# adobe
d
I found an interesting exception in my logs. See thread for stacktrace. I have no idea what is triggering this error.
```
"Error","ajp-nio-127.0.0.1-8014-exec-6","04/19/23","09:14:34","","Neither the method eo was found in component cf_scripts.scripts.ajax.ckeditor.plugins.filemanager.iedit nor was there any default method with this name present in any of the implementing interface.Ensure that the method is defined, and that it is spelled correctly. The specific sequence of files included or processed is: E:\servers\cfusion\wwwroot\cf_scripts\scripts\ajax\ckeditor\plugins\filemanager\iedit.cfc'' "
coldfusion.runtime.TemplateProxy$InvalidMethodNameException: Neither the method eo was found in component cf_scripts.scripts.ajax.ckeditor.plugins.filemanager.iedit nor was there any default method with this name present in any of the implementing interface.
    at coldfusion.runtime.TemplateProxy.throwInvalidMethodNameException(TemplateProxy.java:1130)
    at coldfusion.runtime.TemplateProxy.resolveMethod(TemplateProxy.java:1089)
    at coldfusion.runtime.TemplateProxy.resolveMethod(TemplateProxy.java:1072)
    at coldfusion.runtime.TemplateProxy.resolveMethod(TemplateProxy.java:1062)
    at coldfusion.runtime.TemplateProxy.getMethodMetaData(TemplateProxy.java:366)
    at coldfusion.filter.ComponentFilter.invoke(ComponentFilter.java:231)
    at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:597)
    at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:43)
    at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
    at coldfusion.filter.PathFilter.invoke(PathFilter.java:162)
    at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:96)
    at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
    at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
    at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:60)
    at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
    at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
    at coldfusion.xml.rpc.CFCServlet.invoke(CFCServlet.java:156)
    at coldfusion.xml.rpc.CFCServlet.doPost(CFCServlet.java:348)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
    at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:311)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:46)
    at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:47)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at jdk.internal.reflect.GeneratedMethodAccessor98.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at com.intergral.fusionreactor.j2ee.filterchain.WrappedFilterChain.doFilter(WrappedFilterChain.java:134)
    at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doNext(FusionReactorRequestHandler.java:772)
    at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doHttpServletRequest(FusionReactorRequestHandler.java:344)
    at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.doFusionRequest(FusionReactorRequestHandler.java:207)
    at com.intergral.fusionreactor.j2ee.filter.FusionReactorRequestHandler.handle(FusionReactorRequestHandler.java:809)
    at com.intergral.fusionreactor.j2ee.filter.FusionReactorCoreFilter.doFilter(FusionReactorCoreFilter.java:36)
    at jdk.internal.reflect.GeneratedMethodAccessor97.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at com.intergral.fusionreactor.j2ee.filterchain.WrappedFilterChain.doFilter(WrappedFilterChain.java:71)
    at jdk.internal.reflect.GeneratedMethodAccessor96.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at com.intergral.fusionreactor.agent.filter.FusionReactorStaticFilter.doFilter(FusionReactorStaticFilter.java:54)
    at com.intergral.fusionreactor.agent.pointcuts.NewFilterChainPointCut$1.invoke(NewFilterChainPointCut.java:42)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:451)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:853)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1587)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:834)
```
I haven't logged into CFADMIN in a while, and it's blocked to external IPs.
m
MJ error?
1
Sorry. Captain Eo. I got nuthin.
Is there a recurring process that might log into the admin? Some kind of nightly? How often does the error show up?
d
None. None. Occurred 7 times this morning between 6am and 9am. Occurred 2 times on 4/11. Occurred 1 time on 4/10.
I missed this log entry earlier:
```
"Error","ajp-nio-127.0.0.1-8015-exec-6","04/19/23","09:00:43","","Exception occurred while calling indexDocument : for url /misc_data/databases/intra_webutility:cfintra:8503 with document {""port"":1433,""host"":""tp-sql2"",""vendor"":""MSSQLServer"",""db_name"":""intra"",""cluster_id"":null,""db_server_name"":""intra"",""instance_id"":""webutility:cfintra:8503"",""group_id"":null}"
java.lang.NullPointerException
```
b
Do you see IP addresses associated with these requests, either in these logs or in another log source? These could be exploitation attempts for CVE-2023-26359 / CVE-2023-26360.
