My website is hacked, what can I have missed?

[Lena_25]

My website has been hacked. Someone have put spam links in some of the files (not in the database).
Its a classic asp website with a mysql database.

I canīt figure out how they have done this, can someone give me some ideas?

The only form on the website is a contact form where you can send an e-mail to my mail. The form is not saved in the database. And the message is not written out on the screen.

The website have a "homemade" admin folder where I can log in with a password encrypted with MD5.

The password entered in the login form is checked for sql injection with this replace code
strNewSql = Replace(strText, "\", "\\")
strNewSql = Replace(strNewSql, "'", "''")

There is also a small javascript made by someone else that handle the viewing of a photo gallery. Could it be a vulnerability?

And on the admin pages I use WYZZ editor to style the text. Could it be a vulnerability?

[gk53]

check you log files and find from where you get injection, if any. Is any possibility for someone to just find your user name password combination for admin part of your site or just ftp to your site?

[Lena_25]

check you log files and find from where you get injection, if any. Is any possibility for someone to just find your user name password combination for admin part of your site or just ftp to your site?

Thank you so much for your answer! :-)

But I donīt understand where I can find these log files. Iīve checked the control panel on the web hosting company and the only thing I found was ftp logs but they didnīt save the old ones so I could not see anything from that time there.
What kind of information is in the log files you are suggesting?

There is only a password for the admin part, no user name. There is only one user for the admin part. Maybe someone tried a brute force on the password?

I have a ftp account on the website, but I donīt see how someone could find it or find the admin password that is stored in the database?

Sorry my bad english.

[sqlconfused]

Go one step further....

strNewSql = Replace(strNewSql, "&", "")
strNewSql = Replace(strNewSql, ";", "")
strNewSql = Replace(strNewSql, "--", "")

Of course you won't be able to use those characters for your password.

[gk53]

Contact your provider and tell them you have been hacked and you need that info they should give you...
I do not think
strNewSql = Replace(strNewSql, "&", "")
strNewSql = Replace(strNewSql, ";", "")
strNewSql = Replace(strNewSql, "--", "")
will really help, because you said it is just html page not database driven asp, so it is not sql injection...
in this case only a few options to change your html code.
1. Get in by ftp to server and replace pages
2. log in throw your admin site
3. Because your site in html pages and "homemade" script create html pages, check ability to submit page from different server to yours page which create html code... (that may be confused, but in another words if I set up page or form on my server which submit data to page on your server inside admin folder which take data from request from my form and create html page on your server) if it is more clear

[Lena_25]

Contact your provider and tell them you have been hacked and you need that info they should give you...
I do not think
strNewSql = Replace(strNewSql, "&", "")
strNewSql = Replace(strNewSql, ";", "")
strNewSql = Replace(strNewSql, "--", "")
will really help, because you said it is just html page not database driven asp, so it is not sql injection...
in this case only a few options to change your html code.
1. Get in by ftp to server and replace pages
2. log in throw your admin site
3. Because your site in html pages and "homemade" script create html pages, check ability to submit page from different server to yours page which create html code... (that may be confused, but in another words if I set up page or form on my server which submit data to page on your server inside admin folder which take data from request from my form and create html page on your server) if it is more clear

Thank you again!

But you missunderstood me...
The files are written in classic asp so itīs not html files. But the links inserted was written in the file in html, it was not injected into the mysql database. So the content in the file was changed, not the content in the database.

I was thinking... to sql inject and write a file, or copy/edit in the actual file with Scripting.FileSystemObject you would have to have execute/writing permission on the folder I guess? In other words the ftp username/password?
The files are not saved in the database. The database user donīt have such permissions on the folder. Is it right then to rule out the possibility of sql injection causing these links in the file?

[gk53]

If you do not have write permissions set on your folder in iis, so FileSystemObject can not write to drive and it is ftp problem or iis configuration (security problem), but in both cases it is problem of your service provider, they should check and fix configuration issues. And definitely change your passwords asap

[Lena_25]

Well, Iīm not so good in these kind of things but if I check the permissions on the websites root folder in my ftp program Iīve got 3 columns, Owner, Group and World. The column Owner have Read, Write and Execute permissions. I guess "Owner" is the ftp user? To use Scripting.FileSystemObject I must check the box "Execute" in the column Group.
I can also see the numer 700. And it says "Owner 80" and "Group www"

[Lena_25]

No, I was wrong, Scripting.FileSystemObject works with only "Owner" read, write and execute permissions...

[gk53]

yes. but when you open page in browser from the internet you are came under guest account..., so if you have to use FileSystemObject from asp code you should understand you open that folder for hacker attacks... and do not keep in that folder your pages, keep just for upload files and after that move them to well protected folder. and keep your script in protected folder
if you website in e:\websites\site1 folder and admin part in e:\websites\site1\admin (all pages in admin required login for access) you should have something like e:\websites\site1\admin\tmp and tmp folder has write access for upload/save files
this is about IIS security.
FTP is different you log in into FTP with system credentials and system knows your credentials and what rights you have... and you can not execute asp pages under FTP protocol only DOS like commands...
So if somebody crack you user name and password he can login and do whatever he want... this is why everybody recommend to have very complicated and long passwords and change them on regular basis. (longer passwords more difficult to crack)

[Lena_25]

Very kind of you to explain all for me, I really appreciate it :-)
But I still donīt know what happend and have a hard time just let it go.
Now Iīm thinking more about XSS, Iīve read a lot and earlier Iīve been told that all I have to do is to use server.htmlencode() for all input from forms if the text is written out on the screen. Have I misunderstood this? If I have this contact form where the text entered in the form by the visitors only is sent to me by e-mail, I put the content from the form in variables and send it to my e-mail. Do I have to use server.htmlencode() if I do so too (put the form input in variables)?
I also read about javascript encoding, it says you cant use server.htmlencode in javascript, you have to use javascript encode. But I canīt find anywhere an explanation on how I encode input that is put directly in a javascript. Do I have to filter out some characters in asp before the value is sent to the javascript (in that case what characters)? Or do I need some javascript code to encode the value sent to the javascript?