Hacked website or something else?

Posted on 2008-06-11
Medium Priority
Last Modified: 2012-08-13
I have a website that is ASP based.
As of yesterday, when someone goes on to the site and does a query (looks up information), the site starts to do some sort of redirection and tries to load a virus on the client PC.

I took the site offline, formatted the server, reloaded Windows 2003.

I restored a copy of the site from a week ago, prior to anything going on.
The server is patched 100% and AV is installed.

I put the site back up and went to the page and bam, same issue. I am stumped.

We have a Windows 2003 server behind a Cisco firewall and an MS SQL server that the website talks to. Any ideas how I can get ahead of this?

Question by:lefty431
LVL 23

Expert Comment

ID: 21766342
How do you know it's a SQL injection hack? Usually the SQL backend is not web accessible...

Has the server been hardened?
Best practices on IIS?

Complex non human passwords?
Limited accounts?

>20 Char admin password?

Have you got an infected backup that can be checked?

Author Comment

ID: 21766345
Yes to all of your questions.
15 char admin password, not 20. It could be a cross hack too, which in reading it sounds more like the case. How do you get rid of it?

Accepted Solution

Dozer42 earned 672 total points
ID: 21766357
Yep, it's been hacked.

Compare the source code or at least filesizes of the web page that you originally uploaded to the server with what is there now. Find the infection and kill it. (Or check it against archives, you do have backups, right?)

When you say 'AV is installed', I'm guessing you're talking about one of the worthless mass market products like Norton, McAfee, etc.

Try something a bit more powerful like ESET's NOD32 or Kaspersky.

But even they might have trouble finding a virus directly embedded into ASP code, as it's not an 'everyday' infection. At least they do have 'intelligent' heuristic scanning engines that could pick the virus up even if it's unknown or a variant of some other virus.

If those two programs can't find the infection, feel free to send those companies a copy of your website directory structure and files, and have them comb through it manually.

These guys are good. Very good, and they will find it.

Or just toss this Microsoft garbage in the trash where it belongs and run a secure Linux variant. =)

We've been running Linux on our servers for 15 years now. Never had a server hacked, never had a page compromised except for spammers using an insecure Forms.Pl script that someone uploaded and used on their webpage.

Good luck sir.

You will beat this.
LVL 32

Assisted Solution

r-k earned 664 total points
ID: 21766407
Good advice from Dozer42, but I don't think you need to do anything so drastic as switching platforms to solve this problem...

From the description it seems like your backup may also be infected, so I would start with restoring an even older backup.

I posted some other tips in your other thread that seems to be on the same topic:

Good luck.
LVL 12

Expert Comment

ID: 21768577
If it were SQL injection, then the HTML that performs the redirections/loads the iframe will be in the SQL database; your ASP code will be unaffected.
Maybe you should check there.

Author Comment

ID: 21768601
Where in SQL? Any ideas?

Author Comment

ID: 21768695
Dude, you're a genius.
LVL 32

Expert Comment

ID: 21770066
That's great. Were you able to find the problem?

Author Comment

ID: 21770196
I found the database table that had all of the bad code. I don't know what to look for in the ASP that would show the hole or how they got the exploit...

Any ideas on that?
LVL 12

Assisted Solution

jahboite earned 664 total points
ID: 21770298
Recent SQL injection against MS SQL involves sending a query that contains statements to determine fields in tables that can have text appended to them and to append a string to those fields for all rows. You may find <iframe> tags in these fields.
An example of HTTP request parameters to perform the attack can be found here:

and as you can see, the request includes DECLARE and CAST statements which might help you to find both entries in your web access logs and in your SQL transactions.

Shadowserver has a list of domains used for hosting the malware which might also help you find stuff in your tables (this list is a bit old now, but it's probably worth a look):

A lot of other people who use EE have had problems with SQL injections and it's worth searching for some of the questions for more information on how to prevent the attacks:

This little lot should at least help you to identify whether this is indeed what happened to you and what you can do about it if it was.
Good Luck!
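jahboite's pointer to DECLARE and CAST in the web access logs can be turned into a triage script. The following is an added example, not code from this thread or from any of the posters: it parses IIS 6 W3C extended log lines, flags query strings that carry a DECLARE ... CAST(0x...) pattern after URL-decoding, and decodes the hex so the analyst can read what was sent. The log sample is constructed (IPs, page names and field order are assumptions); the hex in the second request is generated from a constructed SQL fragment so the example stays self-contained, and is not a real payload.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS 6 W3C log (not taken from the thread). The hex in the
# second request is generated here from a constructed SQL fragment so the
# example is self-contained; it is not a real attack payload.
_SAMPLE_SQL = ("UPDATE Products SET Description=Description+"
               "'<script src=http://example.invalid/1.js></script>'")
_SAMPLE_HEX = _SAMPLE_SQL.encode("utf-16-le").hex()   # NVARCHAR payloads are UTF-16LE

SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2008-06-10 03:12:40 10.0.0.5 GET /products.asp id=17 80 - 198.51.100.23 Mozilla/4.0 200
2008-06-10 03:12:45 10.0.0.5 GET /products.asp id=17;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x{_SAMPLE_HEX}%20AS%20NVARCHAR(4000));-- 80 - 192.0.2.77 Mozilla/4.0 200
2008-06-10 03:13:02 10.0.0.5 GET /search.asp q=widgets 80 - 198.51.100.23 Mozilla/4.0 200
"""

# DECLARE ... CAST(0x<hex> is the signature jahboite describes; matched after URL-decoding.
INJECTION_RE = re.compile(r"\bDECLARE\b.*?\bCAST\s*\(\s*0x([0-9a-fA-F]+)",
                          re.IGNORECASE | re.DOTALL)


def decode_hex_payload(hex_digits):
    """Turn the hex literal back into text. NVARCHAR payloads decode as UTF-16LE
    (every odd byte is 0 for ASCII text); anything else is treated as single-byte."""
    if len(hex_digits) % 2:                 # odd length: the log line was truncated
        hex_digits = hex_digits[:-1]
    raw = bytes.fromhex(hex_digits)
    odd_bytes = raw[1::2]
    if odd_bytes and odd_bytes.count(0) * 2 > len(odd_bytes):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):       # malformed line: skip rather than misalign
            continue
        yield dict(zip(fields, parts))


def find_injection_attempts(text):
    """Return one finding per request whose query string carries the DECLARE/CAST pattern."""
    findings = []
    for rec in parse_w3c(text):
        query = unquote(rec.get("cs-uri-query", ""))
        m = INJECTION_RE.search(query)
        if not m:
            continue
        findings.append({
            "time": f'{rec["date"]} {rec["time"]}',
            "client_ip": rec["c-ip"],
            "uri_stem": rec["cs-uri-stem"],
            "status": rec["sc-status"],
            "decoded": decode_hex_payload(m.group(1)),
        })
    return findings


if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG):
        print(f'{f["time"]} {f["client_ip"]} {f["uri_stem"]} -> {f["decoded"]}')
```

Run it over the real logs with `find_injection_attempts(open(path, encoding="latin-1").read())`. The `uri_stem` of a flagged request names the ASP page whose query parameter was reachable, which is where to start reading the code; a flagged request that got a 200 rather than a 500 is the one that most likely ran.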

LVL 12

Expert Comment

ID: 21770396
Bit of a lag there! Glad you found the table.
You're looking for ASP code that takes input from the client (forms with POST or GET methods) or takes input from the HTTP request parameters (usually the GET method). It then uses the input in forming a SQL statement.
Tolomir pointed to some info on how to prevent SQL injection in this post:
One of the links was this very handy article:
and you might be interested in URLscan:
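As an added example of what that code looks like and why it is the hole (this is not code from the thread or from any poster): the block below embeds a constructed classic-ASP fragment, runs a small heuristic audit that flags lines where a SQL string is concatenated with `Request` input or with a variable assigned from it, and then contrasts the concatenated and parameterised patterns at runtime using Python's sqlite3 as a stand-in for ADO against MS SQL. The ASP identifiers (`ADODB.Command`, `CreateParameter`, `adInteger`, `adParamInput`) are the standard ADO ones; table and column names are constructed.

```python
import re
import sqlite3

# Constructed classic-ASP fragment (not from the thread): two queries built by
# string concatenation and one built with ADODB.Command parameters.
ASP_SAMPLE = '''<%
Dim id, name, sql, rs, cmd
id = Request.QueryString("id")
name = Request.Form("name")
sql = "SELECT Name, Description FROM Products WHERE ProductID = " & id
Set rs = conn.Execute(sql)
Set rs = conn.Execute("SELECT Name FROM Products WHERE Name = '" & name & "'")
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = conn
cmd.CommandText = "SELECT Name FROM Products WHERE ProductID = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)
Set rs = cmd.Execute
%>'''

SQL_IN_STRING = re.compile(r'"[^"]*\b(SELECT|INSERT|UPDATE|DELETE|EXEC)\b', re.IGNORECASE)
ASSIGN_FROM_REQUEST = re.compile(r'^\s*(\w+)\s*=\s*Request\b', re.IGNORECASE)


def audit_asp(source):
    """Return line numbers where a SQL string literal is concatenated (&) with
    Request or with a variable previously assigned from Request. Heuristic only:
    it follows one assignment hop, not calls or includes."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN_FROM_REQUEST.match(line)
        if m:
            tainted.add(m.group(1).lower())
        if "&" in line and SQL_IN_STRING.search(line):
            outside = re.sub(r'"[^"]*"', "", line)            # drop string literals
            idents = {t.lower() for t in re.findall(r"\w+", outside)}
            if "request" in idents or idents & tainted:
                findings.append(lineno)
    return findings


def make_db():
    """Constructed stand-in for the site's Products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ProductID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Products (Name) VALUES (?)",
                     [("Widget",), ("O'Brien Special",)])
    return conn


def lookup_concatenated(conn, name):
    """The pattern audit_asp flags: the client's value becomes part of the SQL text.
    Any quote in the input changes the statement; here that surfaces as an error
    (an ASP page would show a 500), and crafted input can instead add statements."""
    sql = "SELECT ProductID, Name FROM Products WHERE Name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def lookup_parameterized(conn, name):
    """The fix: the value is bound as a parameter (ADODB.Command + CreateParameter
    in ASP), so the database never parses it as SQL."""
    return conn.execute("SELECT ProductID, Name FROM Products WHERE Name = ?",
                        (name,)).fetchall()


if __name__ == "__main__":
    print("lines to fix:", audit_asp(ASP_SAMPLE))
    db = make_db()
    print("concatenated:", lookup_concatenated(db, "O'Brien Special"))
    print("parameterized:", lookup_parameterized(db, "O'Brien Special"))
```

The audit is a starting point for reading the code, not a proof of safety: a query assembled across several variables or in an include file will slip past it, so every `conn.Execute` and every `&` next to a SQL keyword still deserves a look. Each flagged line is rewritten the way the `cmd.CommandText` / `CreateParameter` lines in the sample do it.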

Author Comment

ID: 21770417
This is from the website:
Malicious SQL injection

We have blogged a few times recently about a fairly widespread and aggressive attack used to compromise web pages by inserting a malicious script tag (which loads a malicious script from a remote site) [1,2,3]. Aside from the usual plethora of small site victims, the attack has had notable success against several quite well known targets.

Last week, some interesting information was posted to the SANS Handlers Diary [4]. Whilst investigating some malicious files, the tool used by the attackers to identify and attack vulnerable web servers was found. The tool provides a simple interface in order to perform SQL injection attacks against sites identified via a Google query.

This morning, I was investigating another attack that is most likely related. The target of the malicious script tag has changed, but the underlying malicious SQL is very similar. The malicious injection can be seen below:

[Dump of the malicious SQL injection]

As you can see, the main guts of the malicious SQL (within @S) are obfuscated within the CAST(0x...) block (which is trimmed for clarity). Decryption is trivial, enabling us to identify how the attack works.

[Decrypted SQL]

In brief, the SQL will concatenate a malicious script tag into all (n)text and (n)varchar fields of all user tables in the MS SQL database. Nasty. Particularly for webmasters who have been hit, leaving them with a cumbersome cleanup process, and the challenge of preventing the same attack hitting them again.

And the purpose of the attack? Feeding the 1.js file into our automation system, we see a whole mass of pages that will get loaded as a result of browsing a compromised page. This is represented in the flowchart below:

    * yellow blob: malicious 1.js file loaded from compromised pages
    * green arrows: page loads via an iframe (or similar)
    * red arrows: exploit payload, in this case resulting in the download of some Win32 malware

This clearly looks like the issue... What do you think I should search for on the web pages?

I am not a web programmer, but I can hash through the code.
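The quoted article says the injected statement appends a script tag to every (n)text and (n)varchar column of every user table, which is why checking the one table you found is not enough. The script below is an added example, not code from the thread or from the article's authors. It uses an in-memory sqlite3 database as a stand-in for MS SQL (table names, rows and the tag are constructed), walks every text column of every table, counts rows holding `<script` or `<iframe`, and strips one exact injected string with REPLACE. On MS SQL the same walk reads INFORMATION_SCHEMA.COLUMNS and builds the statements with dynamic SQL, and REPLACE needs text/ntext columns cast to varchar(max)/nvarchar(max) first.

```python
import sqlite3

# Constructed marker standing in for whatever tag was appended to your rows.
INJECTED_TAG = "<script src=http://example.invalid/1.js></script>"


def build_sample_db():
    """Constructed stand-in for the site's MS SQL database: sqlite3 in memory,
    two user tables whose text columns had the tag appended, one untouched table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Products (ProductID INTEGER PRIMARY KEY, Name VARCHAR(100), Description TEXT, Price REAL);
        CREATE TABLE News (NewsID INTEGER PRIMARY KEY, Title NVARCHAR(200), Body TEXT);
        CREATE TABLE Orders (OrderID INTEGER PRIMARY KEY, ProductID INTEGER, Qty INTEGER);
    """)
    conn.executemany("INSERT INTO Products (Name, Description, Price) VALUES (?, ?, ?)", [
        ("Widget" + INJECTED_TAG, "Blue widget" + INJECTED_TAG, 9.99),
        ("Gadget" + INJECTED_TAG, "Red gadget" + INJECTED_TAG, 19.99),
    ])
    conn.executemany("INSERT INTO News (Title, Body) VALUES (?, ?)", [
        ("Launch" + INJECTED_TAG, "We launched." + INJECTED_TAG),
        ("Archive", "Added after the cleanup started; untouched"),
    ])
    conn.execute("INSERT INTO Orders (ProductID, Qty) VALUES (1, 2)")
    conn.commit()
    return conn


TEXT_TYPES = ("CHAR", "TEXT", "CLOB")   # VARCHAR/NVARCHAR contain CHAR


def text_columns(conn):
    """List (table, column) for every text-typed column of every user table.
    On MS SQL the equivalent walk is INFORMATION_SCHEMA.COLUMNS with
    DATA_TYPE IN ('text','ntext','varchar','nvarchar')."""
    cols = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, col, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")').fetchall():
            if any(k in (ctype or "").upper() for k in TEXT_TYPES):
                cols.append((table, col))
    return cols


def find_injected(conn, markers=("<script", "<iframe")):
    """Return {(table, column): rows} for every text column holding any marker."""
    hits = {}
    for table, col in text_columns(conn):
        where = " OR ".join(f'"{col}" LIKE ?' for _ in markers)
        n = conn.execute(f'SELECT COUNT(*) FROM "{table}" WHERE {where}',
                         [f"%{m}%" for m in markers]).fetchone()[0]
        if n:
            hits[(table, col)] = n
    return hits


def strip_injected(conn, injected):
    """Remove one exact injected string from every text column; returns rows changed.
    MS SQL note: REPLACE refuses text/ntext, so cast those to varchar(max)/nvarchar(max)."""
    changed = 0
    for table, col in text_columns(conn):
        cur = conn.execute(
            f'UPDATE "{table}" SET "{col}" = REPLACE("{col}", ?, ?) WHERE instr("{col}", ?) > 0',
            (injected, "", injected))
        changed += cur.rowcount
    conn.commit()
    return changed


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", find_injected(db))
    print("rows cleaned:", strip_injected(db, INJECTED_TAG))
    print("after:", find_injected(db))
```

Run `find_injected` first and read a few of the hit rows so you know the exact string that was appended; `strip_injected` only removes that literal string, so a second variant of the tag needs a second pass. Take a database backup before the UPDATE, and close the hole in the ASP before cleaning, otherwise the same request re-injects the rows.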
