Attack and new files created RRS feed

  • Question

  • User1622967042 posted

    Hi everyone,

    I have suffered an attack to my site. The hackers got to execute server code so that every time a user uploads a file, this new file includes the pool user with every privilege (you can go to security properties of the file and find the app pool user added to the list of authorized users with all the permissions on).

    Do you know if this behaviour can be deactivated? I am refering just to security issue. I found why they could upload files and that part is fixed already.

    Thank you!


    Monday, May 11, 2020 3:16 PM

All replies

  • User-848649084 posted


    First, you need to use the trusted CA SSL certificate in your site. 

    The application should use a whitelist of allowed file types. This list determines the types of files that can be uploaded and rejects all files that do not match approved types.

    The application should use client- or server-side input validation to ensure evasion techniques have not been used to bypass the whitelist filter. These evasion techniques could include appending a second file type to the file name (e.g. image.jpg.php) or using trailing space or dots in the file name.

    The application should set a maximum length for the file name, and a maximum size for the file itself.

    The directory to which files are uploaded should be outside of the website root.

    All uploaded files should be scanned by antivirus software before they are opened.

    The application should not use the file name supplied by the user. Instead, the uploaded file should be renamed according to a predetermined convention.

    in iis you could also do below setting to do not allow a user to execute the script:

    1)open IIS, select your site

    2)Navigate to and click the upload folder for the relevant website, and then under the IIS section, double-click Handler Mappings.

    3)In the Actions pane, click Edit Feature Permissions.

    4)In the Edit Feature Permissions dialog box, clear the Script and Execute checkboxes and click OK.



    Tuesday, May 12, 2020 3:30 AM
  • User1622967042 posted

    Thank you so much for your answer Jalpa.

    Though all you are sharing is very very useful (and I take note of it), it's not what I am worried the most about.

    The problem is that in my application users can legitimate upload files (for example, images of a blog), but when I check the uploaded file, it's like this:

    As you can see, system has added a new group (Site1) which is the applicationIdentity of the pool for the application.

    Two more images:

    As you can see, system has added that group (Site1) for the uploaded file with Full Control, but it's not an inherited permission (though it seems to be in image 2) as you can see in image 3.

    Tuesday, May 12, 2020 9:51 AM
  • User-848649084 posted

    Sorry for the misunderstanding. could you please share where your site folder is located? and what permission did you set to the site folder and the upload folder? 

    Wednesday, May 13, 2020 8:50 AM
  • User1622967042 posted

    The site folder is a normal folder in C:\

    Relative to the upload folder, there is not an upload folder in concrete. The question is that they could exploit a vulnerability in one of our components (Telerik asyncupload) and execute arbitrary code. The code they executed allowed them to upload a file with "full control". Now, every single file uploaded to the application, adds the pool user with full permissions.

    Wednesday, May 13, 2020 10:43 AM
  • User-848649084 posted

    then you could set the handler mapping for the ist level or the server level as I suggested before to do not allow execute the file. 

    Tuesday, May 26, 2020 9:26 AM
  • User1622967042 posted

    Jalpa, thanks again for your interest. Your comments are very helpful.

    But in this case, I would like to go to the root of the problem. What I want is to know why now every file uploaded to the server (images were just an example, sometimes are docs, zip, etc.) is uploaded with the "pool user" added and full permissions (as shown in the captures). 

    Wednesday, May 27, 2020 8:45 AM