November 23, 2015
Question

We have been hacked... appreciate any help...

  • November 23, 2015
  • 2 replies
  • 1762 views

Running CF Version  9,0,1,274733

One of our error reports showed:

----------------------------------------------------------------

Error Page: /CFIDE/beta.cfm

Query String: page=quickly

HTTP Referer: [removed for this post]/CFIDE/beta.cfm?page=quickly

Diagnostics: ColdFusion could not delete the file C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\session_log0.txt for an unknown reason.

----------------------------------------------------------------

This pointed us to that beta.cfm file that was somehow put into the CFIDE root.  No FTP access to that directory and they have cleared the CF logs so no real record of what might have been done.  Did find a few CF files that had been modified around the same time but nothing in them seemed out of the ordinary.  Have removed access to them for now to be safe.

Any suggestions on where to start to figure out how they got that file into the CFIDE root?  I do have the file (moved out of CFIDE) which I can supply but it's encrypted...

Appreciate any help.


    fred f (Author)
    November 25, 2015

    Hi Charlie and Pete,

    All still nice and quiet here but still getting lots of:

    -------------------------------------------

    "Information","jrpp-1015","11/24/15","19:23:23",,"Starting HTTP request {URL='http://lineronline.com:80/cgi-bin/vc.cgi', method='get'}"

    "Information","jrpp-1015","11/24/15","19:23:24",,"HTTP request completed  {Status Code=200 ,Time taken=306 ms}"

    --------------------------------------------

    in our http.log file...

    Any thoughts on how to block these, and how those calls are being made anyway?

    Thanks,

    Fred

    fred f (Author)
    November 25, 2015

    Might have solved the lineronline.com issue... if so, might be back to all known issues resolved... just wanted to update you both as really appreciated your help.

    Charlie Arehart (Community Expert)
    November 25, 2015

    Fred, thanks for the update, and the good news.

    Would you be willing to share where you found those bogus calls (since it stumped you at first)? It may help others. I'll say that I would have proposed using the search tool to search any and all CF files and extensions (*.*cf*), on all drives, because it could be that the bad guys somehow put the code to do it somewhere where you may not think to look, but that they had enabled to be executable from within CF.

    As for your previous note, and with regard to your preference of AgentRansack as a search tool, just note that that is the same thing as File Locator Lite. :-) I love it too, and have blogged about it for years. In fact, I complained of the same concern about the AR name to the vendor, explaining that I'd recommend it to people only to find later that it was removed because the name scared off others who saw it on their server. At first he was reluctant to change the name, but did finally, offering it with both names, but for some reason still preferring to list AR as the "main" version of the tool as he offers it on the site. :-(

    Anyway, glad to hear that you feel all is well for you now.

    /Charlie (troubleshooter, carehart.org)

    pete_freitag
    November 23, 2015

    Hi Fred,

    Very sorry to hear that.

    My guess as to how the file got there would be by exploiting APSB13-03. Using that exploit, attackers can create a scheduled task that writes the result of the task to a file (typically under /CFIDE, because the mapping always exists and is often publicly exposed).

    For CF9 you cannot be sure what hotfixes are applied by just the version number, so it is hard to say if you have applied the hotfix for that. However, even if you had applied the hotfix, an attacker might have exploited it years ago and left a backdoor on your server. FYI, my company has a product called HackMyCF which does a scan of your server to determine which hotfixes are applied; it can even find some backdoors.

    My advice when dealing with a hacked server is always to start fresh, new server, new CF install, and then review the application source code before putting it on the new server (to make sure other backdoors have not been added).

    fred f (Author)
    November 23, 2015

    Thanks Pete.  Appreciated.

    We actually signed up for your HackMyCF product about an hour ago.  Having Ben Forta recommend it put it high in my books.

    We had all hotfixes aside from APSB14-23 installed and now that one has been added as well.

    We also limited access to adminapi, which was exposed. For a quick fix I just used IIS request filtering, but will look at the correct way to do it, since request filtering stops us from accessing the CF admin panel even locally on the machine.

    Shows we now just have 1 important (CFTOKEN is not a UUID) and 6 warnings.

    And I agree about starting fresh but not something we can do quick enough not to majorly impact our clients so looking to hopefully deal with current situation and buy the time needed.

    In the http.log I'm seeing a lot of lines of:

    ----------------------------------------------------

    "Information","jrpp-58","11/23/15","16:04:54",,"Starting HTTP request {URL='http://lineronline.com:80/cgi-bin/vc.cgi', method='get'}"

    "Information","jrpp-58","11/23/15","16:04:54",,"HTTP request completed  {Status Code=200 ,Time taken=297 ms}"

    ----------------------------------------------------

    Possibly related? And how would you deal with shutting that down, regardless of whether it's related or not...

    Any further thoughts?

    Thanks again.  Any and all help very appreciated.

    Fred
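The outbound calls in the http.log excerpt above, together with Charlie's suggestion earlier in the thread to search every CF source file on every drive for the code that makes them, as an added Python example that is not part of the original thread and is not code from any of its participants. It assumes the http.log line layout quoted in the posts (six CSV fields, the message last); lineronline.com is the host from the thread, while api.example.net, the file paths, the source snippets and the allowlist of known-good destinations are constructed sample data that a reader would replace with their own.

```python
"""
Triage helper: count the destinations recorded in ColdFusion's http.log,
drop the ones the application is known to call, then scan CF source files
for the code that talks to what is left (or that makes HTTP calls at all).
Added example; assumes the http.log layout quoted in the thread.
"""
import csv
import io
import os
import re
import sys
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in the same shape as the http.log excerpt above.
SAMPLE_HTTP_LOG = """\
"Information","jrpp-58","11/23/15","16:04:54",,"Starting HTTP request {URL='http://lineronline.com:80/cgi-bin/vc.cgi', method='get'}"
"Information","jrpp-58","11/23/15","16:04:54",,"HTTP request completed  {Status Code=200 ,Time taken=297 ms}"
"Information","jrpp-59","11/23/15","16:05:10",,"Starting HTTP request {URL='https://api.example.net/v1/rates', method='post'}"
"Information","jrpp-1015","11/24/15","19:23:23",,"Starting HTTP request {URL='http://lineronline.com:80/cgi-bin/vc.cgi', method='get'}"
"""

CF_SOURCE_EXTS = (".cfm", ".cfml", ".cfc", ".cfr")

# Ways CF9 code reaches out over HTTP. A hit on its own is worth a look;
# a hit in a file that also names a flagged host is a strong lead.
HTTP_PRIMITIVES = {
    "cfhttp tag": re.compile(r"<cfhttp\b", re.I),
    "script http()": re.compile(r"\bnew\s+http\s*\(", re.I),
    "java.net.URL": re.compile(r"java\.net\.URL", re.I),
}


def parse_http_log(text):
    """Count destination hosts in the 'Starting HTTP request' lines."""
    hosts = Counter()
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 6 or not row[5].startswith("Starting HTTP request"):
            continue
        m = re.search(r"URL='([^']*)'", row[5])
        if not m:
            continue
        host = urlsplit(m.group(1)).hostname
        if host:
            hosts[host.lower()] += 1
    return hosts


def unexpected_hosts(hosts, allowlist):
    """Hosts seen in http.log that the application is not known to call."""
    return {h: n for h, n in hosts.items() if h not in allowlist}


def scan_sources(files, hosts):
    """files: iterable of (path, text). Returns {path: [reasons]} for every
    file that names a flagged host or uses an HTTP primitive."""
    findings = {}
    for path, text in files:
        reasons = []
        lowered = text.lower()
        for h in hosts:
            if h in lowered:
                reasons.append(f"references {h}")
        for name, rx in HTTP_PRIMITIVES.items():
            if rx.search(text):
                reasons.append(f"uses {name}")
        if reasons:
            findings[path] = reasons
    return findings


def iter_cf_files(roots):
    """Walk the given roots (every drive, per the advice in the thread) and
    yield (path, text) for each CF source file; unreadable files are skipped."""
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                if name.lower().endswith(CF_SOURCE_EXTS):
                    path = os.path.join(dirpath, name)
                    try:
                        with open(path, encoding="utf-8", errors="replace") as f:
                            yield path, f.read()
                    except OSError:
                        continue


# Constructed sample sources standing in for files found on disk.
SAMPLE_SOURCES = [
    ("C:/inetpub/wwwroot/rates.cfm",
     '<cfhttp url="https://api.example.net/v1/rates" method="post"></cfhttp>'),
    ("C:/ColdFusion9/wwwroot/CFIDE/suspect.cfm",
     "<cfset u = createObject('java', 'java.net.URL').init('http://lineronline.com/cgi-bin/vc.cgi')>"),
    ("C:/inetpub/wwwroot/index.cfm", "<cfoutput>#now()#</cfoutput>"),
]

if __name__ == "__main__":
    hosts = parse_http_log(SAMPLE_HTTP_LOG)
    flagged = unexpected_hosts(hosts, {"api.example.net"})  # allowlist is an assumption
    print("unexpected outbound hosts:", flagged)
    sources = iter_cf_files(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_SOURCES
    for path, reasons in scan_sources(sources, flagged).items():
        print(path, "->", "; ".join(reasons))
```

Run with no arguments to exercise the constructed sample; pass one or more root directories (each drive on the server) to walk real files, and feed the real http.log to parse_http_log in place of the sample. The java.net.URL pattern is there because CF code can make outbound requests without a cfhttp tag, so searching for the hostname alone misses code that builds the URL at runtime; any file that uses an HTTP primitive but serves no business purpose deserves a look even when it does not name the host.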

    fred f (Author)
    November 23, 2015

    Thanks Pete.

    Looks like a great product to get a quick summary of things to look at.

    Will definitely revisit the cf9 lock down guide and we are planning to migrate in the not too distant future.

    Did a search for any files modified around the time of the intrusion and did find a whole bunch of .class files in C:\ColdFusion9\wwwroot\WEB-INF\cfclasses\ which had modified dates/times around that time. Any easier way to deal with that aside from a full CF reinstall?

    Thanks again for your help.

    Fred


    Got a little more familiar with that cfclasses directory. Worried a little less now... will just delete all those and let it rebuild new ones as it needs. I believe there shouldn't be any issues with that?