Solved

cfm file executed when no cfm exists in directory - IIS 5 / Cold Fusion MX7 question

Posted on 2014-04-01
Last Modified: 2014-07-16
I have a legacy server running Win2k/IIS-5 and Coldfusion MX. (No snickering in the back please...). Here's the issue/question:

I have many sites on this server - it is dedicated to a non profit. The server runs both cold fusion and HTML sites. Each site on the server has a unique url, and each site has a dedicated 'home' directory, but they exist under the primary directory of the primary web site - see below - this was done so that FTP to support all sites would be easier to configure.

In this specific case, one web site is html only. The 'documents' tab of IIS lists only two document types to be executed: index.htm and index.html. Other than html files, and a few subdirectories for images and a pdf or two, there is nothing else in this directory.

Here's the structure:

d:\inetpub\wwwroot\main_site
d:\inetpub\wwwroot\main_site\unique_site1
d:\inetpub\wwwroot\main_site\main_site_subdir1
d:\inetpub\wwwroot\main_site\main_site_subdir2
d:\inetpub\wwwroot\main_site\main_site_subdir3
d:\inetpub\wwwroot\main_site\main_site_subdir4
d:\inetpub\wwwroot\main_site\unique_site2

(The subdirs are things like 'images' for the main site; unique_site1 is a sub dir that contains independent files that serve as a different site under IIS.)

Here's the problem:

If you go to www.mainsitename.org, that unique site works fine;

If you go to www.sitename.com/somedirectory/ the site displays an error message saying that directory listings are forbidden on the server (remember that the web files for the other html site are in a directory under the home or main);

If you go to www.sitename.corg/somedirectory/index.cfm - the server finds a compromised cfm file and executes it.

Now, the compromised file is a type of redirect to another site that sells cialis....

The problem is that I have looked for hidden, system, read only etc. index.cfm files in the primary and in fact, I have searched all directories on the server and find nothing amiss.

This leads me to think the issue is around some type of traversal mechanism or in the default path of some part of IIS.

Question by:Marty Block
9 Comments
 
Accepted Solution by: Pasha Kravtsov (earned 200 total points), ID: 39970083
Funny you mention this as I am currently working on teaching people how to mitigate CF attacks. Currently CF 6/7/8/9/10 all have 0day exploits in them. How this happens is if you have /cfide/administrator/enter.cfm enabled there is a file path traversal which shows the password.properties file. Then they take that admin hash which it displays on the admin page and use the salt (which can be found in the source of the page... yes I know lol) use tamperdata to login and then usually they spawn a shell in /CFIDE/ using the scheduled tasks command. So basically if you're using CF it has multiple 0days so you're kind of out of luck unless you have CF 8 which is the only patch that Adobe released that fixes the 0day. Not sure about mx7 though.

http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/
This is just the tip of the iceberg. I highly recommend you check out your /CFIDE/ for every website.
 
Expert Comment by: Rodrigo Munera, ID: 39970842
I would check a variety of places:

ISAPI filters? IIS could've been compromised and the filters could be redirecting server requests to another service.

application.cfm? it's possible that the server is recursively looking for this file in the file system and executing the compromised code there.

Like Pasha said, older unpatched versions of any software are vulnerable to attack, and cleaning the files themselves may not solve your problem, especially if the culprit is running some sort of service that keeps reinserting the bad code onto your files.

Here are some lockdown resources for ColdFusion servers 9 and 10 (don't know if lockdown resources exist for the older servers):
http://www.cfhour.com/post.cfm/show-212-playing-the-blame-game

Also, IIS 5 is pretty old, I believe it was shipped with Windows 2000 server? There are a number of vulnerabilities associated with it that I believe remain un-patched, so even if you lock down CF, you might still be attacked through the holes in IIS.

http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3436/version_id-63588/Microsoft-IIS-5.0.html
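Rodrigo's Application.cfm point can be checked mechanically. ColdFusion resolves Application.cfc/Application.cfm by searching from the requested template's directory upward through its parents, so a request aimed at the html-only sub-site is still subject to whatever Application file sits higher in the tree (here, in main_site). The script below is an added example, not code from the thread or from ColdFusion itself: it models that lookup against a constructed copy of the layout described in the question and flags redirect-style constructs in whatever file it resolves. The triage patterns and the planted `<cflocation>` are constructed for the demo.

```python
import os
import re
import tempfile

# Compared case-insensitively, as an NTFS volume would; .cfc wins over .cfm.
APP_NAMES = ("application.cfc", "application.cfm")
# Constructed triage patterns: constructs that can send a visitor elsewhere.
REDIRECT_RE = re.compile(
    r"<cflocation\b|<meta[^>]*http-equiv=.refresh|location\.(href|replace)", re.I)

def find_application_file(requested, web_root):
    """Return the Application.cfc/.cfm ColdFusion would run for `requested`,
    searching from the template's directory up to `web_root`, or None."""
    web_root = os.path.abspath(web_root)
    directory = os.path.abspath(os.path.dirname(requested))
    while True:
        try:
            entries = {name.lower(): name for name in os.listdir(directory)}
        except OSError:          # directory does not exist: keep walking up
            entries = {}
        for app in APP_NAMES:
            if app in entries:
                return os.path.join(directory, entries[app])
        parent = os.path.dirname(directory)
        if directory == web_root or parent == directory:
            return None
        directory = parent

def redirect_hits(path):
    """Return (line number, stripped line) pairs matching the triage patterns."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [(n, l.strip()) for n, l in enumerate(fh, 1) if REDIRECT_RE.search(l)]

def triage_request(requested, web_root):
    """Resolve the Application file for a request and scan it for redirects."""
    app = find_application_file(requested, web_root)
    return {"application": app, "hits": redirect_hits(app) if app else []}

def build_demo():
    """Constructed layout mirroring the thread: an html-only sub-site with no
    .cfm files, and a planted Application.cfm one level up in main_site."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "main_site", "unique_site1")
    os.makedirs(sub)
    with open(os.path.join(sub, "index.html"), "w") as fh:
        fh.write("<html><body>legit html site</body></html>\n")
    with open(os.path.join(root, "main_site", "Application.cfm"), "w") as fh:
        fh.write('<cfset ok = true>\n<cflocation url="http://pharma.invalid/" addtoken="no">\n')
    return root
```

Against the real server, call `triage_request` with the full path of the requested index.cfm under d:\inetpub\wwwroot\main_site and the web root; a match is a lead for manual review, not proof on its own.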
 
Expert Comment by: Rodrigo Munera, ID: 39970846
Oh, and if any information comes from a database, make sure you check the rows, you could have javascript in your rows that could be sending your users to the cialis sites. [SQL Injection]
 
Expert Comment by: Pasha Kravtsov, ID: 39970862
Rodrigo is absolutely correct that IIS could also have been compromised. The best thing to do is to upgrade everything to the latest patch. Check your ColdFusion Admin Panel's scheduled tasks too; that's where the cfm shells come from.
 
Assisted Solution by: _agx_ (earned 200 total points), ID: 39973574
(no points ...)

Not sure what kind of exploit you're dealing with, but if it's similar to this CFIDE exploit, you may want to consider starting with a clean slate, rather than cleaning. If a hacker has gained full access to your server, who knows what else they've installed ...
 
Author Comment by: Marty Block, ID: 39974024
What I'm trying to understand is both how and what file is why, when you go to www.mainsite.com/subsitedir/, you get a directory listing denied (as you should) but if you put in www.mainsite.com/subsitedir/index.cfm, why and what index.cfm is being executed when:
there is no cfm file in the sub directory and
directory traversal is off for both the subsite and the main site....

I get that clean up is a bear. I need the location of the file that's being executed so I don't COPY IT TO THE NEW SERVER.
 
Expert Comment by: Pasha Kravtsov, ID: 39975268
Honestly, show us everything in /CFIDE/ (if you don't mind) and check your "Scheduled Tasks" in the ColdFusion admin panel.
 
Expert Comment by: Rodrigo Munera, ID: 39975348
It sounds like your 404 handler in IIS could be the culprit. It's possible that the malware rewrote the handler to forward the user (possibly with JavaScript) to the cialis site. That's where I would check first. Not just the mapping to the 404 handler, but check the contents of the actual 404 handler file itself. I don't think that this is happening in the CFIDE folder.
 
Author Closing Comment by: Marty Block, ID: 40199563
Both suggestions are competent, though I am still unsure how it is that if you go to a particular directory that is empty you get a 'directory listing denied' error - as you should - BUT if you end the same URL with an 'index.cfm' it executes something that does not appear to be on the server. I was thinking there was some type of directory traversal (turned off). In any event we've determined to move to a WordPress configuration for the site, and so I am nearly ready to decommission both the server and the site. Thanks for the feedback.