My site has just been hacked and I suspect that it was a remote file inclusion attack. These are my server specs:
Windows Server 2008 R2 running ColdFusion 9 (9.0.1.274733) and IIS 7.5
This is the source code of the page that appeared after my site was hacked:
<!-- # sql_master : securiiity#gmail.com #-->
<html>
<head>
<title>0wned !</title>
<Meta http-equiv="content-type" content="text/html; charset=windows-1254">
<Meta http-equiv="content-type" content="text/html; charset=ISO-8859-9">
</head>
<body bgcolor="black">
<center>
<font color="#ffffff" size="3" face="Tahoma">0wned By <br>SQL_Master , Z0mbi3_Ma , xMjahd !</font>
<br><br>
<img src="http://fc08.deviantart.net/fs71/f/2010/255/e/7/never_look_back_by_arbebuk-d2yiadv.jpg" width="600" height="500"/>
<br><br> </div> </td>
<font color="#ffffff" size="3" face="Tahoma">[email protected]
</font><br><br> <font color="#ffffff" size="3" face="Tahoma">FROM MOROCCO</font> </tr>
</table>
</body> </html>
My site and server are periodically scanned by Symantec and it only picked out the IP of the person who hacked my site.
After the site was hacked, I went and cleared the ColdFusion Verity search, and in IIS I made .cfm the default file type to give preference to, and the site was back online.
However, I did a whole-site search but was unable to find the above code anywhere.
Can someone please explain to me how these types of attacks are made and how I can clean my site and server and prevent this from happening again in the future.
Thank you.
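The question says a whole-site search could not find the defacement markup. A search only finds what you already know to look for; comparing the web root against a hash baseline taken from a known-good deployment shows every file that was added, replaced or removed, whatever its extension. The following is an added example, not code from the question or from ColdFusion or IIS; the directory layout, file names and the baseline location are constructed for the demonstration.

```python
"""Web-root integrity check: baseline every file's SHA-256, then report
added / modified / removed files. Added example; the site files and the
tampering below are constructed for the demo."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large assets do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file (path relative to root, '/'-separated) to its digest.
    Every extension is included: a dropped-in index.htm shows up even when a
    search was limited to .cfm files."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def diff_baseline(old, new):
    """Return (added, modified, removed) as sorted lists of relative paths."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and new[p] != old[p])
    return added, modified, removed


def _write(path, text):
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def demo():
    """Constructed scenario: a tiny site is baselined, then one page is
    replaced, one unexpected file appears and one include disappears."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "includes"))
        _write(os.path.join(root, "index.cfm"), "<cfoutput>Hello</cfoutput>")
        _write(os.path.join(root, "includes", "header.cfm"), "<html><head></head>")
        baseline_path = os.path.join(store, "baseline.json")  # kept outside the web root
        save_baseline(build_baseline(root), baseline_path)

        _write(os.path.join(root, "index.cfm"), "<title>0wned !</title>")   # replaced page
        _write(os.path.join(root, "index.htm"), "<title>0wned !</title>")   # new default document
        os.remove(os.path.join(root, "includes", "header.cfm"))             # removed include
        return diff_baseline(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:   ", added)
    print("modified:", modified)
    print("removed: ", removed)
```

Take the baseline from a clean deployment and store it outside the web root, where a web-facing compromise cannot rewrite it. A baseline taken after an incident only reveals what changes from that point on, so it helps with the "prevent this from happening again" part of the question, not with locating the original defacement.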
Related
Trying to learn IIS farming on Server 2016 (IIS 10). I'm able to configure the farm setup, but my ARR only gets hits from the second server all the time.
Here are my configuration details:
Main Server:
Windows Server 2016 Standard - 192.168.2.15 - IIS 10 - the website name is servistest; it only contains one page, index.asp:
<!DOCTYPE html>
<head>
<meta name="description" content="Webpage description goes here" />
<title>Web Server 001</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="author" content="">
</head>
<body>
<%
' String concatenation in VBScript uses &; the named constant replaces an undefined "format" variable.
Response.Write "<font color='red' size='35px'><b><center>" & FormatDateTime(Date, vbGeneralDate) & " " & FormatDateTime(Time, vbGeneralDate) & "<br>WEBSERVER 001</center></b></font>"
%>
</body>
</html>
Second Server:
Windows Server 2016 Standard - 192.168.2.16 - IIS 10 - the website name is servistest; it contains the same ASP page as index.asp:
<!DOCTYPE html>
<head>
<meta name="description" content="Webpage description goes here" />
<title>Web Server 002</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="author" content="">
</head>
<body>
<%
' String concatenation in VBScript uses &; the named constant replaces an undefined "format" variable.
Response.Write "<font color='BLUE' size='35px'><b><center>" & FormatDateTime(Date, vbGeneralDate) & " " & FormatDateTime(Time, vbGeneralDate) & "<br>WEBSERVER 002</center></b></font>"
%>
</body>
</html>
Third Server:
Windows Server 2016 Standard - 192.168.2.17 - IIS 10 - the website name is servistest; it contains the same ASP page as index.asp:
<!DOCTYPE html>
<head>
<meta name="description" content="Webpage description goes here" />
<title>Web Server 003</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="author" content="">
</head>
<body>
<%
' String concatenation in VBScript uses &; the named constant replaces an undefined "format" variable.
Response.Write "<font color='GREEN' size='35px'><b><center>" & FormatDateTime(Date, vbGeneralDate) & " " & FormatDateTime(Time, vbGeneralDate) & "<br>WEBSERVER 003</center></b></font>"
%>
</body>
</html>
Here are the main server settings:
After these settings, when I call 192.168.2.15 it hits 192.168.2.16/index.asp and shows this page.
I refreshed the page with Shift+F5 multiple times and cleared the browser's and the server's cache; no matter what I do it only shows the page on Web Server 002/192.168.2.16 and never hits the main server/192.168.2.15 or the third server/192.168.2.17.
In almost all how-to documents on the web they use domains instead of LAN IP addresses; is that what I am doing wrong? I'm working on a local network; is that why I should edit the hosts files of the servers and clients to work with domains? Does ARR require at least 3 servers (main server for farm configuration + 2 servers for balancing) to work properly?
We get an error when running an application with a custom UI for Sign-In/Sign-Up for Azure AD B2C:
Error Details:
[[
We're having trouble signing you in.
"OpenIdConnectMessage.Error was not null, indicating an error. Error: 'server_error'. Error_Description (may be empty): 'AADB2C90047: The resource 'https://checkmypaystorageadb2c.blob.core.windows.net/root/unified.html' contains script errors preventing it from being loaded. Correlation ID: 94ef88b7-1df4-49e4-baca-be932f0b77bc Timestamp: 2019-09-25 11:21:22Z '. Error_Uri (may be empty): ''."
]]
Custom UI:
1) Storage account details (screenshot)
2) CORS settings (screenshot)
3) Custom page URL set in the sign-up/sign-in policy (screenshot)
4) Error page (screenshot)
5) Test CORS result (screenshot)
6) unified.html
<!DOCTYPE html>
<html>
<head>
<title>Sign in</title>
<meta charset="utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css" rel="stylesheet" type="text/css" />
<link href="https://checkmypaystoragetest.blob.core.windows.net/customsignup/global.css" rel="stylesheet" type="text/css" />
<link rel="shortcut icon" type="image/png" href="https://checkmypaystoragetest.blob.core.windows.net/customsignup/favicon.png"/>
</head>
<body>
<div class="container unified_container">
<div class="row">
<div class="col-md-6 col-md-offset-3 col-sm-8 col-sm-offset-2">
<div class="panel panel-default">
<div class="panel-body">
<div class="image-center">
<img alt="Check My Pay" class="login-logo" src="https://checkmypaystoragetest.blob.core.windows.net/customsignup/logo.png" />
</div>
<h3 class="text-center">Sign in with your existing account</h3>
<div id="api" data-name="Unified">
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
The pictures are not clear, but it seems to be a CORS error. This is the link to the customization guide.
You need to add PUT as well to the allowed headers.
We got this when blocking javascript and/or cookies in the browser.
Two things to check here:
Try turning on "Enable JavaScript enforcing page layout" in your user flow under Properties.
Check the CORS setting where the custom UI pages are hosted. Allowed Origins should be set to https://yourb2ctenantname.b2clogin.com, and Allowed Methods should include GET and OPTIONS.
I developed an Outlook Web Add-in using Visual Studio 2017, and so far all my testing has been based on hosting the Add-in from localhost; I had no issues with that, everything worked fine. Now I have moved my Add-in to a shared folder on my SharePoint server so that others can test it.
Within my manifest file, I changed the line which defines the URL of my function file to point to where it is hosted:
<FunctionFile resid="FunctionFile.Url" />
I also added in a line under
<AppDomain>https://<My URL Domain></AppDomain>
The image of my add-in icon loads fine; however, when I click on my add-in icon from my OWA page, I get the following error:
SEC7120: [CORS] The origin 'https://' failed to allow a cross-origin document resource at 'ms-appx-web:///assets/errorpages/forbidframingedge.htm#https:///Functions/FunctionFile.html?et='.
Is there any way to allow my add-in to run? I'm currently doing my testing on the Edge Browser.
Thanks!
Update:
Here's my function file html code:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<title></title>
<script src="../Scripts/jquery-3.3.1.min.js" type="text/javascript">
</script>
<script src="../Scripts/Office/MicrosoftAjax.js" type="text/javascript">
</script>
<script src="../Scripts/Office/1/office.js" type="text/javascript">
</script>
<script src="FunctionFile.js" type="text/javascript"></script>
</head>
<body>
<!-- NOTE: The body is empty on purpose. Since this is invoked via a button, there is no UI to render. -->
</body>
</html>
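The SEC7120 message above names forbidframingedge.htm, the page Edge shows in place of a frame whose document was blocked from being framed, and the Office host loads a function file inside a frame. Whether a page may be framed is decided by its own response headers (X-Frame-Options, or the frame-ancestors directive of Content-Security-Policy), so the first thing to inspect is what the server hosting FunctionFile.html sends. The following is an added example, not code from the question, from Office.js or from SharePoint: an offline evaluator that takes a header set, the framed page's URL and the embedder's origin and says whether a browser would allow the frame. The header sets, the add-in URL and the embedder origins are constructed.

```python
"""Framing-policy check: given a page's response headers, decide whether a
given embedder origin may load it in a frame. Added example; header sets and
URLs below are constructed, not taken from any real deployment."""
from urllib.parse import urlsplit


def _origin(url):
    """Scheme plus host[:port], lower-cased, the way browsers compare origins."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _matches_source(source, embedder, page):
    """Match one CSP frame-ancestors source expression against the embedder.
    Handles 'none', 'self', scheme-only sources (https:), exact origins and
    leading-wildcard hosts (https://*.example.com)."""
    src = source.strip().strip("'").lower()
    emb = urlsplit(embedder)
    if src == "none":
        return False
    if src == "self":
        return _origin(embedder) == _origin(page)
    if src.endswith(":"):
        return emb.scheme == src[:-1]
    scheme, sep, hostport = src.partition("://")
    if not sep:
        scheme, hostport = "", src
    if scheme and scheme != emb.scheme:
        return False
    host, _, port = hostport.partition(":")
    default_port = 443 if emb.scheme == "https" else 80
    if port and port != str(emb.port or default_port):
        return False
    if host.startswith("*."):
        return (emb.hostname or "").endswith(host[1:])
    return emb.hostname == host


def may_be_framed(headers, page_url, embedder_url):
    """Return (allowed, reason). Browsers honour CSP frame-ancestors over
    X-Frame-Options when both are present, so it is checked first; default-src
    is deliberately not used as a fallback because the spec excludes it."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split() or ["'none'"]
            allowed = any(_matches_source(s, embedder_url, page_url) for s in sources)
            return allowed, "CSP frame-ancestors " + " ".join(sources)
    xfo_raw = h.get("x-frame-options", "").strip()
    xfo = xfo_raw.upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return _origin(page_url) == _origin(embedder_url), "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Legacy directive, not honoured by every browser; treat the stated
        # origin as the only permitted embedder.
        parts = xfo_raw.split(None, 1)
        target = _origin(parts[1]) if len(parts) > 1 else ""
        return _origin(embedder_url) == target, "X-Frame-Options: " + xfo_raw
    return True, "no framing restriction in headers"


# Constructed inputs: an assumed add-in host and an Outlook web host.
PAGE_URL = "https://sharepoint.example.invalid/Functions/FunctionFile.html"
OUTLOOK = "https://outlook.office.com"

SAMPLE_HEADERS = {
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp": {"Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://outlook.office.com https://*.outlook.com"},
    "open": {"Content-Type": "text/html"},
}


def check_all(embedder=OUTLOOK):
    """Evaluate every sample header set for one embedder origin."""
    return {name: may_be_framed(hdrs, PAGE_URL, embedder)[0] for name, hdrs in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_HEADERS.items():
        ok, why = may_be_framed(hdrs, PAGE_URL, OUTLOOK)
        print(f"{name:10} framed by {OUTLOOK}: {ok} ({why})")
```

The "sameorigin" row is the interesting one for this question: a SAMEORIGIN header is what many intranet servers send by default, and it passes on localhost testing only because the test page and the host happened to share an origin. The CSP row shows the narrower alternative to removing the header altogether: list the specific Office hosts in frame-ancestors rather than allowing any site to frame the function file.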
A web page hosted on a Node.js server in Azure cloud displays the page correctly (confirmed with the browser console), but the Azure web server console still creates/logs detailed error pages for various "missing" files (js, ico, css, ttf...).
Example error page in server console (from azure site log tail <site>):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS Detailed Error - 404.0 - Not Found</title>
...
<table border="0" cellpadding="0" cellspacing="0">
<tr class="alt"><th>Requested URL</th><td> http://servername:80/js/ripples.min.js</td></tr>
<tr><th>Physical Path</th><td> D:\home\site\wwwroot\js\ripples.min.js</td></tr>
<tr class="alt"><th>Logon Method</th><td> Anonymous</td></tr>
<tr><th>Logon User</th><td> Anonymous</td></tr>
</table>
...
How can I "fix" IIS not to raise/log these false positives?
I was able to solve this by disabling 'Detailed Error Messages' in the Azure website configuration:
I have a website (just for my own references, nothing interesting for the public.)
When I load my page (Test Page) inside IE9 and view the source of the page - I can see the HTML as expected.
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<title>Test Page</title>
</head>
<body>
<div id="body">
Simple test page, with an image. <br />
<img src="http://www.w3.org/2008/site/images/logo-w3c-mobile-lg" alt="WC3 logo" />
</div>
</body>
</html>
But when I look at the developer toolbar (by pressing F12) the HTML appears in a <frameset> tag.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Marrowbrook.com </title>
</head>
<frameset rows="100%,*" border="0">
<frame src="http://217.118.128.188/wotney//TestFiles/testpage.htm" frameborder="0" />
<frame frameborder="0" noresize />
</frameset>
<!-- pageok -->
<!-- 02 -->
<!-- ->
</html>
Using Chrome, if I right-click and View Source, I see the above <frameset> code, but I can also right-click and select View Frame Source, where I can see the HTML as expected.
Can anyone tell me why I'm seeing this?
Thanks.
This could happen because your host name was bought with one provider but you are hosting it on another, and you have a frame-based redirect set up.
What platform is your site hosted on? It looks like the server is doing something, because the src of the frame in the frameset points to your page. It could be some kind of 'preview mode' or something of the server/CMS. So it looks like the server is using a default page with a frameset on it that pulls your actual page into it after you deploy it.
It also happens when the domain you are using to get to the site is set as "Masked" Forwarding.
Check with the domain manager on your hosting and remove masked forwarding.
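The answers point at frame-based ("masked") forwarding: the browser receives a wrapper document from the forwarding service, and the real page is only the content of its frame. That is easy to confirm mechanically, and worth checking whenever a domain suddenly serves a document you did not publish. The following is an added example, not code from the thread or from any hosting provider: a parser that reports whether a fetched document is a frameset wrapper and which hosts its frames point at. The wrapper sample is the frameset source quoted in the question (minus the broken trailing comment); the direct sample and the expected host passed to the check are constructed assumptions.

```python
"""Detect a frameset wrapper of the kind produced by masked/frame forwarding.
Added example; the samples are the question's frameset (trimmed) and a
constructed direct page."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class FrameWrapperParser(HTMLParser):
    """Collect frameset presence, frame/iframe src values and the title."""

    def __init__(self):
        super().__init__()
        self.has_frameset = False
        self.frame_sources = []
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        # Self-closing <frame ... /> also arrives here via handle_startendtag.
        if tag == "frameset":
            self.has_frameset = True
        elif tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.frame_sources.append(src)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def analyze(html, expected_host=None):
    """Return a report: is the document a frame wrapper, what it is titled,
    where its frames point, and (optionally) whether the expected origin
    server is among the framed hosts."""
    parser = FrameWrapperParser()
    parser.feed(html)
    parser.close()
    hosts = sorted({urlsplit(s).hostname for s in parser.frame_sources if urlsplit(s).hostname})
    report = {
        "is_frame_wrapper": parser.has_frameset and bool(parser.frame_sources),
        "title": parser.title.strip(),
        "frame_sources": parser.frame_sources,
        "frame_hosts": hosts,
    }
    if expected_host is not None:
        report["frames_expected_host"] = expected_host in hosts
    return report


# Sample 1: the wrapper quoted in the question, trailing broken comment removed.
WRAPPER_SAMPLE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Marrowbrook.com </title>
</head>
<frameset rows="100%,*" border="0">
<frame src="http://217.118.128.188/wotney//TestFiles/testpage.htm" frameborder="0" />
<frame frameborder="0" noresize />
</frameset>
<!-- pageok -->
<!-- 02 -->
</html>
"""

# Sample 2 (constructed): a page served directly, no wrapper.
DIRECT_SAMPLE = """<!DOCTYPE html>
<html><head><title>Test Page</title></head>
<body><div id="body">Simple test page, with an image. <br />
<img src="http://www.w3.org/2008/site/images/logo-w3c-mobile-lg" alt="WC3 logo" /></div></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("wrapper", WRAPPER_SAMPLE), ("direct", DIRECT_SAMPLE)):
        print(label, analyze(sample, expected_host="217.118.128.188"))
```

When is_frame_wrapper is true and the only framed host is your origin server's IP, as in the question's sample, the wrapper is being produced in front of your server by whatever the domain forwards to, which matches the masked-forwarding diagnosis in the answers. The same check run periodically against your own domain also flags the case where a wrapper starts framing a host you do not own.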