ColdFusion server hacked or Server compromised

We understand that your server might have been compromised. It's a critical situation, and there are some preventive measures that should be taken. First of all scan your site at If the scan report shows any vulnerability, then contact the Adobe Product Security Incident Response Team at PSIRT(at)adobe(dot)com with the scan results.

What you can try at your end

There are a few sanity checks that may help you. They will not fix your application against the vulnerability, but they will help identify whether the server has been compromised.

You can try the following:

  1. Check the application.cfm and remove any unwanted code added by this attack.
  2. Check if there are any unwanted files in your web root or in the /CFIDE directory and remove them if present. For example, if h.cfm, i.cfm or any other unwanted files are present, remove them immediately.
  3. Also see if there is any unwanted modification to any of your files. You should be able to find these by looking at the timestamps of the files; remove any unwanted code added by this attack.
  4. Check if there is any unwanted scheduled task created in the administrator. If there is any, please remove that immediately.
  5. Once done with the above steps, please go through the latest Security bulletin
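Steps 1 to 3 can be partly automated. The script below is an added example, not Adobe tooling or code from the original post: it compares the CFML files in the live web root against a known-good copy and flags files that are new, altered, or modified after a cutoff time. It assumes you have a clean copy of the site (a backup or deployment package); the function names and the date in the usage comment are made up for illustration.

```python
import hashlib, os, sys
from datetime import datetime, timezone

CFML_EXT = {".cfm", ".cfc", ".cfml"}  # template types ColdFusion will execute

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def cfml_files(root):
    """Yield (relative_path, full_path) for every CFML file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in CFML_EXT:
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full

def build_baseline(clean_root):
    """Hash a known-good copy (assumed: a backup or deployment package)."""
    return {rel: sha256_of(full) for rel, full in cfml_files(clean_root)}

def audit_webroot(webroot, baseline, since):
    """Return sorted (relative_path, reason) findings for manual review.

    since must be a timezone-aware datetime. Timestamps can be reset by
    an intruder, so the hash comparison is checked before the mtime.
    """
    findings = []
    for rel, full in cfml_files(webroot):
        mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
        if rel not in baseline:
            findings.append((rel, "not in baseline"))        # e.g. a stray h.cfm
        elif sha256_of(full) != baseline[rel]:
            findings.append((rel, "content differs from baseline"))
        elif mtime > since:
            findings.append((rel, "modified after cutoff"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: audit.py <clean_copy> <live_webroot> <cutoff>
    # cutoff example (constructed): 2024-01-01T00:00:00+00:00
    clean, live, cutoff = sys.argv[1:4]
    base = build_baseline(clean)
    for rel, reason in audit_webroot(live, base, datetime.fromisoformat(cutoff)):
        print(f"{reason:32} {rel}")
```

Every finding still needs a manual look before anything is deleted; copy suspicious files aside first so they can be sent along with the scan results.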

Adobe recommends that ColdFusion customers update their installation using the instructions provided in the technote (as of today)

It is also recommended that you apply the Lockdown guide on your server.

Some quick links

ColdFusion 11 lockdown guide: –

ColdFusion 10 lockdown guide: –

ColdFusion 9 lockdown guide: –

Note: The above suggestions are preliminary, and there could be other action items as well.

