Changes made to a .cfm file are being over-written as page loads

LEGEND
Dec 04, 2011

Hello, everyone.

I'm stuck with something that acts almost as if there is a virus on the hosting service web server, and I'm at a loss on how to correct this issue.

The website that I'm working on has recently been subjected to SQL injection.  I have corrected this by putting everything that accesses the database into CFQUERYPARAM tags.  That stopped the SQL injection.

Since that has been fixed, I think the site has become the victim of yet another attack.

The site has a custom built CMS.  Now, whenever anyone tries to log on to the CMS, an error message is given relating to a CFCATCH tag that is not nested inside a CFTRY.

Here's how it goes:

1. I use DreamWeaver to open the file and remove the extra CFCATCH tag.

2. I save it and put it to the server.

3. I get the file and open it, again, to see that my change is still there.

4. I try to log on to the CMS, and get the error message, again.

5. I get the file and open it, again, to see that MY CHANGE HAS BEEN OVER-WRITTEN with the original offending code.

Has anyone run across this, before?  Both myself and the tech support guy at the hosting service are scratching our heads over this one.  How do I keep this from happening??

Thanks,

Community Expert
Dec 04, 2011

First, did you identify exactly what happened as a result of the SQL injection?

Second, have you tried stopping and starting various services? My guess is that they've done something intentional to lock down sensitive areas to prevent further problems.

Dave Watts, CTO, Fig Leaf Software

Dave Watts, Eidolon LLC
LEGEND
Dec 04, 2011

Hi, Dave.

The SQL injection was inserting a redirect script into many public-accessed data columns (house listings, realtor agent bios).  I cleaned out the offending code, and then used the CFQUERYPARAM to prevent future infections.  It was shortly after this that the current issue started popping up.

The server is not mine to start or stop anything on.  It belongs to a hosting service.  And I've been on the phone with a guy on their tech support.  I've never seen anything like this, before, and neither has he.  It did take us about ten minutes to discover that it's the action of the browser loading the page which is apparently causing the code to revert back.  Makes me think "virus".  But he is of the opinion that the server is not infected with a virus/trojan, and it's now obvious that it's not anything that the hosting service is doing.

Scratching my head on this one.

^_^

Engaged
Dec 04, 2011

Often in this kind of attack more than just one site is infected. I have seen servers with bad services installed and running.

It is also possible that some included file or application.cfc has been added and running on page view.

LEGEND
Dec 04, 2011

I can pass that along to the tech support guy and see what he thinks.

I've searched the application.cfm and the myGlobals.cfm file; there is no code present that isn't supposed to be, or anything that looks like might be doing this.

The site IS using FuseBox 3.  (Correction: FuseBox 4)  Is there another file that runs with every page load?

Thanks,

^_^

Community Expert
Dec 04, 2011

I don't know, but you could enable debugging and find out, I think.

Dave Watts, CTO, Fig Leaf Software

Dave Watts, Eidolon LLC
LEGEND
Dec 04, 2011

Here's the weird thing.

After calling the tech support and getting someone different (Sean), and after having been on the phone with Sean for about 20 minutes, the decision was made to try something.  I would make the change and upload it, as I've been doing, then Sean would set permissions on that file to read only, and I would refresh the page.  This resulted in a different error.  One of the FuseBox files errored out due to the file not being over-written.  (What??)  He made one other change to a file that I do not currently remember, he refreshed the page, and then undid everything he did.  And it's now working.

Yeah, I don't know.  I'm stumped.  This was a few hours ago, and it's still working.  I guess time will tell.  Still.. why would FuseBox be over-writing anything??

^_^

LEGEND
Dec 05, 2011

One of the FuseBox files errored out due to the file not being over-written.  (What??)  He made one other change to a file that I do not currently remember, he refreshed the page, and then undid everything he did.  And it's now working.

Yeah, I don't know.  I'm stumped.  This was a few hours ago, and it's still working.  I guess time will tell.  Still.. why would FuseBox be over-writing anything??

By the sounds of it the file you edited was one of the Fusebox parsed files, which - if Fusebox is configured wrong - get re-written every time the relevant circuit is called.

What dir was the file in?

--

Adam

LEGEND
Dec 05, 2011

The file that originally created the error message was in the parsed folder (/parsed/users.login.cfm).

LEGEND
Dec 05, 2011

The file that originally created the error message was in the parsed folder (/parsed/users.login.cfm).

Right.  You should not be messing with files in there, as Fusebox generates those from your circuit.xml.cfm files.  So that's why the files were being changed... because that's how things work with Fusebox by design.

What you need to do is to fix the problem properly, which'll be in the circuit.xml.cfm file in the users.login circuit.

Also: it sounds like your production server is in (Fusebox) developer mode, as those files should NOT be getting regenerated on every request.  You do not want your production server to be in dev mode, as it's a huge - and unnecessary - processing overhead.

--

Adam

LEGEND
Dec 05, 2011

But the /parsed/users.login.cfm file is the one that had the extra CFCATCH tag that was not nested inside a CFTRY.

As far as setting it for production vs development: How do I change that?  I'm not the one who originally designed/developed this site.  I've never been a fan of MVC frameworks.

Thanks,

^_^

LEGEND
Dec 05, 2011
LATEST

But the /parsed/users.login.cfm file is the one that had the extra CFCATCH tag that was not nested inside a CFTRY.

Did you read this bit from my last post:

Right.  You should not be messing with files in there, as Fusebox generates those from your circuit.xml.cfm files.  So that's why the files were being changed... because that's how things work with Fusebox by design.

Fusebox parses your circuit.xml.cfm files and generates CFML out of them, which is written to those parsed files.  So if those parsed files contain an error, then it's simply reflecting bungness in your circuit code, which is then reflected in the parsed files.  So you can monkey with the parsed files all you like, but they'll be replaced the next time Fusebox re-generates those files (in dev mode, that's every time a fuseaction in the given circuit is requested), and you will never be dealing with the actual issue.

As far as setting it for production vs development: How do I change that?  I'm not the one who originally designed/developed this site.

OK, well it's a Fusebox site, so starting by familiarising yourself with how fusebox works would be a good place to start.

I've never been a fan of MVC frameworks.

That is an exceptionally naive position to hold.  And either way, you're working on a Fusebox site, so you've kinda got a responsibility to be familiar with your environment.

So hit those Fusebox docs... 😉

--

Adam

Community Expert
Dec 04, 2011

Well, if it's a server you can't directly control, there isn't anything you can do. You need to be able to monitor the filesystem to determine what's making the changes, and that requires local administrative access. Whoever's managing this server should know how to do that. I'm guessing it's a Windows server. If so, use Process Monitor:

http://technet.microsoft.com/en-us/sysinternals/bb896645

Dave Watts, CTO, Fig Leaf Software

Dave Watts, Eidolon LLC
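The two threads of advice above, Dave's "monitor the filesystem to find out what is changing the file" and Adam's explanation that Fusebox regenerates everything under /parsed/ from the circuit.xml.cfm files, can be combined into a simple before/after integrity check that anyone with FTP or shell access can run, even without Process Monitor on the server. The script below is an added example written for this thread, not code from the original posts or from Fusebox: it hashes every file under a web root, lets you trigger the page load, hashes again, and then separates changes in directories you expect the framework to rewrite (here /parsed/) from changes anywhere else, which would point at something other than Fusebox. The web root, file names and contents in run_demo() are constructed stand-ins for the site discussed above.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(before, after, expected_prefixes=()):
    """Compare two snapshots and split the changes into expected and unexpected.

    expected_prefixes lists relative directories (e.g. "parsed/") that the
    framework is known to rewrite on its own; anything else that changed
    during the page load is flagged as unexpected and worth investigating.
    """
    modified = sorted(p for p in before if p in after and before[p] != after[p])
    added = sorted(p for p in after if p not in before)
    removed = sorted(p for p in before if p not in after)
    changed = modified + added
    expected = sorted(p for p in changed if p.startswith(tuple(expected_prefixes)))
    unexpected = sorted(p for p in changed if p not in expected)
    return {
        "modified": modified,
        "added": added,
        "removed": removed,
        "expected": expected,
        "unexpected": unexpected,
    }


def simulate_page_load(root, files_to_write):
    """Stand-in for a browser request hitting the server: write the given files."""
    for rel, content in files_to_write.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def run_demo():
    """Constructed scenario: a fake web root with a Fusebox-style layout."""
    results = {}
    expected = ("parsed/",)  # assumption: only Fusebox's parsed dir should change
    with tempfile.TemporaryDirectory() as root:
        simulate_page_load(root, {
            "Application.cfm": "<cfapplication name='cms'>",
            "circuits/users/circuit.xml.cfm": "<circuit><fuseaction name='login'/></circuit>",
            "parsed/users.login.cfm": "<!-- generated v1 -->",
        })
        baseline = snapshot(root)

        # Case 1: the page load only regenerates the parsed file (Fusebox dev mode).
        simulate_page_load(root, {"parsed/users.login.cfm": "<!-- generated v2 -->"})
        results["framework_only"] = diff_snapshots(baseline, snapshot(root), expected)

        # Case 2: the page load also rewrites a file outside /parsed/, which the
        # framework has no business touching; that is the signal to chase.
        baseline = snapshot(root)
        simulate_page_load(root, {
            "parsed/users.login.cfm": "<!-- generated v3 -->",
            "Application.cfm": "<cfapplication name='cms'><!-- unexpected edit -->",
        })
        results["unexpected"] = diff_snapshots(baseline, snapshot(root), expected)
    return results


if __name__ == "__main__":
    for case, report in run_demo().items():
        print(case, report)
```

In practice you would run snapshot() over the real web root, load the failing CMS page in a browser, run it again and call diff_snapshots() with the parsed directory as the only expected prefix; if nothing outside /parsed/ changes, the behaviour is Fusebox regenerating its output as Adam describes, and the fix belongs in circuit.xml.cfm and the framework mode setting rather than in the generated file.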