ColdFusion Remote File Attack Using Admin API

I recently came across an older ColdFusion 2018, update 12, server that was many patches behind. I can’t go into details on this server’s origin.

We noticed that one of the many websites on this single Windows IIS server returned a “Failed to add HTML header” error a couple of times. This site still uses FuseBox 3.1. Then the site just started returning empty content, with no error and a valid 200 HTTP code. No errors were logged in the ColdFusion logs.

We noticed a .jpg file in the root with a recently modified date that did not belong there, and the robots.txt was recently updated.

The .jpg file contained malicious PHP code, while the robots.txt file had the following appended:

# Sitemap: http://{url}/?sitemap=1&type=index
# AUTH:upload/7FD4B026F124.jpg

I am not positive why it added a sitemap reference.

If you deleted the .jpg file, it was recreated, and another “AUTH:” line was appended, the next time the site was hit, because of a cfinclude (in this case in index.cfm).
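A quick way to triage a web root for the two artifacts described above (an image file that carries script tags, and “# AUTH:” lines appended to robots.txt) is a small scanner. The following is an added example written for this post, not code from the compromised site or from CF Webtools; it builds a constructed sample tree in a temp directory that mirrors the artifacts, and the tag list it searches for is an assumed starting point rather than a complete list of what a dropper might write.

```python
import re
import tempfile
from pathlib import Path

# Tags that have no business inside an image served from a web root.
# "<?php" is what the post found; the CFML tags are an assumed extension of the list.
CODE_TAG_RE = re.compile(rb"<\?php|<cfscript|<cfexecute|<cffile|<cfinclude", re.IGNORECASE)
IMAGE_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif"}
# The marker line the dropper appends to robots.txt ("# AUTH:<path>").
AUTH_LINE_RE = re.compile(r"^\s*#\s*AUTH:", re.IGNORECASE)


def scan_images_for_code(webroot):
    """Return (relative path, matched tag) for every image file whose bytes contain a script tag."""
    webroot = Path(webroot)
    hits = []
    for path in webroot.rglob("*"):
        if path.is_file() and path.suffix.lower() in IMAGE_SUFFIXES:
            match = CODE_TAG_RE.search(path.read_bytes())
            if match:
                hits.append((path.relative_to(webroot).as_posix(),
                             match.group(0).decode("ascii", "replace")))
    return sorted(hits)


def find_auth_lines(robots_path):
    """Return the '# AUTH:' lines present in robots.txt (empty list if the file is absent)."""
    robots = Path(robots_path)
    if not robots.is_file():
        return []
    return [line.rstrip("\r\n")
            for line in robots.read_text(errors="replace").splitlines()
            if AUTH_LINE_RE.match(line)]


def build_sample_webroot():
    """Constructed sample tree: one clean image, one image carrying PHP, and a modified robots.txt."""
    root = Path(tempfile.mkdtemp(prefix="cfroot_"))
    (root / "upload").mkdir()
    # A plausible JPEG header followed by nothing suspicious.
    (root / "upload" / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # JPEG magic bytes followed by PHP: the shape of the dropped file in the post
    # (the PHP body here is a harmless constructed marker, not the real payload).
    (root / "upload" / "7FD4B026F124.jpg").write_bytes(
        b"\xff\xd8\xff\xe0<?php echo 'constructed marker'; ?>")
    (root / "robots.txt").write_text(
        "User-agent: *\nDisallow: /admin/\n"
        "# Sitemap: http://example.invalid/?sitemap=1&type=index\n"
        "# AUTH:upload/7FD4B026F124.jpg\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, tag in scan_images_for_code(root):
        print(f"image with code: {rel} (found {tag!r})")
    for line in find_auth_lines(root / "robots.txt"):
        print(f"robots.txt marker: {line}")
```

Point `scan_images_for_code` at the real web root and `find_auth_lines` at the real robots.txt; any hit from the first function is a file that should be quarantined and cross-referenced with the IIS log, and any “AUTH:” line names the file the dropper is maintaining.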

When looking at FusionReactor, we saw HTTP calls being made to api.cdnapi.tech. We do not know what those calls were for, but they are malicious. Check your code for this hostname.

We did find suspicious calls to “cf_script/clients.cfm” in the IIS log file. We determined that this file was added to mimic the file name of the client-variables handler. I am not going to publish the code, but it basically wrote a .cfm file from a form field (seemingly from the GET request; it injected a form field below and likely modified the form's action property), ran it via a cfinclude, and then deleted the file, with some error handling. Pretty simple.

After running the IIS logs through Claude.ai, it found that the Admin API was exploited using a vulnerability that bypassed directory restrictions. Look for “/hax/..” in your IIS logs. This exploits CVE-2023-29298.

GET /hax/..CFIDE/adminapi/administrator.cfc?method=getBuildNumber&_cfclient=true
GET /hax/..CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat Status: 200
GET /index.cfm?{redacted}/CFIDE/administrator/index.cfm/CFIDE/adminapi/base.cfc User-Agent: python-requests/2.32.4

The first GET queries the Admin API to get the ColdFusion version. The second appears to verify access to the Admin API using the getHeartBeat() method. The last GET is an injection attempt via a form; I have redacted the URL query specific to the site. Both of the directory-traversal GET requests were successful. We saw some other POST requests to accessmanager.cfc and base.cfc without the directory-traversal trick, but they were unsuccessful.

These requests were scattered over a period of about a month.
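The indicators above (a traversal sequence in the path, Admin API components reached through a non-canonical path or smuggled in a query string, direct POSTs to Admin API components, and hits on the dropper file name) can be turned into a log check. The script below is an added example written for this post, not the author's tooling; it parses the IIS W3C format using the `#Fields:` header, and the log excerpt it contains is constructed to resemble the requests quoted above (the client IP, timestamps, the `x=` parameter standing in for the redacted query, and the shortened field list are all assumed). The per-client activity window at the end is what shows the “scattered over about a month” pattern.

```python
import urllib.parse
from dataclasses import dataclass, field

# Constructed IIS W3C excerpt modelled on the indicators in the post (not a real log).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-05-02 03:12:44 10.0.0.5 GET /index.cfm page=home 443 - 198.51.100.7 Mozilla/5.0 200
2025-05-02 03:12:51 10.0.0.5 GET /hax/..CFIDE/adminapi/administrator.cfc method=getBuildNumber&_cfclient=true 443 - 203.0.113.9 python-requests/2.32.4 200
2025-05-02 03:12:52 10.0.0.5 GET /hax/..CFIDE/adminapi/_servermanager/servermanager.cfc method=getHeartBeat 443 - 203.0.113.9 python-requests/2.32.4 200
2025-05-09 22:40:10 10.0.0.5 GET /index.cfm x=/CFIDE/administrator/index.cfm/CFIDE/adminapi/base.cfc 443 - 203.0.113.9 python-requests/2.32.4 200
2025-05-11 01:05:03 10.0.0.5 POST /CFIDE/adminapi/accessmanager.cfc - 443 - 203.0.113.9 python-requests/2.32.4 403
2025-05-12 09:17:30 10.0.0.5 GET /cf_script/clients.cfm - 443 - 203.0.113.9 python-requests/2.32.4 200
"""


@dataclass
class Finding:
    line_no: int
    date: str
    client_ip: str
    method: str
    stem: str
    status: str
    reasons: list = field(default_factory=list)


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the column names from the #Fields header."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["_line"] = line_no
        yield rec


def classify(rec):
    """Return the list of reasons a request is suspicious (empty for a normal request)."""
    stem = urllib.parse.unquote(rec.get("cs-uri-stem", "")).lower()
    query = urllib.parse.unquote(rec.get("cs-uri-query", "")).lower()
    reasons = []
    if ".." in stem:
        reasons.append("traversal sequence in URI path")
    if "cfide/adminapi" in stem and not stem.startswith("/cfide/adminapi/"):
        reasons.append("Admin API reached through a non-canonical path")
    elif stem.startswith("/cfide/adminapi/"):
        reasons.append("direct Admin API request")
    if "cfide/adminapi" in query:
        reasons.append("Admin API component path supplied in the query string")
    if stem.endswith("/cf_script/clients.cfm"):
        reasons.append("request to the dropper file named in the post")
    return reasons


def find_suspicious(text):
    """Run classify() over every request line and collect the flagged ones."""
    findings = []
    for rec in parse_iis_w3c(text):
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(rec["_line"], rec.get("date", ""), rec.get("c-ip", ""),
                                    rec.get("cs-method", ""), rec.get("cs-uri-stem", ""),
                                    rec.get("sc-status", ""), reasons))
    return findings


def activity_window(findings):
    """Per client IP: (first date, last date, number of flagged requests)."""
    window = {}
    for f in findings:
        first, last, count = window.get(f.client_ip, (f.date, f.date, 0))
        window[f.client_ip] = (min(first, f.date), max(last, f.date), count + 1)
    return window


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no} {f.date} {f.client_ip} {f.method} {f.stem} -> {f.status}: {'; '.join(f.reasons)}")
    for ip, (first, last, count) in activity_window(hits).items():
        print(f"{ip}: {count} flagged requests between {first} and {last}")
```

Read the real log files with `find_suspicious(open(path).read())`; a 200 on a traversal or non-canonical Admin API request is the signal that the bypass worked, while 403s on direct Admin API POSTs are the unsuccessful attempts the post mentions and are still worth keeping as evidence of the source address.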

As an immediate solution, we blocked any URI starting with “hax/” in our WAF (Web Application Firewall). There should be no reason to access this path other than to exploit the server.

This information is intended to help other ColdFusion admins narrow down a similar compromised server, as a reference. This particular server is getting the needed updates and resolution.

If you need assistance with a compromised server, reach out to me or CF Webtools to help you in a time of crisis.

#admin-api, #coldfusion-2, #cve-2023-29298, #hack, #vulnerability