back to article Mass ASP.NET attack causes websites to turn on visitors

An infection that causes poorly configured websites to silently bombard visitors with malware attacks has hit almost 614,000 webpages, Google searches show. The mass infection, which redirects users to a site exploiting old versions of Oracle's Java, Adobe's Flash player and various browsers, was first disclosed by researchers …


This topic is closed for new posts.
  1. Will 28

    Very poor reporting

    From evidence given, nothing to do with ASP.NET. By the sound of it, it's about crap programmers from any database back end. Can you just clarify the ASP.NET vuln?

    1. Franklin

      The site that this article links to gives a bit more information, but not a lot.

      This attack is something that I've seen recently, and it is in fact targeting ASP, but not just ASP. Similar attacks are being conducted against sites using PHP as well.

      An overview of how it works:

      - Hackers gain entrance to a site, via SQL injection or by some other means. (This may, I believe, involve gaining access to a site on a badly configured shared hosting server and then attacking other sites on that same server.)

      - The hackers inject a heavily obfuscated piece of ASP code into .asp files or PHP code into .php files. The injected code is written in such a way that it's very difficult to read.

      - When the ASP or PHP code is executed, the malicious routines which have been injected in the code modify the HTML output produced by the code to place a link to a hostile JavaScript on another server.

      - This hostile JavaScript is also heavily obfuscated and difficult to read. It opens an invisible iFrame which redirects the user through a series of intermediates to a site which tries a number of different browser exploits to place a drive-by malware executable on the visitor's computer. If this is successful, the newly infected computer phones home to a command and control server.

      I first became aware of this attack against ASP and PHP sites while I was investigating a different, unrelated (I believe) attack against WordPress sites that also involves injecting obfuscated PHP code into a compromised Wordpress site. I've written about that attack at

      One of the commenters on that blog post mentioned that he had a Web site not using WordPress that was being attacked by the injection of obfuscated PHP code. I took a look to see if it was the same attack. It wasn't...but it was an attack that matches in almost all important regards to this ASP attack.

      So I don't think it's really 100% correct to characterize this as an attack on ASP or ASP.NET sites. Rather, what's happening is that sites running vulnerable ASP, ASPX, or PHP code are being exploited; the hackers have written code in both PHP and ASP which, when executed, inserts a call to the malicious JavaScript in the script's output. he similarity of the code and the JavaScript attack at least suggests the possibility that the same people are attacking both ASP and PHP sites.

    2. tantiboh


      I'm an ASP.NET programmer, so I was very interested to see what the author was trying to tell me was wrong with my sites.

      Come to find out, the "attack" on ASP.NET is SQL injection - a vulnerability even a rookie programmer knows how to avoid, and to which any web platform is vulnerable if its application is poorly designed.

      Reporting FAIL. Thanks for the time waste, Reg!

  2. TheItCat

    What an utterly terrible article

    How are these websites being compromised?

    You say it's SQL injection then go on to say that ASP.Net sites are being targetted - which is it? (Hint: ASP.Net sites can quite happily run without databases)

    This article gives me no information to be able to tell whether my servers are vulnerable to attack or not. Pathetic.

    1. Rick Giles

      If they a Microsoft servers

      They are always vulnerable.

      1. tantiboh
        Thumb Down

        Ignorance on parade

        That is all.

  3. Anon

    SQL Injection?

    Perhaps there are some people who shouldn't be allowed near code editors ever again, all the way down to ed and Notepad, if they don't code to prevent SQL injection attacks.

    So, when's the next XSS exploit due?

  4. Old n Cynical


    "Mass ASP.NET attack causes websites to turn on visitors"? Whatever. It's clearly a SQL injection attack. The fact that it may be more prevalent on Windows Servers does not make it 'ASP.NET attack'. Poor title, probably for bait.

    Any developer, on any platform, that does not explicitly distrust all incoming data and subsequently sanatise it, should not be a bloody developer. I am amazed just how many sites and prop/open-source solutions (on both MS/Linux) I have seen are susceptible to SQL injection. There's a lot of poor developers out there, on all platforms.

