December 28th, 2012, 09:06 AM
|
|
|
|
Win 2008 - CF9
So as i was opening my presents with my family Christmas morning when my web server emailed me to let me know that a file had been created in my /CFIDE/ folder. This file was h.cfm and it was a nifty little tool used to scan files - copy files - dump SQL passwords - run commands - upload files ect....
My setup is CF9.0.1 on win server 2008 with mySQL5.5 . The servers only purpose is to host a few websites for my company. I poured over my IIS logs and could not find any trace of a connection to the webserver while this was happening. I then started looking at the http.log file in coldfusion server and found that it contained 2 entries at the time of the attack. Both looked like this... note i've removed the IP of the server. This file is the file that was uploaded to my server.
Code:
25-Dec-2012 6:54 AM Information jrpp-6969
Starting HTTP request {URL='http://IPAddress:80/CFIDE/h9.txt', method='get'}
My question is how did my server make a call to this server to download this file? I don't see how this was initiated? Is there a known vulnerability that i've overlooked?
Since then i've taken the proper measures to beef up the servers security. Changing all the account passwords and locking down my CFIDE folder. I've also setup a seperate site for the CFAdmin website.
Last edited by dsfx : December 28th, 2012 at 09:17 AM.
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
Linear Mode
