Inspiring
November 23, 2015
Question

We have been hacked... appreciate any help...


Running CF Version  9,0,1,274733

One of our error reports showed:

----------------------------------------------------------------

Error Page: /CFIDE/beta.cfm

Query String: page=quickly

HTTP Referer: [removed for this post]/CFIDE/beta.cfm?page=quickly

Diagnostics: ColdFusion could not delete the file C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\session_log0.txt for an unknown reason.

----------------------------------------------------------------

This pointed us to that beta.cfm file that was somehow put into the CFIDE root.  No FTP access to that directory and they have cleared the CF logs so no real record of what might have been done.  Did find a few CF files that had been modified around the same time but nothing in them seemed out of the ordinary.  Have removed access to them for now to be safe.

Any suggestions on where to start to figure out how they got that file into the CFIDE root?  I do have the file (moved out of CFIDE) which I can supply but it's encrypted...

Appreciate any help.



    fred fAuthor
    Inspiring
    November 25, 2015

    Hi Charlie and Pete,

    All still nice and quiet here but still getting lots of:

    -------------------------------------------

    "Information","jrpp-1015","11/24/15","19:23:23",,"Starting HTTP request {URL='http://lineronline.com:80/cgi-bin/vc.cgi', method='get'}"

    "Information","jrpp-1015","11/24/15","19:23:24",,"HTTP request completed  {Status Code=200 ,Time taken=306 ms}"

    --------------------------------------------

    in our http.log file...

    Any thoughts on how to block and how those calls are being done anyways?

    Thanks,

    Fred

    fred fAuthor
    Inspiring
    November 25, 2015

    Might have solved the lineronline.com issue... if so, might be back to all known issues resolved... just wanted to update you both as really appreciated your help.

    Charlie Arehart
    Community Expert
    November 25, 2015

    Fred, thanks for the update, and the good news.

    Would you be willing to share where you found those bogus calls (since it stumped you at first)? It may help others. I'll say that I would have proposed using the search tool to search any and all CF files and extensions (*.*cf*), on all drives, because it could be that the bad guys somehow put the code to do it somewhere where you may not think to look, but that they had enabled to be executable from within CF.

    As for your previous note, and with regard to your preference of AgentRansack as a search tool, just note that that is the same thing as File Locator Lite. :-) I love it too, and have blogged about it for years. In fact, I complained of the same concern about the AR name to the vendor, explaining that I'd recommend it to people only to find later that it was removed because the name scared off others who saw it on their server. At first he was reluctant to change the name, but did finally, offering it with both names, but for some reason still preferring to list AR as the "main" version of the tool as he offers it on the site. :-(

    Anyway, glad to hear that you feel all is well for you now.

    /Charlie (troubleshooter, carehart.org)
    pete_freitag
    Participating Frequently
    November 23, 2015

    Hi Fred,

    Very sorry to hear that.

    My guess as to how the file got there would be by exploiting APSB13-03. Using that exploit, attackers can create a scheduled task that writes the result of the task to a file (typically under /CFIDE because the mapping always exists and is often publicly exposed).

    For CF9 you cannot be sure what hotfixes are applied by just the version number, so it is hard to say if you have applied the hotfix for that, however even if you had applied the hotfix an attacker might have exploited it years ago and left a backdoor on your server. FYI my company has a product called HackMyCF which does a scan of your server to determine which hotfixes are applied, it can even find some backdoors.

    My advice when dealing with a hacked server is always to start fresh, new server, new CF install, and then review the application source code before putting it on the new server (to make sure other backdoors have not been added).

    fred fAuthor
    Inspiring
    November 23, 2015

    Thanks Pete.  Appreciated.

    We actually signed up for your HackMyCF product about an hour ago.  Having Ben Forta recommend it put it high in my books.

    We had all hotfixes aside from APSB14-23 installed and now that one has been added as well.

    We also limited access to adminapi which was exposed.  For a quick fix we just used IIS request filtering but will look at the correct way to do it since request filtering stops us from accessing the CF admin panel even locally on the machine.

    Shows we now just have 1 important (CFTOKEN is not a UUID) and 6 warnings.

    And I agree about starting fresh but not something we can do quick enough not to majorly impact our clients so looking to hopefully deal with current situation and buy the time needed.

    In the http.log I'm seeing a lot of lines of:

    ----------------------------------------------------

    "Information","jrpp-58","11/23/15","16:04:54",,"Starting HTTP request {URL='http://lineronline.com:80/cgi-bin/vc.cgi', method='get'}"

    "Information","jrpp-58","11/23/15","16:04:54",,"HTTP request completed  {Status Code=200 ,Time taken=297 ms}"

    ----------------------------------------------------

    Possibly related?  And how would you deal with shutting that down regardless if related or not...

    Any further thoughts?

    Thanks again.  Any and all help very appreciated.

    Fred

    pete_freitag
    Participating Frequently
    November 23, 2015

    Thanks for signing up Fred!

    Yes, request filtering is a good way to go. I would set up a dedicated website that you use to access the CF administrator. This stuff is all covered in the ColdFusion 9 Lockdown Guide as well, so I would recommend looking through that and following any steps you can. Also, CF9 is considered an End Of Life product by Adobe; you should plan on upgrading to CF10 or CF11 so you can get the latest security hotfixes.

    As for figuring out that http call, I would search your server for cfhttp calls and inspect them. You mentioned that the file might have been encoded using cfencode, you can look for encoded files by searching for files containing the string: SourceFile  /
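An added example, not code from any poster in this thread, that automates the two checks discussed above: pulling the destination hosts out of the http.log lines Fred quoted, and searching CF source files for cfhttp calls and the cfencode marker Pete mentions. The host api.example.com, the C:/inetpub/wwwroot paths and all file contents are constructed for the example.

```python
import re
from collections import Counter
from pathlib import Path
from urllib.parse import urlparse

# "Starting HTTP request" entries as ColdFusion writes them to http.log
HTTP_START = re.compile(r"Starting HTTP request \{URL='([^']+)', method='(\w+)'\}")
# <cfhttp ...> tags carrying a literal url attribute
CFHTTP_URL = re.compile(r"<cfhttp\b[^>]*\burl\s*=\s*[\"']([^\"']+)", re.IGNORECASE)

def outbound_hosts(log_text, allowed_hosts=()):
    """Count destination hosts of cfhttp calls in http.log, skipping known-good hosts."""
    allowed = {h.lower() for h in allowed_hosts}
    counts = Counter()
    for line in log_text.splitlines():
        m = HTTP_START.search(line)
        if m:
            host = (urlparse(m.group(1)).hostname or "").lower()
            if host not in allowed:
                counts[host] += 1
    return counts

def scan_cf_sources(files):
    """files: iterable of (path, text); returns (path, reason) pairs worth a manual look."""
    findings = []
    for path, text in files:
        if "SourceFile" in text:  # marker the thread suggests for cfencode'd templates
            findings.append((path, "possible cfencode-encoded template"))
        for url in CFHTTP_URL.findall(text):
            findings.append((path, "cfhttp to " + url))
    return findings

def iter_cf_files(root):
    """Yield (path, text) for every *.cf* file under root; run it per drive, as Charlie suggests."""
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower().startswith(".cf"):
            yield str(p), p.read_text(errors="replace")

# Constructed sample: two lines quoted in the thread plus one hypothetical known-good call
SAMPLE_LOG = """\
"Information","jrpp-58","11/23/15","16:04:54",,"Starting HTTP request {URL='http://lineronline.com:80/cgi-bin/vc.cgi', method='get'}"
"Information","jrpp-58","11/23/15","16:04:54",,"HTTP request completed  {Status Code=200 ,Time taken=297 ms}"
"Information","jrpp-59","11/23/15","16:05:10",,"Starting HTTP request {URL='https://api.example.com/rates', method='get'}"
"""
SAMPLE_FILES = [  # constructed file contents, not the thread's actual beta.cfm
    ("C:/inetpub/wwwroot/CFIDE/suspect.cfm", "SourceFile  /wwwroot/CFIDE/suspect.cfm <constructed encoded body>"),
    ("C:/inetpub/wwwroot/app/ping.cfm", "<cfhttp url='http://lineronline.com:80/cgi-bin/vc.cgi' method='get'>"),
    ("C:/inetpub/wwwroot/app/index.cfm", "<cfoutput>#now()#</cfoutput>"),
]
SUSPECT_HOSTS = outbound_hosts(SAMPLE_LOG, allowed_hosts=["api.example.com"])  # -> {'lineronline.com': 1}
```

On a real server, feed the actual log text to outbound_hosts and call scan_cf_sources(iter_cf_files(r"C:\inetpub\wwwroot")) with your own webroot in place of the placeholder path. Any cfhttp hit whose target you do not recognise, and any file flagged as encoded in a directory you never deploy to, is the place to start reading.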