I'm also putting up the contents of the .aspx file that was uploaded. When I try to access it, I get prompted for a password; looking at the code, there's a hardcoded passw
This is a bit late, but I have been able to successfully block ASPXSpy from running on my Windows 2003 farm, it also works on 2008, and 2012 as long as you have UrlScan installed...
http://www.larmib.com/2013/how-to-block-hackers-who-upload-aspxspy/
If you are running ASP.NET, and only that, as you tagged, then you only need to add this web.config in the root directory where your users upload files. With that web.config you do not allow anyone to run aspx pages in this directory tree.
The web.config in the protected directory must contain only:
    <configuration>
      <system.web>
        <authorization>
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>
With this web.config your program can still read and write images and other files in this directory, but cannot run aspx and other executable ASP.NET extensions.
Of course you must check for all the known executable file extensions on upload and on rename, including but not limited to .exe .php .aspx .com .asp .ashx. This is, I believe, the first thing that one must do, but to be sure that nobody finds any other way to run something unknown, there is the web.config and the limit to .NET only.
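An added example, not part of the answer above: a Python sketch of the extension check the answer calls for on upload and on rename. The function names, the `web.config` rule and the sample names are assumptions made here; the blocked extensions are the ones the answer lists, and the same logic ports to an ASP.NET upload handler.

```python
# Extensions named in the answer; the answer itself says the list is not exhaustive.
BLOCKED_EXTENSIONS = {".exe", ".php", ".aspx", ".com", ".asp", ".ashx"}
# Assumption added here: the web.config carrying the deny rule must not be
# replaceable through the upload or rename path.
PROTECTED_NAMES = {"web.config"}


def normalize(name: str) -> str:
    """Reduce a client-supplied name to the form Windows would store on disk."""
    # Keep only the last path component, whichever separator the client used.
    base = name.replace("/", "\\").rsplit("\\", 1)[-1]
    # Windows drops trailing dots and spaces when it creates the file,
    # so compare the name as it will actually exist.
    return base.rstrip(". ").lower()


def is_allowed(name: str) -> bool:
    """Return True if `name` may be used as an upload or rename target."""
    base = normalize(name)
    if not base or ":" in base:
        return False  # empty after normalization, or NTFS stream syntax
    if base in PROTECTED_NAMES:
        return False
    # Conservative: test every dot-separated segment, not only the last one.
    segments = base.split(".")[1:]
    return not any("." + seg.strip() in BLOCKED_EXTENSIONS for seg in segments)


def filter_names(names):
    """Split candidate names into (accepted, rejected) lists."""
    accepted = [n for n in names if is_allowed(n)]
    rejected = [n for n in names if not is_allowed(n)]
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample names, not taken from the page.
    samples = ["photo.jpg", "report.final.pdf", "page.ASPX", "page.aspx.",
               "page.aspx.jpg", "page.aspx::$DATA", "web.config", "..\\x.ashx"]
    ok, bad = filter_names(samples)
    print("accepted:", ok)
    print("rejected:", bad)
```

Run the same `is_allowed` call on the new name of every rename as well as on every upload, so a file accepted under one name cannot later gain a blocked extension.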
Just comment out/remove all these lines on http://jsbin.com/uhoye3/edit#html and you will see it running, because at this point it checks the password and returns false if it fails. If you let it continue, you cancel the password part.
    if (Request.Cookies[vbhLn].Value != Password)
    {
        tZSx();
        return false;
    }