    As with all SQL injection attacks, the problem is the developer - simples.

  5. Dave White


    This article contains absolutely zero information, and a whole lot of padding. Where's the information on the exploit? There's a link to the page, but no discussion about the exploit itself. There's a rather hysterical proclamation about ASP.Net, and then the linked page shows a piece of malicious JavaScript. Reporting standards seem to have taken a dive at El Reg Towers with this one.

    WTF? because WTF?

  6. kain preacher

    Crap all around

    Crappy web sites. But you make it sound like it's an issue with ASP sites. When in reality it's an issue with configuration. Outed software with holes in it . Finished of with a lousy reporting . In summation this requires a clueless web site designer and a clueless user for this attack to work. Nothing to do with

  7. Anonymous Coward
    Anonymous Coward

    very poor

    Expect better from an IT site like the reg.

    "The infection injects code into websites operated by restaurants, hospitals, and other small businesses"

    So that suggests a particular app these places might use is vulnerable, which may or may not be an ASP.NET app. But the headline looks like standard MS bashing fair and suggests the attack is against ASP.NET itself.

    Credit to the reg readers that so far there haven't been any tedious derogatory comments about MS (spelled with the dollar site, naturally) urging man and dog to adopt open source O/Ss to avoid such issues.

  8. Tatsky

    ';drop table users

    So if I understand this correctly, this is essentially the exploiter pasting some javascript code into an input control which saves that text in the DB (so something like a comments section, contact form, customer testimonial etc) and then when that info is rendered into a page, the script is also rendered and run.

    So as others have pointed out, this affects any website which takes info, stores in a DB, and then displays back to users. Well, any website that doesn't sanitise the input data.

    Are there really still developers out there who don't sanitise the input and parameterise their queries?

    1. John Smith 19 Gold badge


      "So as others have pointed out, this affects any website which takes info, stores in a DB, and then displays back to users. Well, any website that doesn't sanitise the input data."

      At last count the "designers" of about 614 000 of them.

      But I'll make a small bet this will rise *lots* higher.

    2. Anonymous Coward
      Anonymous Coward

      That's odd. Suddenly I'm an anonymous coward......

  9. eulampios

    Microsoft is the culprit anyways

    It is not the server side vulnerability that makes this interesting, but the ubiquitous client side Microsoft Windows virus friendly OS. Long live the Microshit!

    1. Old n Cynical

      Dear flamebait...

      Shall I call 'the men in white coats' or would you prefer to do that for yourself ;)

    2. kain preacher

      Really cause. it relies on out dated Java or adobe products. How is that MS fault ?

      1. Anonymous Coward
        Anonymous Coward


        "Really cause. it relies on out dated Java or adobe products. How is that MS fault ?"

        ...because it only affects sites using ASP.NET!

        1. Anonymous Coward
          Anonymous Coward

          I see, so by your logic, current and past SQL injection vunerabilities in phpCMS, Codice CMS, Voxpopulime CMS, BloofoxCMS, WordPress, Joomla and Drupal (to name but a tiny, tiny fraction) would the be fault of say Linux and/or Microsoft (or any other OS capable of running PHP)?

          I take it your are not a developer?

        2. kain preacher

          did you read

          Because it said that you had to badly configure the site. The fact that same can't code is not MS fault. It's the same as having the spare key under the front door mat. It's not the fault of the lock maker.

          1. eulampios

            once again

            Did you read mine? I said that on GNU/Linux I do not care about these web browsers' dangers resulting from whichever fault (bad SQL/PHP/.NET/JAVA)

            t is only the MS Windows users' worry. Now are you getting it?

    3. Microphage

      re: Microsoft is the culprit anyway

      I can't refute what you say, so I'll mod you down instead :)

  10. stephajn

    Pull the article or rename the title

    I agree with the other comments here. I'm an ASP.NET developer and this article in the end becomes a piece of false advertising by its title. It's almost as bad as saying the sky has mysteriously and dangerously turned grey on a cloudy day. Makes me wonder if the reporter just needed more readership and so threw in that title or if it's an article just meant to slam ASP.NET in general.

