website being attacked

Hi Experts,

I am facing some intrusion into one of my websites.

I am getting weird issues:

1. An iframe gets inserted into my website by someone; I am also using the Wibiya toolbar on the website.
2. I am using portcullis.cfc and the blocker4.cfm file from cfwebstore in the application.cfm to stop the error, but it is still entering.
3. I have also enabled scriptProtect="all" in application.cfm.

Now, a couple of things: my website is not all cfqueryparam, but I am now in the process of converting all the files to cfqueryparam.

I have enabled the mail system for whenever an attack is done, and I do receive emails, but it still gets inserted.

BTW, I have noticed that the iframe gets inserted into my header/footer included files rather than on the main page.

What do I need to do here now?

Please guide me.

The website is on a Linux server and under SVN version control.
Gurpreet Singh Randhawa (Web Developer) asked:

mrigsby commented:
What version of CF are you running?
What OS is the server?
Is it on a shared hosting server or your own dedicated?

I have had similar issues on some sites as well. Here are a couple of things to check for.

Make sure that all your cfqueries are using cfqueryparam for any variables. This is the most common way databases get hacked.

Check if your ColdFusion Administrator is available from this site ( If it is, you need to either remove it, or restrict access to the Administrator directory. I recently just had multiple sites on a server hacked via the ColdFusion 8 Administrator directory, and once I restricted it, it stopped.

A great tool for searching your code is Notepad++. It can search for text in files and you can specify a filter for file type. This has been a very useful feature when trying to fix these issues. You could search the website files for <iframe and see any pages that have an iframe tag in them.

You might also want to spend a little time looking through the webserver log files to see if you can see any out-of-the-ordinary URLs, and that could help you narrow down what pages have the vulnerabilities. It helps if you know an approx. time and day of when the site was hacked; you can also look at the date modified on any files that were modified to help you narrow down where to look in the log files.

Hope this helps.
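Added example (not part of mrigsby's answer): a Python sketch of the search described above. It lists every iframe tag under a web root, flags frames sized or styled to be invisible, and sorts by file modification time so the most recently changed files come first. The extension list, the hidden-frame heuristics and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time

# Assumed extensions for a ColdFusion site; adjust to the code base.
EXTENSIONS = (".cfm", ".cfc", ".htm", ".html", ".js")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Assumed heuristics: attributes that typically make a frame invisible.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)

def scan_webroot(root):
    """Return (mtime, path, line_no, hidden, tag) per iframe tag, newest file first."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".svn"]  # skip SVN metadata
        for name in filenames:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for m in IFRAME_RE.finditer(line):
                        hits.append((mtime, path, line_no,
                                     bool(HIDDEN_RE.search(m.group(0))), m.group(0)))
    return sorted(hits, key=lambda h: h[0], reverse=True)

def demo():
    """Constructed sample: one legitimate frame and one hidden frame in a footer include."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "page.cfm"), "w") as fh:
        fh.write('<iframe src="/reports/view.cfm" width="600" height="400"></iframe>\n')
    with open(os.path.join(root, "footer.cfm"), "w") as fh:
        fh.write('<cfoutput>#year(now())#</cfoutput>\n'
                 '<IFRAME src="http://injected.example/x" width=0 height=0></IFRAME>\n')
    old = time.time() - 30 * 86400
    os.utime(os.path.join(root, "page.cfm"), (old, old))  # untouched for a month
    return scan_webroot(root)

if __name__ == "__main__":
    for mtime, path, line_no, hidden, tag in demo():
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)),
              "HIDDEN" if hidden else "visible", f"{path}:{line_no}", tag)
```

The modification times of the flagged files give the time window to look at in the web server logs.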
btan (Exec Consultant) commented:
not a ColdFusion user, but if the website is attacked, the event log, if possible, would reveal the source IP and firewall to block it; yes, it is not foolproof since the src address can be varied and NAT-ed... better to stop the bleeding.

Lockdown @

most probably the website would still have the payload residing. better to clean it up if the server is on the run... ideally I see a WAF can be put in place as a "virtual patch"

WAF such as FuseGuard -
More @

Upgrading into Coldfusion 10 Security enhancement -

Overall Security resource-

Thought this reference is another point to note on possible issue...
Have a look at my recent article, it deals specifically with iframe vulnerabilities not dealt with by cfqueryparam & script protect...

It also includes some tools for cleanup
Gurpreet Singh Randhawa (Web Developer, Author) commented:
Thanks Guys,

I read all your docs and have implemented such things in my website. In regard to this, I am also having this issue on the ColdFusion website; it is occurring for every single request being sent, even from one page to another, and I am facing the same issue when I open the CF admin also, in all browsers.

<H2>Server Error</H2>The server encountered an internal error and was unable to complete your request.<P><B>Application server is busy.  Either there are too many concurrent requests or the server still is starting up.</B>

We do have ColdFusion server installed on the system; it is not on a shared host.

Gurpreet Singh Randhawa (Web Developer, Author) commented:
Also, which XSS attack is better?

This one checks from blocker4.cfm:

strXSS = "((\%3C)|<)((\%2F)|\/)*[a-zA-Z0-9\%]+";

This I found from another:

Variables.XSSRegex = "(-- )|(' )|(script)|(<)|(>)|(%3c)|(%3e)|(SELECT) |(UPDATE) |(INSERT) |(DELETE)|(DROP)|(GRANT) |(REVOKE)|(UNION)|(&lt;)|(&gt;)";

But in both, there is no check for the iframe issue.

BTW, in my website there are many pages which open through an iframe; I hope that is not an issue.
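Added example (not part of the original post): the two patterns quoted above, copied unchanged and run over constructed form-field values to show what each one flags. Case-insensitive matching, the pattern labels and the sample values are assumptions.

```python
import re

# The two patterns quoted in the post, copied unchanged.
STR_XSS = r"((\%3C)|<)((\%2F)|\/)*[a-zA-Z0-9\%]+"
XSS_REGEX = (r"(-- )|(' )|(script)|(<)|(>)|(%3c)|(%3e)|(SELECT) |(UPDATE) "
             r"|(INSERT) |(DELETE)|(DROP)|(GRANT) |(REVOKE)|(UNION)|(&lt;)|(&gt;)")

# Assumption: the filters are applied case-insensitively.
PATTERNS = {
    "blocker4": re.compile(STR_XSS, re.IGNORECASE),
    "other": re.compile(XSS_REGEX, re.IGNORECASE),
}

# Constructed form-field values: (label, value, contains_markup)
SAMPLES = [
    ("raw iframe tag", '<iframe src="//x.example/" width=0>', True),
    ("url-encoded iframe tag", "%3Ciframe%20src=//x.example/%3E", True),
    ("support message", "The login script shows an error", False),
    ("order comment", "Please delete my old address", False),
    ("plain text", "Blue widget, size 10", False),
]

def evaluate():
    """Return, per pattern, which samples were caught, missed or wrongly flagged."""
    report = {}
    for name, rx in PATTERNS.items():
        buckets = {"caught": [], "missed": [], "false_positive": []}
        for label, value, contains_markup in SAMPLES:
            hit = rx.search(value) is not None
            if contains_markup:
                buckets["caught" if hit else "missed"].append(label)
            elif hit:
                buckets["false_positive"].append(label)
        report[name] = buckets
    return report

if __name__ == "__main__":
    for name, buckets in evaluate().items():
        print(name, buckets)
```

Both patterns match the `<` or `%3C` that opens any tag, an iframe tag included, and the second one also flags ordinary words such as "script" and "delete". A filter of this kind only inspects request data, so it gives no signal about changes made to include files on disk.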
Gurpreet Singh Randhawa (Web Developer, Author) commented:
Now I am also receiving a JRun Servlet Error while doing login or registration too.

What is going wrong, guys?
btan (Exec Consultant) commented:
my thinking is that you should be pulling down the site for off-site analysis; it will be tough to have it online while potentially the attack is (or may be) coming... normally if we do a comparison of the original site vs the existing site, we can try to sieve out the difference. Or even a vulnerability scanner would surface low-hanging flaws... let's hear from others
Gurpreet Singh Randhawa (Web Developer, Author) commented:
Here is some of the JVM that can help:

Max Memory Available to JVM: 1020MB
Total Memory Allocated: 1020MB
Free Allocated Memory: 891MB
% of Free Allocated Memory: 87%
% of Available Memory Allocated: 100%
Processors: 2
btan (Exec Consultant) commented:
iframe itself is a sweet spot for XSS, esp. those that are hidden. see brief example below

why I mentioned to pull the website off is that the DB may be tainted, especially if the XSS is persistent, e.g. injected into a DB recordset. Hence it became "permanent" in the sense that the threat persists even if the code is changed. I am even suspecting the login account is changed etc. having low resource usage need not necessarily mean that it is alright, furthermore if it is a vulnerability in the JVM (java 6/7 vulnerabilities recently had many "glamour" shots). the easy way (but not operation friendly, which I understand) is to recover to the original website and do scanning and code changes etc
Gurpreet Singh Randhawa (Web Developer, Author) commented:
Are you saying the JVM needs updating? And if we do upgrade to CF 9.0.1, will that solve this issue, except the iframe?
btan (Exec Consultant) commented:
I hope so, but it may not necessarily clean those tainted pieces in the website or database records... pardon me as I am not into CF. But it is always good to patch to latest after staging for stability... those outsiders like to pick the published vulnerabilities
Gurpreet Singh Randhawa (Web Developer, Author) commented:
I can access it like this:

Check if you Coldfusion Administrator is available from this site ( If it is, you need to either remove it, or restrict access to the Administrator

How do I place a restriction? It is locked with a password and only I can open it; are you saying about any other layer of security?

