Serious Exploit found in ContentBox / ColdFusion last few weeks

I am not sure how this happened, and I am waiting for the logs and the host to confirm this, but today I found a file had been modified to point to the domain caprichosdecasa.net and some php file that is on that site. This is something that has just happened in the last few weeks, so I am not sure if this is a ColdFusion exploit or a ContentBox exploit.

So a heads up to anyone running ContentBox and / or ColdFusion. I am posting here because, even though I would like to think that this is not a ContentBox problem, I could use all your help in looking and in asking the hosting provider what to look for in the logs.

I am also wondering if it is no coincidence that I have been having problems with some mail from time to time as well.

Hi Andrew, I ran into a problem like this last year on a Hosting.com server. What happened was the server was exploited not through ColdFusion but through a .NET flaw on another domain, and it propagated down to other domains.

Thanks,

George Murphy

Thanks George, the host is going through all the logs to see how the files got on the server, but the best thing was that rewrite rules and ContentBox/ColdBox routes stopped them from being able to run the files.

But now that the host has undeleted the file I can now share it here.

This was added to the 404.html in the /includes/templates folder:

And a test folder with a 0 size application.cfc and cffile.cfm had been uploaded to the server; it appears that they did not spoof their IP. But when they tried to run the cffile it was redirected due to some logic I put in for page not found, so they must have given up. I will let the hosts know about the .NET exploit just in case.

I forgot to mention, there seems to be a connection between this and the other mail problems I was having, as the same IP was used to try and access certain ColdBox components.

But again they had no luck running these, so they obviously know ColdBox.
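As an added example, not code from the thread, ContentBox or ColdBox: a defender-side scan for the three artifacts described above (a zero-byte application.cfc dropped in a sub-folder, stray .cfm/.cfc files outside the framework directories, and a template file now pointing at a remote .php). The directory names passed in (`coldbox`, `includes/templates`) and the sample tree it builds are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the thread: a zero-byte Application.cfc in a sub-folder (it
# shadows the site's real Application.cfc for CFML in that folder), stray CFML
# outside the directories that legitimately hold it, and a template that now
# references a remote .php file.
APP_FILES = {"application.cfc", "application.cfm"}
CFML_EXT = {".cfm", ".cfc", ".cfml"}
REMOTE_PHP = re.compile(r"https?://[^\s\"'<>]+\.php\b", re.IGNORECASE)

def _under(path, dirs):
    return path.parent in dirs or any(d in path.parent.parents for d in dirs)

def scan_webroot(webroot, allowed_cfml_dirs=(), template_dirs=()):
    """Return sorted (kind, detail) findings. allowed_cfml_dirs / template_dirs
    are relative to webroot and are assumptions for this example, not ContentBox
    configuration; CFML directly in the webroot is always accepted."""
    root = Path(webroot).resolve()
    allowed = {(root / d).resolve() for d in allowed_cfml_dirs}
    templates = {(root / d).resolve() for d in template_dirs}
    findings = []
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        name, ext = path.name.lower(), path.suffix.lower()
        if name in APP_FILES and path.parent != root and path.stat().st_size == 0:
            findings.append(("empty-application-file", rel))
        if ext in CFML_EXT and path.parent != root and not _under(path, allowed):
            findings.append(("cfml-outside-allowed-dirs", rel))
        if ext in {".html", ".htm"} and _under(path, templates):
            for url in REMOTE_PHP.findall(path.read_text(errors="replace")):
                findings.append(("template-references-remote-php", f"{rel} -> {url}"))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample tree mirroring the thread's artifacts (not real data)."""
    root = Path(tempfile.mkdtemp())
    files = {
        "Application.cfc": "component {}",             # legitimate, at the root
        "coldbox/system/Handler.cfc": "component {}",  # framework code, expected
        "includes/templates/404.html": '<img src="http://example.invalid/x.php">',
        "test/application.cfc": "",                    # zero-byte shadow file
        "test/cffile.cfm": "<cfoutput>#now()#</cfoutput>",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root
```

Run `scan_webroot(build_sample_webroot(), ["coldbox"], ["includes/templates"])` to see the findings; on a real site, point it at the webroot and list every directory that is supposed to contain CFML.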

Keep us posted Andrew.

Luis Majano
CEO
Ortus Solutions, Corp
www.ortussolutions.com

ColdBox Platform: http://www.coldbox.org
Linked In: http://www.linkedin.com/pub/3/731/483
Social: twitter.com/ortussolutions | twitter.com/coldbox | twitter.com/lmajano

Will do Luis…

Andrew,

Does what happened to you resemble the security exploit detailed in this blog post:

http://www.carehart.org/blog/client/index.cfm/2013/1/2/serious_security_threat

This was uncovered recently. We had servers hit by it. Fortunately, Adobe released a hotfix a couple weeks ago.

Regards,
Michael

Nope, the server is up to date as far as ColdFusion is concerned; I asked that question myself.

OK. Just thought I would point it out since it was a recent discovery and the hotfix was only released on Jan 15, 2013.

It also sounded similar since, in the exploit the link describes, it contacts another domain and CF code is sent back and written to a local file that is then used to further exploit.

Be curious as to what you find.

Michael

Yeah thanks, I keep abreast of all updates and patch my systems when they are released. I then run some code to make sure that the patches have also been applied to the production server. Just in this case I hadn't rewritten that code for ContentBox, so I have to go on the word of the hosting provider on this occasion.

Hostek have been extremely good in all aspects, so I doubt they would not have patched the moment it was released.