harris9999

site hacked url injection

I have a number of websites on a Windows 2008 server running IIS 7.5 that have got hacked - Webmaster Tools says URL injection.

e.g. domain.com/6/brrsaeps/ would display a page with lots of words about ugg boots and links etc.

I removed all the malicious looking files from the server.
The malicious URLs still loaded.

I then moved all the site files from the root directory of the site - so there was nothing in that folder - the homepage of the site didn't load or any other content - but the malicious URLs loaded (but without the CSS files for styling).

I then updated the basic site settings in IIS to point to the folder I had moved the contents to - the website worked fine and the malicious URLs don't load any more.

Where is the issue here - I don't understand how the malicious URLs loaded when there were no files in the root of the site?
Tags: Microsoft IIS Web Server, Web Development, Web Servers, Vulnerabilities, ASP

Last Comment
Big Monty

8/22/2022 - Mon
Dan McFadden

Here is an article from Google about the issue and some steps to take to regain control of your content.

link:  https://support.google.com/webmasters/answer/3311329?hl=en

As for how it got there...
1. What are the websites running?  ASP.NET, PHP
2. Are there any CMSs there?  WordPress, Joomla, Drupal, etc.
2a. If so, are they up to date on being patched?  Running the latest version?
3. Is your Windows server fully patched?

It's quite possible that after you removed the files and re-setup the sites, that you pulled a locally cached copy of the site from your browser's cache.

As with any valid test after a reconfiguration occurs... you should recycle the AppPool that supports the website, purge the cache of any reverse proxy or reverse caching servers/services and purge your local browser cache (on all browsers to be used to test).  Otherwise you run the risk of getting a cached copy of a page.

Dan
harris9999

ASKER
Hi Dan,

Sorry for the delay in the reply - missed the notification of the reply.

1. Few older sites - running .asp - I have checked that for any vulnerable areas and removed anything outdated. The permissions on the site had been locked down, with only the directories requiring write access getting it. The malicious files appeared in the root though.

2. CMS - was my own custom written one - any areas on those checked and updated.

3. Windows Updates are up to date on it.

Yep recycled the app pool and local cache all deleted.

I have now just got the message from Google Webmaster Tools about an increase in not found errors - a lot of the malicious URLs no longer work:

Site search on Google: http://tinyurl.com/p9g4row
Still shows a lot of malicious URLs.

The first one on the list: http://tinyurl.com/op4kw4s
If that one is clicked on from Google you get redirected to another website selling Burberry products.
But if you paste the URL direct into the address bar a page loads on the website with the SPAMMY content.
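
The referrer-dependent behaviour described in the post above (a redirect when arriving from Google, a spam page when the URL is pasted directly) can be checked from the defender's side to confirm that a cleanup really removed it. This is an added example, not part of the original thread: the URL, `shop.example` and the two `constructed_*` responders are constructed stand-ins, while `http_fetch` is the live path for probing your own site.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Compare a direct visit with one that appears to come from a search result.
PROFILES = {"direct": {}, "from_search": {"Referer": "https://www.google.com/"}}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it

def http_fetch(url, headers):
    # Live fetch: return (status, Location header) without following redirects.
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def check_url(url, fetch=http_fetch):
    # Probe a known-injected URL under each profile and summarise the result.
    seen = {name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}
    findings = []
    for name, (status, location) in seen.items():
        target = urlsplit(location or "").netloc
        if 300 <= status < 400 and target and target != urlsplit(url).netloc:
            findings.append(f"{name}: HTTP {status} redirect off-site to {target}")
        elif status == 200:
            findings.append(f"{name}: HTTP 200, page still served")
    return {
        "cloaked": len(set(seen.values())) > 1,  # answer depends on the Referer
        "clean": all(status in (404, 410) for status, _ in seen.values()),
        "findings": findings,
    }

def constructed_compromised(url, headers):
    # Constructed stand-in for the behaviour described in the post above.
    if "google." in headers.get("Referer", ""):
        return 302, "http://shop.example/"
    return 200, None

def constructed_cleaned(url, headers):
    # Constructed stand-in for the site after cleanup: the URL no longer exists.
    return 404, None

if __name__ == "__main__":
    for responder in (constructed_compromised, constructed_cleaned):
        print(check_url("http://domain.example/injected/", responder))
```

Run `check_url` with the default `fetch` against each URL that Webmaster Tools reported; a URL counts as cleaned only when every profile returns 404 or 410.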
ASKER CERTIFIED SOLUTION
Dan McFadden

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Big Monty

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.