Process "911.exe" in folder "coldfusion\SERVER-INF\temp\wwwroot-tmp"

I think we already installed sophos. We will update sophos to the latest version and run the scan again.

Yes, you should have an AV running on your server but I don't think the executables mentioned here in this thread are the actual problem -- instead, they are the symptoms of an un-patched ColdFusion server. Your server is the victim of an unauthorized upload of an .exe and its execution.

There is a thread somewhere that describes remapping the CFIDE directory to an empty directory and then creating a "scripts" virtual directory under it the points back to the CFIDE/scripts directory. I highly recommend doing this whether or not you patch to the latest and this will plug your immediate vulnerability hole. Good luck.

Hi Steve,

You know where we can find the thread?

I attempted to find the thread yesterday but my searches returned too many results. I guess it's a hot topic. Anyway, what we do is:

First, create an empty folder on your server. It does not matter the name, but I call it something like CFIDE_faux.

For all sites bound to external IP addresses (all but localhost/127.0.0.1):

1. Delete the CFIDE virtual directory from the site.
2. Create a CFIDE virtual directory and point it to the empty directory you created above.
3. Under this virtual directory, create another virtual directory called scripts. Point this virtual directory to the original CF CFIDE\scripts directory.
4. Now you have a CFIDE directory with only a scripts directory -- no admin and others.

An alternative to the double virtual directory is to copy the scripts directory to the empty CFIDE directory you created. The disadvantage to this is that CF patches will not be applied to the copy whereas they will be applied using the double virtual directory method.

Another option I found in my research yesterday but have not tried myself is to delete CFIDE virtual directory, then create a virtual directory for /CFIDE/scripts, again pointed to the original CF scripts directory. This "supposedly" leaves the CFIDE directory as a 404. Sounds like it might work, but I have not tried it.

If you look at the history of CF vulnerabilities, most revolve around the exposure or the complete CFIDE directory tree. Why Adobe does not hidden the CFIDE tree by default and only publish the scripts directory is beyond me. All the patches and hot fixes to the CFIDE seem like bandages on a broken leg.

Hope this helps.

I restricted access to my /CFIDE directory by IP range.  From an outside address, it gives a 403-Forbidden error.  However, the 911.exe and other files were dropped into my c:\ directory.  Is this consistent with what others have seen? 

Yoou restricted access to the entire CFIDE tree, or just the CFIDE directory. Also, was this via the CF administrator or at the web server/OS level?

My understanding is that there have been a few vulnerabilities where unauthorized uploads and execution could occur. Another thing to check is if you have an older version of fckeditor installed. It also had a similar unauthorized upload vulnerability.

Steve, I mis-spoke.  I only restricted access to the CFIDE/administrator directory (via IIS).  So, your tip above is something I need to look into.  Thanks!

I am in the same boat too...

Can someone clarify is this a bug/vulnerability in CF9 all versions all patches or just up to a certain patch level?

Is putting IP restrictions on the CDIFE directory a valid solution to prevent future infections?

david_mcknight wrote: ...Is putting IP restrictions on the CDIFE directory a valid solution to prevent future infections?

If you mean through the CF Administrator option, no -- especially if you are not up to the latest patch level but even then I would still say no.

I guess it's possible at the web server/OS level, but that would be more work than the method I described above.

Steve Sommers wrote: I guess it's possible at the web server/OS level, but that would be more work than the method I described above.

Right, so in IIS I set an IP restriction to my local subnet on the CFIDE folder and all subfolders.  The theory being that IIS should not allow access to any files in those folders, there by not allowing any coldfusion code to run from files in that directory tree, unless you are here on site.

Is there any test I can do to see if I have properly plugged this hole?

Just remember that several client side CF features (CFForm field validation for example) requires access to /CFIDE/scripts so you'll need to remove the IP restriction on this directory -- unless you don't use CFFORM, CFGRID, others.

Steve Sommers wrote: Just remember that several client side CF features (CFForm field validation for example) requires access to /CFIDE/scripts so you'll need to remove the IP restriction on this directory -- unless you don't use CFFORM, CFGRID, others.

I see, now your previous post make sense.

Thanks.

Hi efirkey,

I feel this is coldfusion server issue. Still googleing if there are any hotfix we can use.