9 Replies Latest reply on Jun 24, 2013 7:35 AM by RiccardoArea

    C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\

    Area srl

      In these days I am receiving an intrusion through this directory. My antivirus says that a virus is present in this dir and removes it.

      I try to lock and disable CFIDE from external IPs and domains.

      How can I lock this type of attack?

      All patches are applied up to 8/03 on CF 9.0.1.

      Thanks a lot.

        • 1. Re: C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
          Anit_Kumar Adobe Employee

          Hi,

          The file residing at C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\ is not a virus. The name is alphanumeric and it is a temp file.

          To Block /CFIDE requests

          Even if you do not have a virtual directory specified for /CFIDE on your IIS sites, the ColdFusion IIS connector will still pass through requests for /CFIDE/administrator/index.cfm. Therefore, you must explicitly block /CFIDE requests.

          IIS 7 has powerful request filtering capabilities that can enhance the security of your web server. Make sure that the Request Filtering feature is installed. Create a global Request Filtering rule for all sites on the server by editing the applicationHost.config file, which is located in the c:\windows\system32\inetsrv\config directory by default. Before editing the file, make a backup of this file. (Adobe ColdFusion 9 Server Lockdown Guide, page 10)

          This file is an XML configuration file, so all changes must result in a valid XML document. Locate the <requestFiltering> tag, which is located in the <configuration> <system.webServer> <security> <requestFiltering> hierarchy.

           

          Add a child tag to <requestFiltering> named <denyUrlSequences> with the following information:

          <denyUrlSequences>
            <add sequence="/CFIDE/administrator" />
            <add sequence="/CFIDE/adminapi" />
            <add sequence="/CFIDE/AIR" />
            <add sequence="/CFIDE/appdeployment" />
            <add sequence="/CFIDE/componentutils" />
            <add sequence="/CFIDE/debug" />
            <add sequence="/CFIDE/orm" />
            <add sequence="/CFIDE/portlets" />
            <add sequence="/CFIDE/probe.cfm" />
            <add sequence="/CFIDE/scripts" />
            <add sequence="/CFIDE/services" />
            <add sequence="/CFIDE/wizards" />
          </denyUrlSequences>

          If there is already a <denyUrlSequences> tag, append the <add sequence> tags to the existing tag.

           

          Next, you must allow access to the /CFIDE/administrator URI in the cfadmin website. Create a file called web.config in the web root with the following content:

          <configuration>
            <system.webServer>
              <security>
                <requestFiltering>
                  <denyUrlSequences>
                    <remove sequence="/CFIDE/administrator" />
                  </denyUrlSequences>
                </requestFiltering>
              </security>
            </system.webServer>
          </configuration>

          The above configuration overrides the global request filtering and removes the deny rule for the URI /CFIDE/administrator.

          Regards,

          Anit Kumar

          • 2. Re: C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
            plarts Level 1

            Thanks for this discussion,
            I have worked for 3 weeks on this question.
            Every 2 or 3 days I have 2 TMP files found as VIRUS in that directory.

            This makes me very afraid.

            I thought it came from an unsecure UPLOAD?
            Can you confirm these files are not VIRUS?

            I do not understand your recommendations above with requestFiltering, CFIDE etc.
            I am not knowledgeable enough to understand this.

            If I leave the configuration as it is, with these files coming regularly,
            IS THIS SAFE???

            A big thanks for your answer or recommendation.
            Pierre.

            • 3. Re: C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
              RiccardoArea

              Hello Anit,

              thanks for your response.

              I did all the things you advised:

              - Block /CFIDE/ requests

              - Block access to the CF administrator from external IPs

              - use different users for the IIS and ColdFusion services

              - updated ColdFusion with the latest hotfix

              For 2 months we have not received any more attacks of this kind, but this morning someone managed to retry the upload.

              Do you have any other advice for us?

              You're right that the tmp files are not dangerous, but the fact that someone might write files on the server is one thing that does not make me feel comfortable.

              Thanks, R

              • 4. Re: C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
                Anit_Kumar Adobe Employee

                Hello RiccardoArea,

                If you think your server is compromised, then please send all the details to the Adobe Product Security Incident Response Team at psirt@adobe.com.

                Regards,

                Anit Kumar

                • 5. Re: C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
                  plarts Level 1

                  My file applicationHost.config does not have the tags:

                  <security> <requestFiltering>

                  Why, should I have to create them before inserting the <denyUrlSequences>?

                  Thanks for your answer.

                  I still have files detected by the antivirus in:

                  C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\

                  • 6. Re: C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
                    Anit_Kumar Adobe Employee

                    Hello Plarts,

                    plarts wrote:

                    My file applicationHost.config does not have the tags:

                    <security> <requestFiltering>

                    Yes, you need to create them before inserting the <denyUrlSequences>.

                    plarts wrote:

                    I still have files detected by the antivirus in:

                    C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\

                    You can ignore the files at C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\.

                    They are not viruses, but are temp files. It's just that the antivirus is not able to diagnose the same.

                    Regards,

                    Anit Kumar
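The two configuration points above, the denyUrlSequences list in reply 1 and the missing <security>/<requestFiltering> parents discussed in replies 5 and 6, as one added example: a Python audit script written for this thread, not Adobe or IIS code. The function names and the one-line SAMPLE_CONFIG are my own constructions.

```python
"""Audit an IIS applicationHost.config for the /CFIDE denyUrlSequences
listed above, creating the missing <security>/<requestFiltering> parents.
Hypothetical helper written for this thread; not Adobe or IIS code."""
import xml.etree.ElementTree as ET

# The twelve sequences from Anit's reply (CF9 Lockdown Guide).
RECOMMENDED_SEQUENCES = [
    "/CFIDE/administrator", "/CFIDE/adminapi", "/CFIDE/AIR",
    "/CFIDE/appdeployment", "/CFIDE/componentutils", "/CFIDE/debug",
    "/CFIDE/orm", "/CFIDE/portlets", "/CFIDE/probe.cfm",
    "/CFIDE/scripts", "/CFIDE/services", "/CFIDE/wizards",
]
HIERARCHY = ["system.webServer", "security", "requestFiltering",
             "denyUrlSequences"]  # tag path below <configuration>

def _child(node, name):
    # Direct child by tag; avoids XPath because 'system.webServer' has a dot.
    return next((c for c in node if c.tag == name), None)

def _deny_node(root, create):
    # Walk HIERARCHY, creating absent levels only when create=True.
    node = root
    for name in HIERARCHY:
        child = _child(node, name)
        if child is None:
            if not create:
                return None
            child = ET.SubElement(node, name)
        node = child
    return node

def missing_sequences(config_xml):
    """Recommended sequences absent from <denyUrlSequences>.
    IIS matches URL sequences case-insensitively, so compare lower-cased."""
    deny = _deny_node(ET.fromstring(config_xml), create=False)
    adds = [] if deny is None else deny.findall("add")
    present = {a.get("sequence", "").lower() for a in adds}
    return [s for s in RECOMMENDED_SEQUENCES if s.lower() not in present]

def add_missing(config_xml):
    """Return config_xml with each missing sequence appended as <add/>."""
    root = ET.fromstring(config_xml)
    deny = _deny_node(root, create=True)
    for seq in missing_sequences(config_xml):
        ET.SubElement(deny, "add", sequence=seq)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: no <security> element at all, as plarts described.
SAMPLE_CONFIG = "<configuration><system.webServer><handlers /></system.webServer></configuration>"
```

ElementTree drops the XML declaration and comments when it serializes, so review the output as a diff against your backup rather than overwriting applicationHost.config with it.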

                    • 7. Re: C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
                      plarts Level 1

                      Thanks a lot for this information.

                      I used 2 different antiviruses at different times: MSE and ESET.

                      The 2 detected these TEMP files as a virus.

                      So, now I forget about this and consider this as normal behaviour.

                      Thanks, Pierre.

                      • 8. Re: C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
                        charlie@carehart.org Adobe Community Professional & MVP

                        Hey folks, Pierre (@plarts) pointed me to this forum in talking with me about another problem of his. I shared this observation with him and want to share it here for readers of this thread.

                         

                        As for the temp files referred to here, I’m a bit surprised that no one has yet pointed out that those come from HTTP uploads to a CF page (and have nothing to do with the CFIDE directory or Admin lockdown).

                         

                        Any file upload to a CF page will be posted to that temp directory within CF. Of course, most CFM pages receiving an upload would then move it to a destination directory, using the CFFILE Action="upload" and its DESTINATION attribute.

                         

                        But while most people think it’s the CFFILE that “does the upload”, that’s just not the case. For more, see a blog entry I did on this very topic several years ago, which still holds true:

                         

                        CFMythbusters: For a file to be uploaded to a CFM page, it needs a CFFILE Upload tag, right? Wrong!

                        http://www.carehart.org/blog/client/index.cfm/2006/5/7/cfform_not_doing_upload

                         

                        And I point out there also how such files should be removed at the end of each request. My understanding is that the only way they would remain would be if the request failed.

                         

                        As for them being identified here as containing viruses, I suppose it's possible that a scanner may identify them as such by their pure file content, but as Anit seems to be pointing out, since these are just .tmp files, it would seem that nothing could really "execute" them (even if something somehow had execute privileges on the directory).

                         

                        But if it concerns one that they are there, then just delete them. But you can't really stop them getting put there, since again any post of a file upload to any CFM will cause them to appear there. Again, though, they should disappear at the end of the request. 

                         

                        Separate from the concern about viruses (if there really should be one), I'll note that I also mention in the blog entry that this fact that any CFM page can "receive" an upload could technically be "abused" by someone, pushing files to the server.

                         

                        But it's also not "entirely open", as there are some mechanisms in place (in the CF Admin) to throttle such file uploads somewhat. See the blog entry for more.

                         

                        Finally, we should note that CF10 has added still more to help with this issue: CFFILE ACTION="upload" has a new STRICT attribute that causes CF to not only check the mime type (if listed in the ACCEPT attribute) but also make sure that the file content itself matches that type. There is also a new filegetmimetype that can be used against a file or directory of files to confirm if their contents meet their mime type.

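As an added example (my own, not ColdFusion's code or Charlie's), the check a practitioner would want after the explanation above: a script that flags temp files still sitting in wwwroot-tmp long after any request could have finished, and sniffs their leading bytes the way the CF10 STRICT attribute compares content with the claimed type. The MAGIC table, function names and demo file are constructed.

```python
"""List upload temp files in ColdFusion's wwwroot-tmp that outlived the
request that created them, with a content sniff of their first bytes.
Hypothetical helper written for this thread; not ColdFusion code."""
import os
import time
MAGIC = [  # small constructed magic-number table; extend as needed
    (b"MZ", "Windows executable (PE)"),
    (b"PK\x03\x04", "ZIP archive (also .jar/.docx)"),
    (b"%PDF", "PDF document"),
    (b"\x89PNG", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"GIF8", "GIF image"),
]

def sniff_type(head):
    # Judge content by leading bytes, not by name or the MIME type the
    # client claimed (the idea behind the CF10 STRICT check Charlie cites).
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    if head.lstrip().lower().startswith((b"<cf", b"<%", b"<?php", b"<script")):
        return "script-like text"
    return "unknown"

def stale_temp_files(directory, max_age_seconds=300, now=None):
    """Sorted [(name, age_seconds, sniffed_type)] for regular files older
    than max_age_seconds. CF deletes the temp file when the request ends,
    so anything this old came from a failed or abandoned request."""
    now = time.time() if now is None else now
    stale = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        age = now - entry.stat().st_mtime
        if age < max_age_seconds:
            continue
        with open(entry.path, "rb") as fh:
            head = fh.read(16)
        stale.append((entry.name, int(age), sniff_type(head)))
    return sorted(stale)

if __name__ == "__main__":
    import tempfile
    demo = tempfile.mkdtemp()  # constructed stand-in for wwwroot-tmp
    path = os.path.join(demo, "example1234.tmp")
    with open(path, "wb") as fh:
        fh.write(b"MZ\x90\x00")
    os.utime(path, (0, 0))  # backdate so it counts as stale
    print(stale_temp_files(demo))
```

Point it at the real directory from the thread title from a scheduled task; a stale file whose sniffed type is an executable or script-like text deserves a closer look before it is simply deleted.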
                        • 9. Re: C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
                          RiccardoArea Level 1

                          Hello Charlie, thank you very much for this post, it was very helpful to understand how these files end up on our web server.