So as i was opening my presents with my family Christmas morning when my web server emailed me to let me know that a file had been created in my /CFIDE/ folder. This file was h.cfm and it was a nifty little tool used to scan files - copy files - dump SQL passwords - run commands - upload files ect....
My setup is CF9.0.1 on win server 2008 with mySQL5.5 . The servers only purpose is to host a few websites for my company. I poured over my IIS logs and could not find any trace of a connection to the webserver while this was happening. I then started looking at the http.log file in coldfusion server and found that it contained 2 entries at the time of the attack. Both looked like this... note i've removed the IP of the server. This file is the file that was uploaded to my server.
25-Dec-2012 6:54 AM Information jrpp-6969 Starting HTTP request {URL='http://IPAddress:80/CFIDE/h9.txt', method='get'}
There was nothing before this connection and nothing after it. It looks like some how my server was told to make a call to here. Nothing in any logs regarding the use of the h.cfm, no loggs in IIS showing suspicious page hit before and nothign suspicious after.
Am i missing something??? this is driving me nuts! The other weird thing about this attack was that they didn't touch any websites they copied the ColdFusion9\updater_backup\ folder and a few other odd things off the server.
Any insight into anything that went on would be helpful... even if it's just a guess that points me in the right direction.
Thanks,
JB.