Hacked Again :(

[RedBaird]

Yes, I trust my Norton Security Suite!

 

Another keyword is Legion7sign

 

Here is automated domain-report on a site that was hacked, where you can see how some of the public information has been replaced or added to, such as tags:  http://nl.domainleia.com/www/fabulouswines.nl

 

 

Found another site holding it's hacked pages in a mirror, from November 13, 20013, with about 9 pages with simple text on it.  

 

A USA newspaper site has a hacked or added web-page that has the Legion7Sign words rotating in a red-backgound demo, with music from a YouTube vid for "Pirates of the Carribean , At World's End"  https://www.youtube.com/watch?v=cScVoZWVDLQ%26autoplay=1  The page code does not allow right-clicks, but Chrome can show the source-code text.

 

AV's rate the site safe and "Site Advisor" says 'caution'.

 

I don't know if it is related, but the active home page for the newspaper's site shows some missing link error statemens, and error statements about the error-messages that it can't display.

 

 

 

[CruelKind]

The problem was gone and now it's back, looking slightly different but behaving the same

 

 

Edit:

 

Looks like it's possibly coming in through SQL Server.. They are getting text files uploaded and then running them, which makes the changes to my .asp files

Edited June 23, 2014 by CruelKind

[PiNoY]

Tried scanning your files for vulnerability too? or phishing content? was it dedi server with windows and IIS?

 

It is possible that hacker leaves a trojan horse or backdoor, so maybe have a recheck? If it's a known security flaw, he might get back?

 

recently, some discussions remind me of other people using 6scan, dunno if that adds a bit benefit to you as well.

[CruelKind]

Thanks, mostly Im not sure on all of this... No doubt last time I did discover Trojans etc.. and there is an obvious vulnerability but to find out where is going to be quite the task. We are discussing rebuilding the server with Linux (apache w/ wine)

 

All in all it's a big guessing game, and that's what's frustrating the most. I'm running all the normal scans I can think of and doing some searching in the registry. I did find the offending txt scripts which are causing the routines to run, but I need to figure out where the main exe program is that's activating it all.

 

I really appreciate all the input, even if it seems worthless, any little thing might be a key to fixing it.

[daredevil]

Windows anh... But let's start with little basic:

 

1. Restrict remote access to specific IP ranges.

2. Restrict FTP to IP.

3. Clean the system with anti virus but since you have already found trojans re-install windows and do steps 1 and 2.

4. Change passwords.

 

Re install website from back up and check if your website in itself doesn't have security loopholes. Stop with AVG and use Norton or something better.

 

I would suggest to nuke your VM and re install windows and re load back up.

 

PS Run anti virus on your PC. Sometimes they target admin laptop/desktop and keep getting latest password from there. When even that doesn't work higher sys admin and let him do the work

 

Good luck.

[PiNoY]

btw what specific reasons do you need wine for ?

[Papito]

I was looking around, I will leave this here:

 

https://www.facebook.com/pages/Anonymous-Indonesia/428034573972092?fref=nf

http://www.zone-h.org/notify/single

http://www.zone-h.org/archive/notifier=Scream4.0.4

https://www.facebook.com/groups/official.Mcc/

[SneakyCr0w]

If the problem happens again, you could've requested a new server change & messed around with your code so instead of using "homepage.asp" it used let's say "home.asp". Or, you could even mess with your .htaccess file so you can use a custom extension like .home and it reads it as a .asp file, that way you can rename the file homepage.home or something of that way. But of course if your server has trojans then that might not work.

 

I don't use Windows for servers, so daredevil has the right idea:

 

Windows anh... But let's start with little basic:

1. Restrict remote access to specific IP ranges.
2. Restrict FTP to IP.
3. Clean the system with anti virus but since you have already found trojans re-install windows and do steps 1 and 2.
4. Change passwords.

Re install website from back up and check if your website in itself doesn't have security loopholes. Stop with AVG and use Norton or something better.

I would suggest to nuke your VM and re install windows and re load back up.

PS Run anti virus on your PC. Sometimes they target admin laptop/desktop and keep getting latest password from there. When even that doesn't work higher sys admin and let him do the work

Good luck.

 

 

Personal recommendation though is to find a host that doesn't use Windows as their primary OS. I personally think that Linux is Godlike when it comes to Webservers.

Edited June 24, 2014 by ChaosEdition

[daredevil]

Windows is well secured... It's just people don't maintain it and then it gets bad name. Windows is peace of mind if used wisely.

[fishdude]

You definitely have sql injection holes in the login form and probably security issues in other places on the site, since you can't normally upload files through sql injection.

 

For example: Enter this in the Username field '1 and see there is a SQL server error. Data passed in should never be used directly to create sql statements.

Consider this.

string sql = "select * from myTable where username = '" + Request.Form["username"] + "'"

If someone enters ' or '1'='1 your sql is going to be select * from myTable where username = '' or '1'='1' -- not what you want.

 

Maybe there is an upload form available after you log in? Remember the hacker can login without a username/password due to the sql injection. If the files are stored in a location that is accessible through the browser, a hacker could upload his own .asp file that can do anything he wants and run it just by accessing the file with the browser. If he uploads an .asp file, it could do almost anything, like overriding the homepage.asp file, installing apps, etc. 

 

Classic ASP isn't my thing, but I you can use named parameters instead of creating inline sql (which is vulnerable to injection). You could also switch to using all stored procedures which is called in a similar way.

 

Here is a link that might help: http://prepared-statement.blogspot.com/2006/02/asp-prepared-statements.html

 

Getting the machine cleaned up is important, but until you get the holes in your app fixed, this will just continue to be a problem for you.

 

Something else I just noticed. At the bottom of the page there is an admin link. I clicked on it, and it downloaded some Ammyy admin app. I tried to connect, but it didn't work. I looked through the Ammyy admin site, and it wasn't clear to me if a password is required or not. It didn't say anything about passwords. If it works while you have it running, and there is no password, anyone could connect. You'd be better of using the standard remote desktop capabilities built into Windows.

[Quovadis]

The main reason why windows is less secure than linux is bebause windows i way more used, there is 10000x more people trying to find it's flaws.

 

 

First thing first, before talking of a fix, you need to find your breach.

 

Could possibly be abrute force breach on your ftp server. Try limiting the number of failed atempts before refusing connection. Look in your access logs. I would suggest bumping your ftp server and replacing it with a SFTP server with public/privatekey system.

 

As of the sql injections, fish is right, you cannot upload files through an sql injection. Altough if your sql statement are prepared like fish pointed, it would be really to send 2 commands on the same line and drop the whole database. If you don't wanna redo logic, try escaping parameters before passing them.

 

What type of systems do you have implemented?

 

Do you have upload modules?

 

If you don't have access to the file transfert server, I doubt it is possible to upload that many files unless there is a big securoty leek in an upload script. Altough if one script is uploaded, this script could easily be the one downloading the rest.