Our investigation turned up an unpatched security vulnerability that had been exploited, allowing unauthorized modification of the default.asp file. However, just patching the vulnerability and fixing the configuration file didn't solve the problem. The file soon reverted to its hacked state. It took a deeper investigation to find out just what was going on. What we discovered was devious.
The key piece of the problem, ironically, was the hackers' use of legitimate security software to protect their malware from removal. Easy File Locker protects files from deletion or alteration by keeping a hidden copy and using it to restore the file after any change or removal. It's normally used to protect critical files, but in this case, it was protecting files that shouldn't have been there.
This complicated the task of cleaning up the infection, but once we knew what was going on, we were able to remove the unauthorized Easy File Locker and make the redirection go away for good. Problem solved, traffic restored to all the hosted websites. The prompt cooperation of the hosting company was extremely valuable in finding and resolving the issue. Their many other customers shared in the benefit of the repair.
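A defender-side check for the "file snaps back" symptom described above, added here as an example and not code from the investigation or from Easy File Locker: it rewrites the suspect file with known-clean content, then re-hashes it over a short settle window. A file whose hash drifts back to the old value after a successful write is being restored by something else on the host, which is exactly the behaviour a file-locking or restore tool produces, and a write that is refused or silently altered is reported as well. File paths and contents used with it are constructed test data.

```python
import hashlib
import os
import time


def sha256_file(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def detect_reversion(path, clean_bytes, settle_seconds=2.0, polls=4):
    """Overwrite `path` with `clean_bytes`, then re-check it for `settle_seconds`.

    Returns a dict:
      original_hash    - hash of the file as found (the suspected tampered copy)
      clean_hash       - hash of the content we tried to write
      write_succeeded  - False if the write raised or the file did not take our bytes
      reverted         - True if the hash drifted away from clean_hash after the write
      reverted_after   - seconds until the drift was observed
      restored_to_original - True if the drifted content equals the tampered original
      final_hash       - hash of the file when we stopped looking
    """
    original_hash = sha256_file(path) if os.path.exists(path) else None
    clean_hash = hashlib.sha256(clean_bytes).hexdigest()
    result = {
        "path": path,
        "original_hash": original_hash,
        "clean_hash": clean_hash,
        "write_succeeded": False,
        "reverted": False,
        "reverted_after": None,
        "restored_to_original": None,
        "final_hash": original_hash,
        "error": None,
    }
    try:
        with open(path, "wb") as f:
            f.write(clean_bytes)
    except OSError as exc:
        # A refused write is itself a finding: something is holding the file.
        result["error"] = repr(exc)
        return result
    written_hash = sha256_file(path)
    result["final_hash"] = written_hash
    result["write_succeeded"] = written_hash == clean_hash
    if not result["write_succeeded"]:
        return result  # write was accepted but the bytes on disk are not ours

    # Poll for a while: restore tools typically put the old content back within seconds.
    start = time.monotonic()
    for _ in range(polls):
        time.sleep(settle_seconds / polls)
        current = sha256_file(path)
        if current != clean_hash:
            result["reverted"] = True
            result["reverted_after"] = round(time.monotonic() - start, 2)
            result["restored_to_original"] = current == original_hash
            result["final_hash"] = current
            break
    return result


if __name__ == "__main__":
    # Usage: python reversion_check.py  (path and clean copy are placeholders)
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "default.asp"
    clean_copy = sys.argv[2] if len(sys.argv) > 2 else "default.asp.clean"
    with open(clean_copy, "rb") as f:
        report = detect_reversion(target, f.read(), settle_seconds=5.0, polls=10)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it once with the web server stopped so an application-level writer is ruled out; if the file still reverts, the restoring process is a host-level agent, and that is where to look (services, drivers, and scheduled tasks) before re-deploying the clean file.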
Threat Details
Malicious action: Black SEO technique
Below you can find the screenshots of code from the default.asp file.
The code responsible for the referrer identification:
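A check for referrer-conditional behaviour of the kind just described, added here as an example for site owners and not the attackers' code from the screenshots: it fetches a page once directly and once with a search-engine Referer header (without following redirects, so the 3xx itself is visible) and classifies any difference as a server-side redirect, a client-side redirect injected into the body, or merely different content. The search referrer URL and the regex of client-side redirect idioms are assumptions of this example, and the response tuples in the test are constructed.

```python
import re
import urllib.error
import urllib.request
from difflib import SequenceMatcher

# Assumed: a typical search-result referrer that cloaking code keys on.
SEARCH_REFERERS = ("https://www.google.com/search?q=example",)

# Assumed list of client-side redirect idioms to look for in a response body.
CLIENT_REDIRECT = re.compile(
    r'(http-equiv\s*=\s*["\']?refresh|window\.location|location\.(href|replace))',
    re.IGNORECASE,
)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow: we want to observe the 3xx itself


def fetch(url, referer=None, timeout=10):
    """GET `url` once without following redirects; returns (status, location, body)."""
    headers = {"User-Agent": "Mozilla/5.0 (referrer-cloaking-check)"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # With redirects disabled, urllib surfaces 3xx (and 4xx/5xx) here.
        return e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace")


def classify(direct, referred, similarity_threshold=0.9):
    """Compare a direct fetch with a referred fetch; each is (status, location, body).

    Returns (verdict, detail). Anything other than "consistent" means the page
    serves different behaviour depending on the Referer header.
    """
    d_status, d_loc, d_body = direct
    r_status, r_loc, r_body = referred
    d_redirect = 300 <= d_status < 400
    r_redirect = 300 <= r_status < 400
    if r_redirect and not d_redirect:
        return "server-side redirect only with referrer", r_loc
    if r_redirect and d_redirect and r_loc != d_loc:
        return "redirect target depends on referrer", r_loc
    d_client = CLIENT_REDIRECT.search(d_body or "")
    r_client = CLIENT_REDIRECT.search(r_body or "")
    if r_client and not d_client:
        return "client-side redirect only with referrer", r_client.group(0)
    ratio = SequenceMatcher(None, d_body or "", r_body or "").ratio()
    if ratio < similarity_threshold:
        return "content differs with referrer", round(ratio, 3)
    return "consistent", round(ratio, 3)


def check_url(url, referers=SEARCH_REFERERS):
    """Run the comparison for every referrer; returns {referer: (verdict, detail)}."""
    direct = fetch(url)
    return {ref: classify(direct, fetch(url, referer=ref)) for ref in referers}


if __name__ == "__main__":
    import sys
    for ref, (verdict, detail) in check_url(sys.argv[1]).items():
        print(f"{ref}\n  {verdict}: {detail}")
```

Run it against each hosted site from outside the hosting network, since cloaking code may also key on the client address; a "consistent" result for every referrer is the condition to confirm after cleanup, and re-running the check on a schedule catches the redirect coming back if the protected copy is restored again.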