Monday, April 20, 2015

Continuously hacked! HELP!

Hello folks, I am looking for a crowd sourced security solution.

I have a client that has a VPS at a well known ColdFusion hosting company.

Their setup is IIS 7.0, Windows server 2008 R2, HackmyCF & CF9

Capturing a netstat -o during the event shows a connection running conhost.exe

I have FTP turned off.

I appreciate any help & suggestions in this issue.

Code inserted at the top of index.cfm

Code inserted at the bottom of index.cfm

Possible solution!

It appears that a file manager written in CF in a single file was placed on the server.

To the best of my understanding it is the same as what Charlie Arehart describes here.

Further reading available here

SEARCH YOUR CODE BASE FOR "TRIPSHELL"

3 comments:

Anonymous said...

Is you CF secure? with CF9 most of these kind of attacks are due to the exploit in the CF admin and they have managed to put down a file that can control most aspects of your server, as well as editing these pages.

You will need to make sure no access is remotely available to the CFIDE stuff.

Unfortunately, rule of thumb is, you have been compromised. Format and start again. Even sorting this problem out wont fix things as they could have left files anywhere to access your system.

Timothy Leach said...

Something like this could be good to get a baseline of what may be lacking in your security:
https://foundeo.com/hack-my-cf/

Rich said...

Hi Timothy, I am running hack my cf already.