My server was recently hacked and I'm looking for malicious code the hacker may have left behind. I see a number of exe files in the CFIDE folder that were created during the period the server was exposed. Can you help me know which ones I should quarantine by giving me a list of the ones that are supposed to be in that folder? I'm using ColdFusion 9. Thanks.
I do not have any EXE or DLL files in my CF9 CFIDE folders. HTH, Carl.
Carl, thanks for the quick feedback. My virus scanner was in the process of scanning the whole server, and had not got to these files yet. Once I got your response, I renamed the files removing the exe extension. When my virus scanner finally got to them, it confirmed that they were all malicious.
Format and start again is my advice. The malware could write all over the file system. We had a WordPress install hacked that did this and it put files all over, and not just in CFIDE. Unless you wipe and reinstall you'll be forever worrying...
tribule wrote:
Format and start again is my advice.
Sound advice. However, by 'format' I take it you mean reinstall.
No. I mean format the disk and reinstall everything.
If you just reinstall Windows, say, it will not always remove any malicious files that are already there and which are not part of the OS (unless you do a low-level fdisk etc). Malware can write all manner of strange files and files with strange permissions to the disk. If you are running a server that is running critical processes, e.g. e-commerce or customer data, then a format and reinstall is what I would personally recommend. It's a bummer, but at least then you know you started clean. Malware doesn't just infect CFIDE, it will drop DLLs/EXEs etc all over.
Also, never install something like WordPress (PHP) on the same CF server. WordPress is always being patched and it is a common entrance vector for malware. Keeping all such things off-site is very advisable.
I am on ColdFusion 10. I, too, could find no EXEs or DLLs in my CFIDE folder. You seem to have been the victim of the m32.exe and m64.exe exploits discussed here some weeks ago.
The CFIDE folder doesn't contain any exe files. You should quarantine all. I would suggest using http://hackmycf.com/ to scan your server. In case you find any vulnerability, please report it to
Adobe Product Security Incident Response Team (psirt@adobe.com) immediately.
Regards,
Anit Kumar
CFBarbarian wrote:
ColdFusion 9: What exe files are supposed to be in the CFIDE folder?
... Can you help me know which ones I should quarantine by giving me a list of the one that are supposed to be in that folder?
Just a remark for anyone else in a similar situation. The CFIDE folder is exposed to the web, by design. Therefore bells should ring if you see any EXE, DLL or OCX files in it.
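A defender-side version of the check the posters describe, added here as example code that is neither a poster's nor ColdFusion's own: it walks a CFIDE tree, lists every EXE/DLL/OCX file with its creation time and SHA-256, flags the ones created inside the exposure window, and moves a chosen file out of the web root with its executable extension neutralised (the same effect the original poster got by renaming .exe away). The CFIDE path, the exposure window and the quarantine folder are assumptions you supply.

```python
import hashlib
import shutil
from datetime import datetime, timezone
from pathlib import Path

# Binary extensions that have no business in a web-exposed CFIDE tree.
SUSPECT_EXTENSIONS = {".exe", ".dll", ".ocx"}


def sha256_of(path: Path) -> str:
    """Hash the file so each finding can be checked against AV or a vendor feed."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspect_files(cfide_root, window_start=None, window_end=None):
    """Return binaries under CFIDE, flagging those created in the exposure window.

    st_ctime is creation time on Windows (where a CF9 server usually runs) but
    inode-change time on POSIX, so treat the flag as a hint, not as proof.
    """
    findings = []
    for path in Path(cfide_root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        created = datetime.fromtimestamp(path.stat().st_ctime, tz=timezone.utc)
        in_window = (window_start is None or created >= window_start) and \
                    (window_end is None or created <= window_end)
        findings.append({
            "path": str(path),
            "created": created.isoformat(),
            "sha256": sha256_of(path),
            "in_exposure_window": in_window,
        })
    return sorted(findings, key=lambda f: f["path"])


def quarantine(path, quarantine_dir):
    """Move the file out of the web root and strip its executable extension."""
    src = Path(path)
    dest_dir = Path(quarantine_dir)  # assumed to be outside any web root
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / (src.name + ".quarantined")
    shutil.move(str(src), str(dest))
    return dest
```

Run it read-only first (just `find_suspect_files`) and keep the hashes; the list is also what you hand to the AV vendor or to PSIRT when reporting.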