#1
    Registered User, ASP Explorer (0 - 99 posts) | Join Date: Jan 2004 | Posts: 7 | Rep Power: 0

    My website is hacked, what can I have missed?


    My website has been hacked. Someone has put spam links in some of the files (not in the database).
    It's a classic ASP website with a MySQL database.

    I can't figure out how they have done this, can someone give me some ideas?

    The only form on the website is a contact form where you can send an e-mail to my mail. The form is not saved in the database. And the message is not written out on the screen.

    The website has a "homemade" admin folder where I can log in with a password encrypted with MD5.

    The password entered in the login form is checked for SQL injection with this replace code:
    strNewSql = Replace(strText, "\", "\\")
    strNewSql = Replace(strNewSql, "'", "''")

    There is also a small JavaScript made by someone else that handles the viewing of a photo gallery. Could it be a vulnerability?

    And on the admin pages I use WYZZ editor to style the text. Could it be a vulnerability?
#2
    Contributing User, ASP Skiller (1500 - 1999 posts) | Join Date: Mar 2005 | Location: Columbus, OH | Posts: 1,548 | Rep Power: 278
    Check your log files and find where the injection came from, if any. Is there any possibility for someone to just find your user name/password combination for the admin part of your site, or just FTP to your site?
    GK
#3
    Registered User, ASP Explorer (0 - 99 posts) | Join Date: Jan 2004 | Posts: 7 | Rep Power: 0
    Originally Posted by gk53
        Check your log files and find where the injection came from, if any. Is there any possibility for someone to just find your user name/password combination for the admin part of your site, or just FTP to your site?
    Thank you so much for your answer! :-)

    But I don't understand where I can find these log files. I've checked the control panel at the web hosting company and the only thing I found was FTP logs, but they didn't save the old ones, so I could not see anything from that time there.
    What kind of information is in the log files you are suggesting?

    There is only a password for the admin part, no user name. There is only one user for the admin part. Maybe someone tried a brute force on the password?

    I have an FTP account on the website, but I don't see how someone could find it, or find the admin password that is stored in the database?

    Sorry for my bad English.
#4
    Contributing User, ASP Explorer (0 - 99 posts) | Join Date: Oct 2012 | Posts: 49 | Rep Power: 2
    Go one step further....

    strNewSql = Replace(strNewSql, "&", "")
    strNewSql = Replace(strNewSql, ";", "")
    strNewSql = Replace(strNewSql, "--", "")

    Of course you won't be able to use those characters for your password.
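An added example (not code from either poster) of the alternative to the Replace()-based escaping discussed in posts #1 and #4: handing the submitted password to MySQL as an ADO parameter, so that quotes, backslashes, semicolons or "--" in the input never become part of the SQL text and no characters have to be banned from passwords. It assumes an ODBC DSN named siteDSN, an admin table with a pwdhash column holding the lowercase MD5 hex digest, and MySQL's built-in MD5() function for the comparison; the DSN, table and column names are assumptions, not details from the thread.

```vbscript
' Added example, not from the thread: admin password check with a
' parameterized ADO query instead of Replace()-based escaping.
' Assumed names: DSN "siteDSN", table "admin", column "pwdhash" (32-char
' lowercase MD5 hex, as MySQL's MD5() returns it).
Function AdminPasswordIsValid(strSubmittedPassword)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "DSN=siteDSN"            ' assumed DSN name

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1                ' adCmdText
    ' The "?" placeholder is filled in by the driver as data, so nothing
    ' typed into the form can change the shape of the statement.
    cmd.CommandText = "SELECT COUNT(*) AS n FROM admin WHERE pwdhash = MD5(?)"
    ' adVarChar = 200, adParamInput = 1; size 255 is an upper bound for the raw input
    cmd.Parameters.Append cmd.CreateParameter("pwd", 200, 1, 255, CStr(strSubmittedPassword))

    Set rs = cmd.Execute
    AdminPasswordIsValid = (rs("n") > 0)

    rs.Close
    conn.Close
End Function

' Usage from the login page, with the submitted form field:
If AdminPasswordIsValid(Request.Form("password")) Then
    Session("isAdmin") = True
End If
```

The hash stays MD5 only because that is what the thread's site uses; MD5 is unsalted and fast, so a leaked pwdhash is cheap to brute-force, and a salted, slow password hash would be the right replacement. The parameter binding is the injection fix and is independent of which hash is stored.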
#5
    Contributing User, ASP Skiller (1500 - 1999 posts) | Join Date: Mar 2005 | Location: Columbus, OH | Posts: 1,548 | Rep Power: 278
    Contact your provider and tell them you have been hacked and you need that info; they should give it to you...
    I do not think
    strNewSql = Replace(strNewSql, "&", "")
    strNewSql = Replace(strNewSql, ";", "")
    strNewSql = Replace(strNewSql, "--", "")
    will really help, because you said it is just an HTML page, not database-driven ASP, so it is not SQL injection...
    In this case there are only a few options to change your HTML code:
    1. Get in by FTP to the server and replace pages
    2. Log in through your admin site
    3. Because your site is in HTML pages and a "homemade" script creates the HTML pages, check the ability to submit a page from a different server to your page which creates the HTML code... (that may be confusing, but in other words: if I set up a page or form on my server which submits data to a page on your server inside the admin folder, which takes data from the request from my form and creates an HTML page on your server) if that is clearer
#6
    Registered User, ASP Explorer (0 - 99 posts) | Join Date: Jan 2004 | Posts: 7 | Rep Power: 0
    Originally Posted by gk53
        Contact your provider and tell them you have been hacked and you need that info; they should give it to you...
        I do not think
        strNewSql = Replace(strNewSql, "&", "")
        strNewSql = Replace(strNewSql, ";", "")
        strNewSql = Replace(strNewSql, "--", "")
        will really help, because you said it is just an HTML page, not database-driven ASP, so it is not SQL injection...
        In this case there are only a few options to change your HTML code:
        1. Get in by FTP to the server and replace pages
        2. Log in through your admin site
        3. Because your site is in HTML pages and a "homemade" script creates the HTML pages, check the ability to submit a page from a different server to your page which creates the HTML code... (that may be confusing, but in other words: if I set up a page or form on my server which submits data to a page on your server inside the admin folder, which takes data from the request from my form and creates an HTML page on your server) if that is clearer
    Thank you again!

    But you misunderstood me...
    The files are written in classic ASP, so they're not HTML files. But the links inserted were written into the file as HTML; they were not injected into the MySQL database. So the content in the file was changed, not the content in the database.

    I was thinking... to SQL inject and write a file, or copy/edit the actual file with Scripting.FileSystemObject, you would have to have execute/write permission on the folder, I guess? In other words the FTP username/password?
    The files are not saved in the database. The database user doesn't have such permissions on the folder. Is it right then to rule out the possibility of SQL injection causing these links in the file?
#7
    Contributing User, ASP Skiller (1500 - 1999 posts) | Join Date: Mar 2005 | Location: Columbus, OH | Posts: 1,548 | Rep Power: 278
    If you do not have write permissions set on your folder in IIS, then FileSystemObject cannot write to the drive and it is an FTP problem or an IIS configuration (security) problem, but in both cases it is a problem for your service provider; they should check and fix configuration issues. And definitely change your passwords ASAP.
#8
    Registered User, ASP Explorer (0 - 99 posts) | Join Date: Jan 2004 | Posts: 7 | Rep Power: 0
    Well, I'm not so good at these kinds of things, but if I check the permissions on the website's root folder in my FTP program I've got 3 columns: Owner, Group and World. The column Owner has Read, Write and Execute permissions. I guess "Owner" is the FTP user? To use Scripting.FileSystemObject I must check the box "Execute" in the column Group.
    I can also see the number 700. And it says "Owner 80" and "Group www".
#9
    Registered User, ASP Explorer (0 - 99 posts) | Join Date: Jan 2004 | Posts: 7 | Rep Power: 0
    No, I was wrong, Scripting.FileSystemObject works with only "Owner" read, write and execute permissions...
#10
    Contributing User, ASP Skiller (1500 - 1999 posts) | Join Date: Mar 2005 | Location: Columbus, OH | Posts: 1,548 | Rep Power: 278
    Yes. But when you open a page in a browser from the internet you come in under the guest account..., so if you have to use FileSystemObject from ASP code you should understand you open that folder to hacker attacks... and do not keep your pages in that folder; keep it just for uploaded files and after that move them to a well protected folder, and keep your script in a protected folder.
    If your website is in the e:\websites\site1 folder and the admin part in e:\websites\site1\admin (all pages in admin require login for access), you should have something like e:\websites\site1\admin\tmp, and the tmp folder has write access for uploading/saving files.
    This is about IIS security.
    FTP is different: you log in to FTP with system credentials and the system knows your credentials and what rights you have... and you cannot execute ASP pages under the FTP protocol, only DOS-like commands...
    So if somebody cracks your user name and password he can log in and do whatever he wants... this is why everybody recommends having very complicated and long passwords and changing them on a regular basis. (Longer passwords are more difficult to crack.)
#11
    Registered User, ASP Explorer (0 - 99 posts) | Join Date: Jan 2004 | Posts: 7 | Rep Power: 0
    Very kind of you to explain everything for me, I really appreciate it :-)
    But I still don't know what happened and have a hard time just letting it go.
    Now I'm thinking more about XSS. I've read a lot, and earlier I've been told that all I have to do is use Server.HTMLEncode() for all input from forms if the text is written out on the screen. Have I misunderstood this? If I have this contact form where the text entered in the form by the visitors is only sent to me by e-mail, I put the content from the form in variables and send it to my e-mail. Do I have to use Server.HTMLEncode() if I do so too (put the form input in variables)?
    I also read about JavaScript encoding; it says you can't use Server.HTMLEncode in JavaScript, you have to use JavaScript encoding. But I can't find anywhere an explanation of how I encode input that is put directly into JavaScript. Do I have to filter out some characters in ASP before the value is sent to the JavaScript (in that case, what characters)? Or do I need some JavaScript code to encode the value sent to the JavaScript?
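An added example (not from the thread) of what output encoding looks like in the two contexts post #11 asks about: the same gallery caption written once into the HTML body with Server.HTMLEncode, and once into an inline script as a JavaScript string literal, where a separate JSEncode helper applies JavaScript escaping rules. JSEncode and showCaption are hypothetical names, and the caption text is a constructed sample.

```vbscript
' Added example, not from the thread. Shows HTML-context encoding next to
' JavaScript-string-context encoding for one value that came from user input.

' Escapes a value so it can sit inside a single- or double-quoted JavaScript
' string literal written into an inline <script> block. Hypothetical helper.
Function JSEncode(strValue)
    Dim s
    s = CStr(strValue)
    s = Replace(s, "\", "\\")            ' backslash first, so later escapes are not doubled
    s = Replace(s, "'", "\'")
    s = Replace(s, """", "\""")
    s = Replace(s, vbCr, "\r")
    s = Replace(s, vbLf, "\n")
    s = Replace(s, ChrW(8232), "\u2028") ' JS line terminators that are not CR/LF
    s = Replace(s, ChrW(8233), "\u2029")
    s = Replace(s, "<", "\x3c")          ' keeps a "</script>" inside the value from ending the script block
    s = Replace(s, ">", "\x3e")
    s = Replace(s, "&", "\x26")
    JSEncode = s
End Function

' Writes the caption in both contexts. showCaption is a hypothetical gallery function.
Sub RenderGalleryCaption(strCaption)
    ' HTML body context: HTMLEncode turns & < > " into entities
    Response.Write "<p>" & Server.HTMLEncode(strCaption) & "</p>" & vbCrLf
    ' JavaScript string context: HTML entities mean nothing inside a script,
    ' so the value needs JavaScript escaping instead
    Response.Write "<script type=""text/javascript"">" & vbCrLf
    Response.Write "  var caption = '" & JSEncode(strCaption) & "';" & vbCrLf
    Response.Write "  showCaption(caption);" & vbCrLf
    Response.Write "</script>" & vbCrLf
End Sub

' Constructed sample input: a caption containing the characters that would
' break out of either context if written unencoded.
RenderGalleryCaption "Summer '12 <b>trip</b> & friends"
```

Server.HTMLEncode does not touch the single quote, so HTML attribute values that carry encoded input should be written with double quotes. The JSEncode output is only meaningful inside a quoted string literal; a value dropped into script outside quotes (a number, an identifier) needs validation against an allowed pattern rather than escaping.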
