
Iframe Injection Attack in ColdFusion

New Here, Sep 10, 2012

Hi,

Recently one of my sites has been hit with an iframe injection:

<iframe scrolling="no" frameborder="0" src="the source changes but normally htttp://collegefun4u.com/" width="0" height="1"></iframe>

It happens at random times and gets inserted in random include files.

We have clean scanned all computers + server for viruses, changed all ftp/remote desktop passwords but the problem still occurs.

I don't think that it's an SQL injection attack because it is not hitting the database and only being injected into include files.

Some advice would really be appreciated as I have tried extensively to get rid of it to no avail!

I am currently using CF9 running on a Windows 2003 server.

Thanks!

Advocate, Sep 10, 2012

I'm afraid you don't give us much to go on.

Are all of the include files in the same directory?

It could be any number of things from an FTP exploit (just changing passwords may not be enough) to a completely unrelated page being exploited to rewrite other files.

There is really no way of telling, based on what you have provided, what the problem is. If you're looking for a known exploit that would make this possible, there are none that I am aware of.

If you can, I would say disable your FTP when it is not in use and see if the problem stops.  Is your FTP open to the internet?  If so, does it need to be?  Could you block that port and see if the problem stops?

That could give you a TON of information right there. Also make sure the firewall is adequately protecting your server. No unneeded ports open.

Jason

New Here, Sep 10, 2012

Sorry, I know it's a bit vague.

Our includes are currently sitting in the same folder, yes. We also have multiple template folders etc.

I will disable ftp and see if that solves the problem. If it doesn't, at least we can eliminate it.

The only issue is that the attack happens at random intervals, sometimes within hours, sometimes within minutes, so I apologize if I don't respond straight away.

Thanks!

Explorer, Sep 26, 2012

set all your files on the server to readonly mod 444

LEGEND, Sep 26, 2012

It's a Windows server.  mod 444 doesn't work.. but setting the files to read only might.  Still.. what a pain..  hope the issue has been resolved.

^_^
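
A detection aid for the situation described in this thread, added here as an example and not posted by any participant: it walks a web root, flags iframes sized 0 or 1 pixel like the one quoted in the first post, and reports each file's last-modified time. The extension list, the sample include file and the `injected.example` host are constructed assumptions.

```python
import os
import re
import sys
import time

# Assumed list of include/template extensions; adjust to the site's own.
SCAN_EXTS = (".cfm", ".cfc", ".cfml", ".inc", ".htm", ".html", ".js")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""\b(width|height|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

# Constructed sample include file: one legitimate iframe, one injected-style one.
SAMPLE = (
    '<cfoutput>#pageTitle#</cfoutput>\n'
    '<iframe src="/reports/summary.cfm" width="600" height="400"></iframe>\n'
    '<iframe scrolling="no" frameborder="0" src="http://injected.example/" width="0" height="1"></iframe>\n'
)

def _px(value):
    """Leading integer of a width/height attribute value, or None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def find_hidden_iframes(text):
    """Return (line, src) for every iframe whose width or height is 0 or 1."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = {a.group(1).lower(): a.group(2) or a.group(3) or a.group(4) or ""
                 for a in ATTR_RE.finditer(m.group(0))}
        dims = [_px(attrs.get("width")), _px(attrs.get("height"))]
        if any(d is not None and d <= 1 for d in dims):
            hits.append((text.count("\n", 0, m.start()) + 1, attrs.get("src", "")))
    return hits

def scan_tree(root):
    """Scan files under root; each finding carries the file's mtime in UTC."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            stamp = time.strftime("%Y-%m-%d %H:%M:%SZ", time.gmtime(os.path.getmtime(path)))
            for line, src in find_hidden_iframes(text):
                findings.append({"path": path, "line": line, "src": src, "modified": stamp})
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    for f in scan_tree(sys.argv[1]):
        print(f["modified"], f["path"], "line", f["line"], f["src"])
```

Run on a schedule against the web root, the modified time of each hit gives a window to compare against FTP and web server logs when looking for how the files were written.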