    The bull horn because it's just a bunch of unwelcome noise rather than being informative

  11. markl66

    yes it is to do with ASP/ASP.NET

    if you read the blog entry and look at the link to google search results, you will see it IS targetting ASP/ASP.NET websites. Whether the attack would work against PHP sites is not the point, the google results clearly show .aspx pages being returned, so yes they are affecting ASP.NET sites. OK they may be poorly codes, and they may not be:

    As a PHP developer and an ASP.NET developer, I can say it is not always the case that developers are at fault, sometimes the framework code in .NET does not do what it should, as in the past I have had to code my own routines. Not saying that's whats going on here.

    1. Will 28

      Actually I would suspect it is more likely IIS

      The nature of the attack doesn't appear to use anything specific to ASP or ASP.NET. So my unfounded guess as to why there's such a high proportion of sites that are ASP.NET (yet not all of them) is that the automated script that is run once the server is comprimised is targetting IIS. This makes some sense to me, as IIS is easily locatable, and easily interrogated and manipulated by a script (by design, not by mistake). This would make it an easy target for someone wanting to do a mass automated attack. I'm sure they could have targetted other web servers, but I guess they haven't.

      1. Sentient

        suspect unfounded

        Attacking IIS is something different than a SQL injection attack.

        1. Will 28

          No Sentient, you misunderstand

          Not 'attacking IIS', I'm saying that once the system has been comprimised by the SQL injection attack, I suspect it is then using the fact you can easily find IIS and configure it (now that it has permissions) by writing an automated script to do it. Thus the websites that are seen as comprimised are ASP.NET, because most websites running on IIS are ASP.NET. I'm not suggesting an IIS vulnerability.

  12. herry

    WTF with the title?

  13. John Smith 19 Gold badge

    Looks like it works because of a basic misunderstanding.

    Store information.

    Hold in DB.

    Output information back to user.

    The implication is that this happens with text controls which deal with *passive* text.

    But the DB executes code *regardless* of what kind of control it originates from.

    The attackers know this. The "legitimate" developers do not seem to.

    Now how many times had this been done *already*?

  14. Captain Black

    Mass ColdFusion attack causes websites to turn on visitors

    This is a complete joke. Nothing here to suggest this has anything to do with ASP.NET, IIS, Microsoft, or anything else specific to a particular brand. There are almost as many ColdFusion pages in the linked Google results.

    It's an exploit that all dynamic data driven sites try to program against.the only newsworthy bit of this article is the information about what happens to the users after they're redirected off to malicious sites.

  15. NHS IT guy

    Next to useless article

    This is a pretty major development, especially for those of us working with ASP.NET directly, or supporting users of ASP.NET systems - and I'm the latter, working in one of the UK's largest hospitals.

    What you've written is a fairly lengthy article saying not very much. Useful things to include in your blathering might have been:

    - What actions developers should be taking

    - What actions server side support teams should be taking

    - What actions desktop support/end users should be taking

  16. Anonymous Coward
    Anonymous Coward

    WTF is going on at El Reg these days?!

    This article is symptomatic of the junk that's now being regularly churned out.

    You seem to think that launching a paper aeroplane once a year is enough to keep the geeks happy, and the advertising revenues rolling in.

    FFS sort yourselves out or you risk losing your readers.

  17. Just Thinking

    websites operated by restaurants, hospitals, and other small businesses

    Yep, whenever I think of small businesses, hospitals are one of the obvious examples.

  18. Anonymous Coward


    Again, to echo what everyone else has said: this article doesn't help in the slightest.

    Are there any examples of how this is an ASP.Net exploit? As it stands, it appears a number of web techs, including ASP.Net, have been struck by this issue - and as others have commented, it is likely to be some kind of SQL injection, which a well-coded .Net app should be protected against. So unless there is an issue with .Net's SQL Parameters, or some other part of the .Net db technologies, I fail to see how this is a "MASS ASP.NET ATTACK".

  19. Anonymous Coward
    Anonymous Coward

    Can we have a system with user input escaped by default

    so if you're going to open up an injection vuln you have to do it deliberately?

This topic is closed for new posts.

Other stories you might like