|
Try locking access, just flag up if it is currently being accessed and stop further access to it.
------------------------------------
I will never again mention that I was the poster of the One Millionth Lounge Post, nor that it was complete drivel. Dalek Dave
|
Hi and happy new year to westerners.
I have a website based on ASP.NET 2 with SQL Server 2000 as storage. I use FTP for updating the website. The site has an administrators' part for content management. The site has been hacked twice in the last month. Records of some of the tables get deleted. These tables are germane to public web pages, not the secured parts of the site. Besides that, some photos get deleted from the website directories. When the site was first hacked I scrutinized the directories and found some ASP.NET pages with the "aspx" extension placed in some directories. I downloaded those files and checked them out. With a cursory look I ascertained that they are programs that analyse the security of sites and facilitate hacking.
After the first attack I encrypted my SQL Server 2000 database user password and placed it in the web.config file, but the second attack happened. The site is protected from SQL injection attacks.
The shell files were deleted from the website after the first attack.
Some questions arise here:
1. How were those files placed in the website directories by someone?
2. Is there any way to avoid such unwanted uploads to the website?
3. How is it possible for a hacker to access the database when I have encrypted the password in web.config and the site is protected from SQL injection attacks?
Any solution is highly appreciated.
|
Well, my first thought was that you need to check your DB layer for SQL injection attacks. You mentioned that your site is protected, so double-check that, because maybe you only check for some SQL injection techniques, but there are many ways to do it.
Also check your credentials for uploading those files to the server, and maybe you should change them.
luisnike19
|
There isn't a one size fits all answer for this (hence the subject line). I'm a little rusty at the security side of things, but the following might be a start:
- Did you change your password when you encrypted it: if not the hacker could still be using your original password.
- You should consider locking down your FTP setup, so that you arrange to have FTP open only when you are uploading. This is most likely how they got in. You could also change your firewall so it only accepts incoming FTP requests from internal/known IPs.
- The presence of files on your site indicates that whoever has hacked you *might* have some level of user access to your machine (FTP is more likely, but there are tools to bootstrap yourself an account using known vulnerabilities): check for new users (especially with administrative rights) and strap your server down.
- If the hacker has their own login account, they might no longer need the password; their Kerberos identity could be enough if authentication is in mixed mode. Check the SQL logs to see who has been in on your system, and again strap down who can log in to your SQL server, but they sound clever enough to cover their own tracks. If your SQL server isn't on a different machine, move it. Only allow specific Windows accounts to log in (say the DB admin's and yours), or none at all (SQL only mode).
- Put some code security in place so that only code signed by yourselves can be actually executed.
- Change your SQL password again: they may already have a new one.
Securing a website isn't easy: there are several vulnerabilities (tools to get admin access, social engineering, etc.) and any of them is a potential route in. If you can't do it yourself, you should consider getting someone in who can. It is a skilled job, but before doing this you need to assess what level of risk is acceptable and how much you are willing to pay to secure your site.
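One way to notice the tampering described in this thread (unexpected `.aspx` pages appearing in site directories, photos disappearing) is to compare the live web root against a hash manifest taken from a known-good copy. This is an added example, not code from any poster; the function names and the constructed sample site are assumptions.

```python
import hashlib
import os
import tempfile

# Extensions ASP.NET/IIS will execute; an unexpected one deserves a close look.
EXECUTABLE_EXT = {".aspx", ".ashx", ".asmx", ".asp"}

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest

def audit(known_good, root):
    """Compare the live tree under root with a known-good manifest."""
    live = build_manifest(root)
    added = sorted(set(live) - set(known_good))
    return {
        "added": added,
        "removed": sorted(set(known_good) - set(live)),
        "modified": sorted(p for p in live
                           if p in known_good and live[p] != known_good[p]),
        "added_executable": [p for p in added
                             if os.path.splitext(p)[1].lower() in EXECUTABLE_EXT],
    }

def demo():
    """Constructed sample site: baseline it, tamper with it, audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "photos"))
        for rel, body in {"Default.aspx": b"<%@ Page %>", "web.config": b"<configuration/>",
                          "photos/a.jpg": b"jpeg-a", "photos/b.jpg": b"jpeg-b"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        baseline = build_manifest(root)
        # Simulated tampering: a dropped page, a deleted photo, an edited config.
        with open(os.path.join(root, "photos", "up.aspx"), "wb") as fh:
            fh.write(b"unexpected page")
        os.remove(os.path.join(root, "photos", "b.jpg"))
        with open(os.path.join(root, "web.config"), "ab") as fh:
            fh.write(b"<!-- changed -->")
        return audit(baseline, root)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the manifest off the web server, since anyone able to write to the site could rewrite a manifest stored beside it.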
|
You might want to engage the services of a penetration tester (a white hat hacker) to identify the weaknesses in your site. Also, analyse your logs for details, and if I were you, I'd get in touch with the police; I assume that hacking is a crime in the country you live in.
|
Guys, I've just created an auto post-back user control. This control used to work really well, but suddenly it threw an exception on post-back saying:
Message: Sys.ArgumentNullException: Value cannot be null.
Parameter name: postBackElement
This exception was thrown in the auto-generated function:
Sys.WebForms.BeginRequestEventArgs = function Sys$WebForms$BeginRequestEventArgs(request, postBackElement) {
var e = Function._validateParams(arguments, [
{name: "request", type: Sys.Net.WebRequest},
{name: "postBackElement", domElement: true}
]);
if (e) throw e;
Sys.WebForms.BeginRequestEventArgs.initializeBase(this);
this._request = request;
this._postBackElement = postBackElement;
}
Please help me.
I used
onchange="__doPostBack('ctl00$ContentPlaceHolder1$ddlStartDate','')"
where ctl00$ContentPlaceHolder1$ddlStartDate is the name of my control.
|
Hi,
how do I write to a text file (or any other way) who visited my website?
I need the IP and computer name of the client.
How do I do it? (If it is possible at all.)
Thanks in advance.
|
Gali1978 wrote: how to write to text file or any other way - who Visited in my web ?
Go with this URL:
http://www.mycsharpcorner.com/Post.aspx?postID=27
Gali1978 wrote: i need ip and computer name of the client
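string ip;
// A Via header means the request came through a proxy. Only read the
// forwarded address if the proxy actually sent one (it may be missing).
if (Context.Request.ServerVariables["HTTP_VIA"] != null
    && Context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null)
{
    // Address the proxy reports for the original client.
    ip = Context.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
}
else
{
    // Address of the machine that connected to the server.
    ip = Context.Request.ServerVariables["REMOTE_ADDR"];
}
Note:
1. Sometimes proxy servers do not send the real client IP, so in that case there is no way to find the client IP.
2. I am not sure we can find the client computer name without any extra effort with only ASP.NET.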
Thanks
Parwej Ahamad
ahamad.parwej@gmail.com
modified on Wednesday, January 26, 2011 2:26 AM
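The snippet above takes `X-Forwarded-For` at face value, but that header is supplied by the client and can contain anything, so a visitor log built on it can be falsified. This added example (not the poster's code; written in Python to show the logic independent of ASP.NET, with the trusted-proxy list, function names and sample requests as assumptions) honours the header only when the connection itself comes from a proxy you operate.

```python
import ipaddress

# Assumption: networks of the reverse proxies / load balancers you operate.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]

def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def _parse(text):
    """Return an ip_address object, or None if text is not a bare IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def client_ip(remote_addr, forwarded_for=None):
    """Choose the address to log: REMOTE_ADDR unless a trusted proxy vouches."""
    peer = _parse(remote_addr)
    if peer is None:
        raise ValueError("REMOTE_ADDR is not an IP address")
    # A header from a peer that is not our proxy is just client input: ignore it.
    if not forwarded_for or not _is_trusted(peer):
        return str(peer)
    # Each proxy appends the address it saw, so read from the right and stop at
    # the first hop that is not ours. Anything left of it is unverifiable.
    for entry in reversed(forwarded_for.split(",")):
        hop = _parse(entry)
        if hop is None:            # not an IP (garbage or injected text)
            break
        if not _is_trusted(hop):
            return str(hop)
    return str(peer)               # nothing usable: fall back to the peer

# Constructed sample requests: (REMOTE_ADDR, X-Forwarded-For).
SAMPLES = [
    ("203.0.113.7", "198.51.100.1"),                 # direct client faking the header
    ("10.0.0.5", "198.51.100.23"),                   # one trusted proxy
    ("10.0.0.5", "203.0.113.99, 198.51.100.23"),     # client pre-filled the header
    ("10.0.0.5", "198.51.100.23, 10.0.0.9"),         # two trusted proxies
    ("10.0.0.5", "x\r\nfake-entry, 10.0.0.9"),       # text aimed at the log file
]

if __name__ == "__main__":
    for remote, xff in SAMPLES:
        print(remote, repr(xff), "->", client_ip(remote, xff))
```

Because the function only ever returns a parsed IP address, header text containing line breaks or other characters never reaches the log file.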
|
You're most welcome!
Parwej Ahamad
ahamad.parwej@gmail.com
|
Hi,
I have a GridView on my web form with a column that contains e-mail addresses.
When I press this cell, how do I send mail (through the client mail)?
I tried to add a hyperlink column to the GridView, but it is not working.
How do I do it?
Thanks
|
Gali1978 wrote: when i press this cell - how to send mail (through the client mail)
i try to add hyperlink column to the gridview - but not working
how to do it ?
What is not working? Are you getting any error? What code have you written?
|
If you write out the email column in the following format
<a href="mailto:user@domain.com">Send email</a>
it will send the email using the default email client. But that is not a recommended way of doing it. For starters, since the email is exposed, it can be harvested by bots easily. Instead, handle it at the back end or use some email address obfuscation JavaScript code.
|
have you tried mailto:address?
|
Hi All,
I am writing documents for my ASP.NET web application, web service and Windows service integration with another web service application. I want to know the differences between proofs of concept, technical specifications and other documents which are mostly or likely related to the developer sometimes.
The other thing is that a company approached me for some sort of work. It explained to me something about what their issue is and what they want; then I did some research and gave them a POC document with different approaches to resolve those issues. Did I do the correct thing here by naming my document a POC? Is it right to give the approaches in the POC?
After that they accepted one approach; then I again did some research and gave them the architecture of the application and how it looks, data flow diagrams, etc., and the system hardware and software requirements. But the system is not implemented yet. It still has to be implemented, but I have given the complete architecture, how it looks, data flow diagrams, everything.
Should I name this document a POC with a different version only, or a technical specifications document? What kind of document is it now?
Please give me any sort of help; any links are OK for me.
Thanks and your help would be appreciated.
Thanks & Regards,
Md. Abdul Aleem
NIIT technologies
|
You need to do some reading. Start here, How to get an answer to your question, and look at item #3. "Documents" is certainly brief but nowhere near descriptive enough.
A Proof of Concept is not a document. In the software world it is a small application that demonstrates the concept being proposed.
Quite frankly if you don't know the meaning and purpose of these documents I would question your entire design/architecture. The company who hired you will likely get exactly what they paid for and after it has failed, miserably most likely, someone like me will end up correcting it for a healthy profit.
I know the language. I've read a book. - _Madmatt
|
Hi,
I am researching for it but finding the difference and when should I give which document.
If there is any document or white paper which describes all these steps, when to do what document, I am not finding it anywhere.
If you could really help me that would be appreciated.
Thanks.
Thanks & Regards,
Md. Abdul Aleem
NIIT technologies
|
I make a dynamic CheckBox.
After postback, the CheckBox's Checked property is true.
But the page's CheckBox is not checked and the Text property was changed.
Refer to the code below: if I click some button, the j2j2 checkbox's Checked property is false,
but the checkbox is checked and the Text was changed to fail.
What should I do?
CheckBox j2j2 = (CheckBox)Table2.FindControl("m_adminList30");
if (j2j2.Checked == false)
j2j2.Text = "fal!";
else
j2j2.Text = "good";
j2j2.Checked = j2j2.Checked;
hi
My english is a little.
anyway, nice to meet you~~
and give me your advice anytime~
|
buffering83 wrote: make Dynamic Checkbox.
After postback, Checkbox's check property is true.
But Page's CheckBox is not checked and Text Property was changed.
reference below code, if i clicked some button, j2j2 checkbox's check property is false,
but checkbox is checked and Text was changed to fail.
It is not clear what you mean. Do you want your checkbox to maintain the postback details when checked or unchecked? While creating the checkbox, did you set CheckBox.AutoPostBack = "true", and in which events have you created the checkboxes?
|
buffering83 wrote: I make Dynamic Checkbox.
Make sure you have set 'EnableViewState=True' for the checkbox control as well as its container. Since you need to re-create your checkbox during postback, it might be getting reset to nothing, and hence the value and text.
|
Sandeep Mewara wrote: Make sure you have set 'EnableViewState=True' for the checkbox control as well as it's container
Sandeep, for CheckBox the EnableViewState property works in a somewhat different way. The CheckBox control implements IPostBackDataHandler. This value is not read from view state but from the postback form, and this is true for those controls which implement IPostBackEventHandler. Because in the page lifecycle, before Page_Load we have LoadViewState() and LoadPostbackData(). So, though you disable the view state for the CheckBox, it will load the data in the LoadPostbackData() method. This is the same for a text box control as well.
|
Thanks!
|
Good explanation. Every input control like checkbox, radio, textbox, hidden, etc. loads its data from the form collection during the LoadPostbackData() event. ASP.NET implements IPostBackDataHandler on every input control and it actually uses the form collection to update the control in the LoadPostbackData() event.
|
Abhijit Jana wrote: This value is not read from view state but from Postback from and this is true for those control which implements the IPostBackEventHandler.
Just a minor change required here, AJ. The value is read from the ViewState but overridden in the LoadPostbackData() method of the page life cycle for the controls which implement IPostBackDataHandler.
Cheers!
Ankur
..Go Green..
|