asked on

Coldfusion Hack of some type

Hi,
I have a site running CF9. It's been running for a few years with no major problems.
Today I noticed my home page timestamp had changed. When I compared the code to the back up version I found some javascript inserted that I definitely did not put in.
The code is below.
What are some of the common ways this could have gotten inserted and what can/should I do to protect my server?
Thanks,
Nacht

<script language="JavaScript">function zdrViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();
</script>

Jerry Miller

This person had the same issue as you. The hacked code is explained with some preventative measures that you can employ.

http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354228

RickEpnet

Have you installed all the updates to CF9? Do you have your CF Administrator locked down or delete from the production server? Are you running Windows or Linux?

nachtmsk

ASKER

@Rick : I am running Windows Server 2008. I think I have all the updates to CF9, but I'm not certain, I will check that out.
When you say do I have CF admin locked down, what do you mean exactly?
Thanks,
Nacht

RickEpnet

Basically you should not be able to get to the ColdFusion Administrators site from the internet. You need to check this on every site you have setup.

RickEpnet

Check this site out. Has a link to a tester.

nachtmsk

ASKER

@Rick -- you forgot to put the link to that site you mentioned :)

SOLUTION

RickEpnet

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.