Google reports server hacked

  • Question

  • User-365041795 posted

    Hi,

    I have a site that was written about 7 years ago in ASP.NET 2 which was recently the target of a compromise where the hackers dumped lots of HTML files on the site.  After spending some time looking at it, I found that the file manager in the FCK editor was not secure and have subsequently removed it along with all the files that were loaded onto the server.  

    We first became aware of the issue when we received a Google report that the server was hacked about six weeks ago.  Since we closed the loophole and removed the files there has been no further compromise that we are aware of.  

    Then last week we received another report from Google that the server was hacked and it gave a URI similar to the following;

    http://somedomain.com?search.asp?some_very_long_html_filename.html -names changed to protect the innocent!

    Now, here's what has really confused me; if you click the link, it does actually take one to the URI indicated and displays a spam html file on my domain.  However, there is no file called search.asp in the directory structure of the site and the html file is not there either!!!

    Additionally, if I go to the URI and omit the query string it brings up the search.asp file, which is totally blank and there is no source code though it does open an empty box which indicates to me that the file is there.  

    I have checked the web config and cannot find anything out of the ordinary.  

    Can someone please tell me what is going on or at least tell me where else I should be looking?  

    Thanks

    Terry.

    Monday, November 24, 2014 5:14 AM

Answers

  • User1508394307 posted

    If the URL is somedomain.com/search.asp then

    1. either the file is there (maybe it is hidden?)
    2. or you have a rewrite engine that rewrites search.asp to another script.

    To check #2, just try to enter search2.asp or look whether you have any rewrite logic in web.config.

    Also check if you have global.asa or global.asax, or if you have any custom error page that might redirect a nonexistent page to a certain script.

    Also, you said it is an asp file; is it classic ASP?

    Regardless of whether you find it or not, you need to either redeploy your site or check every script to see whether any other "changes" were made. Even if Google does not report any problems to you, it might happen that there is other code or other files that were hacked and still exist in your system.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, November 24, 2014 5:53 AM

All replies

  • User1508394307 posted

    Is it

    http://somedomain.com?search.asp?some_very_long_html_filename.html 

    or 

    http://somedomain.com/search.asp?some_very_long_html_filename.html

     (slash instead of ?)

    or is search.asp a parameter of one of your pages, e.g.

    http://somedomain.com/unsecurepage.asp?otherdomain.com/search.asp?some_very_long_html_filename.html

    Monday, November 24, 2014 5:20 AM
  • User-365041795 posted

    Thanks for the response and my apologies, it was a typo.  It should read http://somedomain.com/search.asp?some_very_long_html_filename.html

    Terry

    Monday, November 24, 2014 5:41 AM
  • User-365041795 posted

    Thanks Smirnov!  

    I thought I was going mad because I had checked all you mentioned.  Anyhow, your post got me thinking and I hadn't checked whether they'd made it a system file or not so when I unchecked show hidden files it didn't show up and it wasn't until I unchecked show system files that it became visible.  

    Thanks again,

    Terry.

    Monday, November 24, 2014 7:57 AM
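
The checks discussed in this thread (hidden or system files, global.asa/global.asax, and rewrite or custom-error logic in web.config) can be run in one pass over the web root. This is an added example, not code posted by anyone in the thread; the default `$WebRoot` path is an assumption, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only triage of an IIS web root after a compromise.
# $WebRoot is an assumed default; pass the site's real physical path.
param([string]$WebRoot = 'C:\inetpub\wwwroot')

# -Force makes Get-ChildItem return files that carry the Hidden or System
# attribute, which Explorer and a plain directory listing leave out.
$files = Get-ChildItem -LiteralPath $WebRoot -Recurse -Force -File

# 1. Files marked Hidden and/or System. A web root rarely has a reason to
#    contain any, so every hit deserves a look.
$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
Write-Output '--- Hidden / System files ---'
$files | Where-Object { $_.Attributes -band $mask } |
    Select-Object FullName, Attributes, Length, LastWriteTime

# 2. Application-level scripts that run on every request.
Write-Output '--- global.asa / global.asax ---'
$files | Where-Object { $_.Name -in 'global.asa', 'global.asax' } |
    Select-Object FullName, Attributes, LastWriteTime

# 3. web.config sections that can map a URL to a different script:
#    URL Rewrite rules, custom error pages, and handler mappings.
#    local-name() is used so the match works with or without an xmlns
#    declaration on the <configuration> element.
$sections = 'rewrite', 'customErrors', 'httpErrors', 'handlers', 'httpHandlers'
$xpath = '//*[' + (($sections | ForEach-Object { "local-name()='$_'" }) -join ' or ') + ']'
Write-Output '--- web.config routing sections ---'
foreach ($cfg in $files | Where-Object { $_.Name -eq 'web.config' }) {
    try {
        $xml = [xml](Get-Content -LiteralPath $cfg.FullName -Raw)
    } catch {
        Write-Warning "Cannot parse $($cfg.FullName): $($_.Exception.Message)"
        continue
    }
    foreach ($node in $xml.SelectNodes($xpath)) {
        [pscustomobject]@{
            Config  = $cfg.FullName
            Section = $node.LocalName
            Xml     = $node.OuterXml
        }
    }
}
```

The script changes nothing on disk; compare its output against a known-good deployment of the site.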