I'm consulting for a company, and their server is being used by intruders to send spam email. It is Windows 2008 x64 with IIS, CF9, and SQL Server. The CF server is running their home-grown web site, and my suspicion is that there is an unsecured .cfm file that allows all cfmail parameters to be provided via form variables, or else the intruders got their own .cfm file somewhere that's doing it. The files showing up in spool and undelivr all appear to be formatted in such a way that they look just like legitimate emails I compared, so that's another reason I think it's a rogue .cfm file. I have mail logging turned all the way up to debug, but it still doesn't show where the email "came from". I found other evidence of exploit severe enough that I have informed the customer that their server needs to be completely flattened and reinstalled before it can be trusted again. I'm going on site in 3 weeks to do this rebuild, but in the meantime, I am continuing to see evidence that spam email is being sent out despite my efforts to track it down. The reason I think there is an unsecured .cfm page is that the entire site is unfortunately fairly low-tech, and a recursive text search for "<cfmail" turns up 450 hits. Any tips on how I can track this down?
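One way to triage 450 `<cfmail` hits instead of reading them by hand, as an added example that is not part of the original post: a small Python scanner that walks the webroot and, for every `<cfmail>` tag, reports which recipient/content attributes are filled from the `form.`/`url.` scope (or from an unscoped `#var#`, which ColdFusion also resolves through URL and Form scope). File paths, the `SAMPLE` markup and the `contact.cfm` name are constructed for the example; the attribute names are ColdFusion's own.

```python
import os
import re

# <cfmail> attributes that let a request choose recipients or content when
# they are filled straight from the request. Names are ColdFusion's.
RISKY_ATTRS = ("to", "from", "cc", "bcc", "replyto", "failto", "subject")
CFMAIL_RE = re.compile(r"<cfmail\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(["'])(.*?)\2""", re.DOTALL)
# Explicitly request-scoped: #form.x# or #url.x#.
SCOPED_RE = re.compile(r"#\s*(form|url)\.", re.IGNORECASE)
# Unscoped #x#: CF also searches URL and Form scope for these, so a caller
# can often still supply the value. Weaker signal, reported separately.
UNSCOPED_RE = re.compile(r"#\s*[A-Za-z_]\w*\s*#")

def audit_cfmail(source, path="<inline>"):
    """One finding per <cfmail> tag: which risky attributes are request-fed."""
    findings = []
    for m in CFMAIL_RE.finditer(source):
        attrs = {k.lower(): v for k, _q, v in ATTR_RE.findall(m.group(1))}
        tainted = [a for a in RISKY_ATTRS if a in attrs and SCOPED_RE.search(attrs[a])]
        unscoped = [a for a in RISKY_ATTRS if a in attrs and a not in tainted
                    and UNSCOPED_RE.search(attrs[a])]
        findings.append({"path": path,
                         "line": source.count("\n", 0, m.start()) + 1,
                         "tainted": tainted, "unscoped": unscoped})
    return findings

def scan_tree(root, exts=(".cfm", ".cfc")):
    """Walk a webroot; return findings for every file holding <cfmail>, worst
    first. A file you do not recognise is as interesting as a bad tag."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    results.extend(audit_cfmail(fh.read(), full))
    return sorted(results, key=lambda f: (len(f["tainted"]), len(f["unscoped"])),
                  reverse=True)

# Constructed sample showing the two shapes a search for "<cfmail" turns up.
SAMPLE = """<cfmail to="#form.email#" from="#form.sender#" subject="#form.subject#">
#form.body#
</cfmail>
<cfmail to="admin@example.com" from="site@example.com" subject="Order #orderid#">
new order
</cfmail>"""

if __name__ == "__main__":
    for finding in audit_cfmail(SAMPLE, "contact.cfm"):
        print(finding)
```

Run `scan_tree(r"C:\inetpub\wwwroot")` (path is an assumption) and read the top of the list first; a tag whose `to` is request-controlled is the open relay you are looking for, and a file with a `<cfmail>` that nobody on the team recognises is the rogue-file case.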