March 14, 2025
Very strange form behavior

We use Dailyrazor as our web host. Over the past couple of days our CFM forms have been acting strange. Every time a form is submitted it now has a JS header forwarding the browser to a site in Japan. None of the form is processed. Our host was hacked a couple of weeks ago – I’m wondering if the CF install was hijacked/corrupted? Or am I just missing something simple?

Here is an example page:
https://skicmsc.com/_contact_include.html

Submit the form and take a look at the resulting code. The very first line of my file is currently a <cfabort>. The file can be empty. Or it can be the actual file to process the form. Results are the same.


Edit: I found the problem. Our application file was replaced by one with malicious code. You would think the ISP would have caught this.

3 Comments
2025-06-12 12:51:38

We have seen this happen from customers coming from other hosting providers (not xByte Cloud) where someone had a security incident and not everything was found. Recently, we migrated a customer that had a bad actor that we believe had been grabbing credit card numbers for years. The previous hosting partner did not properly limit the web server which allowed PHP code to be executed. Combined with a bad practice of adding form submitted files to a common location, the bad actor was able to upload and download data. If you are not 100% sure everything is now secure, I would reach out to someone like Charlie to double check you.

If you are looking for security best practices, here is a video and blog we created based on our experiences: https://blog.xbytecloud.com/essential-security-practices-for-coldfusion-web-applications/

I will ditto what Charlie mentioned about some hosting companies not updating or patching CF leading to a lot of security challenges. I know we at xByte Cloud have been notifying our customers about all the recent updates and then updating them. I guess it is good to get things patched, but it is still a lot of work to keep up with all the recent updates. If you are not at a hosting partner that takes care of that for you, you need to make sure you watch for security updates from Adobe. It is very easy to find lists of CF sites and then scan them to test for vulnerabilities.

2025-06-11 19:56:31

I will ditto what Charlie mentioned about some hosting companies not updating or patching CF leading to a lot of security challenges. I know we at xByte Cloud have been notifying our customers about all the recent updates and then updating them. I guess it is good to get things patched, but it is still a lot of work. If you are not at a hosting partner that takes care of that for you, you need to make sure you watch for security updates from Adobe, which, as I mentioned, have been many recently. It is very easy to find lists of CF sites and then scan them to test for vulnerabilities.

We have also seen issues with bad security practices which allowed bad actors into their files even after the original hole was fixed because the bad actors added their own back door which wasn't initially found. If you think/know you have been hacked, I would 100% advise having someone like Charlie review your files to look for anything left behind.

To help with security practices, here is a blog we did listing some of our recommendations – https://blog.xbytecloud.com/essential-security-practices-for-coldfusion-web-applications/

2025-03-14 17:26:33
Beware: though you’ve found WHAT had happened (reflected in Rick’s “edit” at the bottom of his post above), sadly the fact that it DID happen means it likely will again.

And the problem may be in some bad-guy code that's been placed elsewhere in your site folders, and which still remains. Until you resolve that, the problem may recur.

Beyond that the ROOT cause is how they were able to PUT that bad-guy code on the server. That’s often due to a failure of the host to have kept cf updated, when past vulns were identified and fixed. If they since have done that, perhaps the bad guys won’t be able to put such code on the server again. If they’ve NOT, then you’ll likely only keep experiencing the problem. (Same with other cf clients on that host.) 

I can help you with finding and removing such bad guy code, as well as checking the state of such cf updates, and more–even in such a shared hosting setup, where you have access only to your own code folders. More at carehart.org/consulting. There’s just way too much to outline here, and different situations have different solutions.

Hope that helps you or others finding this. And if your problem doesn’t recur, that’s great. 

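Both xByte's and Charlie's comments above come down to the same check: baseline the site's files, look for anything replaced or left behind, and treat the kind of client-side forwarding Rick saw in his application file as a red flag. The script below is an added example, not code from anyone in this thread; the CFML extensions, the redirect regex and the constructed sample site (with a placeholder host) are assumptions.

```python
"""Added example (not from the thread): baseline the hashes of a ColdFusion site
folder, report what changed, and flag client-side redirect code in .cfm/.cfc files."""
import hashlib
import re
import tempfile
from pathlib import Path

SOURCE_EXT = {".cfm", ".cfc", ".cfml"}
# Browser-side forwarding constructs that have no business in a form handler.
REDIRECT_RE = re.compile(
    r"<script[^>]*>[^<]*?(?:window|document|top|self)\.location[^<]*</script>"
    r"|<meta[^>]+http-equiv=[\"']?refresh",
    re.IGNORECASE | re.DOTALL,
)

def baseline(root: Path) -> dict[str, str]:
    """SHA-256 of every CFML file under root, keyed by path relative to root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in SOURCE_EXT}

def diff_baseline(root: Path, known: dict[str, str]) -> dict[str, list[str]]:
    """Files added, changed or removed since the baseline was taken."""
    now = baseline(root)
    return {
        "added": sorted(set(now) - set(known)),
        "removed": sorted(set(known) - set(now)),
        "changed": sorted(f for f in now if f in known and now[f] != known[f]),
    }

def scan_for_redirects(root: Path) -> list[str]:
    """CFML files whose source contains a client-side redirect."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in SOURCE_EXT
                  and REDIRECT_RE.search(p.read_text(errors="replace")))

def demo() -> dict:
    """Constructed scenario: clean site, then Application.cfm swapped for an injected copy."""
    root = Path(tempfile.mkdtemp())
    (root / "Application.cfm").write_text('<cfapplication name="site">\n')
    (root / "contact.cfm").write_text("<cfabort>\n")
    known = baseline(root)
    # Simulated tampering (placeholder host): a JS redirect prepended to the application file,
    # plus an extra file dropped into the folder that no baseline entry accounts for.
    (root / "Application.cfm").write_text(
        '<script>window.location="https://redirect.example.invalid/";</script>\n'
        '<cfapplication name="site">\n')
    (root / "extra.cfm").write_text("<cfoutput>#now()#</cfoutput>\n")
    return {"diff": diff_baseline(root, known), "redirects": scan_for_redirects(root)}
```

Take the baseline from a known-clean copy (a fresh deployment or source control), not from the server after the incident, and run the diff on every folder you can read, not only the one the form lives in.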