Hello,
We have some web servers with different operating systems (WS 2003 Standard Edition R2 with IIS 6 and ColdFusion 9.0.1 hotfix 4, and WS 2008 R2 with IIS 7.5 and ColdFusion 10 update 8), and for the machines with ColdFusion 10 we used the Server Lockdown Guide.
Last night, within a period of 15 minutes, our antivirus reported some dangerous tmp files in these folders:
- CF9: {coldfusion_path}\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\
- CF10: {coldfusion_path}\cfusion\runtime\work\Catalina\localhost\tmp\
The only thing that I could understand from the logs is that 2 hours before attempting to write these files on the server, a client with IP 188.190.126.105 carried out on all my servers the request of the "famous" page http://server_ip/CFIDE/h.cfm, going into error because that page does not exist.
Does anyone have any idea/suggestion of how it is possible that someone is still able to write these files in spite of:
- ColdFusion 9.0.1 with hotfix 4 and ColdFusion 10 with update 8
- The ColdFusion administrator is not reachable from external IPs
- I do not have the files h.cfm or i.cfm in the CFIDE folder
- All the requests of the type CFIDE/administrator are blocked
- Sites and ColdFusion are on different logical disks
- IIS and ColdFusion run with different users
- Not all the servers are in the same LAN, but all of them have had the intrusion
Thanks