
My site has just been hacked and I suspect that it was a remote file inclusion attack. These are my server specs: Windows Server 2008 R2 running ColdFusion 9 (9.0.1.274733) and IIS 7.5

This is the source code of the page that appeared after my site was hacked:

```html
<!-- # sql_master : securiiity@gmail.com #--> 
<html> 
<head> 
<title>0wned !</title> 
<Meta http-equiv="content-type" content="text/html; charset=windows-1254"> 
<Meta http-equiv="content-type" content="text/html; charset=ISO-8859-9"> 
</head>
<body bgcolor="black"> 
<center>
 <font color="#ffffff" size="3" face="Tahoma">0wned By <br>SQL_Master , Z0mbi3_Ma , xMjahd !</font>
 <br><br> 
 <img src="http://fc08.deviantart.net/fs71/f/2010/255/e/7/never_look_back_by_arbebuk-d2yiadv.jpg" width="600" height="500"/> 
 <br><br> </div> </td>
  <font color="#ffffff" size="3" face="Tahoma"><a class="__cf_email__" href="http://www.cloudflare.com/email-protection" data-cfemail="d389e3beb1bae08c9eb293bbbca7beb2babffdb0bcbe">
    [email&nbsp;protected]</a>
    <script type="text/javascript"> /* <![CDATA[ */ (function(){try{var s,a,i,j,r,c,l,b=document.getElementsByTagName("script");l=b[b.length-1].previousSibling;a=l.getAttribute('data-cfemail');if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})(); /* ]]> */ </script>
  </font><br><br> <font color="#ffffff" size="3" face="Tahoma">FROM MOROCCO</font> </tr> 
</table> 
</body> </html>
```

My site and server are periodically scanned by Symantec and it only picked out the IP of the person who hacked my site.

After the site was hacked, I went and cleared the ColdFusion Verity search and in IIS, I made .cfm the default file type to give preference to and the site was back on line.

However, I did a whole site search but was unable to find the above code anywhere.

Can someone please explain to me how these types of attacks are made and how I can clean my site and server and prevent this from happening again in the future.

Thank you.

    This isn't a programming question, so it's probably better asked over at [SF] where there are more server admin experts - after doing suitable searches to ensure it hasn't already been asked. However, you should also checkout the details of this recent [Security Advisory](https://www.adobe.com/support/security/advisories/apsa13-01.html) which may well have been the culprit. – Peter Boughton Feb 13 '13 at 22:38
  • I have seen this type of thing happen via FTP. Check your FTP logs to see if there have been a large number of access attempts. Usually indicates someone is trying to use brute force user/password combinations and gain access. You should also look for any recently modified files on the site to see if they have had any extra code inserted into them. In my experience it's usually a string of obfuscated JavaScript appended to the end of a file. If you find FTP weirdness, change your password and lock down FTP to only allow from your IP address. – imthepitts Feb 13 '13 at 22:57
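As an added example (not code from the question or the comments above): the FTP-log check imthepitts describes, run over a constructed sample in the W3C format IIS 7.5 FTP writes; the IPs, usernames and paths are made up. It counts PASS commands the server rejected per client IP and lists successful STOR uploads, which is where a dropped or overwritten defacement file would show up.

```python
from collections import Counter

# Constructed sample, not a real log from the site above. IIS 7.5 FTP writes a
# "#Fields:" header naming the columns; the parser uses it instead of fixed offsets.
SAMPLE_FTP_LOG = """\
#Date: 2013-02-13 21:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status sc-substatus x-session x-fullpath
2013-02-13 21:00:01 203.0.113.7 - USER admin 331 0 0 1 -
2013-02-13 21:00:01 203.0.113.7 - PASS *** 530 1326 1 1 -
2013-02-13 21:00:02 203.0.113.7 - USER administrator 331 0 0 2 -
2013-02-13 21:00:02 203.0.113.7 - PASS *** 530 1326 1 2 -
2013-02-13 21:00:03 203.0.113.7 - USER ftpuser 331 0 0 3 -
2013-02-13 21:00:03 203.0.113.7 - PASS *** 530 1326 1 3 -
2013-02-13 21:05:10 198.51.100.4 - USER webmaster 331 0 0 4 -
2013-02-13 21:05:11 198.51.100.4 webmaster PASS *** 230 0 0 4 /
2013-02-13 21:05:30 198.51.100.4 webmaster STOR index.cfm 226 0 0 4 /wwwroot/index.cfm
"""

def parse_w3c(text):
    """Yield one dict per record, named by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))

def failed_logins_by_ip(text):
    """Count PASS commands the server rejected (sc-status 530) per client IP."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-method") == "PASS" and rec.get("sc-status") == "530":
            counts[rec["c-ip"]] += 1
    return counts

def brute_force_suspects(text, threshold=3):
    """IPs whose failed-login count reaches the threshold; tune it to your normal traffic."""
    return sorted(ip for ip, n in failed_logins_by_ip(text).items() if n >= threshold)

def uploads(text):
    """(ip, user, path) for every successful STOR, i.e. every file written over FTP."""
    return [(r["c-ip"], r["cs-username"], r["x-fullpath"])
            for r in parse_w3c(text)
            if r.get("cs-method") == "STOR" and r.get("sc-status", "").startswith("2")]
```

Point it at the files under the FTP site's log directory (`%SystemDrive%\inetpub\logs\LogFiles\FTPSVC*` by default on IIS 7.5) and compare the upload paths against the files you find with a recent modification time.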
