
Hacked Response Header to Googlebot

Explorer, Feb 13, 2013

We have a website that, when browsed by Googlebot (or any test site that uses the Googlebot 2.1 http_user_agent ID) embeds a bunch of links in the response header (spam links for Cialis). What anyone else sees in their browser is the regular website as the spam links are not inserted into the response header. The web server is IIS on Windows Server 2008 (with the latest patches) and CF is CF 9 Enterprise. I initially thought that it was an attack on IIS that corrupted the system, but there are several other websites on the same server that aren't affected. If something affected a core dll file or something like that, it seems like it would affect all sites. In looking at all of our .cfm files and files that they reference (e.g. .js) they are fine - the malicious content isn't in any of them. However, something has become corrupted that enables this content to be put in the http response header. I've heard of similar attacks ("Pharma hacks") on Wordpress and Joomla, but nothing in reference to ColdFusion. Does anyone have any ideas?

1 Correct answer

LEGEND, Feb 13, 2013

Look for files that don't belong (typically named i.cfm or h.cfm, but it could be anything), remove them and apply the latest security patch.

^_^

Explorer, Feb 13, 2013

Yeah, I found an h.cfm file that clearly doesn't belong in the root of the CFIDE folder for every site on the server. It appears to be a file manager that likely gave them access to the whole server file system. I see that this appears to be some type of exploit of the admin api system for CF and Adobe now has a patch for it. I'm hoping I can find what other files they altered so I don't have to completely uninstall CF, shutting down all of the websites, and then re-installing everything.

LEGEND, Feb 13, 2013

As I understand it, I think just removing the files that don't belong and applying the patch should be sufficient.  But browse this forum for the same situation - there are instructions, somewhere, that I don't have the URL for.

^_^

Community Beginner, Feb 18, 2013

Look for adss.cfm and fusebox.cfm as well, and make sure you have a password set for the RDS user and then turn RDS off (you need a password even if you aren't using it). Check any application.cfm files, especially at the root for any changed code.

Check the dates for any of the files you found, and then search your system for anything modified on those dates. 

Check for any scheduled programs that shouldn't be there and change passwords to any of your SQL databases as they are part of the target.

There is another thread on here titled "CF8.01 hacked.  Need info on patches" that has more details. We were patched on Jan 16th (CF9) but the first hack was Dec 25th and the second during the Super Bowl.

Sue

Explorer, Feb 18, 2013

Good point on setting the RDS password before disabling it; I believe that had been done, but I did it again anyway. I changed the db passwords (which was a pain as there are ASP-based applications on the same site that require files be updated with the new passwords). To find all of the new files that were put on the server (or the ones that were changed) I went to the classes folder where CF compiles the .cfm files into the cached java binary. Since there is a .class file for each .cfm and it is updated when the .cfm changes, I simply sorted the files by date. Our original compromise was also on Dec. 25th. That managed to install an h.cfm file in the CFIDE root on all of our server instances on this one physical server. Then, in January, the hacker returned to install several files (e.g. looc.cfm), modify the webroot administrator.cfm, etc. He apparently returned a couple of times in January to make these modifications, based on the dates of the .class files. I used these records to track down his changes and undo them.

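A small Python script, added here and not part of any post in this thread, that applies the date pivot Sue and the last reply describe: find the dropped files by name, take the dates they were written, then list everything else in the tree modified on those same dates (the same approach works on the cfclasses folder). The suspect file names come from the posts above; the webroot layout and timestamps are constructed in a temp directory so it runs offline.

```python
import os
import tempfile
import time
from datetime import datetime
from pathlib import Path

# File names the posts above report as dropped by the attacker. fusebox.cfm is also a
# legitimate framework file name, so a hit is a lead to inspect, not proof by itself.
SUSPECT_NAMES = {"h.cfm", "i.cfm", "adss.cfm", "fusebox.cfm", "looc.cfm"}

def mtime_date(path):
    """Calendar date (local time) on which the file was last modified."""
    return datetime.fromtimestamp(path.stat().st_mtime).date()

def find_suspect_files(root):
    """Every file under root whose name is on the suspect list."""
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and p.name in SUSPECT_NAMES)

def modified_on_same_dates(root, suspects):
    """Other files under root last modified on any date a suspect file was written."""
    dates = {mtime_date(p) for p in suspects}
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p not in suspects and mtime_date(p) in dates)

def triage(root):
    """Relative paths of suspect files, and of other files sharing their modification dates."""
    suspects = find_suspect_files(root)
    hits = modified_on_same_dates(root, suspects)
    rel = lambda p: p.relative_to(root).as_posix()
    return [rel(p) for p in suspects], [rel(p) for p in hits]

def build_constructed_tree():
    """Constructed sample webroot in a temp dir (not a real server) imitating the thread's timeline."""
    root = Path(tempfile.mkdtemp())
    old = time.time() - 120 * 86400        # original site files, ~4 months old
    breach = time.time() - 50 * 86400      # the day h.cfm was dropped
    layout = {
        "index.cfm": old,
        "js/site.js": old,
        "CFIDE/administrator/index.cfm": old,
        "CFIDE/h.cfm": breach,             # the dropped file manager
        "Application.cfm": breach,         # edited the same day: diff it against a backup
    }
    for rel_path, ts in layout.items():
        p = root / rel_path
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<!--- constructed placeholder --->")
        os.utime(p, (ts, ts))
    return root
```

Run `triage(build_constructed_tree())` to see the suspect list and the same-day hits; on a real server point `triage` at the webroot and the CF classes folder.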