Question

php virus written to CF temp file

  • August 31, 2012
  • 2 replies
  • 1807 views

We are encountering an issue with PHP virus files being written to the CF temp file location at \runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp. We have turned off file uploading scripts but we're still getting the virus files, usually in groups of three. Has anyone else seen this behavior?

Glenn Peterson


    Charlie Arehart
    Community Expert
    September 4, 2012

    Glenn, here are 3 things to consider about your challenge, first a way the files could be getting there, and then two tips about analyzing the web server logs for this:

    1) I can appreciate why you’d think that the files can only be uploaded to “uploading scripts”, and that if you’ve “turned them off” then it should no longer be possible for uploads to take place. But there’s at least one way that they could end up there. It’s a surprise to most folks: in fact ANY CF page can receive a file upload, and it will in fact be placed in that CF temp directory.

    Now, most folks understandably assume that only a page with a CFFILE Action=”upload” can “receive a file upload”, but all that tag really does is move the uploaded file from that temp directory to the location named in the tag’s DESTINATION attribute. But indeed any page can receive an uploaded file and will place it in that temp dir. For more on that, including demonstration code, see an old blog entry I did on it, http://www.carehart.org/blog/client/index.cfm/2006/5/7/cfform_not_doing_upload.

    But note there that I observed that a file uploaded to such a CF page should automatically be removed at the end of the request (at least it was back then when I wrote that in 2006). Are you seeing these files “stick around” a long time? If so, then there may be some change, or some other explanation. What version of CF is this on?

    2) As for trying to find evidence of the upload in the web server logs, while you can’t get them to list the files uploaded, you can enable them to track bytes received per request (the count of bytes received from the client to the server). You could then find which requests are doing any significant uploads, and for those, from what IP, and to what hostname and page.

    3) As for searching 2gb logs (mentioned in a later note in the thread), here are two tips for that. Of course, if you’re on Linux, GREP can handle that pretty well. On Windows, here are two free tools that can help: FileLocator Lite (to search for files by name or text, really fast, even gigs of file content), and Universal Viewer (which can open even a 2GB file in a second). I’ve blogged more on each of these:

    http://www.carehart.org/blog/client/index.cfm/2009/12/2/faster_better_file_searching

    http://www.carehart.org/blog/client/index.cfm/2010/10/15/viewing_large_log_files_with_universalviewer

    Let us know if any of this info helps.

    /charlie

    /Charlie (troubleshooter, carehart.org)

    glennpmn (Author)
    Participant
    September 4, 2012

    Thanks, Charlie, for taking the time to compose such a fulsome response. This information will be helpful. We think CF is behaving as it should (we're still on 8 at this point) and that we have mitigated risk to the point where we are comfortable. We are looking for areas we might have missed.

    Glenn

    Miguel-F
    Inspiring
    August 31, 2012

    Check your log files. Can you tell where the files are being written from? I mean, if they are coming from a file upload you should see the traffic in your webserver log files.

    glennpmn (Author)
    Participant
    August 31, 2012

    Thanks, checking the log files is a good idea (wish they weren't 2 Gig). What they're being written from is what we're trying to track down.

    Miguel-F
    Inspiring
    August 31, 2012

    You should be able to search the log files for the filename that was uploaded.

    What I meant by where they are being written is that if you find the log entry for when the file was uploaded it should also contain the ip address from where it came. Hopefully you can track it down.
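The log-analysis approach described in Charlie's points 2 and 3 and in Miguel-F's replies (enable bytes-received logging, find the requests that sent large bodies, group them by source IP, host and page, and search a very large log for a known filename) as an added example; this is not code from the thread or from any of the posters. It assumes IIS W3C extended log format with the cs-bytes field enabled and uses a constructed sample log, so the IPs, hostnames and page names are placeholders, not data from the thread.

```python
"""Added example (not from the thread): locate likely file uploads in IIS W3C
extended logs by bytes received, and search a large log for a given string.

Assumption: the log has the cs-bytes column (bytes received from the client)
enabled, which is the counter Charlie suggests turning on. Column order is
taken from the #Fields header rather than hard-coded.
"""
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample log (not real traffic). Three large POSTs from one IP to a
# page that is not an "upload script" mimic the "groups of three" pattern.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status cs-bytes sc-bytes
2012-08-31 02:14:07 10.0.0.5 GET /index.cfm - 80 - 203.0.113.9 Mozilla/5.0 www.example.com 200 412 5120
2012-08-31 02:14:09 10.0.0.5 POST /about.cfm - 80 - 198.51.100.23 Mozilla/5.0 www.example.com 200 184320 310
2012-08-31 02:14:10 10.0.0.5 POST /about.cfm - 80 - 198.51.100.23 Mozilla/5.0 www.example.com 200 176128 310
2012-08-31 02:14:11 10.0.0.5 POST /about.cfm - 80 - 198.51.100.23 Mozilla/5.0 www.example.com 200 190464 310
2012-08-31 02:15:30 10.0.0.5 GET /images/logo.png - 80 - 203.0.113.9 Mozilla/5.0 www.example.com 200 390 22000
2012-08-31 02:16:02 10.0.0.5 POST /contact.cfm - 80 - 192.0.2.77 curl/7.21 www.example.com 200 2048 512
"""


@dataclass
class Request:
    time: str
    client_ip: str
    host: str
    method: str
    page: str
    bytes_received: int


def parse_w3c(lines: Iterable[str]) -> Iterator[Request]:
    """Stream-parse W3C log lines; column order comes from the #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can repeat when IIS rolls the log
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if not fields:
            raise ValueError("log data appeared before a #Fields header")
        cols = line.split()
        if len(cols) != len(fields):
            continue  # truncated or garbled line: skip rather than misalign columns
        row = dict(zip(fields, cols))
        yield Request(
            time=f"{row['date']} {row['time']}",
            client_ip=row["c-ip"],
            host=row.get("cs-host", "-"),
            method=row["cs-method"],
            page=row["cs-uri-stem"],
            bytes_received=int(row["cs-bytes"]),
        )


def likely_uploads(reqs: Iterable[Request], min_bytes: int = 64 * 1024) -> List[Request]:
    """POSTs whose request body is large enough to carry a file: upload candidates."""
    return [r for r in reqs if r.method == "POST" and r.bytes_received >= min_bytes]


def summarize(reqs: Iterable[Request]) -> Dict[Tuple[str, str, str], int]:
    """Count candidates per (client IP, host, page) so bursts from one source stand out."""
    return dict(Counter((r.client_ip, r.host, r.page) for r in reqs))


def grep_log(lines: Iterable[str], needle: str) -> List[str]:
    """Literal search (e.g. for a dropped file's name), one line at a time so a
    multi-GB log is never loaded into memory at once."""
    return [ln.rstrip("\n") for ln in lines if needle in ln]


def scan_file(path: str, min_bytes: int = 64 * 1024) -> Dict[Tuple[str, str, str], int]:
    """Run the full pipeline over a log file on disk without reading it whole."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(likely_uploads(parse_w3c(fh), min_bytes))


if __name__ == "__main__":
    # Usage: python find_uploads.py [path/to/u_ex120831.log]; defaults to the sample.
    if len(sys.argv) > 1:
        report = scan_file(sys.argv[1])
    else:
        report = summarize(likely_uploads(parse_w3c(SAMPLE_LOG.splitlines())))
    for (ip, host, page), n in sorted(report.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} large POST(s)  {ip:<16} {host:<24} {page}")
```

The 64 KB threshold is an assumption; set it just below the size of the smallest dropped file you have found in the temp directory so that every upload of that size shows up. Once a (client IP, page) pair is isolated, `grep_log` over the same file narrows the window to the exact requests, which is the log entry Miguel-F describes as carrying the source IP.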