Tuesday, June 03, 2014

China loves ColdFusion?

Some Chinese IPs in the 202.46.xx.xx-range are regularly trying to reach the following pages on our webserver:
Adware_Removal.cfm
Best_Browser.cfm
Computer_Parts.cfm
Disk_Defragmenter.cfm
Firewall_Protection.cfm
Fix_Slow_Computer.cfm
Format_Hard_Drives.cfm
Laptop_Repairs.cfm
Online_Data_Backup.cfm
Registry_Cleaner.cfm
Registry_Restore.cfm
Security_Software.cfm
Virus_Removal.cfm
Windows_Repair.cfm
Windows_XP_Help.cfm
Windows_XP_Software.cfm

Example:

xxx:80 202.46.xxx.xxx - - [xx/xxx/2014:xx:xx:xx +0200] "GET /Registry_Restore.cfm?fp=[randomcharacters]&maxads=0&prvtof=[randomcharacters]&kt=xxx&kbc=xxx&ki=xxxxxx&ktd=0&kp=4 HTTP/1.1" 403 222 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"

These appear to be ColdFusion files, and, well, we're not running ColdFusion. These files aren't on our server and they are met with a 403 anyway... I'm puzzled, though. Is there a ColdFusion package with gaping security holes out there? What are these files?
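One way to keep an eye on this kind of traffic is to pull every request for an extension the server does not serve out of the access log and group it by source range, so a wide crawl from one network stands out from a stray hit. The script below is an added example and not part of the original post; it assumes the vhost-prefixed Apache combined log layout shown above, and the log lines it runs on are constructed to resemble that pattern (hostnames, addresses and paths are made up).

```python
import re
from collections import Counter

# Constructed sample log lines in the same layout as the excerpt in the post
# (vhost:port, client IP, identd, user, [time], "request", status, bytes,
# "referer", "user-agent"). None of these values are taken from a real server.
SAMPLE_LOG = """\
www.example.com:80 202.46.10.20 - - [03/Jun/2014:10:15:01 +0200] "GET /Registry_Restore.cfm?fp=abc&maxads=0&prvtof=xyz&kt=1&kbc=2&ki=3&ktd=0&kp=4 HTTP/1.1" 403 222 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
www.example.com:80 202.46.10.21 - - [03/Jun/2014:10:15:07 +0200] "GET /Virus_Removal.cfm?fp=def HTTP/1.1" 403 222 "-" "Mozilla/5.0"
www.example.com:80 198.51.100.7 - - [03/Jun/2014:10:16:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
www.example.com:80 202.46.10.20 - - [03/Jun/2014:10:17:30 +0200] "GET /Windows_XP_Help.cfm?kp=4 HTTP/1.1" 404 199 "-" "Mozilla/5.0"
www.example.com:80 203.0.113.9 - - [03/Jun/2014:10:18:02 +0200] "GET /robots.txt HTTP/1.1" 200 80 "-" "curl/7.30"
"""

# Apache combined format with a leading "vhost:port" field.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+)\s+(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)\s+"(?P<referer>[^"]*)"\s+"(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Split the request target so the query string does not hide the extension.
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def find_unserved_requests(log_text, unserved_extensions=(".cfm",)):
    """Return parsed records whose path ends in an extension this server never serves."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or unexpected lines rather than crashing
        if rec["path"].lower().endswith(unserved_extensions):
            hits.append(rec)
    return hits


def summarize_by_source(hits, prefix_octets=2):
    """Group hits by the first `prefix_octets` octets of the client IP.

    Returns {range: {"requests": n, "paths": set(...), "statuses": Counter()}}.
    With the default of two octets a /16 such as 202.46.0.0/16 is one bucket,
    which matches the way the post describes the scanning range.
    """
    summary = {}
    for rec in hits:
        octets = rec["ip"].split(".")[:prefix_octets]
        key = ".".join(octets + ["0"] * (4 - prefix_octets)) + "/%d" % (8 * prefix_octets)
        bucket = summary.setdefault(key, {"requests": 0, "paths": set(), "statuses": Counter()})
        bucket["requests"] += 1
        bucket["paths"].add(rec["path"])
        bucket["statuses"][rec["status"]] += 1
    return summary


if __name__ == "__main__":
    for rng, info in summarize_by_source(find_unserved_requests(SAMPLE_LOG)).items():
        print(rng, info["requests"], "requests,", dict(info["statuses"]))
        for p in sorted(info["paths"]):
            print("   ", p)
```

Feeding a real log in through `find_unserved_requests(open(path).read())` gives the same per-range view; the status breakdown is useful because a 403 on a path that does not exist confirms a deny rule is answering before the request reaches anything, while a 404 means the request got as far as the filesystem lookup.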
