More on ColdFusion hacks
From http://isc.sans.org/diary.html?storyid=6715
Thanks to our reader Adam, we received some additional information regarding the recent ColdFusion hacks.
As I wrote in the previous diary (http://isc.sans.org/diary.html?storyid=6715), the attackers are exploiting vulnerable FCKEditor installations, which come enabled by default with ColdFusion 8.0.1 as well as some other ColdFusion packages.
The first thing the attackers do is upload a ColdFusion web shell – a script very similar to the ASP.NET or PHP web shells we've been writing so much about. The web shell I analyzed is very powerful and seems to be recent – according to the date in the script it was released on the 23rd of June by a Chinese hacker "Seraph".
The script has a simple authentication mechanism – it verifies what the URL parameter "action" is set to, as can be seen in the screenshot below:
If the parameter "action" is set to "seraph", the user can access the web site, otherwise the script just prints back "seraph". In other words, the URL the attacker accesses after uploading the script will look something like this: http://www.hacked.site/uploaded_file.cfm?action=seraph
A nice thing (for us doing forensics, at least) is that you can now grep through your logs for "action=seraph" to see if you have been hacked with the same script. Keep in mind that this is not a definitive test, of course, since the name of the action variable can easily be modified.
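As an added example (not part of the original diary), the log check above in a slightly more robust form: it scans Apache-style access log lines for requests to .cfm scripts whose URL-decoded "action" parameter equals "seraph", so case changes and percent-encoding do not slip past a plain grep. The log lines, IP addresses and paths below are constructed for the demonstration; the caveat stands that a renamed parameter or value will not be caught.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jun/2009:10:01:02 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jun/2009:10:02:15 +0000] "GET /userfiles/uploaded_file.cfm?action=seraph HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jun/2009:10:03:40 +0000] "GET /userfiles/uploaded_file.cfm?action=Seraph&cmd=dir HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jun/2009:10:04:01 +0000] "GET /userfiles/uploaded_file.cfm?action=%73eraph HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Jun/2009:10:05:00 +0000] "GET /search.cfm?action=search&q=seraph HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status of a combined-log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_seraph_shell_request(target: str, shell_values=("seraph",)) -> bool:
    """True when a .cfm script is requested with action=<known shell value>.

    parse_qs URL-decodes the query, so "%73eraph" compares equal to "seraph";
    both the parameter name and the value are compared case-insensitively.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".cfm"):
        return False
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() == "action" and any(v.lower() in shell_values for v in values):
            return True
    return False


def scan_log(text: str):
    """Return (ip, timestamp, target) for every line that matches the shell pattern."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_seraph_shell_request(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, ts, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {target}")
```

Only the requests to the uploaded .cfm file are reported; the legitimate search.cfm request, which merely contains the word "seraph" in another parameter, is not.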