csber3

Reputation: 237

Unwanted code being inserted into pages

Some of our ColdFusion sites are having the words "coupon" inserted into their footer with a link to another site. Is there anything I can do to prevent this? Is there any software I can run to help detect any vulnerabilities? It doesn't seem to be SQL injection as the databases seem fine and nothing unusual is showing up in the logs.

Upvotes: 0

Views: 190

Answers (3)

Scott Jibben

Reputation: 2287

Another option that I would recommend is searching your site(s) for any use of the <cffile> tag that isn't expected. I had a customer that somehow got a single file that was a backdoor to their site. It was particularly dangerous because it could upload files to any location on the server as well as execute any SQL command against any datasource on the server. In other words, this single file opened the door to all of the sites and databases that were running on that server.

This backdoor file (which was named vision.cfm) was often used to update footers with links to coupon and spam sites. vision.cfm was only 210 lines of code.

The entire server had to be sanitized after this was discovered.

Upvotes: 1
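To make the "search your site for unexpected `<cffile>` use" advice from this answer concrete, here is an added example scanner (not code from the answer or from any ColdFusion project). It walks a web root, reports every `<cffile>` tag whose `action` can modify the filesystem (`upload`, `write`, `append`, `copy`, `move`, `rename`, `delete`), treats a dynamic or missing `action` as suspicious, and also catches the CFScript built-ins (`fileWrite()`, `fileUpload()`, `fileDelete()` and friends) that the tag-only search would miss. Files a team knows legitimately write files go on an allowlist so the report only shows surprises. The sample site it builds in a temp directory, the file names, and the allowlist entry are all constructed for the demo.

```python
"""Find write-capable file operations in ColdFusion source (added example)."""
import os
import re
import tempfile

# Opening <cffile ...> tag; group(1) is the attribute text (may span lines).
CFFILE_TAG = re.compile(r"<cffile\b([^>]*)>", re.IGNORECASE)
ACTION_ATTR = re.compile(r"""\baction\s*=\s*["']?(\w+)""", re.IGNORECASE)
# CFScript equivalents of the write-capable tag actions (CF9+ built-ins).
SCRIPT_FUNCS = re.compile(
    r"\b(fileWrite|fileAppend|fileUpload|fileUploadAll|fileCopy|fileMove|fileDelete)\s*\(",
    re.IGNORECASE,
)
WRITE_ACTIONS = {"upload", "uploadall", "write", "append", "copy", "move", "rename", "delete"}


def line_of(text, offset):
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1


def scan_text(text):
    """Return sorted (line_no, description) for suspicious file operations in one source."""
    findings = []
    for m in CFFILE_TAG.finditer(text):
        attr = ACTION_ATTR.search(m.group(1))
        # A missing or dynamic action (e.g. action="#x#") cannot be verified, so flag it.
        action = attr.group(1).lower() if attr else "unknown"
        if action in WRITE_ACTIONS or action == "unknown":
            findings.append((line_of(text, m.start()), "cffile " + action))
    for m in SCRIPT_FUNCS.finditer(text):
        findings.append((line_of(text, m.start()), m.group(1) + "()"))
    return sorted(findings)


def scan_tree(root, allowlist=()):
    """Scan every .cfm/.cfc under root; returns {relative_path: findings}, skipping allowlisted paths."""
    allowed = set(allowlist)
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".cfm", ".cfc")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in allowed:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                report[rel] = hits
    return report


# Constructed sample site used only for this demo.
SAMPLE_SITE = {
    # Ordinary include: no file operations at all.
    "includes/footer.cfm": "<footer>&copy; Example Co</footer>\n",
    # Known upload handler (goes on the allowlist).
    "admin/upload.cfm": '<cffile action="upload" filefield="doc" destination="#uploadDir#" nameconflict="makeunique">\n',
    # Read-only use: not interesting for this check.
    "reports/show.cfm": '<cffile action="read" file="#reportPath#" variable="txt">\n<cfoutput>#txt#</cfoutput>\n',
    # Stray .cfm in an images folder that writes wherever the request says.
    "images/helper.cfm": (
        '<cfsetting showdebugoutput="no">\n'
        '<cffile action="write"\n'
        '        file="#form.target#"\n'
        '        output="#form.body#">\n'
        "<cfscript>fileDelete(form.cleanup);</cfscript>\n"
    ),
}


def build_sample_site():
    root = tempfile.mkdtemp(prefix="cfscan_")
    for rel, body in SAMPLE_SITE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the constructed site with the known uploader allowlisted."""
    return scan_tree(build_sample_site(), allowlist=["admin/upload.cfm"])


if __name__ == "__main__":
    for rel, hits in sorted(demo().items()):
        for line_no, what in hits:
            print(f"{rel}:{line_no}: {what}")
```

Run against a real web root as `scan_tree("/path/to/wwwroot", allowlist=[...])`; anything flagged outside the directories where file handling is expected (an `images/` or `css/` folder, for instance) deserves a look, and a file the team does not recognise at all is the stronger signal than any particular tag.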

TheLifeOfBri_

Reputation: 66

We had something similar happen when one of our servers was hit by the hack Charlie Arehart describes here:

http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat

Have you had these patches?

Upvotes: 1

Mark A Kruger

Reputation: 7193

There are several variations of attacks that produce this sort of result (appending a link to some malicious or nefarious site). For example, this one (Script Injection) uses the latency between a file upload and checking to insert executable code on your server.

Other attack vectors include FTP (which is why you should not use it), or other file transfer protocols. In your case the infected machine may not be the server. It could be a client machine with access to the server - a developer who has set up FTP to the server for example.

Let me know if you need formal help - we have a good track record fixing this sort of thing. If you get more clues post them and I'll try to help. I will warn you that if this is a server infection it is at the root level and is so pervasive your only option is to start with a pristine install and reinstall your code. Bad news I know - sorry :(

Upvotes: 2
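The question asks what can be run to detect this, and this answer notes the files may be changed through FTP from a compromised client rather than through the web application at all. A baseline of file hashes catches either case, because it does not care how the change arrived. The following is an added example (not code from the answer or from any product the answers mention): it snapshots a web root, stores the snapshot as JSON, and later reports files that were added, removed or modified. The demo builds a small constructed site in a temp directory, then simulates the footer being altered and a stray `.cfm` being dropped into an images folder.

```python
"""File-integrity baseline for a web root (added example)."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets don't load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map of relative path -> sha256 for every file under root."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = hash_file(full)
    return result


def save_baseline(snap, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_snapshots(baseline, current):
    """Classify every change between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def write(root, rel, body, mode="w"):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode, encoding="utf-8") as fh:
        fh.write(body)


def demo():
    """Constructed scenario: take a baseline, tamper with the site, compare."""
    root = tempfile.mkdtemp(prefix="cfbase_")
    write(root, "index.cfm", "<cfinclude template=\"includes/footer.cfm\">\n")
    write(root, "includes/footer.cfm", "<footer>&copy; Example Co</footer>\n")
    write(root, "images/logo.png", "not really a png\n")

    baseline_path = os.path.join(tempfile.mkdtemp(prefix="cfbase_meta_"), "baseline.json")
    save_baseline(snapshot(root), baseline_path)  # keep this OUTSIDE the web root

    # Simulated tampering (constructed): an extra line in the footer and a new file.
    write(root, "includes/footer.cfm", "<!-- constructed: injected line -->\n", mode="a")
    write(root, "images/helper.cfm", "<!-- constructed: unexpected file -->\n")

    return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Take the baseline right after a known-good deployment, store it somewhere the web server's account cannot write (otherwise whoever can alter the footer can alter the baseline too), and re-run the comparison on a schedule; after a legitimate deploy, regenerate it. A clean comparison tells you the files are unchanged, not that the server is clean, which is consistent with the advice above that a root-level compromise still calls for a rebuild.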
