Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

HomeHomeUsing DNN Platf...Using DNN Platf...Administration ...Administration ...Still under attack after upgrade from 6.2.9 to 7.4.2Still under attack after upgrade from 6.2.9 to 7.4.2
Previous
 
Next
New Post
6/20/2016 9:03 AM
 

I have already posted a long thread http://www.dnnsoftware.com/forums/forumid/108/postid/530273/scope/posts#530273

regarding my website being constantly under attack. I have upgraded to version 7.4.2 with no result. I'm still under attack and still vulnerable to the same scams.

I have read the vulnerability notice and removed all files (install, update wizards etc) from the directory even though the type of attack I have been experiencing was not as described but nothing changed on my DNN installation although something did change in my situation altogether. The attack spread to my other non DNN .asp website. Now I have 2 databases to restore on a daily basis.

I downloaded, installed and ran the new Security Analyzer which came up with a new vulnerability.

CheckDiskAccess : Checks extra drives/folders access permission outside the website folder
Hackers could access drives/folders outside the website
E:\website - Read:Y, Write:Y, Create:Y, Delete:Y
E:\ - Read:Y, Write:Y, Create:Y, Delete:Y
C:\ - Read:Y, Write:Y, Create:Y, Delete:N

It does not say how though.

How can I prevent this from happening? How do I limit access only to the DNN root folder?

Any help is appreciated thank you.

 

Edoardo 

 
New Post
6/20/2016 10:49 AM
 
What hosting company are you utilizing? You might also look at some of the IIS security analyzers to see if they have any suggestions for what can be locked down at the server level.

Chris Hammond
Former DNN Corp Employee, MVP, Core Team Member, Trustee
Christoc.com Software Solutions DotNetNuke Module Development, Upgrades and consulting.
dnnCHAT.com a chat room for DotNetNuke discussions
 
New Post
4/19/2017 11:50 AM
 
Hi Edoardo,

I wonder if you have a solution for the CheckDiskAccess issue already?

I'm having the same problem. I did a clean server setup and created a separate application pool for the DNN.

Also set with application pool identity, add the ID into the DNN folder security.

But the analyzer still showing DNN has full access to all Drives like yours.

Appreciate anyone can help one this. Thank you.

George.
 
New Post
6/24/2017 8:54 PM
 
Does anyone have an answer for the CheckDiskAccess problem?
 
New Post
6/26/2017 9:56 AM
 
As I mentioned in another thread, I would guess that this is because by default, any new user created in Windows are member of the "USERS" group which in turn has read and write access. The solution is probably to remove the IIS user from the USERS group,however, I am not sure what is recommended best practices here and if that might lead to other side effects.
 
Previous
 
Next
HomeHomeUsing DNN Platf...Using DNN Platf...Administration ...Administration ...Still under attack after upgrade from 6.2.9 to 7.4.2Still under attack after upgrade from 6.2.9 to 7.4.2


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.

Content Layout

Subscribe to DNN Digest

DNN Digest is our monthly email newsletter. It highlights news and content from around the DNN ecosystem, such as new modules and themes, messages from leadership, blog posts and notable tweets. Keep your finger on the pulse of the ecosystem by subscribing.  


Copyright 2017 by DNN Corp Terms of Use Privacy
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out