site hacked url injection

harris9999 used Ask the Experts™
I have a number of websites on a Windows 2008 server running IIS 7.5 that have got hacked - Webmaster Tools says URL injection.

e.g.​brr​sae​ps/ would display a page with lots of words about ugg boots and links etc.

I removed all the malicious looking files from the server.
The malicious URLs still loaded.

I then moved all the site files from the root directory of the site - so there was nothing in that folder - the homepage of the site didn't load or any other content - but the malicious URLs loaded (but without the CSS files for styling).

I then updated the basic site settings in IIS to point to the folder I had moved the contents to - the website worked fine and the malicious URLs don't load any more.

Where is the issue here - I don't understand how the malicious URLs loaded when there were no files in the root of the site?

Dan McFadden, Systems Engineer

Here is an article from Google about the issue and some steps to take to regain control of your content.


As for how it got there...
1. What are the websites running?  ASP.NET, PHP
2. Are there any CMS's there?  Wordpress, Joomla, Drupal, etc.
2a. If so, are they up to date on being patched?  Running the latest version?
3. Is your Windows server fully patched?

It's quite possible that after you removed the files and re-setup the sites, you pulled a locally cached copy of the site from your browser's cache.

As with any valid test after a reconfiguration occurs... you should recycle the AppPool that supports the website, purge the cache of any reverse proxy or reverse caching servers/services and purge your local browser cache (on all browsers to be used to test).  Otherwise you run the risk of getting a cached copy of a page.



Hi Dan,

Sorry for the delay in the reply - missed the notification of the reply.

1. Few older sites - running .asp - I have checked that for any vulnerable areas and removed anything outdated. The permissions on the site had been locked down, with only the directories requiring write access getting it. The malicious files appeared in the root though.

2. CMS - was my own custom written one - any areas on those checked and updated.

3. Windows Updates are up to date on it.

Yep recycled the app pool and local cache all deleted.

I have now just got the message from Google Webmaster Tools about an increase in not found errors - a lot of the malicious URLs no longer work:

Site search on Google:
Still shows a lot of malicious URLs.

The first one on the list:
If that one is clicked on from Google you get redirected to another website selling Burberry products.
But if you paste the URL direct into the address bar a page loads on the website with the SPAMMY Content.
Systems Engineer
If you look at some of those spammy content pages, in the HTML Header section, you will find script tags like the following:

<script type="text/javascript" src=""></script>


The domain is owned by someone in China.

I would run a search on all your content files and delete these script references.  Also, I would verify that no unknown local accounts exist on the server.  I would also change all account passwords on the server as a precaution.

How do you manage the content?  Is there an Admin login to the site?  If so, I would do the following:

1. create a new admin account with a strong password
2. verify that the new admin account provides all your needed functionality
3. disable all previous Admin accounts
4. if you have separate content editor accounts, I would also consider fixing these.

Do you have an idea when the spam content appeared?  If so, I would go through and check your HTTP logs for unusual activity around the timeframe when it appeared, and search back several days or weeks if you have the logs.

If you have the logs archived, you may find the activity that led to the issue.
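
Added example (not part of the original thread and not any poster's code): a Python sketch of the content-file search recommended above, listing every `<script src>` whose host is not on an allowlist. The extension list, the function names and the `example.com` / `injected.example` hosts are assumptions chosen for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: extensions that can carry markup on a classic ASP / static IIS site.
CONTENT_EXTENSIONS = {".asp", ".aspx", ".htm", ".html", ".inc", ".php"}

class ScriptSrcCollector(HTMLParser):
    """Records the src of every <script> tag; server-side <% %> blocks pass through as text."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.sources.append(src.strip())

def foreign_script_sources(markup, allowed_hosts):
    """Return script src values whose host is neither an allowed host nor a subdomain of one."""
    collector = ScriptSrcCollector()
    collector.feed(markup)
    collector.close()
    foreign = []
    for src in collector.sources:
        try:
            host = urlparse(src).hostname  # None for relative paths such as /js/site.js
        except ValueError:  # malformed URL: report it instead of crashing the scan
            host = "(unparseable)"
        if host and not any(host == a or host.endswith("." + a) for a in allowed_hosts):
            foreign.append(src)
    return foreign

def scan_tree(root, allowed_hosts):
    """Walk root and return sorted (relative path, src) pairs for every foreign script reference."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in CONTENT_EXTENSIONS:
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    for src in foreign_script_sources(handle.read(), allowed_hosts):
                        findings.append((os.path.relpath(path, root), src))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample markup; hosts are placeholders, not values from the incident.
    sample = '<script src="/js/site.js"></script><script src="http://injected.example/x.js"></script>'
    print(foreign_script_sources(sample, {"example.com"}))
```

Call `scan_tree(site_root, {...})` with the site's own domain and any CDN hosts it legitimately uses. Allowlist entries must be lower case, because parsed host names are lower-cased.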

Big Monty, Web Ninja at large

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
