Solved

Coldfusion Hack of some type

Posted on 2013-02-04
9
999 Views
Last Modified: 2013-02-05
Hi,
I have a site running CF9. It's been running for a few years with no major problems.
Today I noticed my home page timestamp had changed. When I compared the code to the back up version I found some javascript inserted that I definitely did not put in.
The code is below.
What are some of the common ways this could have gotten inserted and what can/should I do to protect my server?
Thanks,
Nacht



<script language="JavaScript">function zdrViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();
</script>
0
Comment
Question by:nachtmsk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 18

Expert Comment

by:Jerry Miller
ID: 38851488
This person had the same issue as you. The hacked code is explained with some preventative measures that you can employ.

http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354228
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 38851642
Have you installed all the updates to CF9? Do you have your CF Administrator locked down or delete from the production server? Are you running Windows or Linux?
0
 

Author Comment

by:nachtmsk
ID: 38851778
@Rick : I am running Windows Server 2008. I think I have all the updates to CF9, but I'm not certain, I will check that out.
When you say do I have CF admin locked down, what do you mean exactly?
Thanks,
Nacht
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 14

Expert Comment

by:RickEpnet
ID: 38851804
Basically you should not be able to get to the ColdFusion Administrators site from the internet.  You need to check this on every site you have setup.
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 38851811
Check this site out. Has a link to a tester.
0
 

Author Comment

by:nachtmsk
ID: 38851844
@Rick -- you forgot to put the link to that site you mentioned :)
0
 
LVL 14

Assisted Solution

by:RickEpnet
RickEpnet earned 250 total points
ID: 38851897
0
 
LVL 36

Accepted Solution

by:
SidFishes earned 250 total points
ID: 38852334
You will want to be very diligent about inspecting your server. Modified source code (as opposed to XSS exploits which are inserted into a database) means that the bad guys have at least partial unrestricted access to your server. And possibly it's completely compromised. Best practice says do a complete format & reinstall, but that's a decision you'll have to make.

There was a critical notification for CF9 & 10 issued about a month ago do to an issue which allowed for complete bypass of cfadmin due to authentication problems. There are active exploits against this flaw. There is no patch at this time, only mitigation steps.

http://threatpost.com/en_us/blogs/adobe-coldfusion-exploits-wild-patch-remains-week-away-010713

http://www.techworld.com.au/article/445715/adobe_warns_actively_exploited_coldfusion_flaws/


Highly recommend subscription to the Adobe Security Bulletins
http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert
0
 
LVL 14

Expert Comment

by:RickEpnet
ID: 38852354
I agree with SidFishes that the safest thing to do is format and start over.
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is an updated version of a post made on my blog over 3 years ago. It is unfortunately, still very relevant as we continue to see both SQLi (SQL injection) and XSS (cross site scripting) attacks hitting some of the most recognizable website and …
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question