Strange file found in my application directory

Abdul Samad Patel 46 Reputation points
2022-02-22T11:13:21.933+00:00

I found a strange aspx file in my application and quickly deleted it. The next day I found the same file again with a different name. I didn't find any clue as to how these files got into my application directory.

Below is a snapshot showing how it looks. It seems that, using this file, the whole directory structure can be viewed and any file can be downloaded; some other options for SQL Server are also shown.

Please let me know how this file got into my application so I can close that door.

Thanks.

[Image: 176777-untitled.png]

Windows Server Security

Accepted answer
  1. MotoX80 33,556 Reputation points
    2022-02-24T14:22:23.847+00:00

    Please help me understand how this file got into my application directory so I can close that door.

    Did you run the scan tool that I mentioned in my previous comment? Start with that.

    Sounds like you have enabled some file upload or publishing function within IIS and haven't secured it. Maybe WebDAV? Or FTP/SFTP/SSH? Do you have directory browsing enabled?

    Is your web site set up for anonymous access or do you authenticate users? What are the permissions on the site's root folder? Do you have security permissions set to allow update access for any of these accounts?

    Everyone
    Users
    IUSR
    IIS_IUSRS

    Since you have a virtual server, do you have a network based firewall or are you relying on the Windows Defender firewall to block access to ports like RDP and SMB? Do you have strong passwords on your accounts? Do you change them periodically?

    Did you have Windows Defender run a full system scan to look for malware?

    Nmap is a good tool that you can use to scan your VPS to look for open ports.

    https://nmap.org/

    The OWASP Foundation has tools that you can use to scan your web site.

    https://owasp.org/www-project-web-security-testing-guide/stable/6-Appendix/A-Testing_Tools_Resource

    The bottom line is that we can't tell you what door to close because we have no idea what door you have open.

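The folder-permission question in the accepted answer can be checked with a short script. This is an added example, not code from any poster in the thread: it lists folders under the site root where Everyone, Users, IUSR or IIS_IUSRS hold a write-capable Allow ACE, then lists recently created script files and whether they sit in such a folder. The path `C:\inetpub\wwwroot`, the 7-day window and the extension list are assumptions to adjust.

```powershell
# Added example. $SiteRoot, $RecentDays and $scriptExt are assumptions; set
# $SiteRoot to the site's physical path as shown in IIS Manager.
param(
    [string]$SiteRoot   = 'C:\inetpub\wwwroot',
    [int]   $RecentDays = 7
)

# Accounts listed in the answer; matched on the name after any domain prefix.
$watched   = 'Everyone', 'Users', 'IUSR', 'IIS_IUSRS'
# Script extensions to look for (assumed list).
$scriptExt = '.aspx', '.ashx', '.asmx', '.cshtml'

# Rights that allow creating, changing or deleting content, plus the raw
# GENERIC_ALL / GENERIC_WRITE bits that some ACEs carry instead.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask   = [int]$rights -bor 0x10000000 -bor 0x40000000

function Get-WritableFolder {
    param([string]$Path)
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            $account = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and
                $watched -contains $account -and
                (([int]$ace.FileSystemRights) -band $mask)) {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Account   = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

$writable = @(Get-WritableFolder -Path $SiteRoot)
$writable | Sort-Object Folder, Account -Unique | Format-Table -AutoSize

# Script files created within the window, marked when their folder is writable
# by one of the watched accounts.
$cutoff = (Get-Date).AddDays(-$RecentDays)
Get-ChildItem -LiteralPath $SiteRoot -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $scriptExt -contains $_.Extension.ToLower() -and $_.CreationTime -ge $cutoff } |
    Select-Object FullName, CreationTime, LastWriteTime,
        @{ n = 'InWritableFolder'; e = { $writable.Folder -contains $_.DirectoryName } } |
    Sort-Object CreationTime | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the server so every folder's ACL can be read. Any script file reported with `InWritableFolder` set to True deserves a closer look alongside the IIS logs for the same time.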

6 additional answers

  1. PMT 86 Reputation points
    2022-02-22T16:00:25.587+00:00

    Hi,

    Please provide more information about the issue.

    What is the exact file name being created automatically? Where is it hosted?

    What is this green tool called?


  2. Abdul Samad Patel 46 Reputation points
    2022-02-23T09:16:03.883+00:00

    Thanks for your reply,

    The first time the file name was logout-old.aspx and the second time default.aspx.
    My web application is hosted on my VPS from GoDaddy, and these files were automatically created in that same web application.
    This is not a tool; this screen appears when I run this file in a browser, like https://mydomainname.com/default.aspx

    When I pasted the source code here and pressed the "Post Your Answer" button, the next screen showed that I do not have permission to submit the answer; that is why I am unable to paste the source code.

    Please let me know if you need anything further.
    Thanks in advance.


  3. Abdul Samad Patel 46 Reputation points
    2022-02-24T09:19:43.063+00:00

    It's not a Google file, nor was it uploaded for search engine optimization; it's a malicious file.
    See my first post, where the green screenshot shows the whole directory structure of my server and the capability to upload files.

    Please help me understand how this file got into my application directory so I can close that door.

    Thanks in advance.


  4. Abdul Samad Patel 46 Reputation points
    2022-02-25T11:06:21.173+00:00

    Thanks for giving time to my post. Here are the answers to your questions:

    1- I ran the scan tool; it showed "Low Security Risk".
    2- File upload is there in my web application, but it uploads files to a specific directory, not to the root. Also, in code I only allow document files to be uploaded; aspx files are not allowed.
    3- We authenticate users in our web application. The permissions on the root folder are ReadOnly for IIS_IUSRS, and write permission is only allowed on specific folders that need to receive uploaded images or documents.
    4- We do not have a network-based firewall; I am relying on the Windows Defender firewall.
    5- Yes, I have a very strong password for my RDP.
    6- I ran Windows Defender and it found some malicious files, which have been removed/cleared. I ran Windows Defender again and it did not find any malicious file; after running this I no longer find such aspx files on my server.
    7- I haven't used the nmap tool yet.

    Please let me know if you need further information.

    Thanks in advance.