☝️ 2
d
I do not.
Do you see any indicators on your server of a successful compromise, as outlined in @carehart's blog post here: https://www.carehart.org/blog/2023/3/17/coldfusion_march_2023_emergency_update
The "method not found" error and the fact that iedit.cfc is a publicly-accessible, standard cfc is what makes me think these could be exploit attempts.
d
Thank you, Brian. I'm going through Charlie's list of checks. The web apps are publicly available, CF Admin is not. I agree this looks like a hack attempt.
b
CFAdmin accessibility isn't required for exploitation, just any accessible .cfc. If you hit a URL like http://your.public.fqdn/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true you should see an error like "Neither the method foo was found in component..." in your logs. (edit: updated URL typo)
d
My logs only went back 2 hours, so I couldn't find any traces of the query string "_cfclient" nor "cfintra". I'm going to need time to apply an update, so for now I used Request Filtering in IIS to deny requests with a "_cfclient" query string.
@Brian Reilly thank you!
👍 1
Oh, also, I didn't find any traces of such "bad-guy" files.
c
But did you find any 2exml.class or 2elog.class files in the cfclasses of your CF instance? That was the first evidence to seek, per my post. (Sorry, been with clients all day. First chance to jump in. Glad to see Brian helping too, now.)
And when you say your logs only go back 2 hours, do you mean your web server access logs? Really, only 2 hours? That would be something to reconsider. They are vital as secondary evidence for all kinds of issues. Most servers keep days, weeks, months, or even years of them (perhaps zipping them up after some number of days).
And if you happen to be running FusionReactor, note that it has request logs also (tracking every CFM or CFC file request), and it keeps its logs by default for 30 days.
d
Hi Charlie, I did not find any of those class files.
c
But sure, the fact that you put in the qs block in the meantime while waiting to do the update is important. But when you say you found no "bad guy files", they could be hidden in many places. That's why gathering the other evidence is key, to help decide if further exploration is needed.
And are you confirming there ARE other class files in the cfclasses folder, and that they have recent dates? (Some people disable the "save class files" feature in the CF Admin, in which case there would be no new class files created after that. Those there, if any, would have old dates.) You could create a test.cfm page and call it, and see if it appears anew in there, as a sanity check.
d
I stand corrected. I confused the class files as "bad-guy" files. I meant I didn't find any class files that you said to search for.
Oh yes, class files are being saved. Feature enabled.
c
And with recent dates, right? If so, then the fact that there are no files with the pattern 2exml or 2elog means that the bad guys did not succeed in using the hack to cause CF to display such log or xml files, and that would generally mean they did not proceed to do the more nefarious aspect of the hack, which led to creation of a file with a shell script, which led to the worst part of the hack: that they could do essentially anything from within CF. If all that's so, count your blessings, indeed 🙂
d
ok
c
But yes, the original error you report would indeed be commensurate with them having sent in a url that TRIED to effect the hack. The fact that your "admin is not public" is not what protected you, though. That url would try to find that cf_scripts folder, which normally is NOT blocked. But if you guys blocked it, then perhaps THAT is what protected you.
☝🏾 1
d
Yes, recent dates found in the cfclasses folder.
c
Actually, I take that back. Since you got the error, the cf_scripts folder was NOT blocked. Your error said that the method was not found. And indeed, to anyone reading this later, the error Daniel reported (the method not found) WOULD happen whether they did or did NOT succeed in perpetrating the hack. As Brian said, the hack URL just needs to point to a CFC that CAN be reached from the outside. Even if the method named fails to exist, the rest of the payload (the querystring vars) could effect their dirty deed. But something seems to have protected you. Can't say what, from what little info we have. But get that update in place, and wipe your brow and move on to more important tasks you surely have 🙂
👍🏾 1