Site hacked: URL injection

I have a number of websites on a Windows 2008 server running IIS 7.5 that have got hacked. Webmaster Tools says URL injection.

e.g. domain.com/6/brrsaeps/ would display a page with lots of words about ugg boots, links, etc.

I removed all the malicious looking files from the server.
The malicious URLs still loaded.

I then moved all the site files out of the root directory of the site, so there was nothing in that folder. The homepage of the site didn't load, nor did any other content, but the malicious URLs still loaded (without the CSS files for styling).

I then updated the basic site settings in IIS to point to the folder I had moved the contents to. The website worked fine and the malicious URLs don't load any more.

Where is the issue here? I don't understand how the malicious URLs loaded when there were no files in the root of the site.
harris9999 asked:
Dan McFadden, Systems Engineer, commented:
Here is an article from Google about the issue and some steps to take to regain control of your content.

Link: https://support.google.com/webmasters/answer/3311329?hl=en

As for how it got there...
1. What are the websites running? ASP.NET, PHP?
2. Are there any CMSs there? WordPress, Joomla, Drupal, etc.
2a. If so, are they up to date on patches? Running the latest version?
3. Is your Windows server fully patched?

It's quite possible that after you removed the files and re-set up the sites, you pulled a locally cached copy of the site from your browser's cache.

As with any valid test after a reconfiguration occurs, you should recycle the AppPool that supports the website, purge the cache of any reverse proxy or reverse caching servers/services, and purge your local browser cache (on all browsers to be used to test). Otherwise you run the risk of getting a cached copy of a page.

Dan
harris9999 (author) commented:
Hi Dan,

Sorry for the delay in the reply; I missed the notification of the reply.

1. A few older sites running .asp. I have checked those for any vulnerable areas and removed anything outdated. The permissions on the site had been locked down, with only the directories requiring write access getting it. The malicious files appeared in the root, though.

2. CMS: it was my own custom-written one; any areas on those have been checked and updated.

3. Windows Updates are up to date on it.

Yep, recycled the app pool and deleted the local cache.

I have now just got the message from Google Webmaster Tools about an increase in "not found" errors; a lot of the malicious URLs no longer work.

Site search on Google: http://tinyurl.com/p9g4row
It still shows a lot of malicious URLs.

The first one on the list: http://tinyurl.com/op4kw4s
If that one is clicked on from Google you get redirected to another website selling Burberry products.
But if you paste the URL directly into the address bar, a page loads on the website with the spammy content.
Dan McFadden, Systems Engineer, commented:
If you look at some of those spammy content pages, in the HTML head section you will find script tags like the following:

<script type="text/javascript" src="http://www.bestq.org/o/tr.js"></script>

The domain bestq.org is owned by someone in China.

I would run a search on all your content files and delete these script references. Also, I would verify that no unknown local accounts exist on the server. I would also change all account passwords on the server as a precaution.

How do you manage the content? Is there an admin login to the site? If so, I would do the following:

1. Create a new admin account with a strong password.
2. Verify that the new admin account provides all your needed functionality.
3. Disable all previous admin accounts.
4. If you have separate content editor accounts, I would also consider fixing these.

Do you have an idea when the spam content appeared? If so, I would go through and check your HTTP logs for unusual activity around the timeframe when it appeared, and search back several days or weeks if you have the logs.

If you have the logs archived, you may find the activity that led to the issue.

Dan
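Two of the checks Dan describes above, scanning the site's content files for the injected bestq.org script reference and combing IIS W3C logs for hits on the spam URLs and for writes that could be the upload that planted them, as an added Python example. This is not code from the thread or from any tool the participants used: the sample page, the log lines, the field list, the client IPs and the /admin/ prefix are all constructed assumptions; only the spam path /6/brrsaeps/ and the www.bestq.org/o/tr.js script URL come from the thread. The log parser reads the `#Fields:` directive rather than assuming a column order, so it works for any IIS site logging configuration.

```python
"""Added example, not code from the original thread. Implements two checks
Dan suggests: (1) grep content files for the injected bestq.org script tag;
(2) walk IIS W3C logs for requests to the spam URLs and for POST/PUT writes
outside the admin area. All sample data below is constructed."""
import re
from collections import Counter
from pathlib import Path

# The script tag quoted in the thread. Match any src on bestq.org, with or without www.
INJECTED_SCRIPT = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']https?://(?:www\.)?bestq\.org/[^\"']*[\"'][^>]*>",
    re.IGNORECASE,
)


def find_injected_scripts(text):
    """Return every bestq.org <script> tag found in one file's text."""
    return INJECTED_SCRIPT.findall(text)


def scan_content(root, suffixes=(".asp", ".htm", ".html", ".inc", ".js")):
    """Map relative path -> injected tags for every content file under root."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = find_injected_scripts(path.read_text(errors="replace"))
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


def parse_w3c(lines):
    """Yield one dict per IIS W3C log entry; the '#Fields:' directive names the columns."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def suspicious_requests(entries, spam_paths, admin_prefix="/admin/"):
    """Flag hits on the spam URLs and any POST/PUT outside the admin area.
    A write to a page that should never accept one is the entry worth reading
    the surrounding log around. admin_prefix is an assumed site layout."""
    spam_paths = tuple(p.lower() for p in spam_paths)
    flagged = []
    for e in entries:
        stem = e.get("cs-uri-stem", "").lower()
        method = e.get("cs-method", "").upper()
        if stem.startswith(spam_paths):
            flagged.append(("spam-url", e))
        elif method in ("POST", "PUT") and not stem.startswith(admin_prefix):
            flagged.append(("write-outside-admin", e))
    return flagged


def by_client(flagged):
    """Count flagged entries per client IP, most active first."""
    return Counter(e["c-ip"] for _, e in flagged).most_common()


# Constructed sample log in IIS W3C format (abbreviated field set); not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2014-05-01 02:10:11 10.0.0.5 GET /default.asp - 203.0.113.9 Mozilla/5.0 200
2014-05-01 02:11:40 10.0.0.5 POST /contact.asp - 198.51.100.7 python-requests/2.2 200
2014-05-01 02:11:52 10.0.0.5 POST /admin/save.asp id=3 192.0.2.20 Mozilla/5.0 302
2014-05-01 02:12:03 10.0.0.5 GET /6/brrsaeps/ - 198.51.100.7 Mozilla/5.0 200
2014-05-01 02:15:30 10.0.0.5 GET /6/brrsaeps/ - 66.249.66.1 Googlebot/2.1 200
"""

# Constructed sample page carrying the tag quoted in the thread.
SAMPLE_PAGE = (
    "<html><head><title>x</title>\n"
    '<script type="text/javascript" src="http://www.bestq.org/o/tr.js"></script>\n'
    "</head></html>"
)

if __name__ == "__main__":
    print(find_injected_scripts(SAMPLE_PAGE))
    flagged = suspicious_requests(parse_w3c(SAMPLE_LOG.splitlines()), spam_paths=["/6/brrsaeps/"])
    for reason, e in flagged:
        print(reason, e["date"], e["time"], e["c-ip"], e["cs-method"], e["cs-uri-stem"])
    print(by_client(flagged))
```

On a real server, point `scan_content` at the site root (and at the folder the files were moved to) and feed `parse_w3c` the log files from `%SystemDrive%\inetpub\logs\LogFiles\W3SVCn` for the weeks before the spam appeared; the client that both wrote to a non-admin page and then fetched the spam URL is the one to read the full log for.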
Big Monty, Senior Web Developer / CEO of ExchangeTree.org, commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.