ASP.NET site getting hacked - links appended to aspx files

A friend is asking about their ASP.NET site that has been getting hacked. It's on a hosted server - cheapo hosting.

I haven't seen it myse开发者_高级运维lf just yet, but I'm hoping for ideas on where to look once I do.

The symptoms reported are that links, some mangled, are appearing appended to the .ASPX file (aspx/html on the disk).

Before I learned this, I thought it was SQL injection with links getting appended to their poorly written (I've seen that one) "content manager" content. So I don't think that SQL injection could do this.

Anyone else seen this kind of hack?

why wouldn't they just take the entire site over?

Because then you'd notice. The usual aim is to add linkfarming and trojan-loading exploits to a popular site for as long as possible before the admin notices and takes it off-line.

If your actual .aspx files are being appended to, then that's probably a trivial automated attack on an FTP site using stolen passwords. Most commonly today, this happened because a client machine that has been used to connect to the FTP has been hacked and a password-stealing trojan installed.

Check all client machines that have been anywhere near the FTP thoroughly (and reinstall dirty systems completely rather than using today's unreliable anti-virus software to attempt to ‘clean’ them). Then change the password for FTP access (much better: use SFTP. FTP is an insecure pile of crud that no-one should be using in this century).