Just want to share our experience of being hacked via our own hosting servers - #1 Windows Server 2012 DataCenter within Hyper-V VM Win2012. A site running NOP3,2 had been compromised and has been running slow for the past few days. We tested the site against test performance link here: http://www.webpagetest.org/ and found some interesting page loads during the initial landing page.
When viewing the landing page load we found this embedded into the top view:
<div style="position:absolute;top:-10001px;">
<a href="http://asicscanada.fmaadvantage.org/">onitsuka tiger canada</a>
<a href="http://www.saleasicsonlinesg.com/">onitsuka tiger singapore</a>
<a href="http://birkenstockcanada.jbandstar.com/">birkenstock canada</a>
<a href="http://www.birkenstockstw.com/">勃肯鞋</a>
<a href="http://www.achristmasadventure.com/fitflop/singapore/">fitflop singapore</a>
<a href="http://www.jordanviptw.com/">jordan鞋台灣官網</a>
<a href="http://www.pumashoestaiwan.com/">puma鞋</a>
<a href="http://www.fitfloptaiwan2015.com/">fitflop台灣</a>
<a href="http://www.birkenstockblog.com.au/">birkenstock australia</a>
<a href="http://buybirkenstocksingapore.knoxwhitleyanimalshelter.com/">birkenstock singapore</a>
<a href="http://achristmasadventure.com/fitflop/singapore/">fitflop singapore</a>
<a href="http://www.fitflopsonlineca.com/">fitflop canada</a>
<a href="http://www.fitflopindenmark.com/">fitflop</a>
<a href="http://www.runningonlinenz.com/">nike free</a>
<a href="http://www.buytoms.com/">toms鞋</a>
<a href="http://www.myadidastw.com/">愛迪達</a>
<a href="http://www.pumaonlineindia.com/">puma india</a>
<a href="http://www.buyflipflopoutletaustralia.com/">fitflop australia</a>
</div>
<div style="position:absolute;top:-10001px;">
<a href="http://www.tigershoesmalaysia.com/">onitsuka tiger malayasia</a>
<a href="http://www.tigershoesmalaysia.com/">asics malaysia</a>
<a href="http://www.dsquared2mall.com/">dsquared2 uk</a>
<a href="http://www.dsquared2mall.com/">dsquared2 jeans</a>
</div>
Further exploring the file contents for strings we found that this code had been inserted at the end of the file: ProductAttributes.cshtml.
We still have not been able to find the source of this hole but believe it maybe related to port 1433 open on the firewall for development purposes. No logs show evidence of this. Any possible in-site into it's origin would be appreciated.