Thank you for the quick reply.
Since the last backup less than a month ago there have been around 78 new .js
(JavaScript) files written to the server. The client is not writing any of them.
As for uploading files from the outside, no; however, there are forms on the
site. The first indication that there were problems was when the client began
seeing Chinese characters added to their home page.
We also found other files on the system with which we were unfamiliar, such as
a cfform.js file and an ehlpdhtm.js file, but further investigation seems to
indicate that these are installed as part of the original install. We
initially thought these files, as they had functions to capture keystrokes and
other window behaviors, were viral, but they may not be in the end. However,
the other files we have found do indicate malicious intent. We believe that
the extra .js and .xml files are being replicated with similar file names on
the server to mask their true intent.
Is there any reason why a server would have Chinese files on it from the
original install if the administrator did not select to have the files loaded?
On doing searches on the server and sub-folders, we found numerous files with
_ja.xml or _ja.js names, which seem to mimic the file nomenclature of language
files for server interpretation. I searched and found NO other languages on the
server which are supported by ColdFusion, only English and Japanese.
Is there a way to find out which file names come from an original install? We
would like to use this to match against what we are currently seeing to be able
to establish a baseline to work from.
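The baseline approach asked about above, as an added example that is not part of the original thread: hash every file in a known-good tree (the last clean backup, or a fresh install of the same ColdFusion version on a separate machine) and diff that manifest against the live web root, so that every added, modified or missing file is listed rather than hunted for by eye. The directory layout and file contents below are constructed for the demo; the triage rule that pulls out new or changed .js/.xml files, and those whose names end in a locale-style "_ja" suffix, is this example's own heuristic, not a ColdFusion rule.

```python
"""Added example (not from the original thread): build a SHA-256 manifest of a
known-good tree and diff it against the live web root to list files that are
new, modified, or missing. Paths and sample file contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 hex digest for every file under root."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, missing) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, missing


# Heuristic for this demo: script/XML drift is what the thread describes.
SUSPECT_SUFFIXES = (".js", ".xml")


def triage(added, modified):
    """Pull out new/changed .js/.xml files, and the subset whose stem ends in
    a locale-style '_ja' suffix that mimics language resource files."""
    flagged = [p for p in added + modified
               if p.lower().endswith(SUSPECT_SUFFIXES)]
    locale_like = [p for p in flagged
                   if Path(p).stem.lower().endswith("_ja")]
    return flagged, locale_like


def demo():
    """Constructed scenario: a backup tree and a live tree that has drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        live = Path(tmp, "live")
        for root in (backup, live):
            (root / "scripts").mkdir(parents=True)
            (root / "index.cfm").write_text("<cfoutput>Home</cfoutput>\n")
            (root / "scripts" / "cfform.js").write_text("// shipped with install\n")
        # Drift on the live server only: an altered home page plus unexplained files.
        (live / "index.cfm").write_text("<cfoutput>Home</cfoutput><script src=x.js></script>\n")
        (live / "scripts" / "menu_ja.js").write_text("eval(/* constructed payload */)\n")
        (live / "scripts" / "menu_ja.xml").write_text("<r/>\n")
        (live / "readme.txt").write_text("benign new file\n")
        added, modified, missing = diff_manifests(build_manifest(backup), build_manifest(live))
        flagged, locale_like = triage(added, modified)
        return added, modified, missing, flagged, locale_like


if __name__ == "__main__":
    labels = ("added", "modified", "missing", "flagged .js/.xml", "_ja-style")
    for label, items in zip(labels, demo()):
        print(f"{label}: {items}")
```

In practice, point `build_manifest` at the mounted backup and at the live document root and keep the two manifests as evidence; note that a backup taken after the first intrusion is not a clean baseline, so a fresh install of the same version is the safer reference for answering which file names are original. A file with a matching name but a different hash (here, index.cfm) is as important as a brand-new one.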