The last few days we've been having hacking issues with several of our asp.net 4.0 websites. The only problem is that we don't know how they are doing this.
The problem is the following:
Every now and then, links are being inserted at the very end of a page. When they're trying to insert the data, it does seem like they first put it at the very end of the page and then move their code upwards until it reaches the correct place. We've noticed
they added some test stuff "1111" at the end of a page with a master page which then resulted in an error but we've also noticed before that they can place the code in the correct place so it doesn't trigger errors.
Sometimes new files are added to the server as well.
We've already changed passwords several times and we're quite sure that they do not know the password data as the last time we've changed it, we didn't ftp or communicate the password anymore.
Does anyone have any idea as to how one can hack a site this easily?
Thanks in advance!
Can you provide the URL for the site? Perhaps a forum member can identify the vulnerability by looking at the site in question.
One of the most common methods of web site hacking is via a SQL injection attack. Your scenario has the characteristics of such an attack. Is your site using MSSQL for the back-end? Do you have a CMS system hooked up to it? During development, did you take
steps to prevent SQL injection?
We have our own CMS system which uses webform authentication.
For now we've also outruled SQL injection. So far the database seems untouched and it are just files on the server that are being edited.
We've also scanned the site with asafaweb and no problems were found.
I would like to give you the url but the site is confidential so, sadly, I'm not able to.
If the files themself are being edited on the server you may want to look for any out of place files located on the server such as a .asp .js etc.. If you do find any out of place files delete them. If your application contains any sort of file uploading
capabilities make sure that you have some form of file type validation in place blocking the ability to upload executable file types.
I have seen a particular classic asp file which pretty much gives the person accessing the page on a web server control to execute commands as the web server process as well as browse and write to any place on the server where the web server or everyone
has access to write. Said file does not necisarily need to exist in the exploited web sites directory so check any other sites which may be hosted on the server as well for anything out of place.
We've found an extra file. An .asp file.
When browsing to the asp file, the entire dir structure of the site is being read. Each file can be edited by clicking on an edit button.
Google learned me that we're not the only ones who have this file placed. I've found another similar file here:
http://www.deepocean.com/api/mapper/Inc.asp
So now we think we know how they edit files. Only question that remains is how they succeeded into putting this file on our hosting plan...
Yep seen that before.
As stated earlier if you have any file uploading functionality look to that being the attack vector they are using.
Make sure you are not allowing "executable" files to be uploaded or access to the uploader is actually blocked if it is in a protected area.
Also https://asafaweb.com/ only looks for configuration vulnerabilities. That being said just because a site passes a scan here does not mean it's without vulernabilities. IMO this is a good scanner for what it does but
it is only focused on ASP.NET/server configuration and is by no means thorough.
We've been browsing through a bunch of our sites. We've noticed that sites with an extensive CMS have been modified but also sites where the web.config is only at about 10 lines and where there is no vb code present in the vb files (just the default inherits
stuff when creating a new aspx + vb file). With this little data on the server, is it still an option that it comes from directly hacking our site or should we be thinking about a leak on the server?
Qbikaris
Member
26 Points
18 Posts
Website is being hacked
Jan 07, 2013 02:55 PM|LINK
Hello,
The last few days we've been having hacking issues with several of our asp.net 4.0 websites. The only problem is that we don't know how they are doing this.
The problem is the following:
Every now and then, links are being inserted at the very end of a page. When they're trying to insert the data, it does seem like they first put it at the very end of the page and then move their code upwards until it reaches the correct place. We've noticed they added some test stuff "1111" at the end of a page with a master page which then resulted in an error but we've also noticed before that they can place the code in the correct place so it doesn't trigger errors.
Sometimes new files are added to the server as well.
We've already changed passwords several times and we're quite sure that they do not know the password data as the last time we've changed it, we didn't ftp or communicate the password anymore.
Does anyone have any idea as to how one can hack a site this easily?
Thanks in advance!
joshj
Contributor
3205 Points
552 Posts
Re: Website is being hacked
Jan 07, 2013 03:20 PM|LINK
Can you provide the URL for the site? Perhaps a forum member can identify the vulnerability by looking at the site in question.
