
cf9, how can I determine which .cfm is sending emails?

New Here, Jun 15, 2015

I'm consulting for a company, and their server is being used by intruders to send spam email. It is Windows 2008 x64 with IIS, CF9, and SQL Server. The CF server is running their home-grown web site, and my suspicion is that there is an unsecured .cfm file that allows all cfmail parameters to be provided via form variables, or else the intruders got their own .cfm file somewhere that's doing it. The files showing up in spool and undelivr all appear to be formatted in such a way that they look just like legitimate emails I compared, so that's another reason I think it's a rogue .cfm file. I have mail logging turned all the way up to debug, but it still doesn't show where the email "came from". I found other evidence of exploit severe enough that I have informed the customer that their server needs to be completely flattened and reinstalled before it can be trusted again. I'm going on site in 3 weeks to do this rebuild, but in the meantime, I am continuing to see evidence that spam email is being sent out despite my efforts to track it down. The reason I think there is an unsecured .cfm page is that the entire site is unfortunately fairly low-tech, and a recursive text search for "<cfmail" turns up 450 hits. Any tips on how I can track this down?
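One way to narrow 450 "<cfmail" hits to the handful that matter, as an added example that is not code from the thread: a scanner that reports every <cfmail> tag whose to/from/cc/bcc/replyto/subject/server attribute is built from a request scope (form., url., cgi., cookie.), which is the "all cfmail parameters provided via form variables" pattern suspected above. The three CFML templates in SAMPLES are constructed, and the choice of which attributes and scopes count as attacker-controllable is this example's assumption; in real use, point scan_tree at the web root.

```python
"""Triage <cfmail> tags whose mail-routing attributes are fed from request scopes.
Added example, not code from the thread; the CFML snippets in SAMPLES are constructed."""
import re
import tempfile
from pathlib import Path

# <cfmail> attributes that, if the HTTP client can set them, turn the page into an open relay.
SENSITIVE_ATTRS = {"to", "from", "cc", "bcc", "replyto", "subject", "server"}
# Scopes whose values come straight from the request, i.e. from whoever sends it (assumed list).
REQUEST_SCOPES = ("form.", "url.", "cgi.", "cookie.")

# \b after cfmail keeps <cfmailparam> and <cfmailpart> out of the match.
CFMAIL_RE = re.compile(r"<cfmail\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")

# Constructed sample templates: one safe, one exposing a single header, one full relay.
SAMPLES = {
    "notify.cfm": '<cfmail to="ops@example.com" from="noreply@example.com" subject="Nightly job done">done</cfmail>',
    "contact.cfm": '<cfmail to="sales@example.com" from="#form.email#" subject="Website enquiry">\n#form.message#\n</cfmail>',
    "relay.cfm": '<cfset x = 1>\n<cfmail to="#form.to#" from="#form.from#" subject="#form.subject#" type="html">\n#form.body#\n</cfmail>',
}

def find_request_controlled_cfmail(text):
    """Return [(line_no, attr, value), ...] for each sensitive <cfmail> attribute
    whose value references a request scope anywhere in its expression."""
    findings = []
    for tag in CFMAIL_RE.finditer(text):
        line_no = text.count("\n", 0, tag.start()) + 1
        for name, dq, sq in ATTR_RE.findall(tag.group(1)):
            value = dq or sq
            if name.lower() in SENSITIVE_ATTRS and any(s in value.lower() for s in REQUEST_SCOPES):
                findings.append((line_no, name.lower(), value))
    return findings

def scan_sources(sources):
    """sources: {name: cfml_text}. Returns [(name, findings), ...] with the templates
    exposing the most request-controlled attributes first (worst first)."""
    report = [(name, find_request_controlled_cfmail(text)) for name, text in sources.items()]
    report = [(name, f) for name, f in report if f]
    report.sort(key=lambda item: len(item[1]), reverse=True)
    return report

def scan_tree(root):
    """Scan every .cfm/.cfc under root and report by site-relative path."""
    root = Path(root)
    sources = {p.relative_to(root).as_posix(): p.read_text(errors="replace")
               for p in root.rglob("*.cf[mc]") if p.is_file()}
    return scan_sources(sources)

def demo():
    """Write SAMPLES to a temp dir and scan it from disk, as you would the web root."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLES.items():
            Path(tmp, name).write_text(text)
        return scan_tree(tmp)

if __name__ == "__main__":
    for name, findings in demo():
        print(f"{name}: {len(findings)} request-controlled attribute(s)")
        for line_no, attr, value in findings:
            print(f"  line {line_no}: {attr}={value}")
```

A template where only from or replyto is request-controlled is still worth fixing (it lets a sender forge headers through the site), but the ones with a request-controlled to, cc or bcc are the open relays and come out at the top of the report.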

Guide, Jun 15, 2015

I think the easiest would be to examine the IIS logs for .cfm files being run.

\inetpub\logs\LogFiles\W3SVC1

Log file content (example only):

#Version: 1.0
#Date: 2015-04-06 00:52:22
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-04-06 00:55:43 ::1 GET /path/bad.cfm - 80 - ::1 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0) 200 0 0 920

CF9 might not be well patched. Note that CF9 is Adobe end of life. CF9 runs on Java, so that could be Java 6 underneath, which is Oracle end of life.

HTH, Carl.
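Carl's suggestion carried out in code, as an added example that is not from the thread: a parser for IIS W3C extended logs that reads the column names from the #Fields header shown above, inventories every .cfm that was actually requested, puts first the templates that are not in the site's known inventory or that receive POSTs (a relay page driven by form fields shows up as POSTs), and lists the .cfm requests logged within a few seconds of a given timestamp, so a spool file's modification time can be tied to the request that produced it. SAMPLE_LOG, the client addresses and KNOWN_TEMPLATES are constructed; the log directory path follows Carl's post.

```python
"""Inventory the .cfm templates IIS has actually served, from W3C extended log files.
Added example, not code from the thread; SAMPLE_LOG and KNOWN_TEMPLATES are constructed."""
import sys
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path
from urllib.parse import unquote

# Constructed log in the format Carl quotes: one space between fields, spaces inside a
# field written as '+'. Client addresses come from the documentation ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2015-04-06 00:52:22
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-04-06 00:55:43 ::1 GET /index.cfm - 80 - ::1 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0) 200 0 0 920
2015-04-06 00:56:10 ::1 POST /contact.cfm - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 45
2015-04-06 00:56:11 ::1 POST /contact.cfm - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 44
2015-04-06 00:57:02 ::1 POST /images/t.cfm x=1 80 - 198.51.100.9 curl/7.29.0 200 0 0 31
2015-04-06 00:57:03 ::1 POST /images/t.cfm x=1 80 - 198.51.100.9 curl/7.29.0 200 0 0 30
2015-04-06 00:58:00 ::1 GET /logo.png - 80 - ::1 Mozilla/5.0 200 0 0 5
"""
# Constructed; in real use build this from the web root (every .cfm/.cfc as a site-relative path).
KNOWN_TEMPLATES = ["/index.cfm", "/contact.cfm"]

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header.
    The header is re-read whenever it recurs (IIS rewrites it on rollover or after a
    logging-settings change), so concatenated daily files parse correctly."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))

def parse_ts(s):
    """'2015-04-06 00:55:43' -> datetime. IIS logs in UTC by default."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def cfm_inventory(text, known_templates=()):
    """Per .cfm uri-stem: hit count, POST count, distinct client IPs, and whether the
    template is in the site's known inventory."""
    known = {k.lower() for k in known_templates}
    inv = defaultdict(lambda: {"hits": 0, "posts": 0, "clients": set(), "known": False})
    for req in parse_w3c(text):
        stem = unquote(req.get("cs-uri-stem", "")).lower()
        if not stem.endswith(".cfm"):
            continue
        entry = inv[stem]
        entry["hits"] += 1
        if req.get("cs-method", "").upper() == "POST":
            entry["posts"] += 1
        entry["clients"].add(req.get("c-ip", "-"))
        entry["known"] = stem in known
    return dict(inv)

def suspicious(inv):
    """Templates to open first: unknown to the site, or taking POSTs. Unknown ones sort first,
    then by POST count."""
    return sorted((s for s, e in inv.items() if not e["known"] or e["posts"]),
                  key=lambda s: (inv[s]["known"], -inv[s]["posts"], s))

def cfm_requests_near(text, when, window_seconds=5):
    """.cfm requests logged within +/- window_seconds of `when` (str or datetime, in the
    log's clock). A spool file's mtime is local time: convert it to UTC before calling."""
    if isinstance(when, str):
        when = parse_ts(when)
    lo, hi = when - timedelta(seconds=window_seconds), when + timedelta(seconds=window_seconds)
    hits = []
    for req in parse_w3c(text):
        stamp = req["date"] + " " + req["time"]
        if lo <= parse_ts(stamp) <= hi and req["cs-uri-stem"].lower().endswith(".cfm"):
            hits.append((stamp, req["cs-method"], req["cs-uri-stem"], req["c-ip"]))
    return hits

if __name__ == "__main__":
    text = SAMPLE_LOG
    if len(sys.argv) > 1:  # e.g. C:\inetpub\logs\LogFiles\W3SVC1
        text = "\n".join(p.read_text(errors="replace") for p in sorted(Path(sys.argv[1]).glob("*.log")))
    inv = cfm_inventory(text, KNOWN_TEMPLATES)
    for stem in suspicious(inv):
        e = inv[stem]
        print(f"{stem}: {e['hits']} hits, {e['posts']} POSTs, clients={sorted(e['clients'])}, known={e['known']}")
    for hit in cfm_requests_near(text, "2015-04-06 00:57:02", window_seconds=2):
        print("near spool timestamp:", *hit)
```

Two caveats when running this against the real W3SVC1 directory: cs-uri-stem is only logged if that field is enabled in the site's logging settings (the header shows which are), and a template included via cfinclude or called as a CFC method never appears as its own request, so the stem you find is the entry point, not necessarily the file holding the <cfmail>.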

Enthusiast, Jun 17, 2015
In my experience the hijacking of an existing .cfm file is also very likely. It is easier to hide the code this way. It would be prudent to do a complete reinstall (CF itself may be purposely corrupted) and also examine all the source code, line by line. ColdFusion can send emails in a number of ways, with CFML, with Java and via third-party extensions. If files are in the CF spool, then code on the server is sending the emails, as you suggest. I would reinstall, lock down, and then either use a backup to a restore point before the problem or examine every template before placing it back on the server.
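The "examine every template before placing it back" step, as an added example that is not code from the thread: hash every .cfm/.cfc under a known-good backup and under the live web root and report what was added, removed or changed, so review effort goes to the differences (a hijacked existing template shows up as modified, a planted one as added) rather than to all 450 cfmail hits. The two sample trees are constructed; in real use pass the backup and the live root, and run a final pass with suffixes=None, since a planted file need not end in .cfm.

```python
"""Diff the live web root against a known-good backup so every added or altered
template is read before anything is restored to the rebuilt server.
Added example, not code from the thread; the two sample trees are constructed."""
import hashlib
import tempfile
from pathlib import Path

TEMPLATE_SUFFIXES = {".cfm", ".cfc"}

def sha256_of(path):
    """Stream the file so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root, suffixes=TEMPLATE_SUFFIXES):
    """{site-relative posix path: sha256} for files under root.
    suffixes=None hashes every file, the right setting for the final pass."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*")
            if p.is_file() and (suffixes is None or p.suffix.lower() in suffixes)}

def compare_trees(baseline_root, live_root, suffixes=TEMPLATE_SUFFIXES):
    """Classify live files as added / removed / modified relative to the baseline."""
    base, live = hash_tree(baseline_root, suffixes), hash_tree(live_root, suffixes)
    return {
        "added": sorted(set(live) - set(base)),
        "removed": sorted(set(base) - set(live)),
        "modified": sorted(p for p in base.keys() & live.keys() if base[p] != live[p]),
    }

def build_demo_trees(tmp):
    """Constructed backup and live trees: live has one altered template and one planted file."""
    base, live = Path(tmp, "backup"), Path(tmp, "live")
    for d in (base, live):
        (d / "images").mkdir(parents=True)
        (d / "index.cfm").write_text("<cfoutput>Welcome</cfoutput>")
        (d / "contact.cfm").write_text('<cfmail to="sales@example.com" from="noreply@example.com" subject="Enquiry">#form.message#</cfmail>')
        (d / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    # Same file name and size class as the original, but different content.
    (live / "contact.cfm").write_text('<cfmail to="sales@example.com" from="#form.email#" subject="Enquiry">#form.message#</cfmail>')
    # A template where no template belongs (an image directory).
    (live / "images" / "t.cfm").write_text("<cfoutput>planted</cfoutput>")
    return base, live

def demo():
    """Build the constructed trees in a temp dir and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        base, live = build_demo_trees(tmp)
        return compare_trees(base, live)

if __name__ == "__main__":
    diff = demo()
    for kind in ("added", "modified", "removed"):
        for rel in diff[kind]:
            print(f"{kind:9} {rel}")
```

Hashes, not modification times, are what to compare: a timestamp can be set to anything, and a restore from backup resets them anyway. The modified list is where the "line by line" review starts; the added list is where a file in a directory that should never hold templates (images, uploads) stands out immediately.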
