My website has been hacked. Someone has put spam links in some of the files (not in the database).
It's a classic ASP website with a MySQL database.
I can't figure out how they have done this, can someone give me some ideas?
The only form on the website is a contact form where you can send an e-mail to my mail. The form is not saved in the database. And the message is not written out on the screen.
The website has a "homemade" admin folder where I can log in with a password encrypted with MD5.
The password entered in the login form is checked for SQL injection with this replace code:
strNewSql = Replace(strText, "\", "\\")
strNewSql = Replace(strNewSql, "'", "''")
And on the admin pages I use WYZZ editor to style the text. Could it be a vulnerability?
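
An added example, not part of the original post or the site's code: the admin login lookup written with a parameterized ADODB.Command, so the submitted values are bound as parameters and the query does not depend on the Replace-based escaping shown above. The open connection object, the admins table, its column names and the function name are assumptions.

```vbscript
<%
' Added example. Assumed names (not from the post): conn (an open
' ADODB.Connection to the MySQL database), table "admins", columns
' "username" and "password_md5", and the function name itself.

' ADO constants, declared here so the page does not need adovbs.inc
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

' Returns True when a row matches the user name and the MD5 hex digest
' that the login page has already computed from the submitted password.
Function IsValidAdminLogin(conn, strUser, strPasswordMd5)
    Dim cmd, rs

    IsValidAdminLogin = False

    ' An MD5 hex digest is always 32 characters; reject anything else early.
    If Len(strPasswordMd5) <> 32 Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText

    ' The ? placeholders are filled from the Parameters collection in order.
    ' The values are sent as data and are never concatenated into the SQL text.
    cmd.CommandText = "SELECT COUNT(*) FROM admins " & _
                      "WHERE username = ? AND password_md5 = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, _
        adParamInput, 50, Left(strUser, 50))
    cmd.Parameters.Append cmd.CreateParameter("password_md5", adVarChar, _
        adParamInput, 32, strPasswordMd5)

    Set rs = cmd.Execute
    If Not rs.EOF Then
        IsValidAdminLogin = (CLng(rs(0)) > 0)
    End If

    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function
%>
```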