Question My Asp.Net Website infected with some weird malware


Status
Not open for further replies.

thefrnd

New Member
Thread author
Jun 6, 2023
1
I have a simple asp.net website. Recently, I have noticed it adds one div with an anchor tag to an external. I have also noticed another link to an apparent jQuery file from a third-party site that obviously is not jQuery at all. So when clicked anywhere on my site - another tab is opened to redirect to the third-party site. I have checked within the code for any clue of the URLs that are being added - with no luck. Following are the suspicious div and URL. It will be much appreciated if anyone can suggest anything - how it is being injected or how I can find it?



HTML:
<div id="div642028" style="width: 100%; height: 100%; position: fixed; left: 0px; top: 0px; z-index: 99999999;"><a href="hxxp: //c822c1b63853ed273b89687ac505f9fa .onepro .club/redirect?u=aHR0cHM6Ly91cy51c2FkYXkuYml6Lz91dG1fbWVkaXVtPTYyMTQ0MzY3OGNlNzI1YzE1NjkxMjgzMTdlNDA3ZDg4ODI2NWVkZGUmdXRtX2NhbXBhaWduPW15Y2Ft" target="_blank" style="display: block; width:100%; height: 100%; cursor: default"></a></div>



JavaScript:
hxxps ://abu.usaday .biz/jquery-3.6.0.min.js

I can see some references for these URLs as potential malware reporting:

Ref:
https://www.virustotal.com/gui/url/5bf7d472c484efae33e45e33373c06cf515508afa7f76782d5016cd1fc8f0df3/detection
https://www.virustotal.com/gui/url/6ab9b7111a9015aec417d92de6b93c659230f25db64e479fdc14f4676fc6f081/community
https://hybrid-analysis.com/sample/957448b513c4403ae13f7d0d6c19c70f13c92a1f9664e41f39521dd51e80adda
 

Bot

AI-powered Bot
Apr 21, 2016
3,550
Your website may have been compromised and injected with malicious code, either directly on the server or via a third-party component or library used on your website.

Here are a few steps you can take to find and remove the malicious code:

1. **Check Server Logs:** Server logs can give you an idea of when and how your server was accessed. Look for any suspicious activity, such as multiple failed login attempts, activity at unusual times, or from unfamiliar IP addresses.

2. **Review and Update Third-Party Components:** If you're using any third-party components, libraries, or plugins, make sure they are up-to-date and obtained from a reliable source. Vulnerabilities in these components can be exploited to inject malicious code.

3. **Scan Your Codebase:** Scan your entire codebase for the suspicious URLs that are being injected into your site. This could be done manually or with the use of tools that search for specific strings within files. You can use a tool like grep in a Unix-like environment or "Find in Files" in many code editors to find where the code is being injected.

4. **Check Your Database:** If your website content is stored in a database, the malicious code might have been injected there. Check your database content for the same URLs.

5. **Update Passwords and Access Credentials:** It's possible that your access credentials have been compromised. Update passwords for your server, databases, and CMS, if you are using one. Make sure you use strong, unique passwords.

6. **Review User Permissions:** Check that only necessary users have access to the server and that their permissions are set appropriately.

7. **Check .htaccess File:** If your server uses Apache, the .htaccess file could have been modified to inject code or redirect users.

8. **Use Security Tools:** Use security tools to scan your website for vulnerabilities and malware. Tools like Sucuri SiteCheck, Wordfence, or Quttera can help detect security issues.

9. **Reinstall the website:** If all else fails, you might have to back up your website, wipe your server clean, and reinstall the website from a known clean backup. Make sure to thoroughly scan your backup to ensure it's not carrying the injected code.

10. **Contact a Security Professional:** If you are unable to resolve the issue on your own, it may be necessary to hire a professional who specializes in website security.

Prevention is always better than cure. So once you have resolved this issue, it is important to keep your website secure and up-to-date to prevent future attacks. Make sure to apply updates and patches promptly, use strong and unique passwords, limit access to necessary users, and regularly scan your website for vulnerabilities.
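
An added example, not part of any post in this thread: a sweep of the web root for the two domains posted above, as in step 3. It goes beyond a plain string search by also matching the base64 form of each domain at all three byte alignments, because the injected `redirect?u=` link carries its destination base64-encoded and a literal search for the domain would miss it. The function names and the `MAX_BYTES` size limit are assumptions made for the example.

```python
import base64
import os

# Domains posted in the thread; add any others seen in the injected markup.
INDICATORS = ["onepro.club", "usaday.biz"]
MAX_BYTES = 5 * 1024 * 1024  # assumption: skip larger files (media, archives)


def b64_variants(text):
    """Base64 fragments `text` yields at each of the 3 byte alignments."""
    out = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + text.encode()).decode()
        if enc.endswith("="):           # final char depends on the bytes that follow
            enc = enc.rstrip("=")[:-1]
        out.append(enc[(0, 2, 3)[pad]:])  # drop chars shaped by the pad bytes
    return out


def build_patterns(indicators=INDICATORS):
    """Map each search string to (indicator, kind)."""
    pats = {}
    for ind in indicators:
        pats[ind.lower()] = (ind, "plain")
        for frag in b64_variants(ind):
            pats[frag] = (ind, "base64")
    return pats


def scan_tree(root, indicators=INDICATORS):
    """Return sorted (relative path, line no, indicator, kind) hits under root."""
    pats = build_patterns(indicators)
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for n, line in enumerate(fh, 1):
                        for needle, (ind, kind) in pats.items():
                            hay = line.lower() if kind == "plain" else line
                            if needle in hay:
                                hits.add((os.path.relpath(path, root), n, ind, kind))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(hits)
```

An empty result covers only files readable as text on disk; the database check in step 4 still applies.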
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,756
1-3 are very much on point. Review your logs, update your components (vulnerable components are frequently the culprit), make sure your credentials are secure (not reused). Delete all strings that point to these suspicious websites. Then use an online scanner such as Sucuri. I suggest that you take proactive measures in the future by using a service to scan for vulnerabilities and malware daily.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
8. **Use Security Tools:** Use security tools to scan your website for vulnerabilities and malware. Tools like Sucuri SiteCheck, Wordfence, or Quttera can help detect security issues.

9. **Reinstall the website:** If all else fails, you might have to back up your website, wipe your server clean, and reinstall the website from a known clean backup. Make sure to thoroughly scan your backup to ensure it's not carrying the injected code.

10. **Contact a Security Professional:** If you are unable to resolve the issue on your own, it may be necessary to hire a professional who specializes in website security.
Unless one actually hosts the site/s oneself, simply reach out and ask for help from the server/web host, as they normally know what steps to take and how to inspect/check and investigate correctly. Good luck!
 