Solved

Hacker Uploaded CFM Shell File

Posted on 2012-03-11
Last Modified: 2012-03-26
Someone has uploaded a shell file to our server; I believe it was done through some kind of SQL injection. Attached is the file. Can someone give me more details on exactly what the file does? It looks like it could be for defacing or for capturing your files, but can someone give me more exact details on the nature of this shell file?
test-hack-original.txt
Question by:seeraig
9 Comments
 
LVL 14

Expert Comment

by:RickEpnet
ID: 37707768
I do not have the time to dissect the whole file but it looks like it was designed to delete the files in a folder and replace them. Looks like it was meant to phone home with an email. Are the rest of your files OK? It also looks like it was designed to harvest your data source so it may be this file was there first then the SQL stuff happened.
0
 

Author Comment

by:seeraig
ID: 37707881
Can anyone provide some additional details?
0
 
LVL 52

Accepted Solution

by:
_agx_ earned 167 total points
ID: 37708238
It looks like it's doing more than that.  There's code to

= list server directories, files, and file sizes
= Display the contents of server files
= delete/copy/move/create/modify server files and directories
= Upload and download files to and from the server.
= code to run arbitrary commands via cfexecute
= code to get information about the CF, o/s, datasource configuration, etc...

It may be doing more. But once you can manipulate server files and execute commands you pretty much run the table.

fwiw - according to an online translator, most of the HTML-escaped chars are Vietnamese phrases like "move file from x to y", "is this file..etc.."
0
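A triage pass over a web root based on the capabilities listed in the answer above, as an added example that is not part of the original thread. The mapping from CFML tags to capability labels, the threshold and the sample text are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumed mapping from capability (as listed in the answer above) to a CFML
# tag or class name that provides it; extend it for your own environment.
INDICATORS = {
    "command execution": r"<cfexecute\b",
    "file read/write/upload": r"<cffile\b",
    "directory listing/changes": r"<cfdirectory\b",
    "file download": r"<cfcontent\b",
    "outbound e-mail": r"<cfmail\b",
    "registry access": r"<cfregistry\b",
    "server/datasource config access": r"coldfusion\.server\.ServiceFactory",
}
# CFML tag names are case-insensitive, so the match must be too.
PATTERNS = {cap: re.compile(rx, re.IGNORECASE) for cap, rx in INDICATORS.items()}
CFML_EXTENSIONS = {".cfm", ".cfml", ".cfc"}


def capabilities(text):
    """Return the sorted capability labels whose indicator appears in text."""
    return sorted(cap for cap, rx in PATTERNS.items() if rx.search(text))


def scan_tree(root, min_hits=3):
    """Walk root and report CFML files that combine min_hits or more capabilities."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in CFML_EXTENSIONS:
            continue
        # Dropped files may use odd encodings; one bad byte must not abort the scan.
        caps = capabilities(path.read_text(encoding="utf-8", errors="replace"))
        if len(caps) >= min_hits:
            findings[str(path.relative_to(root))] = caps
    return findings


# Constructed, inert sample: tag names with placeholder attributes only.
SAMPLE = """<CFDIRECTORY action="list" directory="PLACEHOLDER" name="d">
<cffile action="read" file="PLACEHOLDER" variable="v">
<cfexecute name="PLACEHOLDER"></cfexecute>"""

if __name__ == "__main__":
    print(capabilities(SAMPLE))
```

A hit is a triage signal, not a verdict: legitimate admin pages use these tags too, and code written in script syntax will not match these tag patterns.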

 
LVL 13

Assisted Solution

by:srikanthmadishetti
srikanthmadishetti earned 167 total points
ID: 37708590
What agx said is correct: it has the code to get your CF details, config, datasource, etc.


That is why you should be very careful with the upload option, and the following steps should be taken:

1) The upload option should be restricted to selected file types using the accept attribute, but the cffile accept attribute uses the MIME type that your browser sends to the server. The browser tells cffile what the MIME type is. It's very easy to spoof the MIME type, so it's better to check the file extension after upload, and there are some APIs available to check that the file extension matches the file format.
2) The upload location should be outside your web root. This is important as this will not allow hackers to execute it.
3) Remove execute permissions from the directories where we are uploading.
0
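The checks from steps 1 and 2 above as one server-side function, sketched in Python rather than CFML; this is an added example, not part of the original answer. The allow-list, the function name and the paths are assumptions, and the client-supplied MIME type is deliberately never consulted.

```python
from pathlib import Path

# Assumed allow-list: extension -> byte signatures the content must start with.
# Constructed for illustration; extend it to the types your application accepts.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}


def check_upload(filename, content, upload_dir, web_root):
    """Return (ok, detail); detail is the destination path or the rejection reason."""
    # Keep only the final name component so a client-supplied path is discarded.
    name = Path(filename.replace("\\", "/")).name
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    # Step 1: the extension must agree with what the bytes actually are.
    if not content.startswith(ALLOWED[ext]):
        return False, f"content does not match {ext}"
    # Step 2: refuse to store anywhere the web server could serve or execute.
    dest_dir = Path(upload_dir).resolve()
    root = Path(web_root).resolve()
    if dest_dir == root or root in dest_dir.parents:
        return False, "upload directory is inside the web root"
    return True, str(dest_dir / name)


if __name__ == "__main__":
    # Constructed inputs: a real PNG header, and CFML text renamed to .png.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(check_upload("photo.png", png, "/srv/uploads", "/srv/www"))
    print(check_upload("photo.png", b"<cfoutput>x</cfoutput>", "/srv/uploads", "/srv/www"))
```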
 
LVL 36

Expert Comment

by:SidFishes
ID: 37710132
Of at least equal importance is how the file was uploaded. An unpatched version of CF 8 & 8.01 was vulnerable to file upload due to a flaw in FCKeditor http://www.adobe.com/support/security/bulletins/apsb09-09.html

Also, all queries should be protected with cfqueryparam...
0
 

Author Comment

by:seeraig
ID: 37712116
Other than a file upload mechanism, are there other ways that a file could be placed onto a server? Not ways via direct access to the server, but through vulnerabilities in the web application, i.e. cross-site scripting, SQL injection, etc.
0
 
LVL 13

Expert Comment

by:srikanthmadishetti
ID: 37713001
Someone can place a file either through file upload or FTP.
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 37713032
Do you have WebDAV enabled?
0
 
LVL 36

Assisted Solution

by:SidFishes
SidFishes earned 166 total points
ID: 37714672
Aside from the obvious flaws like the FCKeditor, SQL injection is probably the most common way - if your code is vulnerable to injection (i.e. you didn't use cfqueryparam) then it's possible for the machine to be completely compromised with just a bit of effort, i.e. reading this http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

There's also a MIME spoofing attack http://www.raymondcamden.com/index.cfm/2009/6/30/Are-you-aware-of-the-MIMEFile-Upload-Security-Issue

There's a pretty good read on how to clean up a shell compromised server here
http://blog.cfwebstore.com/index.cfm/2009/7/3/Details-on-Dealing-with-the-File-Upload-Hack
0
