Question

My site was probably hacked. I am finding script.js from bigcatsolutions.com in my page. It triggers a popup of an affiliate program. The script isn't on the page by default and I want to know how I can find where it was injected. The script sometimes injects other ad sites.

In Chrome I see this:

[screenshot]

The injected script code:

function addEvent(obj, eventName, func) {
    if (obj.attachEvent) {
        obj.attachEvent("on" + eventName, func);
    } else if (obj.addEventListener) {
        obj.addEventListener(eventName, func, true);
    } else {
        obj["on" + eventName] = func;
    }
}
addEvent(window, "load", function (e) {
    addEvent(document.body, "click", function (e) {
        if (document.cookie.indexOf("booknow") == -1) {
            params = 'width=800';
            params += ', height=600';
            params += ', top=50, left=50,scrollbars=yes';
            var w = window.open("http://booknowhalong.com/discount-news", 'window', params).blur();
            document.cookie = "booknow";
            window.focus();
        }
    });
})

My site was moved from my hosting company to Amazon EC2 Windows 2013 Server and still has the issues, so it means that the code still resides on the server somewhere. My site was built using ASP.NET / C#.

Things I did:

  • tried to search the original aspx and aspx.cs code files

Solution

Have you checked the IIS logs to see if they are hitting a specific page and injecting it there?

Do you load any data from a database? You could check in the tables and see if anything out of the ordinary appears there.

It is unlikely that the .aspx pages have actually been physically modified, and even more unlikely that the DLLs have been, as .aspx.cs files are compiled into your BIN folder as DLLs. The more likely scenario is that you have an unsecure page that a malicious site is injecting its script into. The other possible attack vector is that you have had malicious code via SQL injection and are loading it each time.

OTHER TIPS

After deep searching (I missed it in the first run), I found that the script was injected into the ASP.NET master page.

I ran a search to search for a specific string in all the files and that's how I found it. It seems that the server itself was breached and the hacker put the code into several websites.

So for those of you who have this type of problem, I recommend running a text search and trying to find the URL that is tied to the running script.

Hope that helps and thanks for your time.
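
The text search recommended above, as an added PowerShell example that is not part of the original posts. It looks for the two domains quoted in the question across ASP.NET content files, master pages included, and lists hits with the most recently modified files first. The function name, the extension list and the `C:\inetpub\wwwroot` path are assumptions to adapt to your server.

```powershell
# Added example: search one or more site roots for strings tied to the injected script.
# Assumptions: function name, extension list and root path are illustrative.
function Find-InjectedReference {
    param(
        # One or more site folders; pass every site on the box if several may be affected.
        [Parameter(Mandatory)] [string[]] $Root,
        # Strings taken from the question: the script host and the popup target.
        [string[]] $Indicator = @('bigcatsolutions.com', 'booknowhalong.com'),
        # Files that can emit markup or script, not only .aspx and .aspx.cs.
        [string[]] $Extension = @('*.master', '*.aspx', '*.ascx', '*.asax', '*.cshtml',
                                  '*.html', '*.htm', '*.js', '*.config', '*.cs')
    )

    Get-ChildItem -Path $Root -Recurse -File -Include $Extension -ErrorAction SilentlyContinue |
        Select-String -Pattern $Indicator -SimpleMatch |   # literal, case-insensitive match
        ForEach-Object {
            $file = Get-Item -LiteralPath $_.Path
            $text = $_.Line.Trim()
            # Minified files can put everything on one line; keep the report readable.
            if ($text.Length -gt 160) { $text = $text.Substring(0, 160) }
            [pscustomobject]@{
                LastWriteTime = $file.LastWriteTime   # when the file was last changed
                Indicator     = $_.Pattern            # which string matched
                Path          = $_.Path
                LineNumber    = $_.LineNumber
                Line          = $text
            }
        } |
        Sort-Object LastWriteTime -Descending
}

# Assumed default IIS content root; replace with your site folders.
Find-InjectedReference -Root 'C:\inetpub\wwwroot' | Format-List
```

An empty result does not clear the site: as the first answer notes, the markup may be loaded from a database table, which this file search does not cover.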

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow