My CFIDE just went crazy this morning and I can't locate what is causing this. When I log in from example.com/cfide/administrator/index.cfm some of the tabs on the left work fine and some are showing the index page of example.com like in an iframe... I restarted the app server but the issue is still there. Any recommendations on how to debug this thing?
CF Admin showing the root website
197 Views Asked by Geo At
There are 1 best solutions below
So for posterity here is what we found.
There are two possibilities of exploits that could be affecting you:
There are others, but these are common and known. Both tap underlying Java to unfold work that either calls something more sinister, delivers server metadata or unrolls a scheduled task to fire off worker bees to consume resources doing something the admin is unaware of.
So, as we discovered, we have a varietal of this h.cfm called fusebox.cfm (obfuscated, with bonus encrypted CF5 garble). If you can open that h.cfm file you will see UGLY and obfuscated code, but not very sophisticated. A lot can be revealed by a coder's code, and if you deconstruct and format this particular code you will discern that the developer is not native to CF and jumps from script style to CFML style (in caps, no less).
(here is the Stack Overflow link with the raw code (be careful))
It is also named: i.cfm, h9.cfm, r.cfm, adss.cfm or fusebox.cfm. Here is the black hat page that gives you a ton of info. I'm viewing the cached site because I don't trust the blackhat sites (because one loaded something on my system that raised an antivirus alert).
The file may be unreadable, so here is a link to a site that describes some GitHub source code that can decrypt it for you. That is ColdFusion 5 crap that still floats around now and again. (I'm pretty sure it will look similar to that code in the SO link I pasted above.)
Post mortem: One more ColdFusion server saved from villainy. Remember, it never hurts to run through your systems and see if anything can be found like this. It also never hurts to make things a little more difficult for would-be server exploiters ;)
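
A sweep of the kind the answer recommends, as an added example that is not part of the original answer: it flags ColdFusion templates whose names match the ones listed above or whose first bytes carry the encrypted-template header. The marker string, the extension list and the constructed demo webroot are assumptions made for this example.

```python
import os
import tempfile
from pathlib import Path

# File names the answer lists for this web shell family.
SUSPECT_NAMES = {"h.cfm", "i.cfm", "h9.cfm", "r.cfm", "adss.cfm", "fusebox.cfm"}
# Assumption: templates encrypted with the old cfencode utility begin with this marker.
ENCRYPTED_MARKER = b"Allaire Cold Fusion Template"
CF_EXTENSIONS = {".cfm", ".cfc", ".cfml"}


def scan_webroot(root):
    """Return {relative_path: [reasons]} for templates that deserve a manual look."""
    findings = {}
    root = Path(root)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in CF_EXTENSIONS:
                continue
            reasons = []
            if name.lower() in SUSPECT_NAMES:
                reasons.append("name-match")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(256)  # the marker sits at the top of the file
            except OSError:
                reasons.append("unreadable")
                head = b""
            if ENCRYPTED_MARKER in head:
                reasons.append("encrypted-template")
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Build a constructed webroot in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp)
        (web / "CFIDE").mkdir()
        (web / "index.cfm").write_text("<cfoutput>#now()#</cfoutput>")
        (web / "CFIDE" / "H9.CFM").write_text("<cfset x = 1>")
        (web / "CFIDE" / "report.cfm").write_bytes(ENCRYPTED_MARKER + b"\n<constructed body>")
        return scan_webroot(web)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(rel, ", ".join(why))
```

Hits are leads for review rather than verdicts; compare them against a clean install of the same ColdFusion version and your own deployment history.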