Last post Nov 24, 2014 07:57 AM by terryrey
Nov 24, 2014 05:14 AM|terryrey
I have a site that was written about 7 years ago in ASP.NET 2 which was recently the target of a compromise where the hackers dumped lots of HTML files on the site. After spending some time looking at it, I found that the file manager in the FCK editor was not secure and have subsequently removed it along with all the files that were loaded onto the server.
We first became aware of the issue when we received a Google report that the server was hacked about six weeks ago. Since we closed the loophole and removed the files there has been no further compromise that we are aware of.
Then last week we received another report from Google that the server was hacked and it gave a URI similar to the following;
http://somedomain.com?search.asp?some_very_long_html_filename.html -names changed to protect the innocent!
Now, here's what has really confused me; if you click the link, it does actually take one to the URI indicated and displays a spam html file on my domain. However, there is no file called search.asp in the directory structure of the site and the html file is not there either!!!
Additionally, if I go to the URI and omit the query string it brings up the search.asp file, which is totally blank and there is no source code though it does open an empty box which indicates to me that the file is there.
I have checked the web config and cannot find anything out of the ordinary.
Can someone please tell me what is going on or at least tell me where else I should be looking?
Nov 24, 2014 05:20 AM|smirnov
(slash instead of ?)
or search.asp is a parameter of one of your pages, e.g.
Nov 24, 2014 05:41 AM|terryrey
Thanks for the response and my apologies, it was a typo. It should read http://somedomain.com/search.asp?some_very_long_html_filename.html
Nov 24, 2014 05:53 AM|smirnov
If url is somedomain.com/search.asp then
To check #2 just try to enter search2.asp or look if you have any rewrite logic in web.config.
Also check if you have global.asa or global.asax or if you have any custom error page that might redirect a non-existent page to a certain script.
Also you said it is an asp-file, a classic asp?
Regardless of whether you find it or not, you need to either redeploy your site again or check every script to see whether any other "changes" were made. Even if Google does not report any problems to you, it might happen that there is other code/files that were hacked and still exist in your system.
Nov 24, 2014 07:57 AM|terryrey
I thought I was going mad because I had checked all you mentioned. Anyhow, your post got me thinking and I hadn't checked whether they'd made it a system file or not, so when I unchecked show hidden files it didn't show up, and it wasn't until I unchecked show system files that it became visible.
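
The resolution above turned on a file carrying the System attribute, which Explorer does not show by default. As an added example (not part of the original thread), this PowerShell function lists every file under a web root that has the Hidden or System attribute set. The function name `Find-HiddenWebFiles`, the extension list and the temporary demo folder are assumptions made for illustration.

```powershell
# Added example: report files under a web root that carry the Hidden or
# System attribute, regardless of Explorer's view settings.
function Find-HiddenWebFiles {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Extensions the web server may serve or execute (assumed list; adjust per site).
        [string[]] $ServedExtensions = @('.asp', '.aspx', '.asa', '.asax',
                                         '.ashx', '.htm', '.html', '.config')
    )
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

    # -Force makes Get-ChildItem return hidden and system items too.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ([int]$_.Attributes -band $mask) -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.FullName
                Attributes = $_.Attributes
                # True when the file type is one the site could serve or run.
                Served     = $ServedExtensions -contains $_.Extension.ToLower()
                LastWrite  = $_.LastWriteTime
                Length     = $_.Length
            }
        } |
        Sort-Object @{ Expression = 'Served'; Descending = $true }, LastWrite
}

# Constructed demo: a throwaway folder with one visible page and one file
# marked Hidden + System, mirroring the situation described in the thread.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('webroot-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'default.aspx') -Value 'visible page'
$planted = Join-Path $demo 'search.asp'
Set-Content -Path $planted -Value 'constructed placeholder content'
(Get-Item -LiteralPath $planted).Attributes = 'Hidden, System'

# Only search.asp is reported; default.aspx has neither attribute.
Find-HiddenWebFiles -Root $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Legitimate files such as desktop.ini or Thumbs.db also carry these attributes, so the `Served` column is the quicker way to spot entries that need a closer look.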