It appears our CF9.02 ide has been "hacked". I have located a file that only exists on one of our servers, date-stamped with the date of the issues we are having. It is located in ../CFIDE/debug/includes, file name cf_debug_main.cfm. Anyone else experience this? Or any clues as to how this would have been placed here? Our firewall has all but ports 80 and 443 locked down to this server from any IP address other than our office.
There should be a file in that directory named cf_debug_main.js -- what are the contents of the .cfm file? Was the server patched with the latest security hotfixes? There is an exploit that could cause files to be uploaded under /CFIDE if it is not locked down properly; it was patched by Adobe just under a year ago.
Yes, that .js file is there. This is a file that only exists on this server, date-stamped yesterday (we have 4 other servers all running the same version of CF), when the issues started. AFAIK I have the latest patches on the server; I installed 9.02. In the HTTP server logs there are calls specifically to that file -- it is encrypted so I can't view its contents.
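The two posts above describe the triage a practitioner would do by hand: compare the /CFIDE/debug/includes listing against a known-good server (only cf_debug_main.js is expected there), and pull every request for the unexpected file out of the web server log, paying attention to client IPs outside the office range the firewall trusts. The script below is an added example written for this thread, not code from the original posts or from Adobe. The baseline file set, the directory listing, the access log lines and the office network are all constructed: in practice the baseline comes from a listing of one of the four clean servers, and the log is the real HTTP server access log in combined format.

```python
"""Triage helper for an unexpected file under /CFIDE (added example, not from the thread)."""
import ipaddress
import re
from datetime import datetime, timezone

# Assumed baseline: file names a clean server has in /CFIDE/debug/includes.
# Only cf_debug_main.js is named in the thread; build the real set from a
# listing of one of the known-good servers.
BASELINE_FILES = {"cf_debug_main.js"}

# Constructed directory listing for the suspect server: name -> last-modified (UTC).
SUSPECT_LISTING = {
    "cf_debug_main.js": datetime(2012, 5, 10, 9, 0, tzinfo=timezone.utc),
    "cf_debug_main.cfm": datetime(2013, 11, 13, 2, 17, tzinfo=timezone.utc),
}

# Constructed access log lines (Apache combined format); the IPs are documentation ranges.
ACCESS_LOG = """\
198.51.100.7 - - [13/Nov/2013:08:01:12 -0500] "GET /index.cfm HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.45 - - [13/Nov/2013:02:17:41 -0500] "GET /CFIDE/debug/includes/cf_debug_main.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [13/Nov/2013:02:18:03 -0500] "POST /CFIDE/debug/includes/cf_debug_main.cfm HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Nov/2013:09:30:00 -0500] "GET /CFIDE/debug/includes/cf_debug_main.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumed office network: the only source the firewall trusts beyond ports 80/443.
OFFICE_NETWORK = ipaddress.ip_network("198.51.100.0/24")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def unexpected_files(listing, baseline, since):
    """Files that are not in the baseline or were modified on/after `since`.
    Either condition is enough: a planted file is new, a replaced one is recent."""
    hits = []
    for name, mtime in sorted(listing.items()):
        if name not in baseline or mtime >= since:
            hits.append((name, mtime))
    return hits


def parse_log_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def requests_to(log_text, path_prefix):
    """All requests whose URL path starts with `path_prefix` (query string ignored)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["path"].split("?", 1)[0].startswith(path_prefix):
            out.append(rec)
    return out


def outside_office(records, office_net):
    """Requests from client IPs that are not in the trusted office range."""
    return [r for r in records if ipaddress.ip_address(r["ip"]) not in office_net]


def triage(listing=SUSPECT_LISTING, log_text=ACCESS_LOG,
           since=datetime(2013, 11, 13, tzinfo=timezone.utc)):
    """Flag unexpected files, then summarise who requested them and when."""
    suspicious = [name for name, _ in unexpected_files(listing, BASELINE_FILES, since)]
    reqs = []
    for name in suspicious:
        reqs.extend(requests_to(log_text, "/CFIDE/debug/includes/" + name))
    external = outside_office(reqs, OFFICE_NETWORK)
    return {
        "files": suspicious,
        "requests": len(reqs),
        "external_ips": sorted({r["ip"] for r in external}),
        "first_seen": min((r["ts"] for r in reqs), default=None),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The first request to the planted file from an address outside the office range is the most useful artifact to keep: it gives the earliest time the file was reachable, which bounds when it was written, and the source address to look for elsewhere in the logs (including any earlier POSTs that may have been the upload itself).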
Oh geez, I see now lots of security patches to 9.02 here:
http://helpx.adobe.com/security.html#coldfusion
...so question -- are these "cumulative" or would I need to apply oldest to newest?
Javier, they are mostly cumulative; the patch http://www.adobe.com/support/security/bulletins/apsb13-19.html contained a JRun fix, so you need to install that one along with the latest patch, https://www.adobe.com/support/security/bulletins/apsb13-27.html for 9.0.2, and you should be all up to speed.
FYI my company has a service called HackMyCF that helps you monitor your CF security hotfixes and notifies you when new ones come out.
Awesome! ...got them installed on all our servers, I'll check out your service ....know anyone that would be able to decrypt that one .cfm file? I'm very curious as to what it was doing.
A moderator might delete this post, but there is a decryption utility floating around the Internet. I used it several years back and it worked like a charm. Nowadays, not many legitimate applications and vendors use CFEncrypt because it is so easy to decrypt -- I think only hackers use it now. Hope this helps.
Moderator please delete this thread.