Welcome Dialog

Welcome to the Community!

We have a brand new look! Take a tour with us and explore the latest updates on Adobe Support Community.


Help me figure this hack out.

New Here ,
Dec 28, 2012 Dec 28, 2012

Copy link to clipboard

Copied

So as i was opening my presents with my family Christmas morning when my web server emailed me to let me know that a file had been created in my /CFIDE/ folder. This file was h.cfm and it was a nifty little tool used to scan files - copy files - dump SQL passwords - run commands - upload files ect....

My setup is CF9.0.1 on win server 2008 with mySQL5.5 . The servers only purpose is to host a few websites for my company. I poured over my IIS logs and could not find any trace of a connection to the webserver while this was happening. I then started looking at the http.log file in coldfusion server and found that it contained 2 entries at the time of the attack. Both looked like this... note i've removed the IP of the server. This file is the file that was uploaded to my server.

25-Dec-2012    6:54 AM    Information    jrpp-6969  Starting HTTP request {URL='http://IPAddress:80/CFIDE/h9.txt', method='get'} 

There was nothing before this connection and nothing after it.  It looks like some how my server was told to make a call to here.  Nothing in any logs regarding the use of the h.cfm, no loggs in IIS showing suspicious page hit before and nothign suspicious after.

Am i missing something??? this is driving me nuts! The other weird thing about this attack was that they didn't touch any websites they copied the ColdFusion9\updater_backup\ folder and a few other odd things off the server.

Any insight into anything that went on would be helpful... even if it's just a guess that points me in the right direction.

Thanks,

JB.

Views

41.3K

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Adobe Community Professional , Dec 28, 2012 Dec 28, 2012
@JB, that's indeed a gnarly one. I found I'd been hit by it as well (also on Dec 25, in my case at 12:31am). Happy freakin' holidays.  So thanks very much for for sharing this news.I do have answers for you, and also info for others who may come across this.How it got there:As for your not having found any trace of it, I suspect it's because you're looking in the IIS logs for some one site--but it must then have gotten in on another site (either one you're not considering, or one for which you'...

Likes

Translate

Translate
Adobe Community Professional ,
Jun 11, 2013 Jun 11, 2013

Copy link to clipboard

Copied

LATEST

So sorry for missing this, Pierre. I could certainly help, and do appreciate why some people feel it's too much to try on their own. If you're still interested, please drop me a note directly at charlie@carehart.org.    


/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
    • 1
    • 2