[BNM] Infected Site

paul perrin paul at idltd.com
Mon Jun 1 19:33:25 BST 2009


Any hole in your security could let an ASP file be hijacked for dodgy
purposes - any way that ASP could be injected into a page before it
gets sent to the browser (unsafe data entered into input fields, text
included from a database) could let someone update all your ASP.

I think it is more common for the database server to be attacked
(initially) than the webserver - find a data field that is shown as a
title or something on a page and change it to something more
interesting than plain text...

Paul /)/+)

2009/6/1 Alan Braddish <alan at webspoke.co.uk>:
> I have a client whose web site has become infected with a virus (IFramer or
> something like that).  So every time you try to visit a page, AVG pops up a
> warning.
>
> The site is written in ASP, with a MySQL back-end.  There is very little
> database usage in the site, and I have checked all the data in the DB and
> nothing nasty seems to have been 'injected'.
>
> However, upon FTP'ing into the site, I can see that 2 days ago, the
> filestamp on all ASP files has been updated - so the file contents must have
> been re-written, with the nasty virus code.  I have tried to download
> default.asp to open it in Notepad, but AVG won't let me anywhere near it.
>
>
> Any advice on why this might have happened?  The site is hosted by...wait for
> it... Farcehosts.
>
> Could their security have been compromised somehow for this to happen?  As
> far as I know, the FTP passwords are pretty secure (i.e. complex), unless
> someone has hacked Fasthosts again and robbed all their passwords!
>
> Anyone else on Fasthosts have any similar issues?
>
> Or am I overlooking another route into the site for someone to be able to
> modify all files in the site?
>
> Thanks for any help.
>
> Alan
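Added example, not part of either message in the thread: a triage script for an offline copy of a site like the one described, which flags files containing hidden iframes and finds the hour in which most files were last modified (the mass rewrite Alan saw in the file stamps). The hidden-iframe heuristic, the file extensions and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# Heuristic (assumption): iframes hidden by a 0/1-pixel size or by CSS.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01]\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I)

def scan_tree(root, exts=(".asp", ".inc", ".htm", ".html", ".js")):
    """Return [(relative path, mtime, [matching tags])] for each page file."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:          # read bytes, never render
                text = fh.read().decode("latin-1")
            hits = [m.group(0) for m in HIDDEN_IFRAME.finditer(text)]
            results.append((os.path.relpath(path, root),
                            os.path.getmtime(path), hits))
    return results

def rewrite_window(results, bucket_seconds=3600):
    """Return (bucket start, file count) for the busiest modification hour."""
    buckets = Counter(int(m // bucket_seconds) for _, m, _ in results)
    bucket, count = buckets.most_common(1)[0]
    return bucket * bucket_seconds, count

def demo():  # runs both checks over a constructed three-file site copy
    t = 1243700000                                 # constructed timestamp
    sample = {                                     # constructed file contents
        "default.asp": ('<iframe src="//injected.example/" width=1 height=1>', t),
        "contact.asp": ('<p>Hi</p><IFRAME src="http://injected.example/" '
                        'style="display:none"></IFRAME>', t + 20),
        "map.asp": ('<iframe src="map.html" width="400" height="300">'
                    '</iframe>', t - 90 * 86400),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (body, mtime) in sample.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.utime(path, (mtime, mtime))
        results = scan_tree(root)
    flagged = sorted(p for p, _, hits in results if hits)
    return flagged, rewrite_window(results)
```

Files outside the busiest hour that still contain a hidden iframe, or files inside it with no match, are the ones worth reading by hand.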

