Website Hacking

  • Question

  • User-964141632 posted

    Last year I created, and have since managed, an ASP.NET website for our church denomination using C# in Visual Studio 2010.

    After a few months it was hacked, but the hacker does not seem to have interfered with the SQL database; they redirected or replaced the front page with Islam-praising content of their own.

    I took the website down and reported it to the domain provider, but he does not have any solution to the problem. He only knows about WordPress, but since our old church website was done using PHP he was chosen as the provider. After I joined the committee, and since I wanted to use ASP.NET, we told him; he does not know about Windows-based hosting, but he gave us space since we can manage the whole site.

    It was like talking to a wall about the hacking. My question here is: how vulnerable is an ASP.NET site compared to WordPress websites? He blamed me for not securing the code and for choosing ASP.NET. I don't really know how that comes about. I work in a company and all our websites are just like this website, but they have never been hacked. Does it mean our work website is secure only because no one has hacked it? How can I improve the coding or the ASP.NET website?

    Please provide a cheap solution to resume our church website, like a domain provider in our country (India). Is it possible to use the same domain name with another domain provider?

    Wednesday, January 13, 2016 6:00 AM

Answers

  • User177399542 posted

    Hi Teezet

    1) Your select queries can very easily be attacked using SQL injection. Use parameterised queries.

    Change like this:

    ------- Your queries ------
    // The notice ID is concatenated straight into the SQL text.
    SqlCommand PowerNewsDetail = new SqlCommand("select * from Notice where Notice_status ='Active' AND Notice_id='" + _id[i].ToString() + "'", cnn);

    ------- Change to parameterised queries like this ----------------------
    // The value travels as a typed parameter, separate from the SQL text.
    string commandText = "SELECT * FROM Customers WHERE Country=@CountryName";
    SqlCommand cmd = new SqlCommand(commandText, conn);
    cmd.Parameters.Add("@CountryName", SqlDbType.NVarChar).Value = countryName;

    2) You are sending your parameters via query strings, which can also be attacked easily. Use Sessions instead of query strings, or encrypt your query string parameters.

    http://www.codingfusion.com/Post/Query-String-Encrypt-Decrypt-in-asp-net

    3) Check your data. It might be possible that the hacker has inserted some JavaScript code to redirect to some other website.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Saturday, January 16, 2016 6:44 AM
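    A hardened version of the notice list from the posted PageMaster code, added here as an example and not code from the thread: one parameterised query replaces the per-ID query that concatenated the ID into SQL (point 1), and the title and link are HTML-encoded so a tampered Notice row cannot inject script into the page (point 3). It assumes the column names and the AppSettings connection string shown in the posted code; NoticeList and Render are names chosen for this example.

```csharp
// Added example, not the poster's code. Assumes the Notice table columns shown in
// the thread (Notice_id, Notice_status, Notice_MizoTitle, Notice_EngTitle).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Web;

public static class NoticeList
{
    // Returns the <ul> markup for the active notices in the requested language.
    public static string Render(string language)
    {
        // Identifiers cannot be passed as SQL parameters, so the column name is
        // picked from a fixed whitelist; it never comes from the request.
        string titleColumn = language == "Mizo" ? "Notice_MizoTitle" : "Notice_EngTitle";
        string sql = "SELECT Notice_id, " + titleColumn +
                     " FROM Notice WHERE Notice_status = @status ORDER BY Notice_id DESC";

        var html = new StringBuilder("<div id=\"news-container\"><ul>");
        using (var cnn = new SqlConnection(ConfigurationManager.AppSettings["ConnectionString"]))
        using (var cmd = new SqlCommand(sql, cnn))
        {
            // Typed parameter: the value is sent separately from the SQL text, so
            // quotes or comment markers inside it cannot change the statement.
            cmd.Parameters.Add("@status", SqlDbType.NVarChar, 20).Value = "Active";
            cnn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                while (dr.Read())
                {
                    string id = dr["Notice_id"].ToString();
                    string title = dr[titleColumn].ToString();
                    // Encode for the context each value lands in: URL query value,
                    // then HTML attribute, then HTML text. A stored <script> in the
                    // title is rendered as literal text instead of executing.
                    string href = "noticeDetails?pid=" + HttpUtility.UrlEncode(id);
                    html.Append("<li><div>->&nbsp;&nbsp;<a style=\"color:#c6f0ae;\" href=\"")
                        .Append(HttpUtility.HtmlAttributeEncode(href))
                        .Append("\">")
                        .Append(HttpUtility.HtmlEncode(title))
                        .Append("</a></div></li>");
                }
            }
        }
        html.Append("<li><div style=\"padding-top:15px;\"><hr /></div></li></ul></div>");
        return html.ToString();
    }
}
```

    In Page_Load the two duplicated language branches then collapse to `literals.Text = NoticeList.Render(GlobalClass.loginLanguage);`, and the `using` blocks close the connection even when a query throws, which the empty `catch { }` in the original hides.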
  • User177399542 posted

    Please check out these 8 steps: http://www.iwms.net/trans.aspx?id=894

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, January 18, 2016 7:36 AM
  • User-718146471 posted

    Teezet, PM me and I can run a security scan evaluation on your web site to find any additional backdoors into the site. Being hacked is never fun, especially trying to figure out what else is going on, and having help from others who are more seasoned will always help. I would recommend you FTP into your site and make sure there are no new oddball pages or folders; those could contain malignant content the hacker can use to compromise your site. Any site can be compromised; experience is what tells you where to look.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, January 27, 2016 11:59 AM
  • User465171450 posted

    There are lots of possible attack vectors. It could very well be that the server itself is open. WordPress, though, does have a lot of possible issues due to the plug-ins themselves being attack vectors. The most popular carousel plug-in for WordPress was a huge attack vector for a while, and I saw 8 sites of a client's attacked through it. Of course, it helps if the server is sufficiently protected so that once a user is able to upload a trojan or back door program to give them access, the server setup stops them in their tracks.

    It's always best to go with a larger hosting provider nowadays with good knowledge of security, or at least very good security policies. I would think, though, that if he doesn't know about Windows it's not good to host with him, as there's a good chance he doesn't have the permissions or server locked down sufficiently.

    ASP.NET has had vulnerabilities here and there, but like any OS, patches are released for discovered vulnerabilities. Watch out for using third-party components, especially rich text editors, as those can be attack vectors, especially when you don't keep up with upgrading them.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, January 28, 2016 12:46 PM

All replies

  • User177399542 posted

    Hi Teezet

    Hacking is a very vast topic and there are many backdoors hackers can use to hack a website. It does not matter whether the site is built in WordPress or ASP.NET.

    Here are some points I would like to ask you:

    1) Does your website contain dynamic content? (Meaning, do you pass an ID to fetch content for several pages? If so, please share the code used to fetch the content.)

    2) Do you use cookies?

    3) It is also possible that the hacker has hacked your service provider. (Your website URL?)

    Wednesday, January 13, 2016 7:50 AM
  • User-964141632 posted

    Thanks Anuj,

    1) Does your website contain dynamic content? (Meaning, do you pass an ID to fetch content for several pages? If so, please share the code used to fetch the content.)

    ANS:

    Yes. Since the website should contain the local language and English, I created a first page like a splash screen that contains two buttons, "English" and "Mizo", as the language option. The selected option is stored in a variable which I put in GlobalClass (GlobalClass.cs > public static string loginLanguage;).

    protected void English_Click(object sender, EventArgs e)
    {
        GlobalClass.loginLanguage = "English";
        Response.Redirect("index.aspx");
    }
    protected void Mizo_Click(object sender, EventArgs e)
    {
        GlobalClass.loginLanguage = "Mizo";
        Response.Redirect("index.aspx");
    }

    After it enters the main page (which uses a master page), the content (stored in <div>s) is shown depending on the language stored in the Global class:

    if (GlobalClass.loginLanguage == "Mizo")
    {
        divMizo.Visible = true;
        divEnglish.Visible = false;
    }

    (divMizo or divEnglish is fetched through a literal between the aspx (page) and the aspx.cs (code page))

    The master page has a button at the top, which each page is then managed by, to choose the opposite language (if Mizo is selected then this button shows English, and vice versa); it changes/updates the Global Class content so that we can browse the site showing the same language on every page. That was, I think, the only dynamic content passed on the whole website.

    2) Do you use cookies?

    ANS: No, I don't use cookies.

    3) It is also possible that the hacker has hacked your service provider. (Your website URL?)

    ANS: This is my concern, but he did not say anything about it; the only website hacked is my website, as far as I know.

    Thursday, January 14, 2016 5:17 AM
  • User177399542 posted

    1) Does your website contain dynamic content? (Meaning, do you pass an ID to fetch content for several pages? If so, please share the code used to fetch the content.)

    ANS:

    Yes. Since the website should contain the local language and English

    Can you please post the code which you are using to get content from database?

    Thursday, January 14, 2016 7:16 AM
  • User-964141632 posted

    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Collections;
    using System.Configuration;
    using System.Data;
    using System.Linq;
    using System.Web;
    using System.Web.Security;
    using System.Web.UI;
    using System.Web.UI.HtmlControls;
    using System.Web.UI.WebControls;
    using System.Web.UI.WebControls.WebParts;
    using System.Xml.Linq;
    using System.Data.SqlClient;
    using System.Text.RegularExpressions;
    using System.Text;

    public partial class PageMaster : System.Web.UI.MasterPage
    {
        SqlConnection cnn = new SqlConnection(ConfigurationManager.AppSettings["ConnectionString"]);
        ArrayList _id = new ArrayList();
        ArrayList past_id = new ArrayList();
        ArrayList _content = new ArrayList();
        StringBuilder put, upcomingList, upcomingList2;
        string _pageurl, _titleurl;

        protected void Page_Load(object sender, EventArgs e)
        {
            // Visitors who have not passed the splash page are sent back to it.
            //object ap = Session["Visitor"];
            if (Session["Visitor"] == null || Session["Visitor"].ToString() == "")
            {
                Response.Redirect("Splash.aspx");
            }

            if (GlobalClass.loginLanguage == "Mizo")
            {
                section.Text = "Translate in English";
                try
                {
                    cnn.Open();
                    // First query: collect the IDs and Mizo titles of all active notices.
                    SqlCommand selectreport = new SqlCommand("select * from Notice WHERE Notice_status ='Active' Order by Notice_id desc", cnn);
                    SqlDataReader dr;
                    dr = selectreport.ExecuteReader();
                    _id.Clear();
                    _content.Clear();
                    while (dr.Read())
                    {
                        _id.Add(dr["Notice_id"].ToString());
                        _content.Add(dr["Notice_MizoTitle"].ToString());
                    }
                    dr.Close();
                    put = new StringBuilder();
                    put.Append("<div id=\"news-container\"><ul>");
                    for (int i = 0; i <= (_id.Count - 1); i++)
                    {
                        // Second query per notice; the ID is concatenated straight into the SQL text
                        // (this is the line the replies about parameterised queries refer to).
                        SqlCommand PowerNewsDetail = new SqlCommand("select * from Notice where Notice_status ='Active' AND Notice_id='" + _id[i].ToString() + "'", cnn);
                        SqlDataReader dr1;
                        dr1 = PowerNewsDetail.ExecuteReader();
                        while (dr1.Read())
                        {
                            // Link and title are written into the HTML as-is, without encoding.
                            _pageurl = "noticeDetails?pid=" + dr1["Notice_id"].ToString();
                            _titleurl = dr1["Notice_MizoTitle"].ToString();
                            put.Append("<li><div>->&nbsp;&nbsp;<a style=\"color:#c6f0ae;text-align:justify;\" href=\"" + _pageurl.ToString() + "\">" + _titleurl.ToString() + "</a></div></li>");
                        }
                        dr1.Close();
                    }
                    put.Append("<li><div style=\"padding-top:15px;\"><hr /></div></li></ul></div>");
                    literals.Text = put.ToString();
                }
                catch { } // any database error is swallowed silently
                finally { cnn.Close(); }
            }
            else
            {
                section.Text = "Translate in Mizo";
                try
                {
                    cnn.Open();
                    // Same two-step pattern for the English titles.
                    SqlCommand selectreport = new SqlCommand("select * from Notice WHERE Notice_status ='Active' Order by Notice_id desc", cnn);
                    SqlDataReader dr;
                    dr = selectreport.ExecuteReader();
                    _id.Clear();
                    _content.Clear();
                    while (dr.Read())
                    {
                        _id.Add(dr["Notice_id"].ToString());
                        _content.Add(dr["Notice_EngTitle"].ToString());
                    }
                    dr.Close();
                    put = new StringBuilder();
                    put.Append("<div id=\"news-container\"><ul>");
                    for (int i = 0; i <= (_id.Count - 1); i++)
                    {
                        // ID concatenated into the SQL text, as above.
                        SqlCommand PowerNewsDetail = new SqlCommand("select * from Notice where Notice_status ='Active' AND Notice_id='" + _id[i].ToString() + "'", cnn);
                        SqlDataReader dr1;
                        dr1 = PowerNewsDetail.ExecuteReader();
                        while (dr1.Read())
                        {
                            _pageurl = "noticeDetails?pid=" + dr1["Notice_id"].ToString();
                            _titleurl = dr1["Notice_EngTitle"].ToString();
                            put.Append("<li><div>->&nbsp;&nbsp;<a style=\"color:#c6f0ae;\" href=\"" + _pageurl.ToString() + "\">" + _titleurl.ToString() + "</a></div></li>");
                        }
                        dr1.Close();
                    }
                    put.Append("<li><div style=\"padding-top:15px;\"><hr /></div></li></ul></div>");
                    literals.Text = put.ToString();
                }
                catch { } // any database error is swallowed silently
                finally { cnn.Close(); }
            }
        }
    }

    Something like this. I extract different tables like News, Programme, and Events in addition to the above table, but the steps are the same; I just include them in the code.

    Friday, January 15, 2016 10:21 AM
  • User-964141632 posted

    Thank you Anuj. I never thought of improving security by using parameters. I'll change that and do that from now on; it's just that I never experienced hacking or how they do it.

    Please tell me any security improvements to my code and overall ASP.NET web pages. Thanks again.

    Monday, January 18, 2016 6:34 AM