the MIME type is. It's very easy to spoof the MIME type, so it is better to check the file extension after upload, and there are some APIs available to check that the file extension matches the file format.
2) The upload location should be outside your web root. This is important, as it will not allow hackers to execute the file.
3) Remove execute permissions from the directories where we are uploading.
0
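
The three steps in the answer above combined into one server-side check, as an added example that is not part of the original thread. It is written in Python to show the logic rather than in CFML; the function name, the allowed types, the directory names and the file mode are assumptions.

```python
import secrets
import tempfile
from pathlib import Path

# Allowed extension -> byte signatures a real file of that type starts with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

def store_upload(client_name, client_mime, data, upload_dir, web_root):
    """Store an upload and return its path, or raise ValueError."""
    upload_dir, web_root = Path(upload_dir).resolve(), Path(web_root).resolve()
    # Step 2: refuse to write anywhere the web server would serve or execute.
    if upload_dir == web_root or web_root in upload_dir.parents:
        raise ValueError("upload directory is inside the web root")
    # Step 1: decide on the server from the name, never from client_mime,
    # which is whatever the client chose to send.
    ext = Path(client_name).suffix.lower()
    if ext not in MAGIC:
        raise ValueError("extension not allowed")
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match extension")
    # A matching header is not proof the file is harmless, so the stored file
    # also gets a server-chosen name and no execute bit (step 3).
    dest = upload_dir / (secrets.token_hex(16) + ext)
    dest.write_bytes(data)
    dest.chmod(0o640)
    return dest

def demo():
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)   # constructed: PNG signature + padding
    cfml = b"<cfoutput>...</cfoutput>"        # constructed: stands in for a .cfm file
    outcomes = []
    with tempfile.TemporaryDirectory() as base:
        web_root, uploads = Path(base, "wwwroot"), Path(base, "uploads")
        (web_root / "files").mkdir(parents=True)
        uploads.mkdir()
        for name, data, dest in [("logo.png", png, uploads),
                                 ("shell.cfm", cfml, uploads),
                                 ("logo.png", cfml, uploads),
                                 ("logo.png", png, web_root / "files")]:
            try:
                store_upload(name, "image/png", data, dest, web_root)
                outcomes.append("stored")
            except ValueError as err:
                outcomes.append(str(err))
    return outcomes
```

Every request in `demo()` claims `image/png`, which is why the claimed MIME type plays no part in the decision.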
 
LVL 36

Expert Comment

by:SidFishes
ID: 37710132
Of at least equal importance is how the file was uploaded. An unpatched version of CF 8 & 8.01 was vulnerable to file upload due to a flaw in FCKeditor: http://www.adobe.com/support/security/bulletins/apsb09-09.html

Also, all queries should be protected with cfqueryparam...
0
 

Author Comment

by:seeraig
ID: 37712116
Other than a file upload mechanism, are there other ways that a file could be placed onto a server? Not ways via direct access to the server, but through vulnerabilities in the web application, i.e. cross-site scripting, SQL injection, etc.?
0
 
LVL 13

Expert Comment

by:srikanthmadishetti
ID: 37713001
Someone can place a file either through file upload or FTP.
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 37713032
Do you have WebDAV enabled?
0
 
LVL 36

Assisted Solution

by:SidFishes
SidFishes earned 166 total points
ID: 37714672
Aside from the obvious flaws like the FCKeditor, SQL injection is probably the most common way. If your code is vulnerable to injection (i.e. you didn't use cfqueryparam), then it's possible for the machine to be completely compromised with just a bit of effort, i.e. reading this: http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

There's also a MIME spoofing attack http://www.raymondcamden.com/index.cfm/2009/6/30/Are-you-aware-of-the-MIMEFile-Upload-Security-Issue

There's a pretty good read on how to clean up a shell compromised server here
http://blog.cfwebstore.com/index.cfm/2009/7/3/Details-on-Dealing-with-the-File-Upload-Hack
0
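
An audit helper for the cfqueryparam advice given in the two SidFishes answers above, as an added example that is not part of the original thread. It reports every `#...#` expression left inside a `<cfquery>` body once `<cfqueryparam>` tags are set aside; the regular expressions are a heuristic, and the sample template with its table and variable names is constructed.

```python
import re

CFQUERY = re.compile(r"<cfquery\b[^>]*>(.*?)</cfquery>", re.I | re.S)
CFQUERYPARAM = re.compile(r"<cfqueryparam\b[^>]*>", re.I)
HASH_EXPR = re.compile(r"#([^#\r\n]+)#")

def _blank(match):
    # Overwrite with spaces but keep newlines, so offsets and line numbers hold.
    return re.sub(r"[^\n]", " ", match.group())

def unparameterized(source):
    """Return (line, expression) for each #...# left in a cfquery body."""
    findings = []
    for query in CFQUERY.finditer(source):
        body = CFQUERYPARAM.sub(_blank, query.group(1))
        body = body.replace("##", "  ")          # '##' is an escaped literal '#'
        for expr in HASH_EXPR.finditer(body):
            offset = query.start(1) + expr.start()
            line = source.count("\n", 0, offset) + 1
            findings.append((line, expr.group(1).strip()))
    return findings

# Constructed sample template (table, column and variable names are made up).
SAMPLE = '''\
<cfquery name="getUser" datasource="#application.dsn#">
  SELECT id, name FROM users WHERE id = #url.id#
</cfquery>
<cfquery name="getUserSafe" datasource="#application.dsn#">
  SELECT id, name FROM users
  WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
<cfquery name="listUsers" datasource="#application.dsn#">
  SELECT id, name FROM users
  WHERE active = <cfqueryparam value="#form.active#" cfsqltype="cf_sql_bit">
  ORDER BY #form.sort#
</cfquery>
'''

if __name__ == "__main__":
    for line, expr in unparameterized(SAMPLE):
        print("line %d: #%s# is interpolated into SQL" % (line, expr))
```

The `ORDER BY` finding is the case cfqueryparam cannot cover, because a bound parameter cannot stand in for a column name; such values need to be checked against a fixed list of allowed columns.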
