How to stop a hacker Arfaoui Firas?

Help, a couple of my sites, along with thousands of others have been hacked by Arfaoui Firas.  The hack seems to take over the homepage. How does this work?  And is there some vulnerability I can plug?
vstackAsked:

daveamourCommented:
Show me your site and maybe we can identify some issues?
0
vstackAuthor Commented:
Hi,

One of the sites is at www.humberhydraulics.com.  It uses asp.net (VB) with membership for log in etc.  Also, I use a text editor so that admin can change page content.  There may be a vulnerability here.

Upon further research, it is possible that a keylogger was used to grab my ftp password.  Since I am in Canada now, I cannot scan my home machine to see if that is the case.  My home machine, while I am on vacation is shut down and unplugged.

Thanks

Vince
0
daveamourCommented:
First thing I guessed was that there was an admin folder.
There is:
http://www.humberhydraulics.com/admin/
This  also has directory browsing enabled which isn't good.
At the very least rename the folder to something more obscure than just admin
I'm suspecting SQL injection may also be a possibility.  Do you know what that is?
You should also consider using SSL at least for your admin pages - you can do that for free.
0
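The three points Dave raises above (directory browsing, an exposed admin folder, SSL for the admin screens) all map to settings in the site's web.config. The fragment below is an added illustration, not code from the thread or from the site; the role name "Administrators", the login page path and the error page path are assumptions, and the `<system.webServer>` section applies to IIS 7 or later running in integrated mode.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: requireSSL marks the ticket cookie HTTPS-only,
         so a ticket captured from plain-HTTP traffic is never sent by the browser. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true"
             slidingExpiration="false" timeout="20" />
    </authentication>
    <!-- Same treatment for all other cookies, including the session id. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
    <!-- Stack traces and file paths stay hidden from remote clients. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>

  <!-- Restrict the admin folder: first matching rule wins, so members of the
       (assumed) Administrators role get in and everyone else is denied.
       Renaming the folder is still worthwhile, but this is what actually
       keeps unauthenticated users out of it. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- IIS 7+ only; on older IIS or a hosting control panel the same switch
       is a checkbox on the site or folder. -->
  <system.webServer>
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
```

With `<deny users="*" />` in place the folder name no longer matters to anyone who cannot log in, which is why the authorization rule is the fix and the rename is only defence in depth.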


vstackAuthor Commented:
Dave, thank you so much.  I will take the directory browsing off immediately and rename the folder asap.

I know about sql injection.  I use all stored procedures.

There really isn't any dynamic sql created.
0
daveamourCommented:
Ok then you may be right about ftp then.
Ftp is generally pretty insecure anyway  - would be better if you could find a better way of updating your web server.
Would definitely recommend using SSL over your admin screens - want some help with that?
0
vstackAuthor Commented:
Yes.  I would love some help.  Can I award you the points and still keep our line of communication open?
0
daveamourCommented:
Yes sure that's fine.
Tell me about your web server though - you may or may not be able to use SSL depending on what control you have over it.  Is it yours or hosted?
0
vstackAuthor Commented:
This site is hosted by DiscountASP.  I find them really good.  Just turned off directory browsing.  Will rename admin folder asap
0
daveamourCommented:
I that these guys
http://www.discountasp.net/features.aspx
On there it says they do ftp over SSL so that would be good depending on price of course.
I probably can't help with SSL on there as you have no control over the servers.  They will be able to do it for you of course but will charge no doubt but get in touch with them and ask.
Do you know how SSL works?
0
vstackAuthor Commented:
I don't know how SSL works but I can research and find out.  I will check with discount.

Dave, I appreciate your help.  I have a very good grasp of ASP.Net but obviously, I have a lot to learn about security.  It's one of those things you leave till later.  Well, later, is now.

Is there a decent book or something I could read about securing ASP sites?  I mean, leaving on directory browsing?  That's pretty lame.  But you know, I never thought about it.

Thanks

Vince  
0
daveamourCommented:
I'm sure there must be loads of books but I haven't read any.  I've just picked stuff up over the years.  Also in my current contract I spent about 3 months identifying and fixing coding vulnerabilities left by a poor programmer so that helped me learn a lot.
Just try googling around and read lots of articles and keep a nice list of bookmarks.  You should also be aware of cross site scripting as well as that's quite common.  Lots of it is a combination of common sense +  a healthy dose of paranoia!
For example if you have users who can register on your site then have a password policy  - eg passwords must be a certain length, contain at least 1 digit and at least 1 non alphanumeric character etc.
Then there is database access - only use an account with minimum permissions for example, do not use sa or anything like that.  Also if you store connection strings in your web.config then better to have that encrypted.
SSL stands for Secure Sockets Layer and it is when a web address starts with https instead of http.  You will see a padlock somewhere depending on which browser + version you are using.  It basically encrypts network traffic from your pc to the server so anyone intercepting traffic cannot read it as it is not in plain text.  You can buy an SSL certificate and you can do them for free.  The latter normally would probably require that you have some control over your server though.  You will see SSL being used whenever you use an ecommerce site of course.
Personally I host at home as that gives me 100% control and with modern broadband speeds then it works pretty well.
This is hosted at home:
www.audacs.co.uk
 
0
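Dave's password policy, least-privilege database account and encrypted connection string advice can all be expressed in the membership configuration the site already uses. The following web.config fragment is an added example, not the site's or Dave's own configuration: the attribute names are those of the built-in SqlMembershipProvider, while the connection string, SQL login name and password are placeholders. The aspnet_regiis command in the closing comment is the standard .NET Framework tool for encrypting a configuration section in place; because the key is tied to the machine it must be run on the web server itself, which on a shared host means asking the host.

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Placeholder connection string for a dedicated SQL login. In SQL Server
       grant that login EXECUTE on the site's stored procedures and nothing
       else; it should never be sa or a member of db_owner. -->
  <connectionStrings>
    <add name="SiteDb"
         connectionString="Server=DB_HOST_PLACEHOLDER;Database=SiteDb;User ID=site_app;Password=PASSWORD_PLACEHOLDER;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Request validation rejects obvious script tags in form input; it is a
         first line against cross-site scripting, not a substitute for
         HTML-encoding everything the admin text editor writes back to a page. -->
    <pages validateRequest="true" />

    <membership defaultProvider="SiteMembership">
      <providers>
        <clear />
        <add name="SiteMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SiteDb"
             applicationName="/"
             passwordFormat="Hashed"
             minRequiredPasswordLength="10"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="^(?=.*\d)(?=.*[^a-zA-Z0-9]).{10,}$"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="15"
             enablePasswordRetrieval="false"
             enablePasswordReset="true"
             requiresQuestionAndAnswer="false" />
      </providers>
    </membership>
  </system.web>

  <!-- After deployment, encrypt the connectionStrings section so the password
       is no longer readable in the file (run from the .NET Framework folder
       on the web server; -pd reverses it for editing):
         aspnet_regiis.exe -pe "connectionStrings" -app "/"
  -->
</configuration>
```

The regular expression enforces the same rule as the two numeric attributes (at least ten characters, one digit, one non-alphanumeric), so the two stay consistent if either is changed; `maxInvalidPasswordAttempts` with a fifteen-minute window locks an account after five bad guesses, which is the provider's built-in answer to online password guessing.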