Discussion:
Hack attempts?
DennBen
2009-07-24 13:19:52 UTC
I am looking through my Coldfusion exception.log file and seeing a
couple hundred errors around the same time yesterday. I am wondering
what would cause them.

The errors vary, but there are a few of these mixed in:
Error","jrpp-3308","07/23/09","11:49:32",,"Probe requests must
originate from localhost, 127.0.0.1 The specific sequence of files
included or processed is: D:\InetPub\CFIDE\probe.cfm, line: 53 "
coldfusion.runtime.CustomException: Probe requests must originate from
localhost, 127.0.0.1

and lots of file not found errors in different directories, some are
coldfusion directories: (to name a few:)
File not found: /cgi-bin/CFIDE/probe.cfm
File not found: /Admin/CFIDE/probe.cfm
File not found: /instaboard/index.cfm
File not found: /cfide/index.cfm
File not found: /cgi-bin/ftj6dvaz.cfc
File not found: /junk999.cfm
/cfdocs/cfmlsyntaxcheck.cfm

The first error was File not found: /mNkvt1Kz3gj6.cfm

Looks like this went on for about 45 minutes.

Is this a hack attempt? And if so, how would I know if I am
vulnerable? I don't have a site-wide error set up, so they would know
they are getting file not found errors. The reason I don't have that
set up is because there are multiple websites on one ColdFusion server
and I haven't been able to think of a way to give a standard error
message that would suit them all.

Any advice or input would be greatly appreciated.

Thanks
Nick Voss
2009-07-25 13:18:15 UTC
Post by DennBen
I am looking through my Coldfusion exception.log file and seeing a
couple hundred errors around the same time yesterday. I am wondering
what would cause them.
Error","jrpp-3308","07/23/09","11:49:32",,"Probe requests must
originate from localhost, 127.0.0.1 The specific sequence of files
included or processed is: D:\InetPub\CFIDE\probe.cfm, line: 53 "
coldfusion.runtime.CustomException: Probe requests must originate from
localhost, 127.0.0.1
and lots of file not found errors in different directories, some are
coldfusion directories: (to name a few:)
File not found: /cgi-bin/CFIDE/probe.cfm
File not found: /Admin/CFIDE/probe.cfm
File not found: /instaboard/index.cfm
File not found: /cfide/index.cfm
File not found: /cgi-bin/ftj6dvaz.cfc
File not found: /junk999.cfm
/cfdocs/cfmlsyntaxcheck.cfm
The first error was File not found: /mNkvt1Kz3gj6.cfm
Looks like this went on for about 45 minutes.
Is this a hack attempt? And if so, how would I know if I am
vulnerable? I don't have a site-wide error set up, so they would know
they are getting file not found errors. The reason I don't have that
set up is because there are multiple websites on one ColdFusion server
and I haven't been able to think of a way to give a standard error
message that would suit them all.
Any advice or input would be greatly appreciated.
Thanks
Can you tell from the log what the IP address was? You might do a
reverse on that and see if it looks like it was just the googlebot or
another search engine crawler. If not then it might not be a bad idea
to look into restricting that particular IP if it's causing trouble.

In general if you're using safe practices in your code
(cfqueryparam!), have set your CF admin password(s) to something
suitably complex, and have not enabled RDS then your CF server should
be running pretty secure. Also of note, if you think someone is
managing to watch the traffic to and from your server you should not
be transferring files using ftp. They'll sniff your password and
could then upload and execute malicious code. This would be of
particular concern if your various web sites have access to cffile and
cfdirectory where they can potentially perform actions across your
server and further its connected network.
DennBen
2009-07-27 12:55:55 UTC
Post by DennBen
I am looking through my Coldfusion exception.log file and seeing a
couple hundred errors around the same time yesterday. I am wondering
what would cause them.
Error","jrpp-3308","07/23/09","11:49:32",,"Probe requests must
originate from localhost, 127.0.0.1 The specific sequence of files
included or processed is: D:\InetPub\CFIDE\probe.cfm, line: 53 "
coldfusion.runtime.CustomException: Probe requests must originate from
localhost, 127.0.0.1
and lots of file not found errors in different directories, some are
coldfusion directories: (to name a few:)
File not found: /cgi-bin/CFIDE/probe.cfm
File not found: /Admin/CFIDE/probe.cfm
File not found: /instaboard/index.cfm
File not found: /cfide/index.cfm
File not found: /cgi-bin/ftj6dvaz.cfc
File not found: /junk999.cfm
/cfdocs/cfmlsyntaxcheck.cfm
The first error was File not found: /mNkvt1Kz3gj6.cfm
Looks like this went on for about 45 minutes.
Is this a hack attempt? And if so, how would I know if I am
vulnerable? I don't have a site-wide error set up, so they would know
they are getting file not found errors. The reason I don't have that
set up is because there are multiple websites on one ColdFusion server
and I haven't been able to think of a way to give a standard error
message that would suit them all.
Any advice or input would be greatly appreciated.
Thanks
Can you tell from the log what the IP address was?  You might do a
reverse on that and see if it looks like it was just the googlebot or
another search engine crawler.  If not then it might not be a bad idea
to look into restricting that particular IP if it's causing trouble.
In general if you're using safe practices in your code
(cfqueryparam!), have set your CF admin password(s) to something
suitably complex, and have not enabled RDS then your CF server should
be running pretty secure.  Also of note, if you think someone is
managing to watch the traffic to and from your server you should not
be transferring files using ftp.  They'll sniff your password and
could then upload and execute malicious code.  This would be of
particular concern if your various web sites have access to cffile and
cfdirectory where they can potentially perform actions across your
server and further its connected network.
Thanks for the input. The exception_log doesn't include the IP address,
so I'm not able to use your advice there. Thank you for the input. The
site doesn't always use CFQUERYPARAM, but it does use stored
procedures, which is better than dynamic inline SQL and should prevent
SQL injection.
dNagel
2009-07-30 07:59:06 UTC
Post by DennBen
Thanks for the input. The exception_log doesn't include the IP address,
so I'm not able to use your advice there. Thank you for the input. The
site doesn't always use CFQUERYPARAM, but it does use stored
procedures, which is better than dynamic inline SQL and should prevent
SQL injection.
Maybe not, but the web server is going to log all activity. If it's
IIS then look in your default sys log files after inspecting IIS
Manager for the correct log file name and path. Unless the IIS or
Apache logging was purposely crippled, you should have a list of all
IPs that communicated with you, along with status codes like 404 (not
found) or 500 (server side error without a catch).

Synchronize your log scans for the same time the error occurred to
match them, unless you know of something else IIS and an error report
would have had in common.

D.
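As an added example (not from the thread or from any poster), a Python script that does the correlation dNagel describes: it parses the header lines of the exception.log format quoted above, parses an IIS W3C log, shifts the IIS timestamps from UTC onto ColdFusion's local clock, and counts the 4xx/5xx requests per client IP that fall within a couple of seconds of each exception. The log excerpts, the IP addresses and the UTC offset are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample in the exception.log format quoted above (stack-trace lines are skipped).
CF_EXCEPTION_LOG = r'''"Error","jrpp-3308","07/23/09","11:49:32",,"Probe requests must originate from localhost, 127.0.0.1 The specific sequence of files included or processed is: D:\InetPub\CFIDE\probe.cfm, line: 53 "
coldfusion.runtime.CustomException: Probe requests must originate from localhost, 127.0.0.1
"Error","jrpp-3311","07/23/09","11:49:35",,"File not found: /cgi-bin/CFIDE/probe.cfm"
"Error","jrpp-3312","07/23/09","11:49:37",,"File not found: /junk999.cfm"
'''
# Constructed IIS W3C excerpt. IIS stamps entries in UTC while ColdFusion logs local
# time, so IIS_UTC_OFFSET (assumed here: US Eastern Daylight Time) aligns the two clocks.
IIS_LOG = '''#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-07-23 15:49:32 203.0.113.7 GET /CFIDE/probe.cfm 500
2009-07-23 15:49:35 203.0.113.7 GET /cgi-bin/CFIDE/probe.cfm 404
2009-07-23 15:49:37 203.0.113.7 GET /junk999.cfm 404
2009-07-23 15:49:36 198.51.100.20 GET /index.cfm 200
2009-07-23 16:30:00 198.51.100.20 GET /cfide/index.cfm 404
'''
IIS_UTC_OFFSET = timedelta(hours=-4)
# Header line of one exception.log entry: "Type","Thread","MM/DD/YY","HH:MM:SS",,"Message"
CF_LINE = re.compile(r'^"\w+","[^"]*","(\d\d/\d\d/\d\d)","(\d\d:\d\d:\d\d)",[^,]*,"(.*)"\s*$')

def parse_cf_exceptions(text):
    """Return (local timestamp, message) for each entry header in exception.log."""
    events = []
    for line in text.splitlines():
        m = CF_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1) + " " + m.group(2), "%m/%d/%y %H:%M:%S")
            events.append((ts, m.group(3)))
    return events

def parse_iis_log(text):
    """Return one dict per request line, with the timestamp shifted onto the CF clock."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, ip, _method, uri, status = line.split()[:6]
        ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S") + IIS_UTC_OFFSET
        hits.append({"ts": ts, "ip": ip, "uri": uri, "status": int(status)})
    return hits

def correlate(cf_events, iis_hits, window=timedelta(seconds=2)):
    """Per client IP, count 4xx/5xx requests landing within `window` of a CF exception."""
    counts = Counter()
    for hit in iis_hits:
        near_error = any(abs(hit["ts"] - ts) <= window for ts, _ in cf_events)
        if hit["status"] >= 400 and near_error:
            counts[hit["ip"]] += 1
    return counts
```

Run the same correlation over the real exception.log and IIS files; the IPs that surface are the ones to reverse-resolve, as Nick suggests, before deciding whether to restrict them.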
