cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0
Upvote

temporary files in the wwwroot-tmp detected by the antivirus as a threat despite hotfixes

RiccardoArea
New Here ,
May 13, 2013 May 13, 2013

Copy link to clipboard

Copied

Hello,
We have some web servers with different operating systems (ws 2003 standard edition r2 with iis 6 and coldfusion 9.0.1 hotfix 4 and ws 2008 r2 with iis 7.5 and coldfusion 10 update 8) and for machines with coldfusion 10 we used Server Lockdown Guide.

Last nightt in a period of time 15 minutes our antivirus reported some dangerous tmp files in folders:
- CF9: {coldfusion_path} \ runtime \ servers \ coldfusion \ SERVER-INF \ temp \ wwwroot-tmp \
- CF10: {coldfusion_path} \ cfusion \ runtime \ work \ Catalina \ localhost \ tmp \

The only thing that I could understand from the logs is that 2 hours before attempting to write these files on the server, a client with ip 188.190.126.105 carried out on all my servers the request of the "famous" page http://server_ip/CFIDE/h.cfm going into error because there is not that page.

Does anyone have any idea / suggestion of how it is possible that someone is still able to write these files in spite of:

- Coldfusion 9.0.1 with Hotfix 4 and coldfusion 10 with update 8
- The coldfusion administrator is not reachable from external ip,

- I have not file h.cfm or i.cfm in CFIDE folder

- All the requets of the type CFIDE/administrator are blocked
- Sites and Coldfusion are in different logical disks
- IIS and Coldfusion with different users
- Not all the servers are in the same lan, but all of them have had the intrusion

Thanks

Views

3.2K

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 3 Replies 3
latest latest Jump to latest reply
Anit_Kumar Adobe Employee
Adobe Employee ,
May 13, 2013 May 13, 2013

Copy link to clipboard

Copied

Hi,

The file residing at C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp \ is not a virus. The name is alphanumeric and is a temp file.

To Block /CFIDE requests

Even if you do not have a virtual directory specified for /CFIDE on your IIS sites, the ColdFusion IIS connector will still pass through requests for /CFIDE/administrator/index.cfm. Therefore, you must explicitly block /CFIDE requests.

IIS 7 has powerful request filtering capabilities that can enhance the security of your web server. Make sure that the Request Filtering feature is installed. Create a global Request Filtering rule for all sites on the server by editing the applicationHost.config file, which is located in the c:\windows\system32\inetsrv\config directory by default. Before editing the file, make a backup of this file.Adobe ColdFusion 9 Server Lockdown Guide 10

This file is an XML configuration file, so all changes must result in a valid XML document. Locate the <requestFiltering> tag, which is located in the <configuration> <system.webServer> <security> <requestFiltering> hierarchy.

Add a child tag to <requestFiltering> named <denyUrlSequences> with the following information:

<denyUrlSequences>

<add sequence=”/CFIDE/administrator” />

<add sequence=”/CFIDE/adminapi”/>

<add sequence=”/CFIDE/AIR”/>

<add sequence=”/CFIDE/appdeployment”/>

<add sequence=”/CFIDE/componentutils”/>

<add sequence=”/CFIDE/debug”/>

<add sequence=”/CFIDE/orm”/>

<add sequence=”/CFIDE/portlets”/>

<add sequence=”/CFIDE/probe.cfm”/>

<add sequence=”/CFIDE/scripts”/>

<add sequence=”/CFIDE/services”/>

<add sequence=”/CFIDE/wizards”/>

</denyUrlSequences>

If there is already a <denyUrlSequences> tag, append the <add sequence> tags to the existing tag.

Next , you must allow access to the /CFIDE/administrator URI in the cfadmin website. Create a file called web.config in the web root with the following content:

<configuration>

<system.webServer>

<security>

<requestFiltering>

<denyUrlSequences>

<remove sequence=”/CFIDE/administrator”/>

</denyUrlSequences>

</requestFiltering>

</security>

</system.webServer>

</configuration>

The above configuration overrides the global request filtering and removes the deny rule for the URI /CFIDE/administrator.

Regards,

Anit Kumar

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
a.s.webster
New Here ,
Jul 03, 2013 Jul 03, 2013

Copy link to clipboard

Copied

Did you ever find a solution to your issue?  I have locked down CFIDE but every so often, my virus protection detects and deletes 10-30 files being uploaded to the ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp.  I am unable to find any POST commands in the IIS logs to determine which site on this shared server could be allowing the upload.  We are running Windows 2008R2, IIS 7.5, CF 9,0,1,274733 hotfix 4.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
RiccardoArea
New Here ,
Jul 05, 2013 Jul 05, 2013

Copy link to clipboard

Copied

LATEST
In Response To a.s.webster

you can look at this thread http://forums.adobe.com/message/5443464#5443464 the post in position 8 and on Charlie Arehart's Blog at http://www.carehart.org/blog/client/index.cfm/2006/5/7/cfform_not_doin g_upload for understanding how it is possible.

The situation is that if you have a form with an input type file, when you submit the form this file is uploaded to the folder ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp even though there is not a cffile in the response page. However, if the file is in format .tmp it should not be dangerous.

To limit these uploads, I realized that in the logs of iis, in the same time that the antivirus blocks the file, there is a request for the page http://myserverip/cfide/h.cfm. When you see that request, block the ip address who made ​​it. In my case it's always the same group of 2-3 ip to make this kind of request.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation
ColdFusion User Guide
Copyright © 2023 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices