One of my custom developed ASP.NET sites was hacked today: "Hacked By Swan (Please Stop Wars !.. )" It is using ASP.NET and SQL Server 2005 and IIS 6.0 and Windows 2003 server. I am not using Ajax and I think I am using stored procedures everywhere I am connecting to the database so I don't think it is SQL injection. I have now removed the write permission on the folders.
How can I find out what they did to hack the site and what to do to prevent it from happening again?
The server is up to date with all Windows updates.
What they have done is uploading 6 files (index.asp, index.html, index.htm,...) to the main directory for the website.
What log files should I upload?
I have log files for IIS from this folder: c:\winnt\system32\LogFiles\W3SVC1.
I am willing to show it to some of you but don't think it is good to post on the Internet. Anyone willing to take a look at it?
I have already searched on Google but the only thing I find there are other sites that have been hacked - I haven't been able to see any discussion about it.
I know this is not strictly related to programming but this is still an important thing for programmers and a lot of programmers have been hacked like this.
Well, for starters:
If you do have, or are unsure about whether you have, SQL Injection problems, then you can ask further here, but otherwise I would get some security experts to help you.
This is indeed a programming site, so unless your problem is programming-related, it will most likely be closed again.
IIS Process
Check that your ASPNET process does not have privilege to write files on the server. If you need the process to have write permissions, allow them only to do so on a specific folder, and deny execute permissions on that folder for all user accounts.
SQL Injection
To see people looking for SQL vulnerabilities, have a look in your log files for the following text: "CAST(".
Do you have any places where you build up SQL in the code behind to query the database? These can be prone to SQL injection attacks. By replacing code such as the following you will be safer.
Then consider an alternative like the following,
and then add the corresponding SQL Parameter to the SQL command.
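A concrete before/after of the concatenation-versus-parameters point made in this answer, as an added example that is not the answerer's code. The connection string, the `Users` table and its `UserName`/`Email` columns are assumed names:

```csharp
// Added example, not from the original answer. Assumes a SQL Server table
// "Users" with columns "UserName" and "Email" (constructed names).
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // BEFORE: SQL built by string concatenation. The user-supplied value is
    // spliced straight into the query text, so characters in it are parsed as
    // part of the SQL. This is the pattern the answer says to replace.
    public static DataTable FindUserUnsafe(string connectionString, string userName)
    {
        string sql = "SELECT UserName, Email FROM Users WHERE UserName = '" + userName + "'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    // AFTER: the query text is fixed and the value travels as a typed
    // parameter, so it is never interpreted as SQL whatever it contains.
    public static DataTable FindUserSafe(string connectionString, string userName)
    {
        const string sql = "SELECT UserName, Email FROM Users WHERE UserName = @UserName";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            // Explicit type and length bound what the parameter can carry.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

The same parameter approach applies when calling a stored procedure (`cmd.CommandType = CommandType.StoredProcedure`); a stored procedure that itself concatenates its arguments into dynamic SQL is still injectable, so check the procedure bodies too.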