
Google reports server hacked


Hi,

I have a site that was written about 7 years ago in ASP.NET 2 which was recently the target of a compromise where the hackers dumped lots of HTML files on the site. After spending some time looking at it, I found that the file manager in the FCK editor was not secure and have subsequently removed it along with all the files that were loaded onto the server.

We first became aware of the issue when we received a Google report that the server was hacked about six weeks ago.  Since we closed the loophole and removed the files there has been no further compromise that we are aware of.  

Then last week we received another report from Google that the server was hacked and it gave a URI similar to the following:

http://somedomain.com?search.asp?some_very_long_html_filename.html -names changed to protect the innocent!

Now, here's what has really confused me: if you click the link, it does actually take one to the URI indicated and displays a spam HTML file on my domain. However, there is no file called search.asp in the directory structure of the site and the HTML file is not there either!!!

Additionally, if I go to the URI and omit the query string it brings up the search.asp file, which is totally blank and there is no source code though it does open an empty box which indicates to me that the file is there.  

I have checked the web config and cannot find anything out of the ordinary.  

Can someone please tell me what is going on or at least tell me where else I should be looking?  

Thanks

Terry.

