Link to home
Start Free TrialLog in
Avatar of harris9999
harris9999Flag for United Kingdom of Great Britain and Northern Ireland

asked on

site hacked url injection

I have a number of websites on a Windows 2008 server running IIS 7.5 that have got hacked - webmater tools says url injection.

e.g.​brr​sae​ps/ would display a page with lots of words about ugg boots and links etc.

I removed all the malicious looking files from the server.
The malicious url's still loaded.

I then moved all the site files from the root directory of the site - so there was nothing in that folder - the homepage of the site didn't load or any other content - but the malicious url's loaded (but without the css files for styling)

I then update the basic site settings in IIS to point to the folder I had moved the contents to - the website worked fine and the malicious url's don't load any more.

Where is the issue here - I don't understand how the malicious url's loaded when there was no files in the root of the site?
Avatar of Dan McFadden
Dan McFadden
Flag of United States of America image

Here is an article from Google about the issue and some steps to take to regain control of your content.


As for how it got there...
1. What are the websites running?  ASP.NET, PHP
2. Are there any CMS's there?  Wordpress, Joomla, Drupal, etc.
2a. If so, are they update to date on being patched?  Running the latest version?
3. Is your Windows server fully patched?

Its quite possible that after you removed the files and re-setup the sites, that you pulled a locally cached copy of the site from your browser's cache.

As with any valid test after a reconfiguration occurs... you should recycle the AppPool that supports the website, purge the cache of any reverse proxy or reverse caching servers/services and purge your local browser cache (on all browsers to be used to test).  Otherwise you run the risk getting a cached copy of a page.

Avatar of harris9999


Hi Dan,

Sorry for the delay in the reply - missed the notification of the reply.

1.Few older sites - running .asp - I have checked that for any vulnerable area's and removed anything outdated. The permissions on the site had been locked down with the only directories requiring write access that got it. the malicious files appeared in the root though.

2. CMS - was my own custom written one - any area's on those checked and updated.

3. Windows Updates are up to date on it.

Yep recycled the app pool and local cache all deleted.

I have now just got the message from google webmaster tools about an increase I not found errors - a lot of the malicious url's no longer work:

Site search on google:
Still shows a lot of malicious urls

the first one on the list:
If that one is clicked on from google you get redirected to another website selling burberry products
But if you paste the url direct into the address bar a page loads on the website with the SPAMMY Content.
Avatar of Dan McFadden
Dan McFadden
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.