More on ColdFusion hacks

Source: http://isc.sans.org/diary.html?storyid=6730

Thanks to our reader Adam we received some additional information regarding recent ColdFusion hacks.
As I wrote in the previous diary (http://isc.sans.org/diary.html?storyid=6715), the attackers are exploiting vulnerable FCKEditor installations, which come enabled by default with ColdFusion 8.0.1 as well as some other ColdFusion packages.

The first thing the attackers do is upload a ColdFusion web shell – a script very similar to the ASP.NET and PHP web shells we have been writing so much about. The web shell I analyzed is very powerful and seems to be recent – according to the date in the script it was released on the 23rd of June by a Chinese hacker “Seraph”.

The script has a simple authentication mechanism – it verifies what the URL parameter “action” is set to, as can be seen in the screenshot below:

[screenshot: seraph]

If the parameter “action” is set to “seraph”, the user gets the web shell's interface; otherwise the script just prints back “seraph”. In other words, the URL the attacker accesses after uploading the script will look something like this: http://www.hacked.site/uploaded_file.cfm?action=seraph

A nice thing (for us doing forensics, at least) is that you can now grep through your logs for “action=seraph” to see if you have been hacked with the same script. Keep in mind that this is not a definite test, of course, since the action variable’s name can be easily modified.
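Grepping for the literal string is the quick check; the scanner below, an added example that is not part of the ISC diary or of the web shell itself, does the same thing a little more carefully. It parses Apache/nginx "combined" access-log lines, percent-decodes the query string so that an encoded variant such as action=s%65raph (which ColdFusion decodes to the same value) is still caught, and, going beyond the diary's single signature, also flags any ColdFusion script executed from a file-upload directory, which catches a renamed shell or a different "action" value. The log lines, the client addresses and the UPLOAD_DIRS list are constructed for this example; FCKEditor's upload folder is assumed to be /userfiles/, so adjust the list to the paths your installation actually uses.

```python
"""Scan web-server access logs for the 'seraph' ColdFusion web shell (example code)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" log format: client, identd, user, [timestamp], "request line", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# The authentication check described in the diary: ?action=seraph
SHELL_PARAM = ("action", "seraph")

# Directories an upload connector writes into. ASSUMPTION for this example:
# FCKEditor's default is /userfiles/; list whatever your site really uses.
UPLOAD_DIRS = ("/userfiles/",)
CF_EXTENSIONS = (".cfm", ".cfc", ".cfml")

# Constructed sample log (documentation IP ranges, fictitious paths).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2009:03:12:01 +0000] "GET /userfiles/file/uploaded_file.cfm?action=seraph HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Jun/2009:03:12:09 +0000] "GET /userfiles/file/uploaded_file.cfm?action=s%65raph&cmd=dir HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
198.51.100.4 - - [24/Jun/2009:03:15:44 +0000] "GET /index.cfm?action=login HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Jun/2009:03:16:02 +0000] "POST /userfiles/file/x.cfm HTTP/1.1" 200 311 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes names and values, so "s%65raph" becomes "seraph".
    query = {k.lower(): [v.lower() for v in vs]
             for k, vs in parse_qs(parts.query).items()}
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": unquote_plus(parts.path),
        "query": query,
        "status": int(m.group("status")),
    }


def classify(rec):
    """List the reasons a parsed request looks like web-shell activity (empty if none)."""
    reasons = []
    if rec is None:
        return reasons
    name, value = SHELL_PARAM
    if value in rec["query"].get(name, []):
        reasons.append("shell signature: action=seraph")
    path = rec["path"].lower()
    if path.endswith(CF_EXTENSIONS) and any(path.startswith(d) for d in UPLOAD_DIRS):
        reasons.append("ColdFusion script executed from an upload directory")
    return reasons


def scan(lines):
    """Run every line through the parser and return the records that were flagged."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["ip"], hit["method"], hit["path"], "->", "; ".join(hit["reasons"]))
```

Of the four constructed lines, the first two are flagged for the seraph signature (the second only because the query string is decoded first), the fourth is flagged purely for being a .cfm under the upload directory, and the legitimate /index.cfm?action=login is left alone. The path-based rule is the more durable of the two, since the "action" name and value can be changed in seconds; a clean installation should never serve a ColdFusion script from a directory that an upload connector writes to.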

Test build download: cfm.txt


  • ROOTEYE

    Thanks, I happen to have a ColdFusion server; I never had a CFM backdoor before, so this solves the problem :)

    Who is this Seraph?
