cfm file executed when no cfm exists in directory - IIS 5 / Cold Fusion MX7 question

Posted on 2014-04-01
Medium Priority
Last Modified: 2014-07-16
I have a legacy server running Win2k/IIS-5 and Coldfusion MX. (No snickering in the back please...). Here's the issue/question:

I have many sites on this server - it is dedicated to a non profit. The server runs both cold fusion and HTML sites. Each site on the server has a unique url, and each site has a dedicated 'home' directory, but they exist under the primary directory of the primary web site - see below - this was done so that FTP to support all sites would be easier to configure.

In this specific case, one web site is HTML only. The 'documents' tab of IIS lists only two document types to be executed: index.htm and index.html. Other than HTML files and a few subdirectories for images and a PDF or two, there is nothing else in this directory.

Here's the structure:


(the subdirs are things like 'images' for the main site; uniques_site1 is a sub dir that contains independent files that serve as a different site under IIS.)
Here's the problem:

If you go to, that unique site works fine;

If you go to, the site displays an error message saying that directory listings are forbidden on the server (remember that the web files for the other HTML site are in a directory under the home or main ;

If you go to www.sitename.corg/somedirectory/index.cfm, the server finds a compromised cfm file and executes it.

Now, the compromised file is a type of redirect to another site that sells cialis....

The problem is that I have looked for hidden, system, read-only etc. index.cfm files in the primary and in fact I have searched all directories on the server and find nothing amiss.

This leads me to think the issue is around some type of traversal mechanism or in the default path of some part of IIS.
Question by:Marty Block
Accepted Solution

Pasha Kravtsov earned 600 total points
ID: 39970083
Funny you mention this as I am currently working on teaching people how to mitigate CF attacks. Currently CF 6/7/8/9/10 all have 0day exploits in them. How this happens is if you have /cfide/administrator/enter.cfm enabled there is a file path traversal which shows the file. Then they take that admin hash which it displays on the admin page and use the salt (which can be found in the source of the page... yes I know lol), use TamperData to log in and then usually they spawn a shell in /CFIDE/ using the scheduled tasks command. So basically if you're using CF it has multiple 0days so you're kind of out of luck unless you have CF 8, which is the only patch that Adobe released that fixes the 0day. Not sure about MX7 though.
This is just the tip of the iceberg. I highly recommend you check out your /CFIDE/ for every website.

Expert Comment

by:Rodrigo Munera
ID: 39970842
I would check a variety of places:

ISAPI filters? IIS could've been compromised and the filters could be redirecting server requests to another service.

application.cfm? it's possible that the server is recursively looking for this file in the file system and executing the compromised code there.

Like Pasha said, older unpatched versions of any software are vulnerable to attack, and cleaning the files themselves may not solve your problem, especially if the culprit is running some sort of service that keeps reinserting the bad code into your files.

Here are some lockdown resources for ColdFusion servers 9 and 10, (don't know if lockdown resources exist for the older servers)

Also, IIS 5 is pretty old; I believe it shipped with Windows 2000 Server? There are a number of vulnerabilities associated with it that I believe remain unpatched, so even if you lock down CF, you might still be attacked through the holes in IIS.

Expert Comment

by:Rodrigo Munera
ID: 39970846
Oh, and if any information comes from a database, make sure you check the rows, you could have javascript in your rows that could be sending your users to the cialis sites. [SQL Injection]
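An added check, written for this thread and not taken from Adobe, IIS or any of the posters, that exercises the two hypotheses Rodrigo raises above: that ColdFusion walks up the directory tree looking for Application.cfm (so a request for a .cfm that does not exist can still execute code that lives a level or more above the empty subdirectory), and that redirect markers may also sit in database rows. The script builds a constructed web root in a temp directory, an HTML-only subsite with no .cfm of its own and an Application.cfm at the root carrying a redirect, then reports which Application.cfm files are in scope for a given URL path and which of them (or which database rows) contain redirect markers. The marker list and the sample tree are constructed for the example; the walk stops at the web root, which is an assumption made to keep it bounded (ColdFusion itself continues up to the drive root, so a file above the web root would also need checking). Note also that once IIS maps .cfm to ColdFusion, the request reaches ColdFusion whether or not the file exists, unless the application mapping's "Check that file exists" option is set.

```python
import os
import re
import tempfile

# Markers that a dropped-in redirect commonly leaves behind (constructed list; extend it
# with whatever the compromised file on the real server actually contains).
REDIRECT_MARKERS = [
    ("cflocation", re.compile(r"<cflocation\b", re.I)),
    ("cfheader-location", re.compile(r"<cfheader\b[^>]*\blocation\b", re.I)),
    ("meta-refresh", re.compile(r"http-equiv\s*=\s*[\"']?refresh", re.I)),
    ("js-location", re.compile(r"(window|document|top)\.location", re.I)),
    ("script-tag", re.compile(r"<script\b", re.I)),
]


def redirect_markers(text):
    """Names of the markers present in a string (file body or database column)."""
    return [name for name, pattern in REDIRECT_MARKERS if pattern.search(text)]


def application_cfm_candidates(webroot, request_path):
    """Application.cfm files ColdFusion would consider for a request, nearest first.

    ColdFusion looks in the requested template's directory and then in each parent.
    Assumption in this example: the walk stops at the web root (ColdFusion itself
    continues up to the drive root).
    """
    webroot = os.path.abspath(webroot)
    directory = os.path.abspath(os.path.join(webroot, request_path.lstrip("/")))
    # The requested template (or even its directory) may not exist: back up to the
    # nearest directory that does.
    while not os.path.isdir(directory) and directory != webroot:
        directory = os.path.dirname(directory)
    found = []
    while True:
        candidate = os.path.join(directory, "Application.cfm")
        if os.path.isfile(candidate):
            found.append(candidate)
        parent = os.path.dirname(directory)
        if directory == webroot or parent == directory:
            break
        directory = parent
    return found


def audit_request(webroot, request_path):
    """For a URL path such as /somedirectory/index.cfm, report whether the template
    exists and which in-scope Application.cfm files carry redirect markers."""
    template = os.path.join(webroot, request_path.lstrip("/"))
    hits = []
    for path in application_cfm_candidates(webroot, request_path):
        with open(path, encoding="utf-8", errors="replace") as f:
            markers = redirect_markers(f.read())
        hits.append((os.path.relpath(path, webroot).replace(os.sep, "/"), markers))
    return {"template_exists": os.path.isfile(template), "application_cfm": hits}


def scan_rows(rows):
    """Apply the same markers to database rows (a list of dicts); returns
    (row index, column, markers) for every text column that matches."""
    findings = []
    for i, row in enumerate(rows):
        for column, value in row.items():
            if isinstance(value, str):
                markers = redirect_markers(value)
                if markers:
                    findings.append((i, column, markers))
    return findings


def build_sample_tree():
    """Constructed web root: an HTML-only subsite with no .cfm file of its own, and
    an Application.cfm one level up that contains a redirect."""
    root = tempfile.mkdtemp(prefix="cfaudit_")
    os.makedirs(os.path.join(root, "somedirectory", "images"))
    with open(os.path.join(root, "somedirectory", "index.html"), "w") as f:
        f.write("<html><body>static subsite</body></html>\n")
    with open(os.path.join(root, "Application.cfm"), "w") as f:
        f.write('<cfsetting enablecfoutputonly="true">\n'
                '<cflocation url="http://pharmacy.example.invalid/" addtoken="no">\n')
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    # The subsite has no index.cfm, yet an Application.cfm with a redirect is in scope.
    print(audit_request(root, "/somedirectory/index.cfm"))
    # Constructed rows standing in for a content table.
    print(scan_rows([{"id": 1, "body": "hello"},
                     {"id": 2, "body": '<script>window.location="http://bad.example.invalid"</script>'}]))
```

Run it against the real web root with the request path from the question; a non-empty `application_cfm` list for a path whose `template_exists` is false is exactly the situation described in the question, and the listed file is the one not to copy to the new server.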

Expert Comment

by:Pasha Kravtsov
ID: 39970862
Rodrigo is absolutely correct that IIS could also have been compromised. The best thing to do is to upgrade everything to the latest patch. Check your ColdFusion Admin Panel's scheduled tasks too; that's where the cfm shells come from.

Assisted Solution

_agx_ earned 600 total points
ID: 39973574
(no points ...)

Not sure what kind of exploit you're dealing with, but if it's similar to this CFIDE exploit, you may want to consider starting with a clean slate rather than cleaning. If a hacker has gained full access to your server, who knows what else they've installed ...

Author Comment

by:Marty Block
ID: 39974024
What I'm trying to understand is both how and what file is why, when you go to, you get a directory listing denied (as you should) but if you put in, why and what index.cfm is being executed when:
there is no cfm file in the sub directory and
directory traversal is off for but the subsite and the main site....

I get that clean up is a bear. I need the location of the file that's being executed so I don't COPY IT TO THE NEW SERVER...

Expert Comment

by:Pasha Kravtsov
ID: 39975268
Honestly, show us everything in /CFIDE/ (if you don't mind) and check your "Scheduled Tasks" in the ColdFusion admin panel.

Expert Comment

by:Rodrigo Munera
ID: 39975348
It sounds like your 404 handler in IIS could be the culprit. It's possible that the malware rewrote the handler to forward the user (possibly with javascript) to the cialis site. That's where I would check first. Not just the mapping to the 404 handler, but check the contents of the actual 404 handler file itself. I don't think that this is happening in the CFIDE folder.

Author Closing Comment

by:Marty Block
ID: 40199563
Both suggestions are competent, though I am still unsure how it is that if you go to a particular directory that is empty you get a 'directory listing denied' error - as you should - BUT if you end the same URL with 'index.cfm' it executes something that does not appear to be on the server. I was thinking there was some type of directory traversal (turned off). In any event we've determined to move to a WordPress configuration for the site, and so I am nearly ready to decommission both the server and the site. Thanks for the feedback.
