Solved

cfm file executed when no cfm exists in directory - IIS 5 / Cold Fusion MX7 question

Posted on 2014-04-01
Last Modified: 2014-07-16
I have a legacy server running Win2k/IIS-5 and Coldfusion MX. (No snickering in the back please...). Here's the issue/question:

I have many sites on this server - it is dedicated to a non profit. The server runs both cold fusion and HTML sites. Each site on the server has a unique url, and each site has a dedicated 'home' directory, but they exist under the primary directory of the primary web site - see below - this was done so that FTP to support all sites would be easier to configure.

In this specific case, one web site is HTML only. The 'documents' tab of IIS lists only two document types to be executed: index.htm and index.html. Other than HTML files, and a few subdirectories for images and a PDF or two, there is nothing else in this directory.

Here's the structure:

d:\inetpub\wwwroot\main_site
d:\inetpub\wwwroot\main_site\unique_site1
d:\inetpub\wwwroot\main_site\main_site_subdir1
d:\inetpub\wwwroot\main_site\main_site_subdir2
d:\inetpub\wwwroot\main_site\main_site_subdir3
d:\inetpub\wwwroot\main_site\main_site_subdir4
d:\inetpub\wwwroot\main_site\unique_site2

(the subdirs are things like 'images' for the main site; unique_site1 is a subdir that contains independent files that serve as a different site under IIS.)
Here's the problem:

If you go to www.mainsitename.org, that unique site works fine;

If you go to www.sitename.com/somedirectory/ the site displays an error message saying that directory listings are forbidden on the server (remember that the web files for the other HTML site are in a directory under the home or main);

if you go to www.sitename.corg/somedirectory/index.cfm - the server finds a compromised cfm file and executes it.

Now, the compromised file is a type of redirect to another site that sells cialis....

The problem is that I have looked for hidden, system, read only etc. index.cfm files in the primary and in fact, I have searched all directories on the server and find nothing amiss.

This leads me to think the issue is around some type of traversal mechanism or in the default path of some part of IIS.
Question by:Marty Block
9 Comments
LVL 5

Accepted Solution

by:
Pasha Kravtsov earned 200 total points
ID: 39970083
Funny you mention this as I am currently working on teaching people how to mitigate CF attacks. Currently CF 6/7/8/9/10 all have 0day exploits in them. How this happens is if you have /cfide/administrator/enter.cfm enabled there is a file path traversal which shows the password.properties file. Then they take that admin hash which it displays on the admin page and use the salt (which can be found in the source of the page... yes I know lol) use tamperdata to login and then usually they spawn a shell in /CFIDE/ using the scheduled tasks command. So basically if you're using CF it has multiple 0days so you're kind of out of luck unless you have CF 8 which is the only patch that Adobe released that fixes the 0day. Not sure about mx7 though.

http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/
This is just the tip of the iceberg. I highly recommend you check out your /CFIDE/ for every website.
LVL 4

Expert Comment

by:Rodrigo Munera
ID: 39970842
I would check a variety of places:

ISAPI filters? IIS could've been compromised and the filters could be redirecting server requests to another service.

application.cfm? it's possible that the server is recursively looking for this file in the file system and executing the compromised code there.

Like Pasha said, older unpatched versions of any software are vulnerable to attack, and cleaning the files themselves may not solve your problem, especially if the culprit is running some sort of service that keeps reinserting the bad code into your files.

Here are some lockdown resources for ColdFusion servers 9 and 10, (don't know if lockdown resources exist for the older servers)
http://www.cfhour.com/post.cfm/show-212-playing-the-blame-game

Also, IIS 5 is pretty old, I believe it was shipped with Windows 2000 server? There are a number of vulnerabilities associated with it that I believe remain un-patched, so even if you lock down CF, you might still be attacked through the holes in IIS.

http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3436/version_id-63588/Microsoft-IIS-5.0.html
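Rodrigo's Application.cfm point can be checked mechanically. The script below is an added example, not code from this thread: ColdFusion looks for Application.cfm in the requested page's directory and then in each parent up to the drive root, and runs the first one it finds before the requested page, even when that page (here index.cfm) does not exist; on NTFS the name match is case-insensitive, so an application.cfm written in any case counts. The directory tree and the list of redirect markers are constructed for the demo; a real run would build the tree by walking the server's drive.

```python
"""Added example: which Application.cfm ColdFusion would run for a request and whether
that file contains redirect code. The tree is constructed in memory so it runs offline."""
import re
from pathlib import PureWindowsPath

# Markers that bounce a visitor to another site (assumed list, not exhaustive).
REDIRECT_PATTERNS = {
    "cflocation": re.compile(r"<cflocation\b", re.I),
    "cfheader_location": re.compile(r"<cfheader\b[^>]*name=[\"']?location", re.I),
    "meta_refresh": re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I),
    "js_location": re.compile(r"(window|document|top)\.location(\.href)?\s*=", re.I),
}

def application_cfm_candidates(requested):
    """Paths ColdFusion probes for Application.cfm: the requested page's directory
    first, then each parent up to the drive root."""
    directory = PureWindowsPath(requested).parent
    candidates = []
    while True:
        candidates.append(str(directory / "Application.cfm"))
        if directory.parent == directory:  # reached the drive root, e.g. d:\
            break
        directory = directory.parent
    return candidates

def find_redirect_markers(text):
    """Names of the redirect patterns present in a file's text."""
    return sorted(name for name, rx in REDIRECT_PATTERNS.items() if rx.search(text))

def locate_executed_code(tree, requested):
    """(on-disk path, markers) for the first Application.cfm ColdFusion would run
    before `requested`, or None. `tree` maps Windows paths to file text; the match
    is case-insensitive, as NTFS name matching is."""
    by_lower = {path.lower(): (path, text) for path, text in tree.items()}
    for candidate in application_cfm_candidates(requested):
        hit = by_lower.get(candidate.lower())
        if hit is not None:
            actual_path, text = hit
            return actual_path, find_redirect_markers(text)
    return None

# Constructed tree mirroring the layout in the question; the APPLICATION.CFM one
# level above the static site is the hypothetical planted file.
SAMPLE_TREE = {
    r"d:\inetpub\wwwroot\main_site\index.cfm": "<cfinclude template='home.cfm'>",
    r"d:\inetpub\wwwroot\main_site\unique_site1\index.html": "<html>static site</html>",
    r"d:\inetpub\wwwroot\main_site\APPLICATION.CFM":
        "<cflocation url='http://pharmacy.example.invalid/' addtoken='no'>",
}
```

Running `locate_executed_code(SAMPLE_TREE, r"d:\inetpub\wwwroot\main_site\unique_site1\index.cfm")` names the parent-directory file as the code that runs for the static site's non-existent index.cfm.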
LVL 4

Expert Comment

by:Rodrigo Munera
ID: 39970846
Oh, and if any information comes from a database, make sure you check the rows, you could have javascript in your rows that could be sending your users to the cialis sites. [SQL Injection]
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39970862
Rodrigo is absolutely correct that IIS could also have been compromised. The best thing to do is to upgrade everything to the latest patch. Check your ColdFusion Admin Panel's scheduled tasks too; that's where the cfm shells come from.
LVL 52

Assisted Solution

by:_agx_
_agx_ earned 200 total points
ID: 39973574
(no points ...)

Not sure what kind of exploit you're dealing with, but if it's similar to this CFIDE exploit, may want to consider starting with a clean slate, rather than cleaning. If a hacker has gained full access to your server, who knows what else they've installed ...
LVL 1

Author Comment

by:Marty Block
ID: 39974024
What I'm trying to understand is both how and what file is why when you go to www.mainsite.com/subsitedir/ you get a directory listing denied (as you should) but if you put in www.mainsite.com/subsitedir/index.cfm why and what index.cfm is being executed when:
there is no cfm file in the sub directory and
directory traversal is off for both the subsite and the main site....

I get that clean up is a bear. I need the location of the file that's being executed so I don't COPY IT TO THE NEW SERVER.
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39975268
Honestly, show us everything in /CFIDE/ (if you don't mind) and check your "Scheduled Tasks" in the ColdFusion admin panel.
LVL 4

Expert Comment

by:Rodrigo Munera
ID: 39975348
It sounds like your 404 handler in IIS could be the culprit. It's possible that the malware rewrote the handler to forward the user (possibly with javascript) to the cialis site. That's where I would check first. Not just the mapping to the 404 handler, but check the contents of the actual 404 handler file itself. I don't think that this is happening in the CFIDE folder.
LVL 1

Author Closing Comment

by:Marty Block
ID: 40199563
Both suggestions are competent, though I am still unsure how it is that if you go to a particular directory that is empty you get a 'directory listing denied' error - as you should - BUT if you end the same URL with an 'index.cfm' - it executes something that does not appear to be on the server. I was thinking there was some type of directory traversal (turned off). In any event we've determined to move to a Wordpress configuration for the site, and so I am nearly ready to decommission both the server and the site. Thanks for the feedback.