Hello folks, I am looking for a crowd sourced security solution.
I have a client that has a VPS at a well known ColdFusion hosting company.
Their setup is IIS 7.0, Windows server 2008 R2, HackmyCF & CF9
Capturing a netstat -o during the event shows a connection running conhost.exe
I have FTP turned off.
I appreciate any help & suggestions in this issue.
Code inserted at the top of index.cfm
Code inserted at the bottom of index.cfm
It appears that a file manager written in CF in a single file was placed on the server.
To the best of my understanding it is the same as what Charlie Arehart describes here.
Further reading available here
SEARCH YOUR CODE BASE FOR "TRIPSHELL"