Solved

cfm file executed when no cfm exists in directory - IIS 5 / Cold Fusion MX7 question

Posted on 2014-04-01
9
455 Views
Last Modified: 2014-07-16
I have a legacy server running Win2k/IIS-5 and Coldfusion MX. (No snickering in the back please...). Here's the issue/question:

I have many sites on this server - it is dedicated to a non profit. The server runs both cold fusion and HTML sites. Each site on the server has a unique url, and each site has a dedicated 'home' directory, but they exist under the primary directory of the primary web site - see below - this was done so that FTP to support all sites would be easier to configure.

In this specific case, one web site is html only. The 'documents' tab of iis lists only two document types to be executed: index.htm and index.html. Other than html files, and some a few subdirectories for images and a pdf or two, there is nothing else in this directory.

Here's the structure:

d:\inetpub\wwwroot\main_site
d:\inetpub\wwwroot\main_site\unique_site1
d:\inetpub\wwwroot\main_site\main_site_subdir1
d:\inetpub\wwwroot\main_site\main_site_subdir2
d:\inetpub\wwwroot\main_site\main_site_subdir3
d:\inetpub\wwwroot\main_site\main_site_subdir4
d:\inetpub\wwwroot\main_site\unique_site2

(the subdirs are things like 'images' for the main site; uniques_site1 is a sub dir that contains independent files that serve as a different site under IIS.)
Here's the problem

If you go to www.mainsitename.org, that unique site works fine;

If you go to www.sitename.com/somedirectory/ the site displays' an error message saying that directory listings are forbidden on the server (remember that the web files for the other html site is in a directory under the home or main ;

if you go to www.sitename.corg/somedirectory/index.cfm - the server finds a compromised cfm file and executes it.

Now, the compromised file is a typeof redirect to another site that sells cialis....

The problem is that i have looked for hidden, system, read only etc.. index.cfm files in the primary and in fact, i have searched all directories on the server and find nothing amiss.

this leads me to think the issue is around some type of traversal mechanism or in the default path of some part of iis.
0
Comment
Question by:Marty Block
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 5

Accepted Solution

by:
Pasha Kravtsov earned 200 total points
ID: 39970083
Funny you mention this as I am currently working on teaching people how to mitigate CF attacks. Currently CF 6/7/8/9/10 all have 0day exploits in them. How this happens is if you have /cfide/administrator/enter.cfm enabled there is a file path traversal which shows the password.properties file. Then they take that admin hash which it displays on the admin page and use the salt (which can be found in the source of the page... yes I know lol) use tamperdata to login and then usually they spawn a shell in /CFIDE/ using the scheduled tasks command. So basically if you're using CF it has multiple 0days so you're kind of out of luck unless you have CF 8 which is the only patch that Adobe released that fixes the 0day. Not sure about mx7 though.

http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/
This is just the tip of the iceberg. I highly recommend you check out your /CFIDE/ for every website.
0
 
LVL 4

Expert Comment

by:Rodrigo Munera
ID: 39970842
I would check a variety of places:

ISAPI filters? IIS could've been compromised and the filters could be redirecting server requests to another service.

application.cfm? it's possible that the server is recursively looking for this file in the file system and executing the compromised code there.

Like pasha said, older unpatched versions of any software are vulnerable to attack, and cleaning the files themselves may not solve your problem, specially if the culprit is running some sort of service that keeps reinserting the bad code onto your files.

Here are some lockdown resources for ColdFusion servers 9 and 10, (don't know if lockdown resources exist for the older servers)
http://www.cfhour.com/post.cfm/show-212-playing-the-blame-game

Also, IIS 5 is pretty old, I believe it was shipped with Windows 2000 server? There are a number of vulnerabilities associated with it that I believe remain un-patched, so even if you lock down CF, you might still be attacked through the holes in IIS.

http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3436/version_id-63588/Microsoft-IIS-5.0.html
0
 
LVL 4

Expert Comment

by:Rodrigo Munera
ID: 39970846
Oh, and if any information comes from a database, make sure you check the rows, you could have javascript in your rows that could be sending your users to the cialis sites. [SQL Injection]
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39970862
Rodrigo is absolutely correct that IIS could also have been compromised. The best thing to do is to upgrade everything to the latest patch. Check your ColdFusion Admin Panel's scheduled tasks too that's where the cfm shells come from.
0
 
LVL 52

Assisted Solution

by:_agx_
_agx_ earned 200 total points
ID: 39973574
(no points ...)

Not sure what kind of exploit you're dealing with, but if its similar to this CFIDE exploit , may want to consider starting with a clean slate, rather than cleaning. If a hacker has gained full access to your server, who knows what else they've installed ...
0
 
LVL 1

Author Comment

by:Marty Block
ID: 39974024
What I'm trying to understand is both how and what file is why when you go to www.mainsite.com/subsitedir/ you get a directory listing denied (as you should) but if you put in www.mainsite.com/subsitedir/index.cfm why and what index .cfm is being executed when:
there is no cfm file in the sub directory and
directory traversal if off for but the subsite and the main site....

I get that clean up is a bear. I need the location of the file that's being executed so i don't COPY IT O THE NEW SERVER.,.....
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 39975268
Honestly show us everything in /CFIDE/ (if you don't mind) and check your "Scheduled Tasks" in the ColdFusion admin panel
0
 
LVL 4

Expert Comment

by:Rodrigo Munera
ID: 39975348
It sounds like your 404 handler in IIS could be the culprit. It's possible that the malware rewrote the handler to forward the user (possibly with javascript) to the cialis site. That's where I would check first. Not just the mapping to the 404 handler, but check the contents of the actual 404 handler file itself. I don't think that this is happening in the CFIDE folder.
0
 
LVL 1

Author Closing Comment

by:Marty Block
ID: 40199563
Both suggestions are competent, though I am still unsure how it is that if you go to a particular directory that is empty you get a 'directory listing denied' error - as you should - BUT if you end the same URL with a 'index.cfm' - it executes something that does not appear to be on the server. I was thinking there was some type of directory traversal (turned off). In any event we've determined to move to a Wordpress configuration for the site, and so I am nearly ready to decommission both the server and the site. Thanks for the feedback
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I spent nearly three days trying to figure out how incorporate OAuth in Coldfusion for the Eventful API. Hopefully, this article will allow Coldfusion Programmers to buzz through the API when they need to. Basically, what this script does is authori…
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question