Hi I really need some help!

Recently one of my sites have been hit with an iframe injection:

<iframe scrolling="no" frameborder="0" src="the source changes but normally htttp://collegefun4u.com/" width="0" height="1"></iframe>

It happens at random times and gets inserted in random include files.

We have clean scanned all computers + server for viruses, changed all ftp/remote desktop passwords but the problem still occurs.

I don't think that it's an SQL injection attack because it is not hitting the database and only being injected into include files.

Some advice would really be appreciated as I have tried extensivley to get rid of it with no avail!

I am currently using CF9 runnning on a Windows 2003 server.

Thanks Alot!

Hi, Have you had any joy getting this resolved? We run a Coldfusion server with several sites and have recently started experiencing the same problems. The hidden iFrame is exactly the same as yours.

After some more digging, I found 2 malicious Coldfusion scripts in our 'Default Site' directory. (we use ISS on windows). One of the files was named something along the lines of '0188568_google.cfm', and was scripted to use cfexecute to run another script from the command line to modify a file passed in as a param. We have deleted the malicious files and changed all passwords/blocked access to our default site so hopefully this will not re-occur.