<cftextarea> and FCKeditor Exploit

I have now experienced a couple of servers exploited to inject harmful code into .js files. There's a lack of information out there, and I believe I have finally run into what I was looking for.

There appears to be a vulnerability in the FCKeditor file upload feature. It appears to affect at least ColdFusion and PHP servers. Attackers use the file uploader to place and run malware on the server, which appends a <script> tag to the end of every .js file. The script references the URL http://bit.ly/dUdvv. Avast, an anti-virus program, flags it as an IFRAME virus when you visit the compromised website.

ColdFusion ships a built-in copy of FCKeditor, used by the <CFTEXTAREA> tag when rich text is enabled. If you use this tag with rich text enabled, disable the file upload feature; this applies to the latest install, 8.0.1, as well. To see whether your file upload connector is enabled, open config.cfm under "CFIDE\scripts\ajax\FCKeditor\editor\filemanager\connectors\cfm". Alternatively, delete the filemanager directory found under "CFIDE\scripts\ajax\FCKeditor\editor" altogether. Note that disabling the connector only blocks new uploads; anything already uploaded through it stays on disk until you remove it.

I have seen that after removing the infected code from the .js files, they are once again re-infected. One company's solution was to move all website files to a brand-new ColdFusion server to get rid of this issue. So there must be a program or service running that hides itself well.

The latest version of FCKeditor is 2.6.4. It appears that the AJAX file manager CKFinder may also have this issue. I have not yet been able to determine whether this version is safe. So far I've only seen this on Windows servers. If anyone has additional information on this, please comment below.

Other sources of information:
http://isc.sans.org/diary.html?storyid=6715
http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat

Comments
There is more than just files being injected into the infected sites. The uploaded code also includes a number of viruses. One in particular is a process called wmnotify.dll. It's difficult to kill and normally requires a reboot into safe mode in order to be able to stop the process, then find the infectious file and remove it. Without successfully identifying and killing the virus, the sites will be continually infected over and over again.

This also has infected many CFWEBSTORE sites. People have found that you need to run CF under a user name that does not have admin rights on the win32 folder. You might also find many .exe files in the temp folder on your server. Use a file search program like PowerGrep or something similar (people have also used Dreamweaver after re-downloading their entire site to a local PC) and search for these terms:

seraph
createshell

The first term, seraph, is unique to this infection, and any file with this in it can definitely be considered malicious. You should replace any file with that word in it with a known good copy from backup. I believe that any file that has the term createshell can be considered suspicious and should also be replaced with a known good copy. Check the dates on files that have those words in them, then search your site for any other files that were modified at the same date and time and consider replacing them with known good files.

Of course all of that should only be done after you successfully find and remove the virus from your server. This may require the assistance of your hosting provider.

We've been working on this since Monday morning and the infection has been morphing on sites that were thought to be clean, but they never found the virus, leading us to believe that the cybercriminals behind this (from China) still have remote access to many, many servers and are simply reinfecting them with newer code.

This has also started migrating to .php based sites as well, although not as successfully as ColdFusion based sites.
# Posted By Thomas J. Raef | 7/3/09 4:55 PM
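As an added example (not code from the original post or from the comment above), here is a Python triage script that combines the two checks the page describes: it scans a web root for .js files carrying an appended <script> tag (flagging the bit.ly/dUdvv URL named in the post as the known payload), searches every file for the seraph and createshell terms from the comment, and then lists unflagged files modified within a minute of a flagged one, which is the "same date and time" check the comment recommends. The sample site it builds, the file names and contents in it, and the 60-second window are constructed for the demonstration and are not from the page.

```python
"""Triage scan for the .js injection and uploaded-file indicators described above.

Added example, not code from the original post or its comments.  It assumes:
  * the injected payload is a <script> tag appended to .js files that references
    bit.ly/dUdvv (from the post),
  * "seraph" and "createshell" are indicator strings for the dropped files (from
    the comment),
  * the sample web root built by build_sample_site() is constructed for the demo
    and is not real site data.
"""
import os
import re
import tempfile
from datetime import datetime

INJECTED_URL = b"bit.ly/dUdvv"                      # URL named in the post
INDICATORS = (b"seraph", b"createshell")            # terms named in the comment
# A .js file has no business containing an HTML <script> tag at all, so any match
# is suspect; the closing tag is optional in case the payload omits it.
SCRIPT_TAG_RE = re.compile(rb"<script\b[^>]*>(?:.*?</script>)?", re.IGNORECASE | re.DOTALL)


def scan_file(path):
    """Return a list of findings for one file (empty list means nothing seen)."""
    with open(path, "rb") as f:
        data = f.read()
    findings = []
    if path.lower().endswith(".js"):
        for m in SCRIPT_TAG_RE.finditer(data):
            findings.append("known-payload" if INJECTED_URL in m.group(0) else "script-tag-in-js")
    lowered = data.lower()
    findings.extend("indicator:" + ind.decode() for ind in INDICATORS if ind in lowered)
    return findings


def _walk(root):
    """Yield (path relative to root with forward slashes, absolute path)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def scan_tree(root):
    """Return {relative path: findings} for every flagged file under root."""
    hits = {}
    for rel, full in _walk(root):
        findings = scan_file(full)
        if findings:
            hits[rel] = findings
    return hits


def same_sweep(root, hits, window=60):
    """Unflagged files whose mtime lies within `window` seconds of a flagged
    file's mtime: the comment's 'modified at the same date and time' check,
    which catches files the string search alone would miss."""
    hit_times = [os.path.getmtime(os.path.join(root, rel)) for rel in hits]
    extra = []
    for rel, full in _walk(root):
        if rel in hits:
            continue
        mtime = os.path.getmtime(full)
        if any(abs(mtime - t) <= window for t in hit_times):
            extra.append(rel)
    return sorted(extra)


def triage(root):
    """Run both passes; returns (flagged files, unflagged files from the same sweep)."""
    hits = scan_tree(root)
    return hits, same_sweep(root, hits)


def build_sample_site():
    """Constructed sample web root (demo data, not a real site)."""
    root = tempfile.mkdtemp(prefix="fck_triage_")
    infected = datetime(2009, 7, 1, 3, 15).timestamp()   # the sweep that wrote the payload
    clean = datetime(2009, 5, 20, 9, 0).timestamp()      # untouched files
    files = {
        "scripts/app.js": (b'function init(){}\n<script src="http://bit.ly/dUdvv"></script>', infected),
        "scripts/lib.js": (b"var x = 1;\n", clean),
        "CFIDE/upload/tmp1.cfm": (b"<cfset seraph = 1><cfset createShell('cmd.exe')>", infected + 5),
        "index.cfm": (b"<html>ok</html>", infected + 20),  # touched in the sweep, no indicator string
        "about.cfm": (b"<html>about</html>", clean),
    }
    for rel, (content, ts) in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        os.utime(full, (ts, ts))          # pin mtimes so the sweep clustering is visible
    return root


if __name__ == "__main__":
    site = build_sample_site()
    flagged, sweep = triage(site)
    for rel, findings in sorted(flagged.items()):
        print(f"FLAGGED     {rel}: {', '.join(findings)}")
    for rel in sweep:
        print(f"SAME-SWEEP  {rel} (modified alongside a flagged file; diff against backup)")
```

Run it against a copy of the site taken after the server itself has been cleaned, as the comment advises; otherwise the results are only a snapshot that the next reinfection will invalidate. Flagged files are candidates for replacement from a known good backup, and same-sweep files are candidates to diff against that backup rather than proof of tampering.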
Adobe has now provided a security bulletin regarding this issue.

http://blogs.adobe.com/psirt/2009/07/potential_col...

They are working on an update to ColdFusion to resolve the issue, which they expect to make available this week.
# Posted By Chris | 7/6/09 11:28 AM
A hotfix for ColdFusion 8 is now available to patch the FCKeditor vulnerability included with ColdFusion.

Information and the download can be found at http://www.adobe.com/support/security/bulletins/ap...
# Posted By Chris | 7/8/09 5:44 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.9.1.