Website hacked
Hi all,
A fresh version of a website running 7.2.1 was hacked today. It's the payday loan hack. www.notar.dk
Normally WordPress is affected by this.
We tried this before when they were running 4.0.3 on the exact same server.
Then a new website was created and it happened again.
I can't find anybody who can tell me how to stop this problem and fix it. Doing a full restore of tonight's backup will fix it, but how to avoid it from happening again??
Can anyone help?
Screenshots of the problem:
http://www.pcl.dk/web.jpg
http://www.pcl.dk/sql.jpg
It's hosted at unoeuro.com
If you're finding that your server keeps getting hacked, it's unlikely to be the software but more likely to be a server security issue.
Is it a shared server? If so it might be that full trust is allowed and other users of the server can hack your sites. If so, MOVE!?
I think at the least you need to review the following:
* Revoke ALL FTP user accounts and create a new one with a new password
* Check any user security permissions on the inetpub / www folders
* Change all passwords for any server admin accounts (if it's a shared / hosted server then any user accounts to the server admin)
* DB passwords: change them, including the SA account.
* Do you allow file uploads on this site? Have you secured this from allowing unscrupulous execution of code?
Might be worth checking any access logs around the time the site changed. Was there anything in the logs (server and Umbraco) that would indicate someone was posting something malicious?
Thanks for your answer. It's much appreciated.
It is shared hosting. I also began to suspect this is the problem.
We tried changing all passwords for both FTP and SQL. That wasn't enough.
It's all database fields (of type text or nvarchar) in the database which got the following added:
</title><style>.arwk{position:absolute;clip:rect(458px,auto,auto,448px);}</style><div class=arwk>Bank account should choose <a href=http://paydayloansforlivey.com >pay day loan</a> it offers.</div></title><style>.ape7{position:absolute;clip:rect(430px,auto,auto,439px);}</style><div class=ape7>Sadly there is best <a href=http://paydayloansforlivey.com >payday advance</a> to spot.</div></title><style>.ajkp{position:absolute;clip:rect(488px,auto,auto,490px);}</style><div class=ajkp>Good lenders so popular <a href=http://paydayloansforlivey.com >loans online</a> millions of conduct.</div>
Mmmm that does sound like either you have a vulnerability somewhere that allows remote execution of SQL or the SQL DB on the shared host is a free-for-all. I've seen this problem before but I can't comment specifically on your host - there is nothing coming up with issues with them on Google searches - have you tried contacting them to see if there is an issue on the server?
But to be safe, if you don't have anything funky that might be being exploited (e.g. any other sites?) then I'd move host I'm afraid.
Hi,
They just say it's not their problem, there is nothing wrong at their end. I think they answer too quickly, without actually checking anything.
The forms we have don't have any connection to SQL, just mail form submissions to visitor and admin. So I can't figure out how the malicious code is added.
I am in the process of moving hosts.
Hi:
I found this thread by searching Google for the payday loans SQL injection. We don't use Umbraco but we do use ASP.NET and SQL server. We have scripts we've been using for years that have finally become vulnerable.
We're running IIS 7.5 and I did find a URL that may be helpful for those with dedicated web servers running IIS:
http://blogs.iis.net/wadeh/archive/2008/12/18/filtering-for-sql-injection-on-iis-7-and-later.aspx
This link provides instructions for adding blocks for certain types of requests. It apparently intercepts them at the IIS level before they have a chance to hit the vulnerable scripts. We've applied it today and are monitoring to see how effective it is.
We've also identified some very old Classic ASP files that appear to be the source of the vulnerability. They have some old SQL statements that aren't parameterized queries, which is a big no-no.
Hope this information helps.
Thanks, I'll look into it.
Hi,
Did you perhaps find the cause of it?
I restored a database earlier this year after an attack and changed all passwords, but this weekend the same hack has happened again. Although we do Umbraco a lot, this is the first and only site that got hit. I noticed the NewsLetter Plugin is installed, with a file upload module. I have disabled this module, to see if that might be the cause. An analysis of the IIS log files did not show any sign of SQL injection whatsoever, so I'm a bit lost here and afraid it might happen again.
Umbraco 4.7.1 by the way.
If you have any more info, please let me know.
Kind regards,
Tom
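The log review Tom describes above is where this kind of attack is usually spotted, but only if the query string is URL-decoded first and the hex blob inside the CAST(...) is decoded as well (the prefix Peter quotes later in the thread, 0x4400 4500 ..., is "DE..." in UTF-16LE, the start of the encoded statement). Added example, not code from this thread, from Umbraco or from the linked IIS article: a small scanner over constructed W3C-format IIS log lines that flags the stacked-statement pattern and shows what the hex blob contains. The field layout, dates, IPs and the encoded statement are all constructed; the blob here encodes a harmless marker statement rather than the real payload.

```python
import re
from urllib.parse import unquote_plus

# Patterns that have no business in a product-lookup query string.
SIGNATURES = [
    (r"\bDECLARE\s+@", "T-SQL variable declared inside a query string"),
    (r"\bCAST\s*\(\s*0x[0-9A-Fa-f]+", "hex blob cast to text (encoded statement)"),
    (r"\bEXEC\s*\(", "dynamic batch execution"),
    (r";\s*(DECLARE|SET|EXEC|UPDATE|INSERT|DELETE)\b", "stacked statement after ';'"),
]
HEX_RE = re.compile(r"0x([0-9A-Fa-f]{8,})")
DECODED_RE = re.compile(r"\b(UPDATE|INSERT|EXEC)\b|<(div|script|a)\b", re.IGNORECASE)

def decode_hex_blob(blob):
    """Turn 0x... into text; UTF-16LE if every odd byte is zero, else Latin-1."""
    hexdigits = blob[2:] if blob.lower().startswith("0x") else blob
    if len(hexdigits) % 2:
        hexdigits = hexdigits[:-1]  # truncated log line: drop the dangling nibble
    raw = bytes.fromhex(hexdigits)
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")

def scan_log(log_text):
    """Return one finding per suspicious request, using the #Fields header for column names."""
    fields = None
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        query = unquote_plus(rec.get("cs-uri-query", "-"))  # %3B -> ';', %20 and '+' -> ' '
        reasons = [why for pat, why in SIGNATURES if re.search(pat, query, re.IGNORECASE)]
        decoded = [decode_hex_blob(h) for h in HEX_RE.findall(query)]
        for text in decoded:
            if DECODED_RE.search(text):
                reasons.append("decoded hex blob contains SQL/HTML: " + text[:40])
        if reasons:
            findings.append({"line": line_no, "client": rec.get("c-ip"),
                             "stem": rec.get("cs-uri-stem"), "reasons": reasons,
                             "decoded": decoded})
    return findings

# Constructed UTF-16LE hex blob standing in for the hundreds of characters the
# real request carried; it encodes a harmless marker statement.
_BLOB_TEXT = ("UPDATE products SET description = description + "
              "'<div class=ape7>constructed marker</div>'")
_HEX_BLOB = "0x" + _BLOB_TEXT.encode("utf-16-le").hex().upper()

# Constructed W3C-format IIS log lines. Only the third request is malicious; the
# fourth is a benign search for the words the injected HTML advertised.
SAMPLE_LOG = (
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status\n"
    "2014-01-10 09:00:01 GET /page/ productID=10 198.51.100.7 200\n"
    "2014-01-10 09:00:05 GET /page/ productID=10%3BDECLARE%20@S%20NVARCHAR(4000)%3BSET%20@S=CAST("
    + _HEX_BLOB + "%20AS%20NVARCHAR(4000)) 198.51.100.9 200\n"
    "2014-01-10 09:00:09 GET /search/ q=payday+loans 198.51.100.7 200\n"
)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["line"], f["client"], f["stem"], *f["reasons"], sep="\n  ")
```

Run against a real log you would feed the file contents to scan_log; the status code is deliberately not used as a filter, because a successful injection returns 200 just like a normal page view.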
Tom are you on a shared host too or is it your own server? Is it fully patched and updated? There was an MS MVC security vulnerability - I take it you've patched that?
Hi,
Yes i found the cause. It was SQL Injection.
It was an old website, which had been 95% reprogrammed. Unfortunately there were no validation checks on querystring parameters; this originated from the old code base and wasn't touched. Therefore the hacker could send something like this:
http://www.website.com/page/?productID=10;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004 [+ hundreds more characters]
See: http://www.webmasterworld.com/databasessqlmysql/3657200.htm
So validate any form inputs and querystring parameters.
Cheers!
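The two fixes Peter names, validating the querystring parameter and not building SQL by string concatenation, side by side. Added example, not code from this thread or from Umbraco: Python's sqlite3 stands in for the site's SQL Server, the products table and the injected parameter value are constructed, and executescript() plays the role of the old ADO call that ran the whole concatenated batch. The injected value appends a harmless marker instead of the payday-loan markup.

```python
import re
import sqlite3

# Constructed stand-in for the site's product table: every string column is the
# kind of text/nvarchar field the thread says ended up carrying injected HTML.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);"
        "INSERT INTO products VALUES (10, 'Widget', 'A plain widget.');"
        "INSERT INTO products VALUES (11, 'Gadget', 'A plain gadget.');"
    )
    return conn

def all_descriptions(conn):
    return [row[0] for row in conn.execute("SELECT description FROM products ORDER BY id")]

# The old Classic ASP pattern: the raw querystring value is glued into the SQL
# text and the whole string goes to the database as one batch. executescript()
# runs every statement in that batch, so the attacker's second statement runs too.
def lookup_unsafe(conn, product_id_param):
    sql = "SELECT name FROM products WHERE id = " + product_id_param + ";"
    conn.executescript(sql)
    return sql  # returned only so a caller can see what was actually executed

# Hardened version: accept only a plain decimal id, then bind it as a parameter
# so the driver never treats the value as SQL text.
ID_RE = re.compile(r"[0-9]{1,9}")

def lookup_safe(conn, product_id_param):
    if not ID_RE.fullmatch(product_id_param):
        return None  # the application should answer 400/404 here
    row = conn.execute("SELECT name FROM products WHERE id = ?",
                       (int(product_id_param),)).fetchone()
    return row[0] if row else None

# Constructed value of the kind that arrived in ?productID=...: a valid id, a
# statement separator, and a second statement that appends markup to every row.
INJECTED_PARAM = (
    "10; UPDATE products SET description = description || "
    "'<div class=arwk>constructed marker</div>'"
)

def demo():
    """Return (descriptions after the unsafe lookup, safe lookup result, descriptions after the safe lookup)."""
    victim = make_db()
    lookup_unsafe(victim, INJECTED_PARAM)
    hardened = make_db()
    rejected = lookup_safe(hardened, INJECTED_PARAM)
    return all_descriptions(victim), rejected, all_descriptions(hardened)

if __name__ == "__main__":
    print(demo())
```

Note that the parameter binding alone would already defeat the stacked statement; the integer check is there because the value is an id and nothing else should ever reach the query, which also gives you a clean place to log rejected requests.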
Hi,
Thanks. Yes, it is our own server, fully patched. I did not build this particular site (it is a couple of years old), so I have to check the code for errors.
@Peter, thanks for the URL. Although underscores are stripped out, I managed to find the article.
Guess I have some work to do :-)
Tom
Peter - good to hear you've found the vulnerability and fixed it - even better news it wasn't Umbraco that was the source.
You can host Umbraco with winhost.com for as little as $4 a month; works great for me and I've never been hacked.
Ah, SQL injection. Generally, even having a design that exposes query parameters to anything is bad design.
And this being Umbraco 7, you should put it in MVC mode; then you could have routes like this:
http://www.website.com/page/product/10
Then it's impossible to specify additional parameters because it won't map to a valid URL route, and they'll get a 404.