March 14, 2025
Very strange form behavior

We use Dailyrazor as our web host. Over the past couple of days our CFM forms have been acting strange. Every time a form is submitted it now has a JS header forwarding the browser to a site in Japan. None of the form is processed. Our host was hacked a couple of weeks ago – I’m wondering if the CF install was hijacked/corrupted? Or am I just missing something simple?

Here is an example page:
https://skicmsc.com/_contact_include.html

Submit the form and take a look at the resulting code. The very first line of my file is currently a <cfabort>. The file can be empty. Or it can be the actual file to process the form. Results are the same.

 

Edit: I found the problem. Our application file was replaced by one with malicious code. You would think the ISP would have caught this.

1 Comment
2 days ago

 

Beware: though you’ve found WHAT had happened (reflected in Rick’s “edit” at the bottom of his post above), sadly the fact that it DID happen means it likely will again.

And the problem may be in some bad-guy code that’s been placed elsewhere in your site folders, and which still remains. Until you resolve that, the problem may recur.

Beyond that the ROOT cause is how they were able to PUT that bad-guy code on the server. That’s often due to a failure of the host to have kept cf updated, when past vulns were identified and fixed. If they since have done that, perhaps the bad guys won’t be able to put such code on the server again. If they’ve NOT, then you’ll likely only keep experiencing the problem. (Same with other cf clients on that host.) 

I can help you with finding and removing such bad guy code, as well as checking the state of such cf updates, and more–even in such a shared hosting setup, where you have access only to your own code folders. More at carehart.org/consulting. There’s just way too much to outline here, and different situations have different solutions.

Hope that helps you or others finding this. And if your problem doesn’t recur, that’s great. 

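An added example, not part of the original thread and not the commenter's own method: a first-pass sweep of a downloaded copy of the site folders for the situation described above, where `Application.cfm` was replaced and other planted files may remain. The redirect patterns, the 14-day window, the function names and the sample tree (including `example.invalid`) are assumptions constructed for illustration, since the thread does not show the injected code.

```python
import os, re, tempfile, time
from pathlib import Path

SCAN_EXT = {".cfm", ".cfc", ".cfml", ".html", ".htm"}
# Files ColdFusion runs implicitly around every request in their folder tree.
APP_WIDE = {"application.cfm", "application.cfc", "onrequestend.cfm"}
# Heuristic patterns: assumptions for illustration, not taken from the thread.
PATTERNS = {
    "js-redirect": re.compile(r"\blocation(?:\.href)?\s*=|location\.replace\s*\(", re.I),
    "meta-refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I),
    "cf-redirect": re.compile(r"<cflocation\b|<cfheader[^>]+name\s*=\s*[\"']?location", re.I),
}

def scan_site(root, since_epoch):
    """Return files needing review: app-wide files changed since since_epoch,
    and any scanned file containing a redirect pattern."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXT:
            continue
        text = path.read_text(errors="replace")
        hits = sorted(n for n, rx in PATTERNS.items() if rx.search(text))
        recent = path.stat().st_mtime >= since_epoch
        app_wide = path.name.lower() in APP_WIDE
        if hits or (recent and app_wide):
            findings.append({"path": path.relative_to(root).as_posix(),
                             "app_wide": app_wide, "recent": recent, "hits": hits})
    # App-wide files first, then recent ones: they affect every request.
    return sorted(findings, key=lambda f: (not f["app_wide"], not f["recent"], f["path"]))

def demo():
    """Build a small constructed site tree and scan it."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "uploads").mkdir()
        (site / "contact.cfm").write_text("<cfoutput>#form.name#</cfoutput>")
        (site / "Application.cfm").write_text(
            "<script>window.location='https://example.invalid/'</script><cfabort>")
        (site / "uploads" / "Application.cfm").write_text("<cfset x = 1>")
        old = time.time() - 90 * 86400
        os.utime(site / "contact.cfm", (old, old))
        return scan_site(site, since_epoch=time.time() - 14 * 86400)

if __name__ == "__main__":
    for f in demo():
        print(f)
```

Legitimate pages also redirect, so every hit needs manual review against a known-good copy, and modification times can be reset by whoever planted a file, so an old timestamp does not clear it.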