K12 - make.aspx

Julian C. asked on July 26, 2023 19:32

Kentico 12 with the latest hot fix (v12.0102)

For the past few weeks, Google has been indexing a page on my site that does not exist in Kentico: make.aspx followed by a random query string. (Examples: https://mydomain.com/make.aspx?LinulraY.html, https://mydomain.com/make.aspx?ivUTOoZu.html)

The make.aspx page triggers a 404 on my site, but Google redirects the page to random weird sites in the search results.

About 20 of these make.aspx pages are indexed by Google each day. I blocked the make.aspx page on robots.txt and placed a temporary removal on Google Search Console. So, for now the make.aspx page is not indexed by Google anymore but it is still there.

It started to happen on K10, and it continues now even after Kentico upgrade to K12.

I checked the SQL DB, all the JavaScript files, all custom widgets. Nothing. No sign of make.aspx.

Anyone familiar with this issue?

Recent Answers


Juraj Ondrus answered on July 27, 2023 07:12

I would say it is described here. In the past year we have seen lots of hacked sites - 99% of them were running old, unsupported or not hotfixed instances. The old versions are not secured against modern attacks. It is like using 5-year-old anti-virus software. And also, make sure your media libraries are secured because by default they are not!

0 votes

Brenden Kehren answered on July 27, 2023 15:19 (last edited on July 27, 2023 15:23)

Julian,

What's happened is your site has been compromised by the link Juraj has provided. We have dealt with several clients who have had a similar experience. Eventually it will lead to a ransomware attack on your company/site when the access to your site is sold to the right person/attacker.

Upgrading to the latest version and hotfix you can possibly upgrade to is a great start. The second thing you need to do is look in the code base and find where that make.aspx call is being made. I'd suggest starting with the following files and checking the contents of those files:

  • Default.aspx
  • *.ashx
  • /CMSPages/PortalTemplate.aspx
  • /CMSWebParts/*

Search for code similar to this in those pages (or your project in general). The make.aspx page probably doesn't exist, but the code to show others it does may be in those .aspx and .ashx pages.


I have to say though, removing the code DOES NOT FIX the problem. There is some other underlying code still residing on your server that will be executed, at some point in time, which will cause further problems. The best course of action, if you have CI/CD set up and backups, would be to spin up a new server and redeploy the site(s) and database(s).

In the couple of instances we worked on, we found the breach was done anywhere from 3-7 months prior to us actually discovering this issue. What happens is an attacker finds access, messes around, sells the access to another attacker, they then mess around and do things, then they sell the access to another attacker. This cycle goes on and on until someone decides to do something that can possibly bring your whole site down, for good.

0 votes
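The file check described in the answer above, as an added example (not part of the original thread and not Kentico tooling): it scans a copy of the web root for references to make.aspx in the listed locations, or in every file with `--all`, and also matches UTF-16LE so string literals inside compiled .NET assemblies are found. The function names and the `--all` flag are assumptions of this example.

```python
import os
import sys
from pathlib import PurePosixPath

NEEDLE = "make.aspx"  # the phantom page named in the thread

def in_priority_set(rel):
    """True for the locations the answer lists: Default.aspx, *.ashx,
    /CMSPages/PortalTemplate.aspx and anything under /CMSWebParts/."""
    low = rel.lower()
    p = PurePosixPath(low)
    return (p.name == "default.aspx" or p.suffix == ".ashx"
            or low == "cmspages/portaltemplate.aspx"
            or low.startswith("cmswebparts/"))

def find_references(root, needle=NEEDLE, whole_project=False):
    """Return sorted (relative_path, line_no, encoding) hits under root.
    line_no is 0 for UTF-16LE hits, where line numbers are not meaningful."""
    # Case-insensitive byte match. UTF-16LE is how .NET assemblies store
    # string literals, so compiled code is covered when whole_project is set.
    utf8 = needle.lower().encode("utf-8")
    utf16 = needle.lower().encode("utf-16-le")
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not (whole_project or in_priority_set(rel)):
                continue
            try:
                with open(full, "rb") as fh:
                    data = fh.read().lower()
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            for n, line in enumerate(data.split(b"\n"), 1):
                if utf8 in line:
                    hits.append((rel, n, "utf-8"))
            if utf16 in data:
                hits.append((rel, 0, "utf-16le"))
    return sorted(hits)

if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--all"]
    root = args[0] if args else "."
    for rel, line_no, enc in find_references(root, whole_project="--all" in sys.argv):
        print(f"{rel}:{line_no} ({enc})")
```

An empty result does not clear the server: strings that are encoded, concatenated or otherwise obfuscated will not match a literal search, which is consistent with the advice above to redeploy to a new server.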
