Participant
July 11, 2025
Question

ColdFusion Process Outbound Connection Via SSH port.

  • July 11, 2025
  • 1 reply
  • 407 views

I am observing an outbound connection initiated by the process coldfusion.exe over the SSH port. The destination IP is not flagged as malicious on VirusTotal. Could you please advise if this is a legitimate process behavior by coldfusion, or should I investigate this activity further?
1 reply

Community Expert
July 11, 2025

I'd investigate further. This isn't something CF does automatically to arbitrary hosts, I think - someone please correct me if I'm wrong about that - but it's conceivably something your CF developers might do. What's the DNS name of the IP address?

Dave Watts, Eidolon LLC
BKBK
Community Expert
July 12, 2025

I think you are right, @Dave Watts . ColdFusion would not automatically connect to an arbitrary host via an SSH port. Unless, of course, there is a legitimate reason.

@Bhavya_Mittal8762 , here are some notes and suggestions.

1.  Possible legitimate uses for an SSH connection:
  • A developer may have written CFML code that uses SSH/SFTP to connect to another server (for example, to upload files, transfer data, or trigger a remote script).
  • ColdFusion could be using a Java library (such as JSch) behind the scenes for SSH functionality, and since ColdFusion is Java-based, the process would show as coldfusion.exe.
  • Your ColdFusion application could be uploading/downloading files via SFTP (SSH File Transfer Protocol).
  • ColdFusion could have been scripted to connect to remote systems via SSH to execute commands (for example, for deployment or automation tasks).
 
If none of the above apply, it's a red flag. You should investigate further, looking to detect malicious activity.
 
2.  Potentially malicious or suspicious scenarios:
  • Your ColdFusion server might have been compromised. If your server has been compromised, malware running inside coldfusion.exe could be using SSH to secretly export data or to connect to a "command-and-control" server.
  • A malicious backdoor, CFML script or Java class could be running SSH connections from within ColdFusion.

3. Steps you can undertake

  • Search for any use of ssh, sftp or external libraries in your CFML codebase. Look for scheduled tasks, CF jobs or background processes that might be performing SSH actions.
  • Check file integrity, especially within wwwroot and custom tag directories. Are there any suspicious files or directories there?
  • Use a tool such as netstat, TCPView, or Wireshark to inspect where exactly the SSH connection is going.
  • Run a malware scan on the server.
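The three investigation steps above, carried out as one PowerShell triage script. This is an added example, not code from the thread or from Adobe: it lists the coldfusion.exe connections to TCP/22 with their reverse-DNS names, searches the CFML code base for the SSH/SFTP patterns that would explain such a connection (JSch loaded through createObject, cfftp with secure="yes", sftp:// URLs, cfexecute calling an ssh client), lists the scheduled-task URLs, and hashes wwwroot and CustomTags so they can be diffed against a known-good baseline. The install root, the baseline file path and the location of the scheduled-task file (cfusion\lib\neo-cron.xml) are assumptions; adjust them for your server.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell on the CF server.
# Paths are assumptions for a default install; change them to match your environment.

$CfRoot   = 'C:\ColdFusion2023\cfusion'      # assumed install root
$WebRoot  = Join-Path $CfRoot 'wwwroot'
$Baseline = 'C:\Temp\cf-baseline.csv'        # assumed location of a known-good hash baseline

# --- 1. Which coldfusion.exe process holds connections to port 22, and to which hosts? ---
$cfPids   = (Get-Process -Name coldfusion -ErrorAction SilentlyContinue).Id
$sshConns = Get-NetTCPConnection -RemotePort 22 -ErrorAction SilentlyContinue |
    Where-Object { $cfPids -contains $_.OwningProcess }

Write-Host "== coldfusion.exe connections to TCP/22 =="
foreach ($c in $sshConns) {
    # Reverse lookup: a PTR name (or its absence) is a better lead than the IP alone
    $name = try { (Resolve-DnsName -Name $c.RemoteAddress -Type PTR -ErrorAction Stop).NameHost }
            catch { '<no PTR record>' }
    [pscustomobject]@{
        Pid    = $c.OwningProcess
        Remote = $c.RemoteAddress
        Name   = $name
        State  = $c.State
    }
}

# --- 2. Does the code base explain the connection? ---
# Each pattern matches one legitimate way CFML code reaches an SSH server.
$patterns = @(
    'com\.jcraft\.jsch',                        # JSch loaded via createObject("java", ...)
    '<cfftp[^>]*secure\s*=\s*"?(yes|true)',     # cfftp in SFTP mode
    'sftp://',                                  # SFTP URLs passed to libraries
    '<cfexecute[^>]*(ssh|plink|pscp|scp)\b'     # shelling out to an SSH client
)
Write-Host "== SSH/SFTP references in CFML sources =="
Get-ChildItem -Path $CfRoot -Recurse -Include *.cfm, *.cfc, *.cfml -ErrorAction SilentlyContinue |
    Select-String -Pattern $patterns |
    Select-Object Path, LineNumber, Line

# Scheduled tasks: review every task URL, since a task can call a template that opens SSH.
$cron = Join-Path $CfRoot 'lib\neo-cron.xml'   # assumed location of the scheduled-task file
if (Test-Path $cron) {
    Write-Host "== Scheduled task entries referencing a URL =="
    Select-String -Path $cron -Pattern 'url' | Select-Object Line
}

# --- 3. File integrity of wwwroot and CustomTags ---
$hashes = Get-ChildItem -Path $WebRoot, (Join-Path $CfRoot 'CustomTags') -Recurse -File -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash

if (Test-Path $Baseline) {
    # '=>' rows are files added or changed since the baseline, '<=' rows were removed
    Write-Host "== Differences from baseline $Baseline =="
    $old = Import-Csv -Path $Baseline
    Compare-Object -ReferenceObject $old -DifferenceObject $hashes -Property Path, Hash |
        Sort-Object Path
} else {
    # First run: record the current state so later runs can be compared against it.
    $hashes | Export-Csv -Path $Baseline -NoTypeInformation
    Write-Host "No baseline found; wrote current hashes to $Baseline"
}
```

The baseline is only meaningful if it was taken from a copy you trust (a fresh deployment or a backup predating the first suspicious connection); a baseline recorded after a compromise simply enshrines the attacker's files. Any connection in step 1 that is not accounted for by a hit in step 2 is the one to escalate.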
Participant
July 16, 2025

I have checked the destination IPs; they are all not flagged malicious by VirusTotal and other threat enrichment platforms as well. These IPs are referring to MICROSOFT-CORP-MSN-AS-BLOCK and Amazon.