So with the most recent attack on ColdFusion (detailed by Charlie Arehart, Part #1, Part #2) there was a comment left on the post that got me a bit concerned where the comment said all you had to do is search for
h.cfm to remove the file placed by the attacker. My experience has been if an attacker has had access to the server there is no absolute way of knowing what they might have done, even with good log reconstruction. As I noted in my comment in one instance I have previously encountered a situation where an attacker put a file called
CFIDE/scripts/ajax/FCKeditor/editor/dialog/common. At first glance of the directory it looks right, but inactuallity it a file that was buried and hidden so the attacker could come back through it instead of the original entry point.
The only way to know is to have a way of doing file integrity checks against a good known source. The initial attack that was posted to the Adobe forum was found because an intrustion detection system (IDS) alerted the administrator that a file had been written to CFIDE that was called