Inspiring
May 26, 2009
Question

Code (not sql) injection by hackers via coldfusion

  • May 26, 2009
  • 3 replies
  • 5131 views

Does anyone have any information on how hackers might inject code into my coldfusion files.  I am having a problem with hackers installing javascript links to their trojans inside the actual pages of my site.  I run the server with many different sites on it and the injections are ONLY happening on the coldfusion sites.  I tried to search for code injection coldfusion information through the search engines and this forum but didn't find anything.  What potential holes in my coldfusion code would allow a hacker to inject code into the actual files on the server?  I am mainly seeing the code injected into application.cfm itself so that the links are displayed on every page.  Guess these hackers are familiar with coldfusion.


    3 replies

    Inspiring
    June 2, 2009

    The only way that hackers can modify your ColdFusion Code is to get access to your server so that they can actually modify the CFM and/or CFC files that are stored upon it.  Unfortunately, on a shared-hosting setup that's not terribly difficult to do.  And, most programmers neglect to consider the file access permissions (other than the "x"ecutable bit in Unix/Linux) that they attach to any particular file when they upload them.

    You need to be certain that all of the files in your directories, and the directories themselves, are locked-down so that no one can modify them, and so that no one but "you 'n the web server" can see what they contain.  (Remember, shared-hosting companies give away shared-hosting accounts like water, and it's sometimes effortless for "the web-site next door" to see much more than it ought to be able to see... and maybe, to modify something!)

    If you're running on a Linux host, see if the server appears to support Access Control Lists (ACLs) and whether you as a secure-shell user can establish them.  If so, this will allow you to restrict access more thoroughly than the "owner/group/world" permissions-mask system would allow.  The equivalent mantra with regards to Windows hosts is different in details only.  One way or the other, implement the "principle of least privilege."

    The larger problem, of course, remains with us:  the end-user's computer, and the shameless reality that the aforesaid user is probably an all-powerful Administrator of a Windows "Home Edition" something-or-other ... whose entire system, therefore, is a sitting duck with no backups.   You can't do anything at all about that.
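A way to audit and tighten the file permission bits this reply talks about, written in Python as an added example (not code from the thread or from Adobe). It targets a Unix/Linux host; the 0750/0640 targets, the directory layout and the file names are constructed assumptions, and the web server is assumed to run as a member of the owning group, which is why group read and traverse stay on.

```python
import os
import stat
import tempfile

# Bits that let anyone other than the owner modify a file or directory.
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH
# Bit that lets every other account on a shared host read the file.
WORLD_READ = stat.S_IROTH

# Least-privilege targets (assumption: the web server runs as a member of
# the owning group, so group read/traverse must stay on).
DIR_MODE = 0o750
FILE_MODE = 0o640


def audit_tree(root):
    """Walk root and return (relative_path, mode_string, problems) for every
    entry whose bits allow group/world write or world read.
    Symlinks are skipped: their bits belong to the target, not the link."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [dirpath] if dirpath == root else []
        entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
        for path in entries:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            problems = []
            if mode & GROUP_OR_WORLD_WRITE:
                problems.append("writable by group or world")
            if mode & WORLD_READ:
                problems.append("readable by world")
            if problems:
                findings.append((os.path.relpath(path, root), stat.filemode(mode), problems))
    return findings


def harden_tree(root):
    """Set directories to DIR_MODE and regular files to FILE_MODE.
    Returns the number of entries whose mode actually changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        targets = [(dirpath, DIR_MODE)] if dirpath == root else []
        targets += [(os.path.join(dirpath, n), DIR_MODE) for n in dirnames]
        targets += [(os.path.join(dirpath, n), FILE_MODE) for n in filenames]
        for path, wanted in targets:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if stat.S_IMODE(st.st_mode) != wanted:
                os.chmod(path, wanted)
                changed += 1
    return changed


def build_demo_tree():
    """Create a throwaway directory that mimics a sloppily uploaded site.
    Everything here is constructed sample data, not a real site."""
    root = tempfile.mkdtemp(prefix="cfsite_")
    os.mkdir(os.path.join(root, "includes"))
    for rel, mode in (("Application.cfm", 0o666),   # anyone on the box can edit it
                      ("index.cfm", 0o644),          # source readable by every account
                      ("includes/db.cfm", 0o600)):   # already locked down
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<!--- constructed placeholder --->\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "includes"), 0o777)
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    site = build_demo_tree()
    for rel, mode_str, problems in audit_tree(site):
        print(f"{mode_str} {rel}: {', '.join(problems)}")
    print(f"changed {harden_tree(site)} entries; remaining findings: {audit_tree(site)}")
```

Run it against the real document root instead of the demo tree (and dry-run the audit first); if the web server runs as a different user outside your group, the ACL route the reply mentions (a group or user entry via `setfacl`) is the way to give it read access without reopening the bits to everyone.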

    Ken_Ford_-_ACP-QFo4AB
    Inspiring
    May 30, 2009

    This is probably what it is.

    http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

    Ken Ford
    Adobe Community Expert - Dreamweaver/ColdFusion
    Adobe Certified Expert - Dreamweaver CS4
    Adobe Certified Expert - ColdFusion 8
    Fordwebs, LLC
    http://www.fordwebs.com
    http://www.cfnoob.com

    Inspiring
    May 26, 2009

    John,

What happens in your Application.cfm file? DB queries? One common defense against XSS is to use CFQUERYPARAM in your queries (makes it tougher for the SQL injection attacks to work).

There are a couple of nice utilities on RIAForge.com that will scan your server for vulnerabilities/protect against XSS, etc.

    http://portcullis.riaforge.org/

    http://qpScanner.riaforge.org/

    Inspiring
    May 26, 2009

    This is not an sql injection attack.  Nothing from the database is being read or displayed.  The application.cfm file is actually being edited somehow to include javascript calls to trojan software.  When I load up application.cfm, the lines have actually been physically added to the file itself.

    Participating Frequently
    May 27, 2009

I've seen these effects before (files being physically modified on the server). A developer machine with FTP access to the files was compromised by a trojan, FTP username and passwords were compromised and used by the attacker to connect to FTP, get the files, modify them and upload them back.

Check your FTP logs on the server to confirm this (you should see a download of the file followed quickly by an upload of the file - not necessarily from the same IP address).

    Mack
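The log check Mack describes, as an added Python example (not code from the thread): it parses lines in the classic xferlog layout (five time tokens, transfer seconds, remote host, byte count, path, transfer type, special flag, direction with `o` for a download from the server and `i` for an upload to it, access mode, user, and so on) and flags every file that was downloaded and then uploaded again within a short window, reporting both client addresses and how much the file grew. The log lines, addresses, user name, paths and the 15-minute window are all constructed assumptions; check your own server's log format before pointing this at it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the xferlog layout (wu-ftpd/proftpd/vsftpd style):
# time (5 tokens), transfer seconds, remote host, bytes, path, type, special
# flag, direction (o = server sent it, i = client uploaded it), access mode,
# user, service, auth method, auth user id, completion status (c = complete).
SAMPLE_XFERLOG = """\
Mon May 25 03:14:07 2009 1 203.0.113.7 1432 /home/john/site/Application.cfm a _ o r john ftp 0 * c
Mon May 25 03:14:52 2009 1 203.0.113.7 1811 /home/john/site/Application.cfm a _ i r john ftp 0 * c
Mon May 25 03:15:03 2009 1 198.51.100.23 2210 /home/john/site/index.cfm a _ o r john ftp 0 * c
Mon May 25 03:16:40 2009 1 203.0.113.7 2590 /home/john/site/index.cfm a _ i r john ftp 0 * c
Mon May 25 09:02:11 2009 2 192.0.2.44 2210 /home/john/site/index.cfm a _ o r john ftp 0 * c
Mon May 25 14:30:00 2009 3 192.0.2.44 9100 /home/john/site/images/logo.gif b _ i r john ftp 0 * c
"""


def parse_xferlog_line(line):
    """Split one xferlog line into the fields we need, or None if it is not
    a transfer record. Assumes paths contain no whitespace."""
    fields = line.split()
    if len(fields) < 18:
        return None
    when = datetime.strptime(" ".join(fields[0:5]), "%a %b %d %H:%M:%S %Y")
    return {
        "time": when,
        "host": fields[6],
        "size": int(fields[7]),
        "path": fields[8],
        "direction": fields[11],
        "user": fields[13],
        "status": fields[17],
    }


def find_download_then_upload(lines, window=timedelta(minutes=15)):
    """Return one finding per file that was downloaded (o) and then uploaded (i)
    within `window`: the edit-and-replace pattern of a stolen FTP credential."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_xferlog_line(line)
        if ev and ev["status"] == "c":          # ignore aborted transfers
            events[ev["path"]].append(ev)

    findings = []
    for path, evs in events.items():
        evs.sort(key=lambda e: e["time"])
        for i, down in enumerate(evs):
            if down["direction"] != "o":
                continue
            for up in evs[i + 1:]:
                if up["time"] - down["time"] > window:
                    break                      # later events are outside the window
                if up["direction"] == "i":
                    findings.append({
                        "path": path,
                        "user": up["user"],
                        "download_host": down["host"],
                        "upload_host": up["host"],
                        "same_host": down["host"] == up["host"],
                        "seconds_between": int((up["time"] - down["time"]).total_seconds()),
                        "size_delta": up["size"] - down["size"],
                        "uploaded_at": up["time"],
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in find_download_then_upload(SAMPLE_XFERLOG.splitlines()):
        print(f"{f['uploaded_at']:%Y-%m-%d %H:%M:%S} {f['path']}: fetched by "
              f"{f['download_host']}, re-uploaded by {f['upload_host']} "
              f"{f['seconds_between']}s later, {f['size_delta']:+d} bytes")
```

A positive size delta on a `.cfm` file re-uploaded a minute after it was fetched is exactly the injected-script signature from the question; the differing hosts in the second sample finding are why the check is keyed on the file, not on the client address. Once confirmed, the stolen credential has to be rotated and the developer machine cleaned, or the edits simply come back.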