ColdFusion Process Outbound Connection Via SSH port.

Report · Jul 11, 2025

I am observing an outbound connection initiated by the process coldfusion.exe over the SSH port. The destination IP is not flagged as malicious on VirusTotal. Could you please advise if this is a legitimate process behavior by coldfusion, or should I investigate this activity further?

Report · Jul 11, 2025

I'd investigate further. This isn't something CF does automatically to arbitrary hosts, I think - someone please correct me if I'm wrong about that - but it's conceivably something your CF developers might do. What's the DNS name of the IP address?

Dave Watts, Eidolon LLC

Report · Jul 12, 2025

I think you are right, @Dave Watts . ColdFusion would not automatically connect to an arbitrary host via an SSH port. Unless, of course, there is a legitimate reason.

@Bhavya_Mittal8762 , here are some notes and suggestions.

1. Possible legitimate uses for an SSH connection:

A developer may have written CFML code that uses SSH/SFTP to connect to another server (for example, to upload files, transfer data, or trigger a remote script).
ColdFusion could be using a Java library (such as JSch) behind the scenes for SSH functionality, and since ColdFusion is Java-based, the process would show as coldfusion.exe.
Your ColdFusion application could be uploading/downloading files via SFTP (SSH File Transfer Protocol),
ColdFusion could have been scripted to connect to remote systems via SSH to execute commands (for example, for deployment or automation tasks).

If none of the above apply, it's a red flag. You should investigate further, looking to detect malicious activity.

2. Potentially malicious or suspicious scenarios:

Your ColdFusion server might have been compromised. If your server has been compromised, malware running inside coldfusion.exe could be using SSH to secretly export data or to connect to a "command-and-control" server.
A malicious backdoor, CFML script or Java class could be running SSH connections from within ColdFusion.

3. Steps you can undertake

Search for any use of ssh, sftp or external libraries in your CFML codebase. Look for scheduled tasks, CF jobs or background processes that might be performing SSH actions.
Check file integrity, especially within wwwroot and custom tag directories. Are there any suspicious files or directories there?
Use a tool such as netstat, TCPView, or Wireshark to inspect where exactly the SSH connection is going.
Run a malware scan on the server.

Report · Jul 15, 2025

I have checked the destination IPs they all are not flaged malicous by virustotal and other threat enrichment platform as well these IPs are refering towards- MICROSOFT-CORP-MSN-AS-BLOCK And Amazon.

Report · Jul 16, 2025

That is a good check to start with. Next, you have to answer the question why ColdFusion is making an SSH connection to MICROSOFT-CORP-MSN-AS-BLOCK and Amazon.

Report · Jul 23, 2025

I do not have the access to the firewall I have SIEM insatalled in it.

Report · Jul 24, 2025

@Bhavya_Mittal8762 , we cannot tell you what is safe on your server and what is not. You have to determine that yourself.

I suggested 4 steps you can do. Have you done them? If so, what is the result?