My site has just been hacked and I suspect that it was a remote file inclusion attack. These are my server specs: Windows Server 2008 R2 running ColdFusion 9 (9.0.1.274733) and IIS 7.5

This is the source code of the page that appeared after my site was hacked:

<!-- # sql_master : securiiity@gmail.com #--> 
<html> 
<head> 
<title>0wned !</title> 
<Meta http-equiv="content-type" content="text/html; charset=windows-1254"> 
<Meta http-equiv="content-type" content="text/html; charset=ISO-8859-9"> 
</head>
<body bgcolor="black"> 
<center>
 <font color="#ffffff" size="3" face="Tahoma">0wned By <br>SQL_Master , Z0mbi3_Ma , xMjahd !</font>
 <br><br> 
 <img src="http://fc08.deviantart.net/fs71/f/2010/255/e/7/never_look_back_by_arbebuk-d2yiadv.jpg" width="600" height="500"/> 
 <br><br> </div> </td>
  <font color="#ffffff" size="3" face="Tahoma">[email protected]
  </font><br><br> <font color="#ffffff" size="3" face="Tahoma">FROM MOROCCO</font> </tr> 
</table> 
</body> </html>

My site and server are periodically scanned by Symantec and it only picked out the IP of the person who hacked my site.

After the site was hacked, I went and cleared the ColdFusion Verity search and in IIS, I made .cfm the default file type to give preference to and the site was back on line.

However, I did a whole site search but was unable to find the above code anywhere.

Can someone please explain to me how these types of attacks are made and how I can clean my site and server and prevent this from happening again in the future?

Thank you.

LastMitch:

Can someone please explain to me how these types of attacks are made and how I can clean my site and server and prevent this from happening again in the future?

This issue is more internal, meaning that if you are being hacked, most likely you have to look at your host server database to see what time it happened and what file it happened to, and there you can pinpoint the issue (meaning fix it).
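Following the advice to work from the server's own records, here is an added example (not from the thread and not anyone's production tooling) that parses IIS 7.5 W3C extended logs and flags requests whose query string carries a remote URL, the usual sign of a remote file inclusion attempt, optionally narrowed to the IP that Symantec reported. The log lines, IPs, dates and file names below are constructed for illustration.

```python
"""Scan IIS W3C extended logs for remote-file-inclusion style requests.

The #Fields header drives column mapping, so this works with whatever
field selection IIS is configured to log, as long as date, time, c-ip,
cs-uri-stem and cs-uri-query are present (all are in the 7.5 default).
"""
import re
from urllib.parse import parse_qsl

# A query-string value that points at a remote resource is the classic RFI tell.
REMOTE_REF = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Constructed sample log in the IIS 7.5 default W3C layout (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-01-10 03:12:01 10.0.0.5 GET /index.cfm page=home 80 - 203.0.113.7 Mozilla/5.0 200 0 0 15
2013-01-10 03:12:44 10.0.0.5 GET /include.cfm page=http%3A%2F%2F198.51.100.9%2Finc.txt 80 - 203.0.113.7 Mozilla/5.0 200 0 0 120
2013-01-10 03:13:02 10.0.0.5 GET /include.cfm page=ftp://198.51.100.9/x.txt 80 - 203.0.113.7 Mozilla/5.0 500 0 0 9
2013-01-10 04:00:00 10.0.0.5 GET /about.cfm - 80 - 192.0.2.2 Mozilla/5.0 200 0 0 3
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat after log rollover
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_rfi_requests(text, suspect_ip=None):
    """Return (timestamp, client ip, uri-stem, parameter, remote value) for every
    request whose query string contains a remote URL; optionally limit to one IP."""
    hits = []
    for rec in parse_w3c(text):
        if suspect_ip and rec.get("c-ip") != suspect_ip:
            continue
        query = rec.get("cs-uri-query", "-")
        if query == "-":                       # IIS logs '-' when there is no query
            continue
        # parse_qsl percent-decodes, so http%3A%2F%2F... is seen as http://...
        for name, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_REF.match(value):
                hits.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                             rec["cs-uri-stem"], name, value))
    return hits


if __name__ == "__main__":
    for hit in find_rfi_requests(SAMPLE_LOG):
        print(hit)
```

Run it over the real log directory (typically under inetpub\logs\LogFiles on IIS 7.5) by reading each file into `find_rfi_requests`; the timestamp and uri-stem of each hit tell you when the request arrived and which .cfm page handled it.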
