Participant
September 10, 2012
Question

Iframe Injection Attack in Coldfusion


Hi,

Recently one of my sites has been hit with an iframe injection:

<iframe scrolling="no" frameborder="0" src="the source changes but normally htttp://collegefun4u.com/" width="0" height="1"></iframe>

It happens at random times and gets inserted in random include files.

We have clean scanned all computers + server for viruses, changed all FTP/remote desktop passwords but the problem still occurs.

I don't think that it's an SQL injection attack because it is not hitting the database and only being injected into include files.

Some advice would really be appreciated as I have tried extensively to get rid of it to no avail!

I am currently using CF9 running on a Windows 2003 server.

Thanks!

This topic has been closed for replies.

2 replies

Inspiring
September 26, 2012

set all your files on the server to readonly mod 444

WolfShade
Legend
September 26, 2012

It's a Windows server.  mod 444 doesn't work.. but setting the files to read only might.  Still.. what a pain..  hope the issue has been resolved.

^_^

12Robots
Participating Frequently
September 10, 2012

I'm afraid you don't give us much to go on.

Are all of the include files in the same directory?

It could be any number of things from an FTP exploit (just changing passwords may not be enough) to a completely unrelated page being exploited to rewrite other files.

There is really no way of telling, based on what you have provided, to determine what the problem is. If you're looking for a known exploit that would make this possible, there are none that I am aware of.

If you can, I would say disable your FTP when it is not in use and see if the problem stops.  Is your FTP open to the internet?  If so, does it need to be?  Could you block that port and see if the problem stops?

That could give you a TON of information right there. Also make sure the firewall is adequately protecting your server. No unneeded ports open.

Jason

Participant
September 10, 2012

Sorry I know it's a bit vague.

Our includes are currently sitting in the same folder yes. We also have multiple template folders etc.

I will disable ftp and see if that solves the problem. If it doesn't at least we can eliminate it.

The only issue is that the attack happens at random intervals sometimes within hours sometimes within minutes so I apologize if I don't respond straight away.

Thanks!
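
The tag quoted in the question is an iframe with width 0 and height 1. As an added example (not posted by anyone in this thread), the Python script below walks a template directory and reports such near-invisible iframes by file and line, so that affected includes can be found after each reinjection. The extension list, the 0/1 pixel threshold and the sample host name are assumptions.

```python
import re
import sys
from pathlib import Path

# Assumption: which extensions count as templates/includes on this site.
TEMPLATE_EXTS = {".cfm", ".cfc", ".cfml", ".inc", ".htm", ".html"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(
    r"""\b(width|height|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
    re.IGNORECASE,
)
TINY_RE = re.compile(r"\s*[01](?:px)?\s*", re.IGNORECASE)


def hidden_iframes(text):
    """Return [(line_no, src)] for iframes whose width or height is 0 or 1."""
    hits = []
    for tag in IFRAME_RE.finditer(text):
        attrs = {}
        for a in ATTR_RE.finditer(tag.group(0)):
            # Exactly one of the three value groups (double, single, bare) is set.
            value = next(v for v in a.groups()[1:] if v is not None)
            attrs[a.group(1).lower()] = value
        if any(TINY_RE.fullmatch(attrs.get(k, "")) for k in ("width", "height")):
            line_no = text.count("\n", 0, tag.start()) + 1
            hits.append((line_no, attrs.get("src", "")))
    return hits


def scan_tree(root):
    """Scan template files under root; return sorted [(rel_path, line_no, src)]."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in TEMPLATE_EXTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            for line_no, src in hidden_iframes(text):
                findings.append((path.relative_to(root).as_posix(), line_no, src))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample mirroring the shape of the tag quoted in the question.
    sample = ('<cfoutput>#title#</cfoutput>\n<iframe scrolling="no" frameborder="0" '
              'src="http://injected.example/" width="0" height="1"></iframe>\n')
    print(hidden_iframes(sample))
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s:%d hidden iframe -> %s" % finding)
```

Run on a schedule against the web root, a new finding together with the file's modification time narrows down when the write happened, which can then be matched against FTP and web server logs.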