CF Admin showing the root website - coldfusion

My CFIDE just went crazy this morning and I can't locate what is causing this. When I log in from example.com/cfide/administrator/index.cfm some of the tabs on the left work fine and some are showing the index page of example.com like in an iframe... I restarted the app server but the issue is still there. Any recommendations on how to debug this thing?

So for posterity here is what we found.
There are two possible exploits that could be affecting you:
the bitcoin exploit (miner.d)
the ckeditor file upload exploit (this is the h.cfm file)
There are others but these are common and known. Both tap underlying Java to unfold work that either calls something more sinister, delivers server metadata or unrolls a scheduled task to fire off worker bees to consume resources doing something the admin is unaware of.
So as we discovered we have a varietal of this h.cfm called fusebox.cfm (obfuscated with bonus encrypted CF5 garble). If you can open the h.cfm file you will see UGLY and obfuscated code, but not very sophisticated. A lot can be revealed by a coder's code, and if you deconstruct and format this particular code you will discern that the developer is not native to CF and jumps from script style to CFML style (in caps no less).
(here is the Stack Overflow link with the raw code (be careful))
It is also named i.cfm, h9.cfm, r.cfm, adss.cfm or fusebox.cfm. Here is the black hat page that gives you a ton of info. I'm viewing the cached site because I don't trust the black hat sites (one loaded something on my system that raised an antivirus alert).
The file may be unreadable, so here is a link to a site that describes some GitHub source code that can decrypt it for you. That is ColdFusion 5 crap that still floats around now and again. (I'm pretty sure it will look similar to that code in the SO link I pasted above.)
Post mortem: One more ColdFusion server saved from villainy. Remember, it never hurts to run through your systems and see if anything can be found like this. It also never hurts to make things a little more difficult for would-be server exploiters ;)
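As an added example (not part of the post above, nor any project's code): a read-only sweep of a ColdFusion webroot that flags the web-shell file names the answer lists, CFML that reaches into Java or spawns OS commands or scheduled tasks, and files whose byte entropy looks like an encoded/encrypted template rather than source. The file names come from the answer; the regex patterns, the entropy threshold and the scan root are this example's own assumptions.

```python
"""Sweep a CFML webroot for indicators described in the post above.

Assumptions (not from the page): the regex list, the entropy threshold and
the extension filter are starting points to tune against a known-good copy
of your own code base.
"""
import math
import os
import re
import sys
from collections import Counter

# Web-shell file names listed in the post (matched case-insensitively).
SUSPECT_NAMES = {"h.cfm", "i.cfm", "h9.cfm", "r.cfm", "adss.cfm", "fusebox.cfm"}
CFML_EXTENSIONS = {".cfm", ".cfc", ".cfml"}
# Assumption: plain CFML source sits well below 6 bits/byte; encoded or
# encrypted templates approach 8.
ENTROPY_THRESHOLD = 6.0

# Capabilities the post says these shells lean on. All three are legitimate
# in admin code, so a hit is a lead for review, not a verdict.
SUSPECT_PATTERNS = [
    ("java bridge", re.compile(rb'createobject\s*\(\s*["\']java', re.I)),
    ("os command", re.compile(rb"<cfexecute\b", re.I)),
    ("scheduled task", re.compile(rb"<cfschedule\b", re.I)),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: str) -> list[str]:
    """Return the list of reasons a single file looks suspicious (empty if none)."""
    reasons = []
    if os.path.basename(path).lower() in SUSPECT_NAMES:
        reasons.append("known web-shell file name")
    with open(path, "rb") as fh:
        data = fh.read()
    for label, pattern in SUSPECT_PATTERNS:
        if pattern.search(data):
            reasons.append(f"uses {label}")
    ent = shannon_entropy(data)
    if ent > ENTROPY_THRESHOLD:
        reasons.append(f"high entropy ({ent:.2f} bits/byte), possibly encoded")
    return reasons


def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk the webroot; map each flagged CFML file (relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in CFML_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            reasons = inspect_file(path)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python scan_cfml.py /path/to/webroot  (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reasons in sorted(scan_webroot(target).items()):
        print(f"{rel}: {'; '.join(reasons)}")
```

Treat every hit as something to diff against the deployed release (version control or a clean backup) before acting on it; the name list only catches the variants the post names, so the pattern and entropy checks are what catch a renamed copy.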

Related

Are you able to get hints from what template a message is coming from with dev tools?

I have this website that I'm editing for a friend and they want to get rid of this message at the checkout screen but their boss doesn't know who implemented it. It's an error message at the top in red that says "If you are having trouble checking out, please contact us at sales#cbobaby.com" and is in the checkout page. This is an OpenCart website and I only work with WordPress sites so I'm having trouble figuring out where the source of the message is coming from. I've dug through some of the template files in the theme and I can't seem to find or delete anything that gets rid of it. My question is if there is anything in Chrome dev tools that would help me identify the source or template it lives in? I only use dev tools for adjusting CSS but I know there's so much more you can do with it. Thanks.
No, DevTools can't relate your front-end code to what generates it for the DOM. For the exact same reason we are unable to persist edits in the DOM to your source.
You need to use grep, or some code editor with "find all" functionality, and look for some part of the string. If that fails, search your database and see if it is coming out of there. You can then either edit the database and hope nothing breaks, or try to back-track through the application logic to find where it is calling that part of the DB. It should give you some ground as to where to look.
In the Sources tab, you can see the resources that are loaded when you are on a particular page. You can also use the Inspect tool in the Elements tab to find the element that hosts that bit of text to narrow things down in your search.
To add to this, if content is generated on the server side, the resources you see will likely be a merge from multiple generated sources, e.g. with templates in your case. You can search your solution for aspects of the DOM elements you see in Chrome Developer Tools, but look for the static parts instead of the dynamic parts. For example, the text itself won't be part of the template file, a placeholder will exist - a CSS class could be useful.

Should I have turned off mod_security?

It probably took me too long, 4 hours, to figure out the real issue. Some of my iPhone app's requests were getting through to my shared-hosting web server, and others weren't. I finally pinned down that the difference was in the text contents of my POST headers.
My shared-host tech support enlightened me. One of my requests contained the words "I'm having a good time" in a POST header from user input, and the server's mod_security module didn't like the word "having", apparently believing it was a security threat.
I mentally went ballistic. This was an example of security run amok, trashing my app's requests (causing problems for my users) for a very stupid reason. Tech support disabled that particular mod_security rule, but that left many others that could be equally stupid.
So I used cPanel to turn off mod_security entirely for all my sites. My PHP script carefully sanitizes all user input, and it seemed like mod_security itself was the most serious threat to my app's proper performance.
Did I do the right thing? Or will it bite me in the ass down the road?
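As an added example (not from the post above): the middle ground between "one rule disabled by support" and "module off for every site" is to scope the exception. ModSecurity 2.x lets you drop a single rule for a single path, exclude one request parameter from a rule, or keep the engine in log-only mode while you find out which rules fire on legitimate traffic. The rule ID, the path and the parameter name below are placeholders; the real ones come from the audit log entry your host looked at.

```apache
# Added example. 999999 and /api/ are placeholders, not real values.
<IfModule mod_security2.c>
    # Keep the engine active for every vhost. While tuning, switch this to
    # "DetectionOnly": matches are logged to the audit log but never block.
    SecRuleEngine On

    <LocationMatch "^/api/">
        # Drop only the rule that matched "having", and only for the app's
        # own endpoint. Everything else keeps protecting this path.
        SecRuleRemoveById 999999

        # Alternative that keeps the rule but stops it inspecting the one
        # free-text field (ARGS:message is a placeholder parameter name).
        # SecRuleUpdateTargetById 999999 "!ARGS:message"
    </LocationMatch>
</IfModule>
```

Either directive goes in the Apache config (or the per-vhost file cPanel exposes), and a false positive then costs one line per rule instead of the whole module; the audit log, not a guess, tells you which ID to put there.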

Inconsistent 'Cannot find CFML template for custom tag' error

I have a CF9 site set up locally on OSX Snow Leopard, and it's started to behave very strangely - probably about 1 out of every 5 times I load any page in the site, it will throw a 'Cannot find CFML template for custom tag' error. I just refresh the page and then everything works fine. It can happen on any page, but it never happens consistently with any one page. Furthermore, this doesn't happen at all on the live server when the code is checked in through SVN, so I figure it has to be some kind of configuration problem on my local instance. I can still do my work, but it's pretty annoying having to refresh pages ALL the time. Has anyone run into similar difficulties?
Try using <cfmodule template="pathTo/yourTag.cfm"> rather than <cf_yourtag>, so you can specify the exact location of the template (in case the server is getting confused as to where it resides).
FYI, this is based on a tip from Raymond Camden's blog post: http://www.raymondcamden.com/index.cfm/2006/8/17/ColdFusion-Custom-Tag-Tips
Chris, odd that I should run into your question now, as this just started happening to me last night. I have all of my CF errors being emailed to me, and I am seeing that similar problems are happening across multiple sites that all run the same software, some of which haven't been touched in a long time. That got me thinking, it's probably a corrupt compiled template in the CF cache. You can recompile the template by making a slight change to it, say add an extra line or a comment or something, then access the site again. Or, purge the whole cache and let CF rebuild everything, which is likely what I'll do since who knows what else might be affected.
Clearing the Cache in Coldfusion Production server

CFCOMPILE - Precompiling ColdFusion pages & Sourceless distribution

I see that pre-compiling pages to java classes will increase performance, while using the -deploy command will encode the pages to java bytecode, thus hiding the source code.
Questions:
Can both of the above be done? Pre-compiling the application, then encoding them?
Is updating sourceless pages & cfc's as simple as encoding the newly updated files locally, then overwrite the older ones on the server?
Thank you for your contributions.
It's worth noting that byte code won't 'secure' your code if someone gets onto your server. There is nothing to stop someone from decompiling your code using tools like this.
There is official Adobe info here on sourceless distribution but I haven't tried it. Remember, the compile hit is only on the first request (provided you have your CF admin setting correct) so the boost isn't for every request.
I'd also prefer to 'secure' my source code in other ways, i.e. making sure the server is secure.

What would be a good Coldfusion-based bug tracking software?

What I am looking for is a tool that easily or automatically sends coldfusion error messages to their system.
Then I can use the web-based interface, to manage priorities, track who fixed what and so forth.
But I want to use this to help us deal with errors better, and also to show the importance of a bug tracking system to my fellow workers.
System Requirements: Apache, Windows, ColdFusion 8 Standard, SQL Server 2005.
Financial Requirements: Free or Open Source
Goal Or Purpose: To encourage my fellow workers to want and use a bug tracking system.
Does this re-write make more sense?
Thanks
Craig
Wiki has a list of issue tracking software, maybe this list could help.
http://en.wikipedia.org/wiki/Comparison_of_issue_tracking_systems
You may be able to find a hosted service and use either email or web services to create the ticket using onError. With that said, a simple issue tracking app could be created for your site using the same DB used to drive the content. 2 or 3 tables would take care of the data storage and you're already using CF so the application layer is already there.
HTH.
I have been heavily using this type of a setup for several years by email only, and the last 3 years with a Bug Tracking Software.
I must say, the bug tracking software has made my life so much more peaceful. Nothing is left, forgotten, or slips through the cracks. It's easy to find trends in errors, and remember "all the times" it happened.
Our setup is like this:
1) ColdFusion + Appropriate framework with error reporting - It doesn't matter what you use. I have used Fusebox extensively and am making the transition to ColdBox. Both are very capable, in addition to Mach-II, FW/1, Model-Glue, etc. The key part you have to find in them is their ability to catch "onError", usually in the application CFC.
2) Custom OnError Script - Wherever an error occurs, you want to capture the maximum amount of information about that error and email it in. What we do is, when an error occurs, we log the user out with a message of "oops, log in again". Before logging them out, the application captures the error and emails it to Fogbugz. Along with it, at the top we include the CGI variables for the IP address, browser being used, etc. Over time you will find the things you need to add.
3) Routing in Fogbugz. A 2 user version of Fogbugz is free, and hosted online. There are two main ways to submit bugs. One is to email one in at a time. So if an error happens 2000 times, you get 2000 emails, and 2000 cases. Not always the best to link them together, etc. They have a feature called BugzScout, which is essentially an HTTP address that you do a form post to with cfform with all of the same information you would have put into the email. There's plenty of documentation on this and something I've always wanted to get around to. I had a scenario of 2000 emails for the first time happen a few weeks ago so I'll be switching over to this.
Hope that helps. Share what you ended up doing and why so we all can learn too!
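As an added example (not the poster's own code): an Application.cfc onError handler in the shape step 2 describes, capturing the exception, the CGI context (IP, browser, page) and the submitted form, and mailing one report per error to the tracker's inbox as in the email route of step 3. The mail addresses and the list of sensitive field names are placeholders/assumptions; the redaction step is added because a bug report that contains a user's password is itself an incident.

```cfml
<!--- Added example, not code from the post above. Addresses and the
      secretFields list are placeholders to replace with your own. --->
<cfcomponent output="false">
    <cfset this.name = "myapp">
    <cfset this.sessionManagement = true>

    <cffunction name="onError" returnType="void" output="true">
        <cfargument name="exception" required="true">
        <cfargument name="eventName" type="string" required="true">
        <cfset var report = structNew()>
        <cfset var key = "">
        <!--- Assumption: form fields that must never leave the server in a report. --->
        <cfset var secretFields = "password,passwd,newpassword,creditcard,cvv">

        <!--- What went wrong. --->
        <cfset report.eventName = arguments.eventName>
        <cfset report.type = arguments.exception.type>
        <cfset report.message = arguments.exception.message>
        <cfset report.detail = arguments.exception.detail>
        <cfif structKeyExists(arguments.exception, "tagContext")>
            <cfset report.tagContext = arguments.exception.tagContext>
        </cfif>

        <!--- Where and for whom: the CGI variables the answer suggests. --->
        <cfset report.remoteAddr = cgi.remote_addr>
        <cfset report.userAgent = cgi.http_user_agent>
        <cfset report.page = cgi.script_name & "?" & cgi.query_string>

        <!--- Form data helps reproduce the error; redact secrets and cap the size. --->
        <cfset report.form = structNew()>
        <cfif isDefined("form")>
            <cfloop collection="#form#" item="key">
                <cfif listFindNoCase(secretFields, key)>
                    <cfset report.form[key] = "[redacted]">
                <cfelse>
                    <cfset report.form[key] = left(form[key], 200)>
                </cfif>
            </cfloop>
        </cfif>

        <!--- One mail per error; the tracker's inbox turns it into a case. --->
        <cfmail to="bugs@example.com" from="app@example.com"
                subject="[myapp] #report.type#: #left(report.message, 80)#"
                type="text">#serializeJSON(report)#</cfmail>

        <!--- The user gets a generic message, never the exception detail. --->
        <cfheader statuscode="500" statustext="Internal Server Error">
        <cfoutput><p>Something went wrong. Please log in again and retry.</p></cfoutput>
    </cffunction>
</cfcomponent>
```

Keeping the report body machine-readable (JSON here) is what makes the later switch from email to an HTTP submission like BugzScout a matter of swapping cfmail for cfhttp rather than rewriting the capture logic.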
I'm surprised no one mentioned LighthousePro (http://lighthousepro.riaforge.org). Open source - 100% free - and ColdFusion. As the author I'm a bit biased though. :)
Hard question to answer without knowing what kind of restrictions there are. Do you have any permissions to install anything? Also most bug-tracking systems require some kind of database support.
I have a suggestion. You can put in place a basic bug-tracking system, that just allows people to create tickets, and allows you/someone else to close it.
More Windows based tools are mentioned here
Good open-source bug tracking / issue tracking software for Windows
Any reason why coldfusion specifically?
I really like Fogbugz from the makers of Stack Overflow. For one user it's quite reasonably priced. I enter some bugs manually and have others emailed in.
A lot of bug tracking software will expose SOAP methods for entering data into them.
For example, we used Axosoft's OnTime and that exposed some WSDL pages that I consumed in my application. I was told that Jira did as well.
There are a few in the CF411 list: Bug Tracking/Defect Tracking/Trouble Ticket/Help Desk Tools Written in CFML
We use HopToad. There is another bug-tracking app called LightHouse that integrates with HopToad so you can easily create a [bug] ticket from an incoming exception. HopToad has an API of which there are many clients, you want the CF based one:
http://github.com/timblair/coldfusion-hoptoad-notifier
Even if you don't use HopToad and you end up using a different service or roll your own, if you needed to write your own API client you could leverage the code or pattern(s) of the above HopToad client.
A lot of good information from everyone, and I really do appreciate the efforts given. But not the answer I was looking for. Which maybe means that what I want does not exist, yet.
So I may have to roll my own solution... Or maybe integrate with another existing app...
Thank You all.