New 0-day exploit for ColdFusion

Yesterday, it was discovered that there is yet another new 0-day exploit for ColdFusion. When viewing the exploit code, it was determined that this exploit potentially affects all versions of ColdFusion. The good news is that if you’ve followed our previous recommendations to lock down the ColdFusion administrator, adminapi, and componentutils directories, your server is presumably safe from this exploit. All fully managed/supported servers with ColdFusion were locked down by us in previous months. If you manage your own server, or someone else manages your server/ColdFusion, then you should make sure they have done the lock down.

What the exploit attempts to do is determine the version of ColdFusion running on the server and then attempt to obtain the ColdFusion Administrator password. If successful, the attacker has free rein over the server and can install malicious shell scripts and malicious executables, and view any data stored on the server, including anything stored in databases.

Currently, the only way to prevent the exploit is to lock down ColdFusion with the recommendations we outlined in the prior months and by viewing Adobe’s recommendations linked above. As always, be sure to keep up-to-date with any ColdFusion releases for your server(s) and apply them.

WordPress comes under attack!

During the past few days we have witnessed a highly sophisticated and well orchestrated worldwide attack on WordPress blogs and websites that use WordPress as their content management system (CMS). The attacks are using ‘brute force’ hacking techniques to guess weak and commonly used account names and passwords.

For all Bluethunder customers running WordPress installations, we strongly recommend that you immediately:

  1. Log in to WordPress and change any common and default account names (for example ‘Admin’, ‘Administrator’, ‘User’, ‘Root’, ‘Test’ etc.) to something less likely to be in common use
  2. Review and update all your WordPress passwords, ensuring each one meets the password security requirements specified by WordPress
  3. Update to the most up to date version of WordPress (version 3.5.1)
  4. Update all third party WordPress plug-ins to the latest versions 


Some Joomla powered sites have also been attacked. We recommend you take similar precautions if you use Joomla as your CMS. For more information, or if you have any questions, please contact Bluethunder support.


About Brute force Attacks

‘Brute force’ attacks use thousands of malware-infected machines (a botnet) to attempt to guess weak and commonly used account names and passwords against the /wp-admin URL suffix. There are a few enterprise grade security solutions to protect yourself from this, such as an application firewall that restricts access to those pages on your site(s) to specific IP addresses only, but for most users of this platform simply removing the obvious will suffice.

That’s why, as well as changing your account names from default or obvious options, it is also extremely important to use strong passwords. Strong passwords are at least eight characters long, use a mix of different cases, numbers and special characters, and NEVER contain ‘real’ words, names or similar, as these are guessed within seconds.

The “botnet” is most probably installed on thousands of individual machines (PCs and office servers) by infecting them with malware. Once set up, the botnet specifically targets servers and websites with huge amounts of data, such as known web hosts or open source platforms such as vulnerable WordPress and Joomla sites. Most likely these attacks are not specifically targeted at individuals or organisations, but are aimed at building a more significant botnet running on higher powered web servers which could be used for more powerful attacks in the future. Please make the security of your websites, blogs and servers the very highest priority.


Security is everyone’s responsibility, not just your host. Only working together can we keep your sites online and protected from harm. 

2013 UK Mura Training & Events

Mura CMS is the most popular and widely used CMS for ColdFusion/Railo, which we have been officially supporting for some time, both on our shared hosting platform and on our dedicated VPS/Cloud platform.

Over the last 12 months or so we have migrated quite a few Mura sites over from other (less able) hosts as well as taken on quite a few new customers running Mura, so it is clear that its popularity is growing in leaps and strides as is our popularity as a Mura host.

The one thing we have noticed, though, is that most customers don’t really know how to use the Mura Admin very well, as they have never been given any training and are thus not really making the best use of its features. If you think you fall into this category, then here is your chance to change that and get some excellent training and info direct from the source this April/June; see below.

If you would like to get your aging ColdFusion site converted to Mura CMS, or in fact any other popular CMS system such as WordPress, Joomla or Drupal, then please feel free to contact us for advice.

MuraCon EU 2013

June 5th in Edinburgh, Scotland

Cost: $99, or free to SotR attendees

Join us at MuraCon EU, where we’ll be showing off the latest developments and features in Mura CMS, along with invaluable insight into development processes and inside info. Held the day before Scotch on Rocks in Edinburgh, Scotland, MuraCon EU will show how you can harness the power of one of the world’s top Content Management Systems.

MuraCon EU is the only European user conference focused solely on Mura CMS. You’ll get a full day of presentations by both Mura Team members and top developers from the Mura CMS community.

Visit eu.muracon.com for more information and to register for the conference.

Mura CMS Training Seminar

April 29th – May 3rd in London, England

Cost: £1450 for full week

Blue River is offering Mura CMS training Monday, April 29 – Friday, May 3, 2013 in London, England. Sign up now and take advantage of the opportunity to learn Mura CMS directly from the expert team at Blue River.

These full-day training courses will provide you with in-depth understanding of how to get the most out of Mura CMS, from simple content updates all the way to creating new Mura CMS plug-ins. We have 3 courses available, each tailored to the unique needs of your different team members.

Discounts are available for students, CFUG attendees and group managers. Space in the course is limited and can fill up quickly, so please book early!

You can find more information on our website as well as register for the course.

Introduction to Mura CMS

April 8th in Brussels, Belgium

Cost: Free

Visit us on April 8th at BIP in Brussels, Belgium for a comprehensive look at Mura CMS. We’ll cover all the basics, including initial setup, adding (or creating) a unique theme, managing your content, and demonstrating cool features like drop-in galleries, change sets, site bundles, drag/drop form building and much more.

This seminar is free (including the coffee and snacks) but space is limited, so sign up soon! Information and the registration form can be found here.

Mura CMS Books available in paperback or eBook format

Hot off the press, three new Mura CMS guides are available for you to order today. These guides are based directly on the material we use in our three training courses. There is the Content Manager’s Guide, the Front-End Developer’s Guide and the Back-End Developer’s Guide, each tailored to your role and use of Mura CMS. The books are a great resource and are up-to-date, covering Mura CMS 6, including use of Mura CMS 6 screen shots throughout. Get the book you need, or order all three.

Global internet slows after ‘biggest attack in history’

By Dave Lee – Technology reporter, BBC News


The internet around the world has been slowed down in what security experts are describing as the biggest cyber-attack of its kind in history.

A row between a spam-fighting group and hosting firm has sparked retaliation attacks flooding core infrastructure.

It is having an impact on widely used services like Netflix – and experts worry it could escalate to affect banking and email services.

Five national cyber-police-forces are investigating the attacks.

Spamhaus, a group based in both London and Geneva, is a non-profit organisation which aims to help email providers filter out spam and other unwanted content.

To do this, the group maintains a number of blocklists – a database of servers known to be being used for malicious purposes.

Recently, Spamhaus blocked servers maintained by Cyberbunker, a Dutch web host which states it will host anything with the exception of child pornography or terrorism-related material.

Sven Olaf Kamphuis, who claims to be a spokesman for Cyberbunker, said, in a message, that Spamhaus was abusing its position, and should not be allowed to decide "what goes and does not go on the internet".

Spamhaus has alleged that Cyberbunker, in cooperation with "criminal gangs" from Eastern Europe and Russia, is behind the attack.

Cyberbunker has as yet offered no reply to the BBC when contacted directly.

‘Immense job’

Steve Linford, chief executive for Spamhaus, told the BBC the scale of the attack was unprecedented.

"We’ve been under this cyber-attack for well over a week.

"But we’re up – they haven’t been able to knock us down. Our engineers are doing an immense job in keeping it up – this sort of attack would take down pretty much anything else."

Mr Linford told the BBC that the attack was being investigated by five different national cyber-police-forces around the world, but said he was unable to disclose more details as the forces in question were concerned that they too may suffer attacks on their own infrastructure.

The attackers have used a tactic known as Distributed Denial of Service (DDoS), which floods the intended target with large amounts of traffic in an attempt to render it unreachable.

In this case, Spamhaus’s Domain Name System (DNS) servers were targeted – the infrastructure that joins domain names, such as bbc.co.uk, to the website’s numerical internet protocol address.

Mr Linford said the attack’s power would be strong enough to take down government internet infrastructure.

"If you aimed this at Downing Street they would be down instantly," he said. "They would be completely off the internet."

He added: "These attacks are peaking at 300 Gb/s (gigabits per second).

"Normally when there are attacks against major banks, we’re talking about 50 Gb/s."

Clogged-up motorway

The knock-on effect is hurting internet services globally, said Prof Alan Woodward, a cybersecurity expert at the University of Surrey.

"If you imagine it as a motorway, attacks try and put enough traffic on there to clog up the on and off ramps," he told the BBC.

"With this attack, there’s so much traffic it’s clogging up the motorway itself."

Spamhaus is able to cope, the group says, as it has highly distributed infrastructure in a number of countries.

The group is supported by many of the world’s largest internet companies who rely on it to filter unwanted material.

Mr Linford told the BBC that several companies, such as Google, had made their resources available to help "absorb all of this traffic".

The attacks typically happened in intermittent bursts of high activity.

"They are targeting every part of the internet infrastructure that they feel can be brought down," Mr Linford said.

"We can’t be brought down.

"Spamhaus has more than 80 servers around the world. We’ve built the biggest DNS server around."


Core Internet routing issue yesterday

Yesterday we had several customers report they were unable to access any services on our network.

We can confirm 100% that the issue was not at our end.

Basically this was due to a huge hole that opened up in the internet’s core routing; anything that tried to go through that hole failed.
Imagine it like a huge tailback on the M25: if you tried to reach your destination via the M25 then you would fail, but if you were travelling via a different route then you would succeed.

So far we are aware that Entanet, BT and Virgin had major issues, in addition the BBC were attacked at about the same time.

We – and many others – reconfigured our routers to bypass any UK routes using that part of the internet, and all was well, it took about an hour to figure out what was going on and find a work around.

All U.S. routes and IPv6 traffic were fine.

Billing System Upgrade

WHMCS System Security Advisory Notice

This morning WHMCS released new patches for the latest V5 series billing system which is being used by Bluethunder for all customers operating out of the London data centre. The updates are to provide targeted changes that address security concerns with the WHMCS code and although it is against our usual policy to make changes to infrastructure or services during office hours we were strongly encouraged to update immediately as WHMCS claim the updates include critical and important security impacts.

After our first attempt this morning we unearthed a couple of bugs that these “fixes” have introduced. We will continue to run our existing version until the WHMCS staff fix all ancillary problems the update introduces and this release has been fully tested on our infrastructure. We apologise for any inconvenience this may cause and will work hard to ensure you experience minimal or no loss of access to your account.

PLEASE NOTE: THIS WILL NOT AFFECT LIVE SITES HOSTED WITH US; IT IS PURELY THE BILLING SYSTEM AND SELF SERVICE CENTRE. SHOULD YOU NEED TO ORDER SERVICES OR MAKE CHANGES TO YOUR ACCOUNT, PLEASE CONTACT THE SUPPORT STAFF VIA THE TICKET SYSTEM AND WE WILL MAKE ANY NECESSARY URGENT CHANGES.

Critical

A critical rating applies to vulnerabilities that allow remote, unauthenticated access and code execution, with no user interaction required. These would allow complete system compromise and can easily be exploited by automated scripts such as worms.

Important

An important rating applies to vulnerabilities that allow system authentication levels to be compromised. These include allowing local users to elevate their privilege levels, unauthenticated remote users to see resources that should require authentication to view, the execution of arbitrary code by remote users, or any local or remote attack that could result in a denial of service.


Security Issue Information

The resolved security issues were all identified by Vlad C. of NetSec Interactive Solutions. There is no reason to believe that these vulnerabilities are known to the public, so we will only release limited information regarding the vulnerabilities at this time, as an update to this post. We will only know the full detail once sufficient time has passed to allow all WHMCS customers to install the update, whereafter WHMCS will release additional information regarding the nature of the security issues.

ARP hack caused small outages

We have had a few small (only a few minutes at a time) outages over the last couple of days, which we have now identified as an ARP hack which took some parts of our network down. Three websites that were the offending source of the hack attempts have been identified and isolated. ARP is basically the bit of a switch that figures out which port to use for an IP packet. It maintains a table of IP number vs MAC address called the address resolution table, and ARP is the protocol used to populate this table. The hack generated thousands of spoofed entries and killed individual switches that were connected to the offending sites. We are monitoring the situation closely by checking for patterns of rapid entries and will immediately suspend suspected sources.
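The "patterns of rapid entries" check described above can be expressed as two simple rules over a feed of ARP replies: a switch port on which an abnormal number of new IP/MAC pairs appear within a short window (table flooding), and an IP address that is claimed by more than one MAC (spoofing or flapping). The script below is an added example for this post and is not Bluethunder's monitoring code; the one-line record format, the sample records and the window/threshold values are all constructed assumptions, so you would adapt the parser to whatever your switch or arpwatch actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed record format (constructed for this example, not a real switch syslog format):
#   <ISO timestamp> port=<switch port> ip=<sender IP> mac=<sender MAC>
ARP_RE = re.compile(r"^(?P<ts>\S+) port=(?P<port>\d+) ip=(?P<ip>\S+) mac=(?P<mac>\S+)$")


def parse_arp_line(line):
    """Return (timestamp, port, ip, mac) or None for a line that does not match."""
    m = ARP_RE.match(line)
    if m is None:
        return None
    return (datetime.fromisoformat(m.group("ts")), int(m.group("port")),
            m.group("ip"), m.group("mac").lower())


def analyse_arp(lines, window=timedelta(seconds=10), max_new_per_window=20):
    """Return (floods, flapping).

    floods:   {port: number of distinct (ip, mac) pairs} for every port where more
              than max_new_per_window *new* pairs first appeared inside one window.
    flapping: {ip: sorted list of MACs} for every IP that claimed more than one MAC.
    Both limits are assumed tuning values."""
    per_port = defaultdict(list)
    ip_macs = defaultdict(set)
    for line in lines:
        rec = parse_arp_line(line)
        if rec is None:
            continue
        ts, port, ip, mac = rec
        per_port[port].append((ts, ip, mac))
        ip_macs[ip].add(mac)

    floods = {}
    for port, recs in per_port.items():
        recs.sort()
        seen, first_seen = set(), []
        for ts, ip, mac in recs:
            if (ip, mac) not in seen:  # a pair counts only the first time it appears
                seen.add((ip, mac))
                first_seen.append(ts)
        start = 0
        for end, ts in enumerate(first_seen):
            while ts - first_seen[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > max_new_per_window:
                floods[port] = len(seen)
                break

    flapping = {ip: sorted(macs) for ip, macs in ip_macs.items() if len(macs) > 1}
    return floods, flapping


def build_sample():
    """Constructed sample feed: port 3 carries normal traffic plus one IP that
    changes MAC; port 7 receives 30 forged pairs inside three seconds."""
    base = datetime(2013, 3, 12, 10, 0, 0)
    lines = [
        f"{base.isoformat()} port=3 ip=10.0.0.1 mac=00:11:22:33:44:01",
        f"{(base + timedelta(seconds=1)).isoformat()} port=3 ip=10.0.0.5 mac=00:11:22:33:44:05",
        f"{(base + timedelta(seconds=2)).isoformat()} port=3 ip=10.0.0.5 mac=00:11:22:33:44:99",
    ]
    for i in range(30):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} port=7 ip=10.0.0.{100 + i} mac=de:ad:be:ef:00:{i:02x}")
    return lines


if __name__ == "__main__":
    floods, flapping = analyse_arp(build_sample())
    for port, n in floods.items():
        print(f"port {port}: {n} distinct IP/MAC pairs in a burst, candidate for suspension")
    for ip, macs in flapping.items():
        print(f"{ip} seen with several MACs: {', '.join(macs)}")
```

The flood rule is what catches the incident described in the post (a single port generating thousands of entries); the flapping rule catches the quieter case where one host impersonates another's address, which a per-port count alone would miss.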

Apologies for any inconvenience this may have caused.

Windows Remote Desktop Keyboard Shortcut Tips

If you use Windows Remote Desktop to manage your server, then you may have noticed some annoyances: in windowed mode, Alt+Tab flips among windows on your local desktop when you actually want it to happen on the remote desktop, or you may be working in full-screen mode and wish to use Alt+Tab against your local desktop, and it happens on the remote server instead. What you probably do currently is minimize the remote desktop to work on your local desktop, but there’s a better solution: make the remote desktop a window and use a couple of great alternative keyboard shortcuts when working in a remote desktop window.


  • Ctrl+Alt+Break
    switches Remote Desktop between full-screen and windowed mode. When in full-screen mode, all the normal keyboard shortcuts work within that remote desktop as you’d expect.
  • Alt+PageUp
    when the focus is on the remote desktop window, acts like Alt+Tab, but only on the remote.
  • Alt+PageDown
    does the reverse of the above, and is the equivalent of Shift+Alt+Tab on your local desktop.
  • Alt+Home
    brings up the remote desktop’s Start menu.
  • Alt+Del (the Delete key) does the equivalent of Alt+Space in the Windows remote desktop, which opens the "window" menu in the top left of the selected window. This can be useful on a command prompt window in the remote desktop, to do an Edit > Paste command to the command prompt.
  • Alt+Ins (or Ctrl+Alt+Ins) minimizes the selected window in the remote desktop (equivalent to Ctrl+Alt+Esc on your local desktop).
  • Ctrl+Alt+End does a Ctrl+Alt+Del in the windowed remote desktop (such as to
  • Ctrl+Alt+Plus (the + key) is the equivalent of PrtSc (the Print Screen button), which takes a screenshot of the remote desktop session and saves it to the clipboard. Related to that is Ctrl+Alt+Minus (the ‘-’ key), which is the equivalent of Alt+PrtSc, taking a screenshot of the currently selected window (only) on the remote desktop.

The Next Generation of Domain Names is Coming

New Domains. New Opportunities.

Starting 2013, over a thousand new domain extensions, or TLDs, will change how the world uses the Web. People will have the option of choosing memorable and intuitive domain names specific to their online ventures. New TLDs help consumers know what to expect from the websites they visit, making it easier to find sites relevant to them.

New TLDs are Kind of a Big Deal

New TLDs are the future of the Internet. Your business needs to make the leap or be left behind. Major players like Google, Amazon and even brands like Ferrari are investing in the success of new TLDs. With consumers being exposed to more than 1,000 TLDs in 2013, they’ll want their own descriptive and memorable domain name for their website.


New TLD Timeline


Serious ColdFusion security threat not covered by hotfixes

A recent threat has been discovered affecting ColdFusion servers which allows an attacker to upload files (cfml, php, etc.) and then execute those files within the context of the ColdFusion administrator.
Ergo, if you run ColdFusion under the SYSTEM account, any cfml files uploaded will have full file system access to your server and the ability to use cfexecute and cfregistry.
On some installations the hack is also able to gain access to CF data sources and any database login details stored in those data sources.

Please note that you’re NOT protected against this simply by having applied recent CF security hotfixes. It’s been confirmed to have hit at least CF9 (9.0.1 and 9.0.2) servers, but it seems it would apply as well to CF10, or down to CF7, as it leverages the Admin API.

It is recommended that all customers running an Adobe ColdFusion server should check if they have been hacked and should take the required measures to protect themselves. This does not affect Railo servers.

You can find a more detailed explanation of the vulnerability and associated issues, and how to check your logs for hacker activity HERE, but below is the short and simple version.

You are vulnerable if

  1. Your ColdFusion administrator is publicly accessible on the default website or any other website on your server.
  2. You have a virtual directory pointing to the original CFIDE from other websites on your server, thus giving full access to AdminAPI and Administrator.
  3. You use the ColdFusion built-in web server.
  4. You run multiple instances, which have the built-in web server enabled by default.

How to check if you have already been hacked

  1. Look in your CFIDE folder for the following files:
    1. h.cfm
    2. i.cfm
    3. cfprobe.cfm
  2. Look for a scheduled task in cfadmin pointing to the cfprobe file.

How to protect yourself

  1. If you have already been hacked:
    1. Read the more detailed post HERE.
    2. Delete the uploaded files.
    3. Change your database passwords if they were vulnerable.
    4. Review your web server logs for details of the dates/times the hacker accessed your system.
    5. Check for any other files which may have been created elsewhere on your system at the time of the hack attempts.
  2. Block public access to your CFIDE folder, or at least the Administrator and AdminAPI folders. There are several ways to do this:
    1. Block all remote access and only allow localhost.
    2. Restrict access by IP address.
    3. Restrict access by authentication.
    4. Make a copy of your CFIDE without the AdminAPI and Administrator folders for public-facing sites, and restrict the default CFIDE website only.

    Here are a few blog posts showing how to achieve those methods.

  3. Disable ColdFusion’s built-in web server or block public access to it.
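The "how to check if you have already been hacked" list and the "review your web server logs" step above can be automated in one pass. The script below is an added example written for this post, not Bluethunder's or Adobe's tooling. It looks for the three indicator file names in a CFIDE tree, checks whether the scheduler configuration mentions cfprobe (the assumption here is ColdFusion's lib/neo-cron.xml file, read only as text), and scans IIS W3C-format log lines for requests to /CFIDE/administrator or /CFIDE/adminapi that did not come from localhost, which is exactly the access the lockdown above is meant to prevent. The directory tree, the neo-cron.xml snippet and the log lines are constructed samples; the admin-page paths in the sample log are illustrative.

```python
import os
import tempfile
from pathlib import Path

# Indicator file names given in the advisory above.
INDICATOR_FILES = {"h.cfm", "i.cfm", "cfprobe.cfm"}
# Directories that should never be reachable from the public internet.
ADMIN_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")
LOCAL_IPS = {"127.0.0.1", "::1"}


def find_indicator_files(cfide_root):
    """Walk the CFIDE tree and return relative paths whose file name is a known indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(cfide_root):
        for name in files:
            if name.lower() in INDICATOR_FILES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), cfide_root))
    return sorted(hits)


def scheduled_tasks_reference_cfprobe(neo_cron_path):
    """True if the scheduler config (assumed: <cfroot>/lib/neo-cron.xml) mentions cfprobe."""
    try:
        text = Path(neo_cron_path).read_text(encoding="utf-8", errors="replace")
    except FileNotFoundError:
        return False
    return "cfprobe" in text.lower()


def parse_w3c(lines):
    """Yield one dict per IIS W3C extended log line, keyed by the names in the #Fields: header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def suspicious_log_entries(lines):
    """Return (remote_admin_hits, indicator_hits), each a list of (date time, client ip, path)."""
    admin, indicators = [], []
    for row in parse_w3c(lines):
        path = row["cs-uri-stem"]
        entry = (f'{row["date"]} {row["time"]}', row["c-ip"], path)
        if path.lower().startswith(ADMIN_PREFIXES) and row["c-ip"] not in LOCAL_IPS:
            admin.append(entry)  # admin/adminapi reached from a non-local address
        if os.path.basename(path).lower() in INDICATOR_FILES:
            indicators.append(entry)  # the planted files were actually requested
    return admin, indicators


# Constructed IIS W3C log sample (not real traffic); the admin paths are illustrative.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2013-01-04 03:12:55 203.0.113.50 POST /CFIDE/adminapi/administrator.cfc method=login 200",
    "2013-01-04 03:13:02 203.0.113.50 POST /CFIDE/administrator/scheduler/scheduletasks.cfm - 200",
    "2013-01-04 03:13:09 203.0.113.50 GET /CFIDE/cfprobe.cfm - 200",
    "2013-01-04 09:00:00 127.0.0.1 GET /CFIDE/administrator/index.cfm - 200",
    "2013-01-04 09:05:00 198.51.100.4 GET /index.cfm - 200",
]


def build_sample_cfide():
    """Create a constructed CFIDE tree with two planted indicator files and a
    neo-cron.xml snippet mentioning cfprobe; returns (cfide_root, neo_cron_path)."""
    root = tempfile.mkdtemp(prefix="cfide_demo_")
    os.makedirs(os.path.join(root, "administrator"))
    os.makedirs(os.path.join(root, "scripts"))
    Path(root, "administrator", "index.cfm").write_text("<!--- legitimate admin page --->")
    Path(root, "cfprobe.cfm").write_text("<!--- constructed indicator file --->")
    Path(root, "scripts", "i.cfm").write_text("<!--- constructed indicator file --->")
    neo = Path(root, "neo-cron.xml")  # placed here only for the demo; real file lives in lib/
    neo.write_text("<var name='url'><string>http://127.0.0.1/CFIDE/cfprobe.cfm</string></var>")
    return root, str(neo)


if __name__ == "__main__":
    cfide, neo_cron = build_sample_cfide()
    print("indicator files:", find_indicator_files(cfide))
    print("scheduler references cfprobe:", scheduled_tasks_reference_cfprobe(neo_cron))
    admin_hits, ioc_hits = suspicious_log_entries(SAMPLE_LOG)
    print("remote admin access:", admin_hits)
    print("indicator files requested:", ioc_hits)
```

Point `find_indicator_files` at every CFIDE copy and virtual directory on the server, not just the default one, since item 2 of the "you are vulnerable if" list is precisely an extra mapping to the original CFIDE. Any non-local hit on the admin paths after the lockdown is applied means the lockdown is incomplete; timestamps from the log scan give you the dates and times to search for other files created during the same period.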