Web Dev Matters and Me

Analysis of recent injection attack

Just a few minutes ago, one of the websites I currently own was attacked. Since I was expecting this really soon (because the site has been gaining high traffic recently), I wonder how it was made possible.



For security reasons, I won't be posting the screen cap of the site from when I checked it. But when I tried to load the page, I first saw the ASP headers that should be kept visible. This provoked me to log in to my CP account and check my settings. I confirmed that they are still kept invisible. I returned to my site, and now it has an IFRAME pointing to another site, and below the ASP headers, showing the connection state, ASP version. There is not much information disclosed, so whoever it is, I'm still sure the attack wasn't successful.

So, one by one, I tried to look for the possibilities that are available to the attacker. I know where my inputs are and I'm sure they are properly filtered. Just to confirm, I checked the databases where the appropriate contents are located, but I couldn't find any text that would lead to the *seemingly* injected string. I tried to look through the files, and yet it was nowhere to be seen.

And all of a sudden, while I was checking my files, an FTP login prompted me to enter user credentials, which I ignored. (Haha, I know what you're thinking.)

Checked Twitter; it only streamed garbled text...

So, I tried to fetch the page as Googlebot, and I saw no header or iframe..

Which leaves me down to 2 from pointless reasons why it was possible.


1. It was injected from my web server (probably done by staff, or the web server was hacked)
2. From my ISP, which prepends text to every request that I make to Twitter and my site.


Now, each time I check it, it appears to be normal again. I'll ask my web hosting representative prior to this, just for clarification. Depending on the answer I will receive, I might consider migration of all the sites I control to a different one, or maybe consider using PHP for most of my sites.
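The comparison described above (the page as the browser showed it against the clean copy fetched as Googlebot) can be made repeatable. This is an added example, not code from the original post; it goes slightly beyond the post by diffing any two saved copies, and the host names and sample bodies are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # Record the src of every <iframe>, including self-closing ones.
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")

def iframe_sources(body):
    parser = IframeCollector()
    parser.feed(body)
    parser.close()
    return parser.sources

def prepended_text(body):
    """Return anything that appears before the document start."""
    lower = body.lower()
    starts = [i for i in (lower.find("<!doctype"), lower.find("<html")) if i >= 0]
    return body[:min(starts)].strip() if starts else ""

def compare_views(suspect, reference, own_hosts):
    """List what the suspect copy contains that the reference copy does not."""
    known = set(iframe_sources(reference))
    extra = [s for s in iframe_sources(suspect) if s not in known]
    # Relative URLs have no hostname and stay on the site itself.
    foreign = [s for s in extra
               if urlparse(s).hostname and urlparse(s).hostname not in own_hosts]
    lead = prepended_text(suspect)
    return {"extra_iframes": extra, "foreign_iframes": foreign,
            "prepended_text": lead if lead != prepended_text(reference) else ""}

# Constructed sample bodies (hypothetical hosts, not captures from the incident).
REFERENCE = "<!DOCTYPE html><html><body><h1>My site</h1></body></html>"
SUSPECT = (
    "HTTP/1.1 200 OK\r\nConnection: close\r\nX-Powered-By: ASP.NET\r\n\r\n"
    "<!DOCTYPE html><html><body><h1>My site</h1>"
    '<iframe src="http://injected.example/x" width="0" height="0"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    print(compare_views(SUSPECT, REFERENCE, {"mysite.example"}))
```

Saving the suspect copy again over a second network or over HTTPS and re-running the comparison helps separate the two explanations listed above.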

1 comment:

It was done by your ISP. Don't use ISP bonanza, they own that and the Chinese website is their connivance
