A few of my sites got a code injection and it is the first time I am dealing with something like this. Is there any specific procedure that I can follow to debug the code and find the source of the injection? Also, is there anything that is ColdFusion specific regarding this matter?
- Are you saying that the ColdFusion files on your server have been modified? The only way to modify those files is to have access to the server. The flip side is that the PC has been infected and those lines are being appended on the client side. – Miguel-F Aug 05 '13 at 19:58
- Can you please edit out / trim all those spurious links from your question? It is showing up as malware on AVG, and you're basically doing the hacker's job for them by circulating their crap! – Adam Cameron Aug 05 '13 at 19:59
- What version of ColdFusion are you running? Is it fully patched? Have you followed the lock-down guide? Have you located the file that is injecting that stuff onto your pages? – Adam Cameron Aug 05 '13 at 20:00
- @Miguel-F Probably it is the PC that is infected, but the anti-virus does not detect anything and the code was not modified at all. – Geo Aug 05 '13 at 20:07
- Probably `access.log`? – Daniel W. Aug 05 '13 at 20:08
- I am sorry, but the notion that with comments on SO, and without any knowledge of the subject, you will be able to actually audit your application against a possible living exploit is surreal. This sort of work usually requires deep knowledge of the deployment stack, installed applications and quite a few other things. As it is, your question is way too open and cannot really be answered. – Tymoteusz Paul Aug 05 '13 at 20:19
- @Puciek I know what you mean. It is the first time that I have to deal with something like this, so I am trying to give it a try since I don't really have any other options at this point. – Geo Aug 05 '13 at 20:25
- The obvious choice for me would be to hire a professional who knows the nature of such issues and will resolve it for you. If that is not an option then there is no other way to go but to educate yourself (and that is going to take a magnitude of time). – Tymoteusz Paul Aug 05 '13 at 20:27
- TBH, I think @Puciek is right. Not a job for someone who is not already au fait with what they need to do. Get a consultant in to sort it out for you. – Adam Cameron Aug 05 '13 at 20:34
- Both of you are correct. I am talking now with my sysadmin to figure it out. – Geo Aug 05 '13 at 20:54
- Are you sure it's server side? One of our clients with admin rights was working on an infected PC and every time he used a WYSIWYG editor the virus on his computer was adding malicious JavaScript to every article he created. – Lucas Aug 05 '13 at 20:55
- @Lucas Yes, because I just found files on production that were changed. Those files have not been edited by anyone for at least a year now. – Geo Aug 05 '13 at 20:57
1 Answer
This question is perhaps better asked on Server Fault, not Stack Overflow. That's why you've got the close vote (it was not from me).
Update your question's tagging to include the correct ColdFusion version.
The ColdFusion 9 lockdown guide (which I found by googling "coldfusion lockdown guide", btw) is here.
Make sure you are fully patched. Fortunately Adobe are still releasing security patches for 9.0.1. Advise us here whether you are already up-to-date, or whether you are short any patch(es).
Look for files called h.cfm (in your web root directory, as well as the /CFIDE directory structure). This file is a known vector for a security hack which did the rounds at the beginning of the year.

– Adam Cameron
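As an added example (not code from the question, the answer, or Adobe), here is a small POSIX shell triage script that does the two file-system checks the answer suggests, plus the access-log check Daniel W. hints at in the comments: it searches a web root (including its /CFIDE tree) for files named h.cfm, lists .cfm/.cfc files modified within a recent window (Geo notes the changed production files had not been edited in a year, so a fresh mtime on a dormant file is a strong lead), and pulls requests for h.cfm out of a combined-format access log. The web root path, the 30-day window, the combined log format, and the sample tree and log lines are all assumptions constructed for the demo; `./triage.sh --demo` runs it against that constructed data.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes a POSIX shell with
# find(1) and grep(1); the web root is passed as $1 and CFIDE sits under it
# (adjust the paths for your layout). Read-only: nothing here deletes files.

# List any file named h.cfm under the given web root (covers /CFIDE too),
# the filename the answer names as a known vector.
find_h_cfm() {
    root="$1"
    find "$root" -type f -name 'h.cfm' 2>/dev/null
}

# List .cfm/.cfc files modified within the last N days (default 30).
# A recent mtime on a file nobody has touched in a year is worth inspecting.
find_recent_cf_files() {
    root="$1"
    days="${2:-30}"
    find "$root" -type f \( -name '*.cfm' -o -name '*.cfc' \) -mtime "-$days" 2>/dev/null
}

# Pull requests for h.cfm out of an access log (combined format assumed);
# hits show whether a planted file was actually reached and from where.
grep_access_log() {
    log="$1"
    grep -n 'h\.cfm' "$log" || true
}

# Count the lines of a listing (0 when the listing is empty).
count_lines() {
    if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | wc -l | tr -d ' '; fi
}

# Constructed sample web root so the script runs stand-alone.
make_sample_webroot() {
    sample="$(mktemp -d)"
    mkdir -p "$sample/CFIDE/scripts" "$sample/app"
    printf '<cfoutput>ok</cfoutput>\n' > "$sample/app/index.cfm"
    printf '<cfoutput>stub</cfoutput>\n' > "$sample/CFIDE/scripts/h.cfm"  # constructed stand-in for a planted file
    printf 'stub\n' > "$sample/app/old.cfc"
    touch -t 200001010000 "$sample/app/old.cfc"   # dormant file; must not appear as recent
    echo "$sample"
}

# Constructed sample access log (documentation IP ranges, made-up timestamps).
make_sample_access_log() {
    log="$(mktemp)"
    cat > "$log" <<'EOF'
203.0.113.5 - - [05/Aug/2013:19:40:01 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Aug/2013:19:41:12 +0000] "GET /CFIDE/scripts/h.cfm HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Aug/2013:19:42:30 +0000] "GET /app/index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    echo "$log"
}

if [ "${1:-}" = "--demo" ]; then
    root="$(make_sample_webroot)"
    log="$(make_sample_access_log)"
    echo "h.cfm hits:";           find_h_cfm "$root"
    echo "recent CF files:";      find_recent_cf_files "$root" 30
    echo "access-log hits:";      grep_access_log "$log"
    rm -rf "$root" "$log"
fi
```

Run it against a real server with `find_h_cfm /path/to/webroot` and `grep_access_log /path/to/access.log` from a shell that has sourced the file; treat every hit as something to preserve (copy it off the box with its timestamps) before anyone cleans up, since the file contents and the first request timestamp are what a consultant will want to see.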
- @Geo - here is a link to the particular hotfix that Adam is referring to. [APSB13-03](http://www.adobe.com/support/security/bulletins/apsb13-03.html) You will need to look over the others as well. – Miguel-F Aug 05 '13 at 20:21
- We found a lot of code changed and a lot of hotfixes missing. Thanks for the useful links and resources. – Geo Aug 05 '13 at 20:56