Thread: Win 2008 - CF9

  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2009
    Rep Power

    Win 2008 - CF9

    So as i was opening my presents with my family Christmas morning when my web server emailed me to let me know that a file had been created in my /CFIDE/ folder. This file was h.cfm and it was a nifty little tool used to scan files - copy files - dump SQL passwords - run commands - upload files ect....

    My setup is CF9.0.1 on win server 2008 with mySQL5.5 . The servers only purpose is to host a few websites for my company. I poured over my IIS logs and could not find any trace of a connection to the webserver while this was happening. I then started looking at the http.log file in coldfusion server and found that it contained 2 entries at the time of the attack. Both looked like this... note i've removed the IP of the server. This file is the file that was uploaded to my server.

    25-Dec-2012    6:54 AM    Information    jrpp-6969       
    Starting HTTP request {URL='http://IPAddress:80/CFIDE/h9.txt', method='get'}
    My question is how did my server make a call to this server to download this file? I don't see how this was initiated? Is there a known vulnerability that i've overlooked?

    Since then i've taken the proper measures to beef up the servers security. Changing all the account passwords and locking down my CFIDE folder. I've also setup a seperate site for the CFAdmin website.
    Last edited by dsfx; December 28th, 2012 at 09:17 AM.

IMN logo majestic logo threadwatch logo seochat tools logo