How do you globally change page output sent from IIS without changing the page source?

Several of my sites have recently been hacked. Someone was able to add a JavaScript line at the bottom of each page of the site.

The server is Windows Server 2003, and ColdFusion 8 and MySQL 5.x are installed and running on it.

A look at the code on each page shows that none of the pages have been changed. The JavaScript is not in the code files themselves. This makes me think that this is an IIS problem, but I am not sure and cannot find anything that could do this in IIS.

The added JavaScript redirects the user to another page only if they come from Google, or at least it works this way.

Any help on how someone was able to accomplish this, as well as remove it, would be greatly appreciated.

Another way to pose the question, thanks to @Jeffrey Hantin:

How do you systematically change the output from IIS without changing individual pages?


EDIT: A few more tests showed that only .cfm pages get the extra JavaScript. A new .cfm was added and the JS was there, but in a .html it was not there.


Edit2: Turns out it was a ColdFusion problem. One way or another, OnRequestEnd.cfm pages were created on the sites and added that JS.

+3
5 answers

It looks like someone has used some of the latest Adobe CF vulnerabilities.

. :

, .

+2

, , . OnRequestEnd.cfm ​​, js.

+2

IIS , , ISAPI. Coldfusion, application.cfc .

. , , . , . , -, application.cfc , .

+1

, . .

0

, ISAPI. , IIS .

In your specific situation, you can check for ISAPI filters that you did not mean to have installed. Of course, if your server has been compromised, you will most likely be better off rebuilding from a known-good image rather than trying to fix it in place.

0
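
The question's second edit traced the injected JavaScript to OnRequestEnd.cfm files created on the sites. As an added example (not from the original thread), the script below lists the templates ColdFusion runs implicitly around each request and flags those that emit script or check the referrer; the `scan_webroot` name and the indicator patterns are assumptions chosen for illustration.

```python
import os
import re
import sys
import time

# Templates ColdFusion runs implicitly around every .cfm request in a directory tree.
IMPLICIT_TEMPLATES = {"onrequestend.cfm", "application.cfm", "application.cfc"}

# Heuristic indicators (assumptions, tune for your sites): client-side script
# output and referrer checks like the Google-only redirect described above.
INDICATORS = {
    "script_tag": re.compile(rb"<script\b", re.I),
    "referrer_check": re.compile(rb"document\.referrer|cgi\.http_referer", re.I),
}


def scan_webroot(root):
    """Return one finding per implicit template under root, with matched indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in IMPLICIT_TEMPLATES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                mtime = os.path.getmtime(path)
            except OSError as exc:
                # Unreadable files are reported rather than skipped silently.
                findings.append({"path": path, "error": str(exc), "hits": []})
                continue
            hits = sorted(k for k, rx in INDICATORS.items() if rx.search(data))
            findings.append({"path": path, "mtime": mtime, "hits": hits})
    # Files with indicator hits first, then most recently modified first.
    findings.sort(key=lambda f: (not f["hits"], -f.get("mtime", 0)))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_webroot(root):
        when = time.strftime("%Y-%m-%d %H:%M", time.localtime(f.get("mtime", 0)))
        print(f"{when}  {','.join(f['hits']) or '-'}  {f['path']}")
```

Run it against each site's web root and compare the listed files and modification times with a known-good copy of the site; a template with no indicator hits can still be unexpected if the site never shipped one.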

Source: https://habr.com/ru/post/1723512/

