I’ve been hacked. Evil aspx file uploaded called AspxSpy. They’re still trying. Help me trap them‼

I’m also putting up the contents of the .aspx file that was uploaded. When I try to access it, I get prompted for a password. Looking at the code, there’s a hardcoded password, but it looks like some MD5 encryption is going on and I can’t get in to look at what is behind the password protection on this hacker’s page. Can someone help with getting past the password protection?

Their file was called wjose.aspx and I’ve pasted the code into jsbin for easy viewing: http://jsbin.com/uhoye3/edit#html

I’ve already got a server/host based version of the question on serverfault.com asking for steps to prevent this in the future: https://serverfault.com/questions/206396/attempted-hack-on-vps-how-to-protect-in-future-what-were-they-trying-to-do

Answers:


Method 1

If you are running ASP.NET, and only ASP.NET, as you tagged, then you only need to add this web.config to the root of the directory where your users upload files. With that web.config you do not allow anyone to run aspx pages in this directory tree.

The web.config in the protected directory must contain only:

<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

With this web.config your program can still read and write images and other files in this directory, but cannot run aspx and the other ASP.NET executable extensions.

Check the file extension upload

Of course you must check for all the known executable file extensions on upload and on rename, including but not limited to .exe .php .aspx .com .asp .ashx
This is, I believe, the first thing one must do, but to be sure that no other way is found to run something unknown there is the web.config, and that is limited to .NET only.

For the password you ask

Just comment out/remove all these lines on http://jsbin.com/uhoye3/edit#html and you will see it running, because at this point it checks the password and returns false if it fails. If you let it continue, you cancel the password part.

if (Request.Cookies[vbhLn].Value != Password)
{
    tZSx();
    return false;
}
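The answer above lists the extensions to block but shows no code for the check itself. The following is an added example, not code from the original answer or from the asker's application: an allow-list check for uploaded (or renamed) file names in C#, which is the language an ASP.NET upload handler would be written in. The allow-list contents, the class name and the method names are assumptions for illustration; the point is that the check accepts only a short list of harmless extensions, rejects names that could carry a second extension (shell.aspx.jpg, shell.aspx;.jpg, trailing dots or spaces, NTFS stream suffixes), and never writes the client-supplied name to disk. It complements the web.config deny rule rather than replacing it.

```csharp
using System;
using System.IO;
using System.Linq;

// Added example (not from the original answer): allow-list check for
// uploaded file names. Accept a few known-harmless extensions instead of
// trying to enumerate every dangerous one, and reject names that IIS or
// NTFS may interpret differently from a naive "last extension" check.
public static class UploadNameCheck
{
    // Hypothetical allow-list; narrow it to what the application needs.
    private static readonly string[] AllowedExtensions =
        { ".jpg", ".jpeg", ".png", ".gif", ".pdf" };

    public static bool IsAllowed(string originalName)
    {
        if (string.IsNullOrWhiteSpace(originalName)) return false;

        // Drop any directory part the client may have sent (../, C:\ etc.).
        string name = Path.GetFileName(originalName);
        if (name.Length == 0) return false;

        // Exactly one dot: blocks shell.aspx.jpg and a bare extensionless name.
        if (name.Count(c => c == '.') != 1) return false;

        // ';' has been parsed ambiguously by older IIS versions,
        // ':' introduces an NTFS alternate data stream, '\0' truncates.
        if (name.IndexOfAny(new[] { ';', ':', '\0' }) >= 0) return false;

        // Trailing dot or space is silently stripped by the file system,
        // so "shell.aspx ." would be stored as shell.aspx.
        if (name.EndsWith(".") || name.EndsWith(" ")) return false;

        string ext = Path.GetExtension(name).ToLowerInvariant();
        return AllowedExtensions.Contains(ext);
    }

    // Store under a server-generated name so the client-supplied name
    // never reaches the file system; only the validated extension is kept.
    public static string SafeStoredName(string originalName)
    {
        if (!IsAllowed(originalName))
            throw new ArgumentException("upload rejected: " + originalName);
        return Guid.NewGuid().ToString("N")
             + Path.GetExtension(originalName).ToLowerInvariant();
    }
}

// Usage from an upload handler, e.g. in a Page_Load or an IHttpHandler:
//   HttpPostedFile f = Request.Files[0];
//   string stored = UploadNameCheck.SafeStoredName(f.FileName);
//   f.SaveAs(Path.Combine(Server.MapPath("~/uploads"), stored));
// Apply the same IsAllowed() check to the target name of any rename operation.
```

With these rules, wjose.aspx, shell.aspx.jpg, shell.aspx;.jpg and photo.jpg::$DATA are all rejected, while photo.JPG is accepted and stored as a random name with the extension normalized to .jpg.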

Method 2

This is a bit late, but I have been able to successfully block ASPXSpy from running on my Windows 2003 farm; it also works on 2008 and 2012 as long as you have UrlScan installed…

http://www.larmib.com/2013/how-to-block-hackers-who-upload-aspxspy/


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
