Solved

Hacked website or something else?

Posted on 2008-06-11
514 Views
Last Modified: 2012-08-13
I have a website that is ASP based.
As of yesterday, when someone goes on to the site and does a query (looks up information), the site starts to do some sort of redirection and tries to load a virus on the client PC.

I took the site offline, formatted the server, reloaded Windows 2003.

I restored a copy of the site from a week ago, prior to anything going on.
The server is patched 100% and AV is installed.

I put the site back up and went to the page and bam, same issue. I am stumped.

We have a Windows 2003 server behind a Cisco firewall and an MS SQL server that the website talks to. Any ideas how I can get ahead of this?

thanks
Question by:lefty431
14 Comments
 
LVL 23

Expert Comment

by:debuggerau
How do you know it's a SQL injection hack? Usually the SQL backend is not web accessible...

Has the server been hardened?
Best practices on IIS?

Complex non human passwords?
Limited accounts?

>20 Char admin password?

Have you got an infected backup that can be checked?
0
 
LVL 1

Author Comment

by:lefty431
Yes to all of your questions.
15 char admin password, not 20. It could be a cross hack too, which in reading it sounds more like the case. How do you get rid of it?
0
 
LVL 4

Accepted Solution

by:
Dozer42 earned 168 total points
Yep, it's been hacked.

Compare the source code or at least filesizes of the web page that you originally uploaded to the server with what is there now. Find the infection and kill it. (Or check it against archives, you do have backups, right?)

When you say 'AV is installed', I'm guessing you're talking about one of the worthless mass market products like Norton, McAfee, etc.

Try something a bit more powerful like ESET's NOD32 or Kaspersky.

But even they might have trouble finding a virus directly embedded into ASP code, as it's not an 'everyday' infection. At least they do have 'intelligent' heuristic scanning engines that could pick the virus up even if it's unknown or a variant of some other virus.

If those two programs can't find the infection, feel free to send those companies a copy of your website directory structure and files, and have them comb through it manually.

These guys are good. Very good, and they will find it.

Or just toss this Microsoft garbage in the trash where it belongs and run a secure Linux variant. =)

We've been running Linux on our servers for 15 years now. Never had a server hacked, never had a page compromised except for spammers using an insecure Forms.Pl script that someone uploaded and used on their webpage.

Good luck sir.

You will beat this.
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 166 total points
Good advice from Dozer42, but I don't think you need to do anything so drastic as switching platforms to solve this problem...

From the description it seems like your backup may also be infected, so I would start with restoring an even older backup.

I posted some other tips in your other thread that seems to be on the same topic:

 http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_23478167.html

Good luck.
0
 
LVL 12

Expert Comment

by:jahboite
If it were SQL injection, then the HTML that performs the redirections/loads the iframe will be in the SQL database; your ASP code will be unaffected.
Maybe you should check there.
0
 
LVL 1

Author Comment

by:lefty431
Where in SQL? Any ideas?
0
 
LVL 1

Author Comment

by:lefty431
Dude, you're a genius.
0
 
LVL 32

Expert Comment

by:r-k
That's great. Were you able to find the problem?
0
 
LVL 1

Author Comment

by:lefty431
I found the database table that had all of the bad code. I don't know what to look for in the ASP that would show the hole or how they got the exploit...

Any ideas on that?
0
 
LVL 12

Assisted Solution

by:jahboite
jahboite earned 166 total points
Recent SQL injection attacks against MS SQL involve sending a query that contains statements to determine which fields in which tables can have text appended to them, and to append a string to those fields for all rows. You may find <iframe> tags in these fields.
An example of  HTTP request parameters to perform the attack can be found here:
http://www.sophos.com/security/blog/2008/04/1329.html?_log_from=rss
http://www.secureworks.com/research/blog/index.php/2008/06/04/new-round-of-mass-sql-injections/
http://www.secureworks.com/research/threats/danmecasprox/?threat=danmecasprox

As you can see, the request includes DECLARE and CAST statements, which might help you to find entries both in your web access logs and in your SQL transactions.

Shadowserver has a list of domains used for hosting the malware which might also help you find stuff in your tables (this list is a bit old now, but it's probably worth a look):
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514

A lot of other people who use EE have had problems with SQL injections and it's worth searching for some of the questions for more information on how to prevent the attacks:
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23411125.html
http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/Q_23422326.html
http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/Q_23427846.html
http://www.experts-exchange.com/Security/Misc/Q_23391099.html
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23381980.html

This little lot should at least help you to identify whether this is indeed what happened to you and what you can do about it if it was.
Good Luck!

0
 
LVL 12

Expert Comment

by:jahboite
Bit of a lag there! Glad you found the table.
You're looking for ASP code that takes input from the client (forms with POST or GET methods) or takes input from the HTTP request parameters (usually the GET method). It then uses the input in forming a SQL statement.
Tolomir pointed to some info on how to prevent SQL injection in this post:
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23411125.html
One of the links was this very handy article:
http://msdn.microsoft.com/en-us/library/ms998271.aspx
and you might be interested in URLscan:
http://technet.microsoft.com/en-gb/security/cc242650.aspx
0
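The defect jahboite describes above (client input used to form the SQL text) and the DECLARE/CAST shape of the request in the access log, shown side by side as an added T-SQL example. This is not code from the thread or from any of the linked articles: the table, the procedure call and the hex payload are constructed for illustration, and the hex decodes to a harmless `select 'injected'` rather than the real script-appending statement.

```sql
-- Added example (not from the thread). Hypothetical table; the hex payload is
-- constructed for this demonstration and decodes to:  select 'injected'
SET NOCOUNT ON;

CREATE TABLE dbo.Products (ProductId INT PRIMARY KEY, Name NVARCHAR(100));
INSERT INTO dbo.Products (ProductId, Name) VALUES (1, N'Widget');

-- 1. Decoding what the access log shows. The attack ships its SQL as a hex
--    literal so the request carries no quotes; CAST turns it back into text.
--    If the logged request says "AS NVARCHAR(4000)", cast to NVARCHAR instead
--    (the hex is then UTF-16, two bytes per character).
SELECT CAST(0x73656C6563742027696E6A656374656427 AS VARCHAR(4000)) AS decoded;
-- decoded = select 'injected'

-- 2. The query-string value sent for a numeric parameter such as ?id=1.
--    Everything after the leading "1" rides along into the statement.
DECLARE @input VARCHAR(4000);
SET @input = '1;DECLARE @S VARCHAR(4000);'
           + 'SET @S=CAST(0x73656C6563742027696E6A656374656427 AS VARCHAR(4000));'
           + 'EXEC(@S)--';

-- 3. VULNERABLE: the value is concatenated into the statement text, which is
--    what an ASP page doing   "... WHERE ProductId = " & Request("id")
--    amounts to. Both batches run: the SELECT, then the decoded payload.
EXEC('SELECT Name FROM dbo.Products WHERE ProductId = ' + @input);

-- 4. HARDENED: the value is bound as a typed parameter and is never parsed as
--    SQL. The same string cannot convert to INT, so the call is refused.
--    (In classic ASP the equivalent is an ADODB.Command with CreateParameter,
--    or a stored procedure called with parameters instead of a built string.)
BEGIN TRY
    EXEC sp_executesql
        N'SELECT Name FROM dbo.Products WHERE ProductId = @id',
        N'@id INT',
        @id = @input;
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS rejected;
END CATCH;

-- A legitimate lookup through the same parameterised statement:
EXEC sp_executesql
    N'SELECT Name FROM dbo.Products WHERE ProductId = @id',
    N'@id INT',
    @id = 1;

DROP TABLE dbo.Products;
```

To find the entry point in the logs, search the IIS log's query-string field (cs-uri-query) for DECLARE, CAST( and 0x; the page and parameter name in the matching lines tell you which ASP file builds its SQL from that parameter.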
 
LVL 1

Author Comment

by:lefty431
This is from the website:
Malicious SQL injection

We have blogged a few times recently about a fairly widespread and aggressive attack used to compromise web pages by inserting a malicious script tag (which loads a malicious script from a remote site) [1,2,3]. Aside from the usual plethora of small site victims, the attack has had notable success against several quite well known targets.

Last week, some interesting information was posted to the SANS Handlers Diary [4]. Whilst investigating some malicious files, the tool used by the attackers to identify and attack vulnerable web servers was found. The tool provides a simple interface in order to perform SQL injection attacks against sites identified via a Google query.

This morning, I was investigating another attack that is most likely related. The target of the malicious script tag has changed, but the underlying malicious SQL is very similar. The malicious injection can be seen below:

[Dump of the malicious SQL injection]

As you can see, the main guts of the malicious SQL (within @S) are obfuscated within the CAST(0x&) block (which is trimmed for clarity). Decryption is trivial, enabling us to identify how the attack works.

[Decrypted SQL]

In brief, the SQL will concatenate a malicious script tag into all (n)text and (n)varchar fields of all user tables in the MS SQL database. Nasty. Particularly for webmasters who have been hit, leaving them with a cumbersome cleanup process, and the challenge of preventing the same attack hitting them again.

And the purpose of the attack? Feeding the 1.js file into our automation system, we see a whole mass of pages that will get loaded as a result of browsing a compromised page. This is represented in the flowchart below:

    * yellow blob: malicious 1.js file loaded from compromised pages
    * green arrows: page loads via an iframe (or similar)
    * red arrows: exploit payload, in this case resulting in the download of some Win32 malware


This clearly looks like the issue... What do you think I should search for on the web pages?

I am not a web programmer, but I can hash through the code.
0
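The cleanup the quoted write-up calls cumbersome (and the "append to every (n)text and (n)varchar field of every user table" behaviour jahboite describes earlier), as an added T-SQL example that is not from this thread or from Sophos. It walks the same column classes the injection targets, counts the rows carrying the tag in each, and optionally strips it. Assumptions: SQL Server 2005 or later (sys.columns, NVARCHAR(MAX)); the host in @tag is a placeholder, to be replaced with the exact string copied from an affected row.

```sql
-- Added example (not from the thread): report and strip a mass-injected tag
-- from every text-bearing column in every user table.
-- Assumes SQL Server 2005+. Run against a restored copy first and compare
-- the report with production before setting @fix = 1.
SET NOCOUNT ON;

-- The injected string, copied verbatim from an affected row. Placeholder host.
DECLARE @tag NVARCHAR(400);
SET @tag = N'<script src=http://example.invalid/1.js></script>';

DECLARE @fix BIT;          -- 0 = report only, 1 = rewrite affected rows
SET @fix = 0;

DECLARE @t SYSNAME, @c SYSNAME, @sql NVARCHAR(MAX), @hits INT;

-- Same column classes the injection appended to: text, ntext, varchar, nvarchar.
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT o.name, col.name
    FROM sys.objects o
    JOIN sys.columns col ON col.object_id = o.object_id
    JOIN sys.types ty    ON ty.user_type_id = col.user_type_id
    WHERE o.type = 'U'
      AND col.is_computed = 0
      AND ty.name IN ('text', 'ntext', 'varchar', 'nvarchar');

CREATE TABLE #report (tbl SYSNAME, col SYSNAME, hits INT);

OPEN cols;
FETCH NEXT FROM cols INTO @t, @c;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Count rows carrying the tag. CHARINDEX on text/ntext needs the CONVERT.
    SET @sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@t)
             + N' WHERE CHARINDEX(@tag, CONVERT(NVARCHAR(MAX), ' + QUOTENAME(@c) + N')) > 0';
    EXEC sp_executesql @sql, N'@tag NVARCHAR(400), @n INT OUTPUT',
                       @tag = @tag, @n = @hits OUTPUT;
    INSERT INTO #report (tbl, col, hits) VALUES (@t, @c, @hits);

    IF @fix = 1 AND @hits > 0
    BEGIN
        -- REPLACE works on (n)varchar(max); the result converts back to the
        -- column's own type on assignment, so text/ntext columns are covered too.
        SET @sql = N'UPDATE ' + QUOTENAME(@t)
                 + N' SET ' + QUOTENAME(@c)
                 + N' = REPLACE(CONVERT(NVARCHAR(MAX), ' + QUOTENAME(@c) + N'), @tag, N'''')'
                 + N' WHERE CHARINDEX(@tag, CONVERT(NVARCHAR(MAX), ' + QUOTENAME(@c) + N')) > 0';
        EXEC sp_executesql @sql, N'@tag NVARCHAR(400)', @tag = @tag;
    END

    FETCH NEXT FROM cols INTO @t, @c;
END
CLOSE cols;
DEALLOCATE cols;

SELECT tbl, col, hits FROM #report WHERE hits > 0 ORDER BY hits DESC;
DROP TABLE #report;
```

Keep the @fix = 0 report: it lists every table and column the injection reached, which is the list of pages to re-test once the ASP is fixed. Stripping the tag only reverses what the injected statement appended; any value the statement shortened or otherwise altered while rewriting it can only come back from a backup taken before the attack, and the web pages will keep serving the script until the ASP parameter handling is fixed, since the same request simply re-infects a cleaned database.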
