A couple of sites of mine recently got "hacked". Someone was able to add a line of JavaScript to the bottom of every page on the site.

The server is a Windows Server 2003, and has ColdFusion 8 and MySQL 5.x installed and running.

Looking into the code on each page shows that none of the pages were modified. The JavaScript is not in the code files themselves. This leads me to believe it is an IIS problem, but I am unsure and cannot find anything that would be able to do this within IIS.

The JavaScript being added redirects a user to another page only when they come from Google, or at least it appears to work this way.

Any help on how someone was able to accomplish this as well as removing it would be greatly appreciated.

Another way to word the question, thanks to @Jeffrey Hantin:

How do you systematically modify output from IIS without modifying individual pages?


EDIT: A bit more testing has shown that only the .cfm pages add the extra JavaScript. Added a new .cfm and the JS was there, but a .html did not have it.

Edit2: Turns out to have been a ColdFusion problem after all. Somehow OnRequestEnd.cfm pages were created on the sites and added that JS.

A: 

They might have guessed your password. You should change it immediately.

Mark Byers
Just did this a few weeks back. It was something pretty basic before, but the one now is much more difficult but worth trying.
corymathews
A: 

It's possible that an ISAPI filter is used to do this. I once used one myself to perform compression before IIS supported it natively.

In your specific situation, you may want to check for ISAPI filters you don't want installed. Of course, if your server has been compromised, you will likely be better off rebuilding from a known good image rather than trying to fix it in situ.

Jeffrey Hantin
+2  A: 

Turns out to have been a ColdFusion problem after all. The page OnRequestEnd.cfm was created on the sites and added that JS.

corymathews
+2  A: 

Looks like someone exploited some of the latest Adobe CF vulnerabilities.

Please see these blog posts for details and try to search for the symptoms on your server:

Hope this helps.

Sergii
Interesting stuff here, reading into it more. Thanks.
corymathews
+1  A: 

If you only want to use IIS to modify output, the ISAPI filter is probably the best answer. If you would like to use ColdFusion, you could utilize the application.cfc to modify output during certain parts of the request cycle, or wrap all of your pages in a Custom Tag to consolidate the like portions of your page templates.

I have used both. In cases where my page headers and footers are all the same, the custom tag is fast and easy to use. To make changes to all the pages, you edit one custom tag file. In cases where I have a more complicated web application, I'll use the application.cfc to store and insert common components where they are needed.

Dan Sorensen
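A defender-side check that ties the asker's Edit2 finding (an OnRequestEnd.cfm nobody created) to Dan Sorensen's point that the request-lifecycle files are where ColdFusion lets you change every page's output without touching the pages: an added Python script, not from the question or any answer, that walks a web root, lists every file ColdFusion executes implicitly around each .cfm request (Application.cfm, Application.cfc, OnRequestEnd.cfm), and flags those containing script or redirect tokens. The sample site it builds, the token list and the `.invalid` URL are constructed for the demonstration; custom tags are not covered, because they only affect pages that explicitly call them, and a page-by-page diff (which the asker already did) catches that case.

```python
import os
import re
import tempfile
from pathlib import Path

# Files ColdFusion runs implicitly for every .cfm request below their directory:
# Application.cfm / Application.cfc before the page, OnRequestEnd.cfm after it.
# Dropping one of these into a web root changes every page's output without
# modifying any page file, which is exactly the symptom in the question.
LIFECYCLE_FILES = {"application.cfm", "application.cfc", "onrequestend.cfm"}

# Heuristic tokens that a lifecycle file should not contain on a site that does
# not intentionally emit client-side code (constructed list; tune per site).
SUSPICIOUS = re.compile(
    r"<script\b|document\.location|window\.location|referrer|fromcharcode|unescape\(",
    re.IGNORECASE,
)


def scan_site(root):
    """Return every lifecycle file under `root`, sorted by path.

    Each finding records the path, its mtime and the suspicious tokens matched.
    Clean files are listed too: a lifecycle file the developer never wrote is a
    finding by itself, so the caller compares the list against what it expects.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in LIFECYCLE_FILES:
                continue
            path = Path(dirpath) / name
            text = path.read_text(errors="replace")
            tokens = sorted({m.lower() for m in SUSPICIOUS.findall(text)})
            findings.append({"path": str(path), "mtime": path.stat().st_mtime, "tokens": tokens})
    return sorted(findings, key=lambda f: f["path"])


def triage(findings, expected_paths):
    """Keep findings that are unexpected (not in the developer's list) or carry tokens."""
    expected = {str(Path(p)) for p in expected_paths}
    return [f for f in findings if f["path"] not in expected or f["tokens"]]


def build_demo_site():
    """Build a constructed sample web root in a temp dir (not real site data)."""
    root = Path(tempfile.mkdtemp(prefix="cfscan_"))
    (root / "index.cfm").write_text("<cfoutput>Hello #now()#</cfoutput>\n")
    # Legitimate lifecycle file the developer wrote on purpose.
    (root / "Application.cfc").write_text(
        '<cfcomponent>\n<cfset this.name = "demoapp">\n</cfcomponent>\n'
    )
    sub = root / "products"
    sub.mkdir()
    (sub / "list.cfm").write_text("<cfoutput>products</cfoutput>\n")
    # Constructed stand-in for the file the asker found: an OnRequestEnd.cfm
    # nobody created, appending a script that redirects search-engine visitors.
    (sub / "OnRequestEnd.cfm").write_text(
        "<script>if (document.referrer.indexOf('google') > -1) "
        "{ window.location = 'http://EXAMPLE-REDIRECT.invalid/'; }</script>\n"
    )
    return root


if __name__ == "__main__":
    root = build_demo_site()
    # The developer only knows about the root Application.cfc; anything else is news.
    for f in triage(scan_site(root), [root / "Application.cfc"]):
        print(f"{f['path']}  tokens={f['tokens'] or 'none'}")
```

Run it against each site's web root with the lifecycle files you actually wrote in the expected list; anything left after `triage` is either a file you did not create or one whose content has changed, and the mtime gives you the window to look for in the IIS and ColdFusion logs.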