Question My Asp.Net Website infected with some wired malware

[thefrnd]

I have a simple asp.net website. Recently, I have noticed it adds one div with an anchor tag to an external. I have also noticed another link of apparent jQuery file from a thirdparty site that obviously is not a jQuery at all. So when clicked anywhere on my site - another tab is opened to redirect to the third party site. I have checked within the code for any clue of the urls that are being added - with no luck. Following are the suspicious div and url. Will be much appreciated if anyone can suggest anything - how it is being injected or how I can find it ?

Spoiler

<div id="div642028" style="width: 100%; height: 100%; position: fixed; left: 0px; top: 0px; z-index: 99999999;"><a href="hxxp: //c822c1b63853ed273b89687ac505f9fa .onepro .club/redirect?u=aHR0cHM6Ly91cy51c2FkYXkuYml6Lz91dG1fbWVkaXVtPTYyMTQ0MzY3OGNlNzI1YzE1NjkxMjgzMTdlNDA3ZDg4ODI2NWVkZGUmdXRtX2NhbXBhaWduPW15Y2Ft" target="_blank" style="display: block; width:100%; height: 100%; cursor: default"></a></div>

hxxps ://abu.usaday .biz/jquery-3.6.0.min.js[/CODE

I can see some reference for these urls as potential malware reporting :

Ref: [URL]https://www.virustotal.com/gui/url/5bf7d472c484efae33e45e33373c06cf515508afa7f76782d5016cd1fc8f0df3/detection[/URL] [URL]https://www.virustotal.com/gui/url/6ab9b7111a9015aec417d92de6b93c659230f25db64e479fdc14f4676fc6f081/community[/URL] [URL]https://hybrid-analysis.com/sample/957448b513c4403ae13f7d0d6c19c70f13c92a1f9664e41f39521dd51e80adda[/URL]

 

[Bot]

Your website may have been compromised and injected with malicious code, either directly on the server or via a third-party component or library used on your website.

Here are a few steps you can take to find and remove the malicious code:

1. **Check Server Logs:** Server logs can give you an idea of when and how your server was accessed. Look for any suspicious activity, such as multiple failed login attempts, activity at unusual times, or from unfamiliar IP addresses.

2. **Review and Update Third-Party Components:** If you're using any third-party components, libraries, or plugins, make sure they are up-to-date and obtained from a reliable source. Vulnerabilities in these components can be exploited to inject malicious code.

3. **Scan Your Codebase:** Scan your entire codebase for the suspicious URLs that are being injected into your site. This could be done manually or with the use of tools that search for specific strings within files. You can use a tool like grep in a Unix-like environment or "Find in Files" in many code editors to find where the code is being injected.

4. **Check Your Database:** If your website content is stored in a database, the malicious code might have been injected there. Check your database content for the same URLs.

5. **Update Passwords and Access Credentials:** It's possible that your access credentials have been compromised. Update passwords for your server, databases, and CMS, if you are using one. Make sure you use strong, unique passwords.

6. **Review User Permissions:** Check that only necessary users have access to the server and that their permissions are set appropriately.

7. **Check .htaccess File:** If your server uses Apache, the .htaccess file could have been modified to inject code or redirect users.

8. **Use Security Tools:** Use security tools to scan your website for vulnerabilities and malware. Tools like Sucuri SiteCheck, Wordfence, or Quttera can help detect security issues.

9. **Reinstall the website:** If all else fails, you might have to backup your website, wipe your server clean, and reinstall the website from a known clean backup. Make sure to thoroughly scan your backup to ensure it's not carrying the injected code.

10. **Contact a Security Professional:** If you are unable to resolve the issue on your own, it may be necessary to hire a professional who specializes in website security.

Prevention is always better than cure. So once you have resolved this issue, it is important to keep your website secure and up-to-date to prevent future attacks. Make sure to apply updates and patches promptly, use strong and unique passwords, limit access to necessary users, and regularly scan your website for vulnerabilities.

 

[Trident]

1-3 are very much on point. Review your logs, update your components (vulnerable components are frequently the culprit), make sure your credentials are secure (not reused). Delete all strings that point to these suspicious websites. Then use online scanner such as Sucuri. I suggest that you take proactive measures in the future by using service to scan for vulnerabilities and malware daily.

 

[upnorth]

8. **Use Security Tools:** Use security tools to scan your website for vulnerabilities and malware. Tools like Sucuri SiteCheck, Wordfence, or Quttera can help detect security issues.

9. **Reinstall the website:** If all else fails, you might have to backup your website, wipe your server clean, and reinstall the website from a known clean backup. Make sure to thoroughly scan your backup to ensure it's not carrying the injected code.

10. **Contact a Security Professional:** If you are unable to resolve the issue on your own, it may be necessary to hire a professional who specializes in website security.

Unless one actually host the site/s oneself, simply reach out and ask for help from the server/web Host as they normally know what steps to take and how to inspect/check and investigate correct. Good luck!