My CFIDE just went crazy this morning and I can't locate what is causing this. When I log in from example.com/cfide/administrator/index.cfm
some of the tabs on the left work fine and some are showing the index page of example.com like in an iframe... I restarted the app server but the issue is still there. Any recommendations on how to debug this thing?

- Apache? IIS? How do you have /CFIDE configured? – Sean Coyne Jul 15 '14 at 15:20
- IIS7, we were able to fix it. It seems like the scheduled_tasks.cfm file was deleted from its directory somehow, so we replaced it with a backup one. – Geo Jul 15 '14 at 15:29
- Well, while you're in there, be sure to lock down /CFIDE. It shouldn't be accessible from the outside world. Many a CF server has been hacked due to vulnerabilities in the CF admin. – Sean Coyne Jul 15 '14 at 15:30
- I found the lock down process and I will probably start it today just in case it was never done. Thanks Sean – Geo Jul 15 '14 at 15:40
- @Geo... if files are going missing from CFAdmin, especially around scheduled tasks, you might want to make sure you haven't been exploited somehow (scheduled tasks have been a vector for exploits, recently). Is all your patching up to date? – Adam Cameron Jul 15 '14 at 16:06
- @AdamCameron I'll have to check because the last time I updated the CF admin was about 8-9 months ago. Unfortunately I don't have an around-the-clock admin guy, so things like that are falling short sometimes. Anything that I can check to get a better idea if there is anything fishy going on? – Geo Jul 15 '14 at 16:11
- This is very long-winded, but details the one I'm thinking of: http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat. TL;DR: start by looking for a file `h.cfm`. – Adam Cameron Jul 15 '14 at 16:38
- There are two off the top of my head. The bitcoin exploit (miner.d) and the ckeditor file upload exploit both tap underlying Java to cause problems. If you see that h.cfm file it is UGLY obfuscated nasty code, but not very sophisticated. – Frank Tudor Jul 15 '14 at 23:49
- @FrankTudor I couldn't find this h.cfm file but I need to keep searching for clues just to be sure. – Geo Jul 16 '14 at 19:10
- @geo http://stackoverflow.com/questions/13099802/cfml-strange-script-found-in-hosting (be careful). – Frank Tudor Jul 21 '14 at 01:56
- @FrankTudor it doesn't say where they found the file though, or what the name of the file was... – Geo Jul 21 '14 at 17:10
- @Geo It is also named: i.cfm, h9.cfm, r.cfm, adss.cfm or fusebox.cfm. Here is the black hat page that gives you a ton of info. I'm viewing the cached site because I don't trust the blackhat sites: http://webcache.googleusercontent.com/search?q=cache:q4gZ_4qbjqUJ:www.blackhatlibrary.net/Coldfusion_hacking+&cd=2&hl=en&ct=clnk&gl=us – Frank Tudor Jul 21 '14 at 17:41
- @Geo if you deconstruct and format the code it will give you shivers. The developer is not native to CF, and jumps from script style to CFML style (a lot can be revealed by a coder's code). Anyways... that's all I got for you. – Frank Tudor Jul 21 '14 at 17:44
- @FrankTudor well, I guess I just found out how my night is going to be spent tonight :) Thanks – Geo Jul 21 '14 at 17:46
- @FrankTudor I found a file named fusebox.cfm but it is in an unreadable form. I tried opening it with 4 different IDEs but it is full of hieroglyphics or something... – Geo Jul 21 '14 at 19:04
- @Geo Nice work... Here is a link to a site that describes some GitHub source code that can decrypt it for you. That is ColdFusion 5 crap that still floats around now and again. http://www.sourceamax.com/?p=881&lang=en (I'm pretty sure it will look similar to that code in the SO link I pasted above). – Frank Tudor Jul 21 '14 at 19:20
- @FrankTudor can you write your comment as an answer so I can accept it? The one with all the possible names of the file and the link to the decryption code. – Geo Jul 21 '14 at 19:56
- @Geo... thanks for that nice fat green checkmark. I would return the favor and upvote your question but I already did once. :) – Frank Tudor Jul 21 '14 at 21:10
1 Answer

So for posterity, here is what we found.

There are two possibilities of exploits that could be affecting you:
- the bitcoin exploit (miner.d)
- the ckeditor file upload exploit (this is the h.cfm file)

There are others, but these are common and known. Both tap underlying Java to unfold work that either calls something more sinister, delivers server metadata, or unrolls a scheduled task to fire off worker bees to consume resources doing something the admin is unaware of.

So, as we discovered, we have a varietal of this h.cfm called fusebox.cfm (obfuscated with bonus encrypted CF5 garble). If you can open the file, you will see UGLY and obfuscated code, but not very sophisticated. A lot can be revealed by a coder's code, and if you deconstruct and format this particular code you will discern that the developer is not native to CF, and jumps from script style to CFML style (in caps, no less).

(here is the Stack Overflow link with the raw code (be careful))

It is also named: i.cfm, h9.cfm, r.cfm, adss.cfm or fusebox.cfm. Here is the black hat page that gives you a ton of info. I'm viewing the cached site because I don't trust the blackhat sites (because one loaded something on my system that raised an antivirus alert).

The file may be unreadable, so here is a link to a site that describes some GitHub source code that can decrypt it for you. That is ColdFusion 5 crap that still floats around now and again. (I'm pretty sure it will look similar to that code in the SO link I pasted above).

Post mortem: One more ColdFusion server saved from villainy. Remember, it never hurts to run through your systems and see if anything can be found like this. It also never hurts to make things a little more difficult for would-be server exploiters ;)
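A small triage scanner that turns the answer's two clues into an automated check, added here as an example and not part of the original answer or of any ColdFusion tooling: it walks a web root looking for the webshell file names listed above (h.cfm, i.cfm, h9.cfm, r.cfm, adss.cfm, fusebox.cfm) and separately flags any .cfm/.cfc template whose bytes are mostly non-printable, which is how the "hieroglyphics" fusebox.cfm in the question would look on disk. The sample web root, the 30% non-printable threshold and the helper names are constructed for the example; the scanner does not decode CF5-encrypted templates, it only surfaces them for a manual look.

```python
import os
import tempfile
from pathlib import Path

# Webshell file names listed in the answer above (h.cfm and its renamed variants).
KNOWN_SHELL_NAMES = {"h.cfm", "i.cfm", "h9.cfm", "r.cfm", "adss.cfm", "fusebox.cfm"}
TEMPLATE_SUFFIXES = {".cfm", ".cfc", ".cfml"}

# Bytes a hand-written CFML template is expected to consist of: printable ASCII plus tab/CR/LF.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside the printable-ASCII set; readable source sits near 0."""
    if not data:
        return 0.0
    return sum(1 for b in data if b not in PRINTABLE) / len(data)


def classify_file(path: Path, data: bytes, threshold: float = 0.30) -> list:
    """Return the reasons a file deserves a manual look (empty list = nothing noticed)."""
    findings = []
    if path.name.lower() in KNOWN_SHELL_NAMES:
        findings.append("known-webshell-name")
    if path.suffix.lower() in TEMPLATE_SUFFIXES:
        ratio = nonprintable_ratio(data)
        if ratio > threshold:
            # A .cfm that is mostly non-text is either encoded/encrypted or not CFML at all.
            findings.append("unreadable-template:%.2f" % ratio)
    return findings


def scan_webroot(root) -> dict:
    """Walk a web root and map each suspicious file (relative path) to its findings."""
    results = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            findings = classify_file(path, data)
            if findings:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return results


def build_sample_webroot(base) -> None:
    """Constructed sample tree: a clean page, an encrypted-looking shell, an odd .cfm, an image."""
    base = Path(base)
    (base / "CFIDE" / "scripts").mkdir(parents=True)
    (base / "index.cfm").write_bytes(b"<cfset greeting = 'hello'>\n<cfoutput>#greeting#</cfoutput>\n")
    # Stand-in for the obfuscated fusebox.cfm: a known name plus a body of mostly high bytes.
    (base / "CFIDE" / "scripts" / "fusebox.cfm").write_bytes(bytes(range(0x80, 0x100)) * 4 + b"\n")
    # A template with an innocent name but unreadable content; still worth a look.
    (base / "CFIDE" / "scripts" / "helper.cfm").write_bytes(b"\x00\x01\x02" * 100)
    # Binary content is normal for an image, so this must not be flagged.
    (base / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)


def demo() -> dict:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel_path, why in sorted(demo().items()):
        print(rel_path, "->", ", ".join(why))
```

On a real server, point `scan_webroot` at the IIS site root (the directory that contains `CFIDE`) and treat the output as a worklist: a hit on a known name is a strong signal, while an unreadable template still needs the decryption step the answer links to before it can be judged.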
