WolfShade
Legend
December 4, 2011
Question

Changes made to a .cfm file are being over-written as page loads


Hello, everyone.

I'm stuck with something that acts almost as if there is a virus on the hosting service web server, and I'm at a loss on how to correct this issue.

The website that I'm working on has recently been subjected to SQL injection.  I have corrected this by putting everything that accesses the database into CFQUERYPARAM tags.  That stopped the SQL injection.

Since that has been fixed, I think the site has become the victim of yet another attack.

The site has a custom built CMS.  Now, whenever anyone tries to log on to the CMS, an error message is given relating to a CFCATCH tag that is not nested inside a CFTRY.

Here's how it goes:

1. I use Dreamweaver to open the file and remove the extra CFCATCH tag.

2. I save it and put it to the server.

3. I get the file and open it, again, to see that my change is still there.

4. I try to log on to the CMS, and get the error message, again.

5. I get the file and open it, again, to see that MY CHANGE HAS BEEN OVER-WRITTEN with the original offending code.

Has anyone run across this, before?  Both myself and the tech support guy at the hosting service are scratching our heads over this one.  How do I keep this from happening??

Thanks,

_


    Community Expert
    December 4, 2011

    First, did you identify exactly what happened as a result of the SQL injection?

    Second, have you tried stopping and starting various services? My guess is that they've done something intentional to lock down sensitive areas to prevent further problems.

    Dave Watts, CTO, Fig Leaf Software

    Dave Watts, Eidolon LLC
    WolfShade
    Legend
    December 4, 2011

    Hi, Dave.

    The SQL injection was inserting a redirect script into many public-accessed data columns (house listings, realtor agent bios).  I cleaned out the offending code, and then used the CFQUERYPARAM to prevent future infections.  It was shortly after this that the current issue started popping up.

    The server is not mine to start or stop anything on.  It belongs to a hosting service.  And I've been on the phone with a guy on their tech support.  I've never seen anything like this, before, and neither has he.  It did take us about ten minutes to discover that it's the action of the browser loading the page which is apparently causing the code to revert back.  Makes me think "virus".  But he is of the opinion that the server is not infected with a virus/trojan, and it's now obvious that it's not anything that the hosting service is doing.

    Scratching my head on this one.

    ^_^

    Participating Frequently
    December 4, 2011

    Often in this kind of attack more than just one site is infected. I have seen servers with bad services installed and running.

    It is also possible that some included file or application.cfc has been added and running on page view.
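The last reply points at an added include or application.cfc that runs on every page view. The Python script below is an added example, not code from anyone in the thread: it lists the Application.cfc, Application.cfm and OnRequestEnd.cfm files between a page and the webroot, follows static cfinclude tags, and reports CFML that writes files. The function names and the reading of a leading "/" as the webroot are assumptions.

```python
import re
from pathlib import Path

# Files ColdFusion may run implicitly around a page request.
IMPLICIT = ("application.cfc", "application.cfm", "onrequestend.cfm")
# CFML tags and functions that create or replace files on disk.
WRITE_RE = re.compile(
    r"<cffile\b[^>]*\baction\s*=\s*[\"']?(?:write|append|copy|move|rename|upload)"
    r"|\bfile(?:write|copy|move)\s*\(", re.IGNORECASE)
# Static includes only; templates built from #variables# need manual review.
INCLUDE_RE = re.compile(
    r"<cfinclude\b[^>]*\btemplate\s*=\s*[\"']([^\"'#]+)[\"']", re.IGNORECASE)


def implicit_files(webroot, page):
    """Implicit templates in each directory from the page up to the webroot."""
    webroot, folder = Path(webroot).resolve(), Path(page).resolve().parent
    found = []
    while folder == webroot or webroot in folder.parents:
        found += sorted(p for p in folder.iterdir()
                        if p.is_file() and p.name.lower() in IMPLICIT)
        if folder == webroot:
            break
        folder = folder.parent
    return found


def find_writers(webroot, page):
    """Return (path, line number, line) for file-writing CFML a request can reach."""
    webroot = Path(webroot).resolve()
    queue = [Path(page).resolve()] + implicit_files(webroot, page)
    seen, hits = set(), []
    while queue:
        path = queue.pop()
        if path in seen or not path.is_file():
            continue
        seen.add(path)
        text = path.read_text(errors="replace")
        lines = text.split("\n")
        for match in WRITE_RE.finditer(text):
            number = text.count("\n", 0, match.start()) + 1
            hits.append((path, number, lines[number - 1].strip()))
        for template in INCLUDE_RE.findall(text):
            # Assumption: a leading "/" means the webroot, not a ColdFusion mapping.
            base = webroot if template.startswith("/") else path.parent
            queue.append((base / template.lstrip("/")).resolve())
    return sorted(hits)
```

Run it against a copy of the site pulled from the server and compare every reported file with a known-good backup; a hit in a file that is not in the backup is the one to read first.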