A friend is asking about their ASP.NET site that has been getting hacked. It’s on a hosted server – cheapo hosting.
I haven’t seen it myself just yet, but I’m hoping for ideas on where to look once I do.
The symptoms reported are that links, some mangled, are appearing appended to the .ASPX file (aspx/html on the disk).
Before I learned this, I thought it was SQL injection with links getting appended to their poorly written (I’ve seen that one) “content manager” content. So I don’t think that SQL injection could do this.
Anyone else seen this kind of hack?
Because then you’d notice. The usual aim is to add linkfarming and trojan-loading exploits to a popular site for as long as possible before the admin notices and takes it off-line.
If your actual .aspx files are being appended to, then that’s probably a trivial automated attack on an FTP site using stolen passwords. Most commonly today, this happens because a client machine that has been used to connect to the FTP has been hacked and a password-stealing trojan installed.
Check all client machines that have been anywhere near the FTP thoroughly (and reinstall dirty systems completely rather than using today’s unreliable anti-virus software to attempt to ‘clean’ them). Then change the password for FTP access (much better: use SFTP. FTP is an insecure pile of crud that no-one should be using in this century).
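To find which files on disk were touched, the symptom described in this thread (links appended to the .aspx/.html files) can be checked for mechanically. The following is an added example, not code from either poster: it flags files that carry link, script or iframe markup after the final `</html>`. The extension list, the patterns and the sample pages are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# File types the thread mentions being tampered with (aspx/html on disk).
EXTENSIONS = {".aspx", ".html", ".htm"}
CLOSE_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)
# Markup that has no reason to sit after the end of the document.
SUSPICIOUS = re.compile(rb"<\s*(a|script|iframe)\b|https?://", re.IGNORECASE)

def trailing_content(data: bytes) -> bytes:
    """Return whatever follows the last </html>, stripped of whitespace."""
    matches = list(CLOSE_HTML.finditer(data))
    if not matches:
        return b""  # no closing tag (e.g. master-page content): cannot judge
    return data[matches[-1].end():].strip()

def scan(root: Path) -> dict:
    """Map each flagged file (relative path) to the first 120 bytes of its tail."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            tail = trailing_content(path.read_bytes())
            if tail and SUSPICIOUS.search(tail):
                findings[str(path.relative_to(root))] = tail[:120]
    return findings

def demo() -> dict:
    """Build a constructed two-file site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        page = b"<%@ Page Language=\"C#\" %>\n<html><body>Hello</body></html>\n"
        (root / "clean.aspx").write_bytes(page)
        # Constructed sample of an appended link block; example.invalid is a placeholder.
        (root / "default.aspx").write_bytes(
            page + b"<div style=\"display:none\">"
                   b"<a href=\"http://example.invalid/x\">x</a></div>\n")
        return scan(root)

if __name__ == "__main__":
    for name, tail in demo().items():
        print(f"{name}: {tail!r}")
```

Run `scan()` against a downloaded copy of the site; pages without a closing `</html>` are skipped, so compare those against a known-good backup instead.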