I've been hacked. Evil aspx file uploaded called AspxSpy. They're still trying. Help me trap them‼

I'm also putting up the contents of the .aspx file that was uploaded. When I try to access it, I get prompted for a password. Looking at the code, there's a hardcoded password, but it looks like some MD5 encryption is going on and I can't get in to look at what is behind the password protection on this hacker's page. Can someone help with getting past the password protection?

Their file was called wjose.aspx and I've pasted the code into jsbin for easy viewing: http://jsbin.com/uhoye3/edit#html

I've already got a server/host based version of the question on serverfault.com asking for steps to prevent this in the future: https://serverfault.com/questions/206396/attempted-hack-on-vps-how-to-protect-in-future-what-were-they-trying-to-do

Moin Zaman Avatar asked Feb 25 '23 17:02



1 Answer

If you are running asp.net, and only that as you tagged, then you only need to add this web.config in the root directory that your users upload files to. With that web.config you do not allow anyone to run aspx pages in this directory tree.

The web.config in the protected directory must only contain:

<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

With this web.config your program can still read and write images and other files in this directory, but cannot run aspx and other executable asp.net extensions.

Check the file extension upload

Of course you must check for all the known executable file extensions on upload and on rename, including but not limited to .exe .php .aspx .com .asp .ashx. This is, I believe, the first thing that one must do, but to be sure that no other way is found to run something unknown, there is the web.config, and that is limited to dot.net only.

For the password you ask about

Just comment out/remove all these lines on http://jsbin.com/uhoye3/edit#html and you will see it running, because at this point it checks the password and returns false on failure. If you let it continue, you cancel the password part.

if (Request.Cookies[vbhLn].Value != Password)
{
    tZSx();
    return false;
}
Aristos Avatar answered Apr 28 '23 15:04

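The extension check the answer recommends, written as an added example (not code from the question, the answer, or the webshell) in the form a defender would actually deploy beside the deny-all web.config: an allowlist of the few types the site accepts rather than a blocklist of known executable extensions, plus a server-generated file name so a later rename cannot reintroduce an executable extension. The class and method names (UploadValidator, SafeNameFor, AllowedExtensions) are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;

// Hypothetical helper: validates a client-supplied upload name and returns the name
// the file should be stored under, or null when the upload must be rejected.
public static class UploadValidator
{
    // Allowlist: only these extensions are ever accepted. A blocklist of .aspx, .asp,
    // .ashx, .php, .exe ... is what the answer lists, but an allowlist needs no updating
    // when a new executable extension is mapped on the server.
    private static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };

    public static string SafeNameFor(string clientFileName)
    {
        if (string.IsNullOrWhiteSpace(clientFileName))
            return null;

        // Drop any directory part the client sent, so "..\\wjose.aspx" becomes "wjose.aspx"
        // and nothing can be written outside the upload directory.
        string name = Path.GetFileName(clientFileName);

        // Windows strips trailing dots and spaces when creating a file, so "shell.aspx."
        // would be stored as "shell.aspx"; normalise before looking at the extension.
        name = name.TrimEnd('.', ' ');

        // Only the final extension matters to IIS's handler mapping; compare it
        // case-insensitively against the allowlist.
        string ext = Path.GetExtension(name).ToLowerInvariant();
        if (!AllowedExtensions.Contains(ext))
            return null;

        // Never reuse the client's base name. Storing under a random name plus the
        // checked extension means double extensions or separators embedded in the
        // original name ("wjose.aspx;.jpg") do not survive into the stored file name.
        return Guid.NewGuid().ToString("N") + ext;
    }
}
```

Apply the same check when an existing upload is renamed, since the answer notes the rename path as a second way an executable extension can appear.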