I need help. For the second time in three months every single .cfm page has a malicous cross-site script appended to the orginal code. It looks something like this:
I'm having a really hard time trying to figure out where this might be coming from, or where the vulnerability is. Has anyone been affected by the same scripting attack? I'm running a windows 2003 server, fusebox 4.0 framework on MS SQL database. Thanks for any help or any leds that might help solve this problem!
1 Correct answer
This is what you have:
http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
Ken Ford
Adobe Community Expert - Dreamweaver/ColdFusion
Adobe Certified Expert - Dreamweaver CS4
Adobe Certified Expert - ColdFusion 8
Fordwebs, LLC
http://www.fordwebs.com
http://www.cfnoob.com
5
Replies
This problem is necessarily caused by modification of the server-side script files. Therefore, it is necessary that the server must have been compromised. On a shared server, this is "more or less to be expected," since hundreds if not thousands of people other than yourself have accounts on the same server(s). However, there is a lot that you can do to preven it: it only takes a couple of extra steps.
- Always use sftp (secure FTP) to transfer files and to establish host sessions. Many hosting companies allow you to disable non-secure FTP, and you should do so.
- Protect your username/password as robustly as you can. "password1234" is an extremely common password, as is "password."
- After transferring files to your computer, use chown (Unix), cacls (Windows), or its equivalent to secure the files against anyone, including yourself. (You can always countermand your directives later, the next time you're ready to update the site.) This will at-least require the intruder to have compromised your account, not someone else's.
- In that same vein, don't forget to secure all of the parent directories! "It'll do no damn good at all" if the intruder can replace your carefully-secured directory, in its entirety, with an altered one!
- Make backups!
- If your site permits any sort of user-contributed content to be provided, make absolutely sure it is well-filtered.
- "Think like a pirate." ("RRRRRrrrrrrrr!!") Web-site compromises are always "crimes of opportunity." Many a cat-burglar has made a good living by trying each door in a neighborhood while carrying a pizza box.
AdChoices