One of the most common methods of web site hacking is via a SQL injection attack. Your scenario has the characteristics of such an attack. Is your site using MSSQL for the back-end? Do you have a CMS system hooked up to it? During development, did you take steps to prevent SQL injection?
Qbikaris
Member
26 Points
18 Posts
Re: Website is being hacked
Jan 07, 2013 03:28 PM|LINK
We have our own CMS system which uses webform authentication.
For now we've also outruled SQL injection. So far the database seems untouched and it are just files on the server that are being edited.
We've also scanned the site with asafaweb and no problems were found.
I would like to give you the url but the site is confidential so, sadly, I'm not able to.
jprochazka
Contributor
4992 Points
748 Posts
Re: Website is being hacked
Jan 07, 2013 03:36 PM|LINK
If the files themself are being edited on the server you may want to look for any out of place files located on the server such as a .asp .js etc.. If you do find any out of place files delete them. If your application contains any sort of file uploading capabilities make sure that you have some form of file type validation in place blocking the ability to upload executable file types.
I have seen a particular classic asp file which pretty much gives the person accessing the page on a web server control to execute commands as the web server process as well as browse and write to any place on the server where the web server or everyone has access to write. Said file does not necisarily need to exist in the exploited web sites directory so check any other sites which may be hosted on the server as well for anything out of place.
tiagosalgado
Contributor
2410 Points
544 Posts
Re: Website is being hacked
Jan 07, 2013 03:38 PM|LINK
Try to check your website here and see if detects anything:
https://asafaweb.com/
http://geekswithblogs.com/TiagoSalgado
@TiagoSalgado
Primillo
Star
8841 Points
1701 Posts
Re: Website is being hacked
Jan 07, 2013 04:51 PM|LINK
Hi
Did you report this issues with your hosting provider?
Also I highly recommend CHANGE YOUR HOSTING CONTROL PANEL PASSWORD
If you still having problems with it, then change your hosting provider.
Primillo
http://www.facebook.com/programandopuntonet
Qbikaris
Member
26 Points
18 Posts
Re: Website is being hacked
Jan 08, 2013 07:21 AM|LINK
Thanks for all your answers.
We've already checked the site with asafaweb and nothing bad came up.
The site is hosted on a webfarm so I can't check for any bad files but on our websites. When I see bad files I remove them right away.
We're currently looking into XSS but would it be possible to write completely new files to the hosting with XSS?
Qbikaris
Member
26 Points
18 Posts
Re: Website is being hacked
Jan 08, 2013 11:55 AM|LINK
I have got some updates on this subject.
We've found an extra file. An .asp file.
When browsing to the asp file, the entire dir structure of the site is being read. Each file can be edited by clicking on an edit button.
Google learned me that we're not the only ones who have this file placed. I've found another similar file here:
http://www.deepocean.com/api/mapper/Inc.asp
So now we think we know how they edit files. Only question that remains is how they succeeded into putting this file on our hosting plan...
jprochazka
Contributor
4992 Points
748 Posts
Re: Website is being hacked
Jan 08, 2013 12:22 PM|LINK
Yep seen that before.
As stated earlier if you have any file uploading functionality look to that being the attack vector they are using.
Make sure you are not allowing "executable" files to be uploaded or access to the uploader is actually blocked if it is in a protected area.
Also https://asafaweb.com/ only looks for configuration vulnerabilities. That being said just because a site passes a scan here does not mean it's without vulernabilities. IMO this is a good scanner for what it does but it is only focused on ASP.NET/server configuration and is by no means thorough.
For a more thorough scan you can look into free tools such as:
Skipfish http://code.google.com/p/skipfish/ (my personal favorite)
Wapiti http://wapiti.sourceforge.net/
If you have the extra money a great scanner is Acutentix.
http://www.acunetix.com/
Qbikaris
Member
26 Points
18 Posts
Re: Website is being hacked
Jan 08, 2013 12:41 PM|LINK
We've been browsing through a bunch of our sites. We've noticed that sites with an extensive CMS have been modified but also sites where the web.config is only at about 10 lines and where there is no vb code present in the vb files (just the default inherits stuff when creating a new aspx + vb file). With this little data on the server, is it still an option that it comes from directly hacking our site or should we be thinking about a leak on the server?
I'll check out the tools you recommended. Thanks!