SQL injection embedded .js file to execute CF hack

New Here, Jul 27, 2008

I am a programmer sent to investigate suspicious activity at a client's web application. I cannot attach a file in case of infection potential. The ColdFusion code is open to SQL injection attack, which is how we believe the Apache web server became infected. Upon investigation we found JavaScript files which had been written with CFML code programmatically scripted to fit within a .js JavaScript file and write and read data from the server.

Has ANYONE seen this type of attack before? I cannot disclose the client or specific data as we are under an NDA (Non-Disclosure Agreement); however, I need the help of other ColdFusion programmers to fully understand this attack. Has anyone seen CFML code programmed into a .js JavaScript file and run by calling the .js JavaScript file before?

We have found Japanese or Chinese language within the code and within files on the server. The client states they have NOT installed any language packs or anything referencing languages other than English. There have been Japanese characters found on the database server. There are hundreds of .js and .xml files on the server which reference Japanese. Furthermore, we have found many XML files on the server, but the client does not use .xml, so these .xml files would then be foreign and potentially programmatically scripted by the server launching code to write these files under the unknowing eyes of the client.

So we need to understand the limits or potential threats:
1. Can CFML scripting be embedded into a .js JavaScript file?
2. If database parameters are not locked, what are the possible attacks available to SQL injection?

Any help would be appreciated.
Thank you in advance.
Alex Dove
LEGEND, Jul 27, 2008
1. Only if the server is set to parse a .js file as CFML

2. A lot!

http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already

http://www.forta.com/blog/index.cfm/2008/7/23/Hacker-Webzine-Recommends-Use-Of-CFQUERYPARAM

--
Ken Ford
Adobe Community Expert - Dreamweaver/ColdFusion
Fordwebs, LLC
http://www.fordwebs.com


"ajdove" <webforumsuser@macromedia.com> wrote in message news:g6jbdj$gmk$1@forums.macromedia.com...
Advocate, Jul 27, 2008
> 2. If database parameters are not locked, what are the possible attacks available to SQL injection

Absolutely anything can be done that the user set up in the datasource can do. If the user has rights to drop tables, then a SQL injection attack could drop whole tables, etc.

That said, it sounds like there are new files on the server (you reference new .js files and .xml files). Are there any sections of the site that allow users to upload files? What other services are running on the server that are accepting connections? Sounds like there's more going on than a simple SQL injection attack.
New Here, Jul 27, 2008
Thank you for the quick reply.
Since the last backup, less than a month ago, there have been around 78 new .js JavaScript files written to the server. The client is not writing any of them. As for uploading files from the outside, no; however, there are forms on the site. The first indication that there were problems was that the client began seeing Chinese characters added to their home page.

We also found other files on the system with which we were unfamiliar, such as a cfform.js file and an ehlpdhtm.js file, but further investigation seems to indicate that these are installed as part of the original install. We initially thought these files, as they had functions to capture keystrokes and other window behaviors, were viral, but they may not be in the end. However, the other files we have found do indicate malicious intent. We believe that the extra .js and .xml files are being replicated with similar file names on the server to mask their true intent.

Is there any reason why a server would have Chinese files on it from the original install if the administrator did not select to have the files loaded? On doing searches on the server and sub-folders, we found numerous files with _ja.xml or _ja.js which seem to mimic the file nomenclature of language files for server interpretation. I searched and found NO other languages on the server which are supported by ColdFusion, only English and Japanese.

Is there a way to find out which file names come from an original install? We would like to use this to match against what we are currently seeing to be able to establish a baseline to work from.
Advocate, Jul 27, 2008
> Is there a way to find out which file names come from an original install? We would like to use this to match against what we are currently seeing to be able to establish a baseline to work from.

Yeah, do an install to a different folder. Then you can do a diff -r between that and the current CF folder.

Is Apache all updated? What modules are loaded/activated?
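A scripted form of that baseline comparison, added here as an example and not code from the thread: it lists files present in the live tree but absent from a clean install, and flags any new .js or .xml file that contains CFML tags (which a JavaScript or XML file has no reason to carry). The two directory paths are placeholders for the clean and live ColdFusion folders.

```shell
#!/bin/sh
# Added example, not from the thread. Compares a clean ColdFusion install
# against the live tree and reports files the clean install does not have.
# New .js/.xml files are additionally checked for CFML tags, which should
# never appear in a JavaScript or XML file. Directory paths are placeholders.

# Print paths (relative, "./..." form) of regular files present in the
# live tree but absent from the clean reference install.
new_files() {
    clean="$1"; live="$2"
    a=$(mktemp); b=$(mktemp)
    (cd "$clean" && find . -type f | LC_ALL=C sort) > "$a"
    (cd "$live"  && find . -type f | LC_ALL=C sort) > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Succeed (exit 0) if the file contains a CFML tag such as <cfset,
# <cfquery, <cffile or <cfexecute, matched case-insensitively.
has_cfml() {
    grep -qiE '<cf(set|query|file|execute|output|script|http|param|include)[[:space:]>/]' "$1"
}

# Walk the new files and print one line each: NEW for an unexpected file,
# SUSPECT for a .js/.xml file carrying CFML tags.
audit_tree() {
    clean="$1"; live="$2"
    new_files "$clean" "$live" | while read -r rel; do
        path="$live/${rel#./}"
        case "$rel" in
            *.js|*.xml)
                if has_cfml "$path"; then
                    printf 'SUSPECT  %s (CFML tags inside a .%s file)\n' "$rel" "${rel##*.}"
                else
                    printf 'NEW      %s\n' "$rel"
                fi ;;
            *)  printf 'NEW      %s\n' "$rel" ;;
        esac
    done
}

# Usage: sh audit_tree.sh /path/to/clean_install /path/to/live_install
if [ "$#" -eq 2 ]; then
    audit_tree "$1" "$2"
fi
```

Files that match the clean install byte-for-byte are not reported; run `diff -r` on the shared paths separately if you also want modified originals.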
New Here, Jul 28, 2008
I do not know anything about their Apache server. The worst thing yet is they know nothing of it either. It was created by a 3rd-party consultant with whom they cut communication a few years back. There are no web administrators on-site, nobody knows anything about the web server, and additionally there are no programmers on-site.

Has anyone seen this or have knowledge about these types of attacks where Chinese language is appearing on the site? There have been Trojan files and other virus-related warnings throughout the company recently referring to a domain mm.ll80.com.
Advocate, Jul 28, 2008
Is that website using SQL Server?

A Google search of that domain turned up:
http://blog.scansafe.com/journal/2008/7/22/coldfusion-attacks.html
http://russ.michaels.me.uk/index.cfm/2008/7/24/SQL-Injection-Attacks--How-to-protect_yourself

And the article referenced in both of those posts:
http://www.0x000000.com/index.php?i=610

I'm still betting it's more than just a SQL injection attack, as how did those files actually get on the server?
New Here, Jul 28, 2008
Yes they are using SQL 2000. They have no stored procs either. I was looking at the cfform.js and ehlpdhtm.js files which appear to be installed by the server when originally created. These files contain very specific js functions to collect data and send data. Is there a way to hack these pages for malicious intent?