Solved

Hacker Uploaded CFM Shell File

Posted on 2012-03-11
9
3,059 Views
Last Modified: 2012-03-26
someone has uploaded a shell file to our server, I believe it was done through some kind of sql injection. Attached is the file, can someone give me more details on exactly what the file does. It looks like it could be for de-facing or for capturing your files, but can someone give me more exact details on the nature of this shell file?
test-hack-original.txt
0
Comment
Question by:seeraig
  • 2
  • 2
  • 2
  • +2
9 Comments
 
LVL 14

Expert Comment

by:RickEpnet
ID: 37707768
I do not have the time to dissect the whole file but it looks like it was designed to delete the files in a folder and replace them. Looks like it was meant to phone home with an email. Are the rest of your files OK? It also looks like it was designed to harvest your data source so it may be this file was there first then the SQL stuff happened.
0
 

Author Comment

by:seeraig
ID: 37707881
Can anyone provide some additional details?
0
 
LVL 52

Accepted Solution

by:
_agx_ earned 167 total points
ID: 37708238
It looks like it's doing more than that.  There's code to

= list server directories, files, and file sizes
= Display the contents of server files
= delete/copy/move/create/modify server files and directories
= Upload and download files to and from the server.
= code to run arbitrary commands via cfexecute
= code to get information about the CF, o/s, datasource configuration, etc...

It may be doing more. But once you can manipulate server files and execute commands you pretty much run the table.

fwiw - according to an online translator most of the html escaped chars are vietnamese phrases like "move file from x to y". "is this file..etc.."
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 13

Assisted Solution

by:srikanthmadishetti
srikanthmadishetti earned 167 total points
ID: 37708590
What agx said is correct it has the code to get ur cf details config , datasource etc .


That is why you should be very careful with upload option and following steps should be taken

1) Upload option should be restricted for selected files using accept attribute but The cffile accept attribute uses the mime type that your browser sends to the server.  browser tells cffile what the mime type is. It's very easy to spoof the mime type So better to check for file ext after upload and there are some API's available to check File Extension matches File Format.
2) Upload location should be out side ur web root, This is important as this will not allow hackers to execute it.
3) Remove execute permissions from directories where we are uploading
0
 
LVL 36

Expert Comment

by:SidFishes
ID: 37710132
of at least equal importance is how the file was uploaded. an unpatched version of cf 8 & 8.01 was vulnerable to file upload due to a flaw in fckeditor http://www.adobe.com/support/security/bulletins/apsb09-09.html

also all queries should be protected with cfqueryparam...
0
 

Author Comment

by:seeraig
ID: 37712116
Other than a file upload mechanism, are there other ways that a file could be placed onto a server? Not ways via direct access to server, but through vulnerabilities in web application, ie cross-site scripting, sql injection, etc
0
 
LVL 13

Expert Comment

by:srikanthmadishetti
ID: 37713001
Some one can place a file either through file upload or FTP
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 37713032
Do you have WebDAV enabled?
0
 
LVL 36

Assisted Solution

by:SidFishes
SidFishes earned 166 total points
ID: 37714672
aside from the obvious flaws like the fckeditor, SQL injection is probably the most common way - if your code is vulnerable to injection (ie: you didn't use cfqueryparam) then it's possible for the machine to be completely compromised with just a bit of effort ie: reading this http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

There's also a MIME spoofing attack http://www.raymondcamden.com/index.cfm/2009/6/30/Are-you-aware-of-the-MIMEFile-Upload-Security-Issue

There's a pretty good read on how to clean up a shell compromised server here
http://blog.cfwebstore.com/index.cfm/2009/7/3/Details-on-Dealing-with-the-File-Upload-Hack
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Coldfusion speed up 4 88
Update cached table in H2 database 6 55
popup load of page and setting up of session 8 37
REGEX HELP 11 43
This article  is about submitting  form through  ColdFusion.Ajax.submitForm to the action page and send a response back in JSON format which later can be decoded using ColdFusion.JSON.decode. By this way you can avoid the usual page refresh for subm…
PROBLEM: How to add your own buttons to the bottom toolbar with paging info ( result count ). While creating a cfgrid, I ran into an issue where I wanted to embed my own custom buttons where the default ones ( insert / delete / etc… ) are for aes…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question