Hacker Uploaded CFM Shell File

someone has uploaded a shell file to our server, I believe it was done through some kind of sql injection. Attached is the file, can someone give me more details on exactly what the file does. It looks like it could be for de-facing or for capturing your files, but can someone give me more exact details on the nature of this shell file?
test-hack-original.txt
seeraigAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

RickEpnetCommented:
I do not have the time to dissect the whole file but it looks like it was designed to delete the files in a folder and replace them. Looks like it was meant to phone home with an email. Are the rest of your files OK? It also looks like it was designed to harvest your data source so it may be this file was there first then the SQL stuff happened.
0
seeraigAuthor Commented:
Can anyone provide some additional details?
0
_agx_Commented:
It looks like it's doing more than that.  There's code to

= list server directories, files, and file sizes
= Display the contents of server files
= delete/copy/move/create/modify server files and directories
= Upload and download files to and from the server.
= code to run arbitrary commands via cfexecute
= code to get information about the CF, o/s, datasource configuration, etc...

It may be doing more. But once you can manipulate server files and execute commands you pretty much run the table.

fwiw - according to an online translator most of the html escaped chars are vietnamese phrases like "move file from x to y". "is this file..etc.."
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
HTML5 and CSS3 Fundamentals

Build a website from the ground up by first learning the fundamentals of HTML5 and CSS3, the two popular programming languages used to present content online. HTML deals with fonts, colors, graphics, and hyperlinks, while CSS describes how HTML elements are to be displayed.

srikanthmadishettiCommented:
What agx said is correct it has the code to get ur cf details config , datasource etc .


That is why you should be very careful with upload option and following steps should be taken

1) Upload option should be restricted for selected files using accept attribute but The cffile accept attribute uses the mime type that your browser sends to the server.  browser tells cffile what the mime type is. It's very easy to spoof the mime type So better to check for file ext after upload and there are some API's available to check File Extension matches File Format.
2) Upload location should be out side ur web root, This is important as this will not allow hackers to execute it.
3) Remove execute permissions from directories where we are uploading
0
SidFishesCommented:
of at least equal importance is how the file was uploaded. an unpatched version of cf 8 & 8.01 was vulnerable to file upload due to a flaw in fckeditor http://www.adobe.com/support/security/bulletins/apsb09-09.html

also all queries should be protected with cfqueryparam...
0
seeraigAuthor Commented:
Other than a file upload mechanism, are there other ways that a file could be placed onto a server? Not ways via direct access to server, but through vulnerabilities in web application, ie cross-site scripting, sql injection, etc
0
srikanthmadishettiCommented:
Some one can place a file either through file upload or FTP
0
RickEpnetCommented:
Do you have WebDAV enabled?
0
SidFishesCommented:
aside from the obvious flaws like the fckeditor, SQL injection is probably the most common way - if your code is vulnerable to injection (ie: you didn't use cfqueryparam) then it's possible for the machine to be completely compromised with just a bit of effort ie: reading this http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

There's also a MIME spoofing attack http://www.raymondcamden.com/index.cfm/2009/6/30/Are-you-aware-of-the-MIMEFile-Upload-Security-Issue

There's a pretty good read on how to clean up a shell compromised server here
http://blog.cfwebstore.com/index.cfm/2009/7/3/Details-on-Dealing-with-the-File-Upload-Hack
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ColdFusion Language

From novice to tech pro — start learning today.