cfm file executed when no cfm exists in directory - IIS 5 / ColdFusion MX7 question

I have a legacy server running Win2k/IIS 5 and ColdFusion MX. (No snickering in the back, please...) Here's the issue/question:

I have many sites on this server - it is dedicated to a non-profit. The server runs both ColdFusion and HTML sites. Each site on the server has a unique URL, and each site has a dedicated 'home' directory, but they exist under the primary directory of the primary web site - see below - this was done so that FTP to support all sites would be easier to configure.

In this specific case, one web site is HTML only. The 'Documents' tab of IIS lists only two document types to be executed: index.htm and index.html. Other than HTML files, and a few subdirectories for images and a PDF or two, there is nothing else in this directory.

Here's the structure:

(The subdirs are things like 'images' for the main site; uniques_site1 is a subdirectory that contains independent files that serve as a different site under IIS.)

Here's the problem:

If you go to, that unique site works fine;

If you go to the site displays an error message saying that directory listings are forbidden on the server (remember that the web files for the other HTML site are in a directory under the home or main);

If you go to www.sitename.corg/somedirectory/index.cfm - the server finds a compromised .cfm file and executes it.

Now, the compromised file is a type of redirect to another site that sells Cialis....

The problem is that I have looked for hidden, system, read-only, etc. index.cfm files in the primary directory and, in fact, I have searched all directories on the server and find nothing amiss.

This leads me to think the issue is around some type of traversal mechanism or in the default path of some part of IIS.

Marty Block (Owner) asked:

Pasha Kravtsov (Support Engineer) commented:
Funny you mention this, as I am currently working on teaching people how to mitigate CF attacks. Currently CF 6/7/8/9/10 all have 0-day exploits in them. How this happens is: if you have /cfide/administrator/enter.cfm enabled, there is a file path traversal which shows the file. Then they take the admin hash which it displays on the admin page and use the salt (which can be found in the source of the page... yes, I know, lol), use Tamper Data to log in, and then usually they spawn a shell in /CFIDE/ using the scheduled tasks command. So basically, if you're using CF it has multiple 0-days, so you're kind of out of luck unless you have CF 8, which is the only patch that Adobe released that fixes the 0-day. Not sure about MX7 though.
This is just the tip of the iceberg. I highly recommend you check out your /CFIDE/ for every website.
Rodrigo Munera (Sr. Software Engineer) commented:
I would check a variety of places:

ISAPI filters? IIS could've been compromised and the filters could be redirecting server requests to another service.

Application.cfm? It's possible that the server is recursively looking for this file in the file system and executing the compromised code there.

Like Pasha said, older unpatched versions of any software are vulnerable to attack, and cleaning the files themselves may not solve your problem, especially if the culprit is running some sort of service that keeps reinserting the bad code into your files.

Here are some lockdown resources for ColdFusion servers 9 and 10, (don't know if lockdown resources exist for the older servers)

Also, IIS 5 is pretty old; I believe it was shipped with Windows 2000 Server? There are a number of vulnerabilities associated with it that I believe remain unpatched, so even if you lock down CF, you might still be attacked through the holes in IIS.

Rodrigo Munera (Sr. Software Engineer) commented:

Oh, and if any information comes from a database, make sure you check the rows; you could have JavaScript in your rows that could be sending your users to the Cialis sites. [SQL Injection]
Pasha Kravtsov (Support Engineer) commented:

Rodrigo is absolutely correct that IIS could also have been compromised. The best thing to do is to upgrade everything to the latest patch. Check your ColdFusion Admin Panel's scheduled tasks too; that's where the .cfm shells come from.

_agx_ commented:
(no points ...)

Not sure what kind of exploit you're dealing with, but if it's similar to this CFIDE exploit, you may want to consider starting with a clean slate rather than cleaning. If a hacker has gained full access to your server, who knows what else they've installed...

Marty Block (Owner, Author) commented:

What I'm trying to understand is both how and what file is being executed: when you go to you get a directory listing denied (as you should), but if you put in why and what index.cfm is being executed when:
there is no .cfm file in the subdirectory, and
directory traversal is off for both the subsite and the main site....

I get that cleanup is a bear. I need the location of the file that's being executed so I don't COPY IT TO THE NEW SERVER.

Pasha Kravtsov (Support Engineer) commented:

Honestly, show us everything in /CFIDE/ (if you don't mind) and check your "Scheduled Tasks" in the ColdFusion admin panel.

Rodrigo Munera (Sr. Software Engineer) commented:
It sounds like your 404 handler in IIS could be the culprit. It's possible that the malware rewrote the handler to forward the user (possibly with JavaScript) to the Cialis site. That's where I would check first. Not just the mapping to the 404 handler, but check the contents of the actual 404 handler file itself. I don't think that this is happening in the CFIDE folder.
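Added example (Python, not code from the thread or from any of its participants) that checks the three places the replies above point at when a request for a non-existent index.cfm still runs something: Application.cfm inherited from a parent directory (ColdFusion MX walks up to the drive root looking for it, so a copy above the web root is easy to miss), the IIS custom error mapping for 404 (IIS 5 keeps it in the metabase HttpErrors list, which `cscript adsutil.vbs GET W3SVC/1/ROOT/HttpErrors` from Inetpub\AdminScripts prints; it can also be overridden per directory), and any template on disk that contains a redirect construct. The web-root layout, the planted errors/404.cfm and the metabase dump are constructed samples, and pills.example is a placeholder domain. Run it against a copy of the web root pulled off the box rather than on the Win2k host itself.

```python
"""Find what really runs when /somedirectory/index.cfm is requested although no
index.cfm exists there.  Sample data is constructed in build_sample_tree(); the
checks are the ones to run against a copied-off web root and metabase dump."""
import os
import re
import tempfile

# Constructs a planted redirect template tends to contain: cflocation, meta
# refresh, a JavaScript location change, or an injected iframe.  Extend as needed.
REDIRECT_RE = re.compile(
    r"<cflocation\b|<meta[^>]+http-equiv=[\"']?refresh|"
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=|<iframe\b",
    re.IGNORECASE,
)
TEMPLATE_EXT = {".cfm", ".cfc", ".cfml", ".htm", ".html", ".asp", ".inc", ".js"}


def contains_redirect(path):
    """True if the file holds one of the redirect constructs above."""
    try:
        with open(path, "r", errors="replace") as fh:
            return bool(REDIRECT_RE.search(fh.read()))
    except OSError:
        return False


def application_cfm_chain(request_dir):
    """ColdFusion MX looks for Application.cfm (and OnRequestEnd.cfm) in the
    requested directory, then in each parent up to the drive root, and runs the
    first one it finds.  Return every such file along that path, nearest first,
    so a planted copy two levels up is not missed."""
    found = []
    cur = os.path.abspath(request_dir)
    while True:
        for name in ("Application.cfm", "OnRequestEnd.cfm"):
            candidate = os.path.join(cur, name)
            if os.path.isfile(candidate):
                found.append(candidate)
        parent = os.path.dirname(cur)
        if parent == cur:  # reached the drive / filesystem root
            return found
        cur = parent


def suspicious_error_handlers(adsutil_dump):
    """Parse the HttpErrors list as printed by
    `cscript adsutil.vbs GET W3SVC/1/ROOT/HttpErrors` (IIS 5 metabase).
    Entries look like "404,*,FILE,C:\\WINNT\\help\\iisHelp\\common\\404b.htm" or
    "404,*,URL,/errors/404.cfm".  A URL handler is executed by the server, so a
    .cfm there runs on every 404, i.e. on every request for a missing index.cfm;
    a FILE handler is flagged only if its contents redirect."""
    hits = []
    for m in re.finditer(r'"(\d{3}),([^,]*),(FILE|URL),([^"]*)"', adsutil_dump):
        code, _sub, kind, target = m.groups()
        if kind == "URL" or contains_redirect(target):
            hits.append((code, kind, target))
    return hits


def scan_for_redirects(root):
    """Walk everything under root.  Windows hidden/system attributes do not hide
    files from os.walk, so this catches what an Explorer search may skip."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TEMPLATE_EXT:
                path = os.path.join(dirpath, name)
                if contains_redirect(path):
                    hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: a web root laid out like the thread's (main site with
    a sub-site directory and an image-only subdirectory) plus a planted 404
    template and a metabase dump pointing at it.  Returns (webroot, dump)."""
    webroot = tempfile.mkdtemp(prefix="wwwroot_")
    for sub in ("somedirectory/images", "uniques_site1", "errors"):
        os.makedirs(os.path.join(webroot, sub))
    with open(os.path.join(webroot, "Application.cfm"), "w") as fh:
        fh.write('<cfapplication name="main" sessionmanagement="yes">\n')
    with open(os.path.join(webroot, "uniques_site1", "index.html"), "w") as fh:
        fh.write("<html><body>legitimate sub-site</body></html>\n")
    with open(os.path.join(webroot, "errors", "404.cfm"), "w") as fh:  # planted
        fh.write('<cflocation url="http://pills.example/" addtoken="no">\n')
    dump = (
        "HttpErrors                      : (LIST) (2 Items)\n"
        '  "403,*,FILE,C:\\WINNT\\help\\iisHelp\\common\\403.htm"\n'
        '  "404,*,URL,/errors/404.cfm"\n'
    )
    return webroot, dump


if __name__ == "__main__":
    webroot, dump = build_sample_tree()
    print("Application.cfm chain  :", application_cfm_chain(os.path.join(webroot, "somedirectory")))
    print("Error handlers to read :", suspicious_error_handlers(dump))
    print("Templates that redirect:", scan_for_redirects(webroot))
```

On a real box, replace `build_sample_tree()` with the path of the copied web root and the saved output of the adsutil command; anything the three checks return is a file to read before deciding what gets migrated to the new server.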
Marty Block (Owner, Author) commented:

Both suggestions are competent, though I am still unsure how it is that if you go to a particular directory that is empty you get a 'directory listing denied' error - as you should - BUT if you end the same URL with 'index.cfm', it executes something that does not appear to be on the server. I was thinking there was some type of directory traversal (turned off). In any event, we've determined to move to a WordPress configuration for the site, and so I am nearly ready to decommission both the server and the site. Thanks for the feedback.