Monday, April 20, 2015

Continuously hacked! HELP!

Hello folks, I am looking for a crowd-sourced security solution.

I have a client that has a VPS at a well known ColdFusion hosting company.

Their setup is IIS 7.0, Windows Server 2008 R2, HackMyCF & CF9.

Capturing a netstat -o during the event shows a connection running conhost.exe

I have FTP turned off.

I appreciate any help & suggestions with this issue.

Code inserted at the top of index.cfm

Code inserted at the bottom of index.cfm

Possible solution!

It appears that a file manager written in CF in a single file was placed on the server.

To the best of my understanding, it is the same as what Charlie Arehart describes here.

Further reading available here
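As an added example, not code from the original post or from the hosting company: a small Python script that baselines the webroot and flags the two symptoms described above, index.cfm being modified and an unexpected single-file .cfm appearing. The webroot is a constructed temporary directory and the file names are assumptions.

```python
"""Webroot integrity diff: flag new or changed CF files between two snapshots.
Constructed example; the temp webroot and file names are assumptions."""
import hashlib
import os
import tempfile

WATCHED_EXTENSIONS = (".cfm", ".cfc", ".cfml")

def build_manifest(webroot):
    """Map each watched file (path relative to webroot) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(WATCHED_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, webroot).replace(os.sep, "/")] = digest
    return manifest

def diff_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each list sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def demo():
    """Replay the incident in a temp webroot: baseline, tamper, then diff."""
    root = tempfile.mkdtemp()
    index = os.path.join(root, "index.cfm")
    with open(index, "w") as fh:
        fh.write("<cfoutput>Welcome</cfoutput>\n")
    baseline = build_manifest(root)
    # Constructed tampering: lines added at the top and bottom of index.cfm,
    # plus an unexpected single-file upload, as described in the post.
    with open(index, "r+") as fh:
        body = fh.read()
        fh.seek(0)
        fh.write("<!--- placeholder: added at top --->\n" + body
                 + "<!--- placeholder: added at bottom --->\n")
    with open(os.path.join(root, "fm.cfm"), "w") as fh:
        fh.write("<!--- placeholder for an unexpected single-file .cfm upload --->\n")
    return diff_manifests(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())  # (['fm.cfm'], ['index.cfm'], [])
```

Run build_manifest once on a known-clean deployment, store the result, and compare on a schedule; a non-empty added or modified list is the trigger to inspect the listed files.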