The MD5 hash of the MinerD / m32.exe file confirms it to be a variant of the miner daemon (a Litecoin / Bitcoin mining daemon).
2014-03-13 08:20:44 W3SVC1313602513 XX.XXX.XXX.234 GET /CFIDE/administrator/enter.cfm - 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:45 W3SVC1313602513 XX.XXX.XXX.234 GET /CFIDE/adminapi/base.cfc wsdl 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:47 W3SVC1313602513 XX.XXX.XXX.234 POST /CFIDE/adminapi/administrator.cfc method=login 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:49 W3SVC1313602513 XX.XXX.XXX.234 GET /CFIDE/administrator/settings/mappings.cfm - 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:50 W3SVC1313602513 XX.XXX.XXX.234 GET /CFIDE/administrator/settings/mappings.cfm - 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:51 W3SVC1313602513 XX.XXX.XXX.234 GET /CFIDE/administrator/scheduler/scheduleedit.cfm submit=Schedule+New+Task 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:53 W3SVC1313602513 XX.XXX.XXX.234 POST /CFIDE/administrator/scheduler/scheduleedit.cfm - 443 - 193.0.202.101 WWW-Mechanize/1.73 302 0 0
2014-03-13 08:20:53 W3SVC1313602513 XX.XXX.XXX.234 GET /CFIDE/administrator/scheduler/scheduletasks.cfm - 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:55 W3SVC1313602513 XX.XXX.XXX.234 GET /CFIDE/administrator/scheduler/scheduletasks.cfm runtask=update 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:55 W3SVC1313602513 XX.XXX.XXX.228 GET /CFIDE/administrator/enter.cfm - 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:57 W3SVC1313602513 XX.XXX.XXX.234 GET /CFIDE/updates.cfm - 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:57 W3SVC1313602513 XX.XXX.XXX.228 GET /CFIDE/adminapi/base.cfc wsdl 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:58 W3SVC1313602513 XX.XXX.XXX.234 GET /CFIDE/administrator/scheduler/scheduletasks.cfm action=delete&task=update 443 - 193.0.202.101 WWW-Mechanize/1.73 200 0 0
The evidence shows that a scheduled task is created in the CF scheduler which fetches this URL: http://64.55.115.3/CFIDE/updates.txt and saves it to the CFIDE directory as updates.cfm.
The same IP address, 193.0.202.101, was the origin of attacks on several servers.
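The log sequence above (adminapi login, scheduled task created, task run, dropped updates.cfm requested, task deleted) is distinctive enough to hunt for in IIS W3C logs. The following is an added detection example, not part of the original report; the field order, stage names and the sample log are assumptions/constructed to mirror the evidence above.

```python
"""Flag the ColdFusion scheduler abuse chain seen above in IIS W3C log lines."""
import re
from collections import defaultdict

# Stages of the sequence in the evidence: API login, task creation (POST to
# scheduleedit.cfm), task run, task deletion. (stage, method, path, query regex)
STAGES = [
    ("adminapi_login", "POST", "/cfide/adminapi/administrator.cfc", r"method=login"),
    ("task_created", "POST", "/cfide/administrator/scheduler/scheduleedit.cfm", r".*"),
    ("task_run", "GET", "/cfide/administrator/scheduler/scheduletasks.cfm", r"runtask="),
    ("task_deleted", "GET", "/cfide/administrator/scheduler/scheduletasks.cfm", r"action=delete"),
]

def parse_iis_line(line):
    """Parse one W3C line in the field order used above (date time site s-ip
    method uri-stem query port user c-ip ua status ...); None for comments/blank."""
    f = line.split()
    if not f or line.startswith("#") or len(f) < 12:
        return None
    return {"time": f[0] + " " + f[1], "method": f[4], "path": f[5].lower(),
            "query": f[6], "client_ip": f[9], "status": f[11]}

def detect_scheduler_abuse(lines):
    """Return {client_ip: stages hit, in order} for clients that complete the chain."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_iis_line, lines)):
        for name, method, path, qre in STAGES:
            if (rec["method"] == method and rec["path"] == path
                    and re.search(qre, rec["query"]) and name not in hits[rec["client_ip"]]):
                hits[rec["client_ip"]].append(name)  # first occurrence only, keeps order
    return {ip: s for ip, s in hits.items() if s == [n for n, *_ in STAGES]}

# Constructed sample log (same layout as the evidence above; not the real log).
# 198.51.100.7 performs the full chain; 192.0.2.10 only logs in and views tasks.
SAMPLE_LOG = """\
2014-03-13 08:20:47 W3SVC1 10.0.0.5 POST /CFIDE/adminapi/administrator.cfc method=login 443 - 198.51.100.7 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:53 W3SVC1 10.0.0.5 POST /CFIDE/administrator/scheduler/scheduleedit.cfm - 443 - 198.51.100.7 WWW-Mechanize/1.73 302 0 0
2014-03-13 08:20:55 W3SVC1 10.0.0.5 GET /CFIDE/administrator/scheduler/scheduletasks.cfm runtask=update 443 - 198.51.100.7 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:57 W3SVC1 10.0.0.5 GET /CFIDE/updates.cfm - 443 - 198.51.100.7 WWW-Mechanize/1.73 200 0 0
2014-03-13 08:20:58 W3SVC1 10.0.0.5 GET /CFIDE/administrator/scheduler/scheduletasks.cfm action=delete&task=update 443 - 198.51.100.7 WWW-Mechanize/1.73 200 0 0
2014-03-13 09:01:02 W3SVC1 10.0.0.5 POST /CFIDE/adminapi/administrator.cfc method=login 443 - 192.0.2.10 Mozilla/5.0 200 0 0
2014-03-13 09:01:10 W3SVC1 10.0.0.5 GET /CFIDE/administrator/scheduler/scheduletasks.cfm - 443 - 192.0.2.10 Mozilla/5.0 200 0 0
"""

if __name__ == "__main__":
    for ip, stages in detect_scheduler_abuse(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", " > ".join(stages))
```

Only clients that hit all four stages are reported, so routine administrator logins and task listings from other addresses are not flagged.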