Coldfusion Hack of some type

Hi,
I have a site running CF9. It's been running for a few years with no major problems.
Today I noticed my home page timestamp had changed. When I compared the code to the back up version I found some javascript inserted that I definitely did not put in.
The code is below.
What are some of the common ways this could have gotten inserted and what can/should I do to protect my server?
Thanks,
Nacht



<script language="JavaScript">function zdrViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();
</script>
LVL 1
nachtmskAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
SidFishesConnect With a Mentor Commented:
You will want to be very diligent about inspecting your server. Modified source code (as opposed to XSS exploits which are inserted into a database) means that the bad guys have at least partial unrestricted access to your server. And possibly it's completely compromised. Best practice says do a complete format & reinstall, but that's a decision you'll have to make.

There was a critical notification for CF9 & 10 issued about a month ago do to an issue which allowed for complete bypass of cfadmin due to authentication problems. There are active exploits against this flaw. There is no patch at this time, only mitigation steps.

http://threatpost.com/en_us/blogs/adobe-coldfusion-exploits-wild-patch-remains-week-away-010713

http://www.techworld.com.au/article/445715/adobe_warns_actively_exploited_coldfusion_flaws/


Highly recommend subscription to the Adobe Security Bulletins
http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert
0
 
Jerry MillerCommented:
This person had the same issue as you. The hacked code is explained with some preventative measures that you can employ.

http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354228
0
 
RickEpnetCommented:
Have you installed all the updates to CF9? Do you have your CF Administrator locked down or delete from the production server? Are you running Windows or Linux?
0
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
nachtmskAuthor Commented:
@Rick : I am running Windows Server 2008. I think I have all the updates to CF9, but I'm not certain, I will check that out.
When you say do I have CF admin locked down, what do you mean exactly?
Thanks,
Nacht
0
 
RickEpnetCommented:
Basically you should not be able to get to the ColdFusion Administrators site from the internet.  You need to check this on every site you have setup.
0
 
RickEpnetCommented:
Check this site out. Has a link to a tester.
0
 
nachtmskAuthor Commented:
@Rick -- you forgot to put the link to that site you mentioned :)
0
 
RickEpnetConnect With a Mentor Commented:
0
 
RickEpnetCommented:
I agree with SidFishes that the safest thing to do is format and start over.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.