I believe this is a new exploit...
Since Feb 21, 2019, one of my DNN sites running on 8.2.2 is sending spams using the smtp relay setting stored in DNN. The email header looks like this, which definitely is generated inside DNN. and the spam are sent to the users inside DNN.
Return-Path: <[email protected]>
Received: from exampleServer ( exampleServer [xx.xx.xxx.xxx]) by xxxxxxx with SMTP;
Fri, 22 Feb 2019 12:43:00 +0800
Sender: "DotNetNuke" <[email protected]>
From: "example" <[email protected]>
To: [email protected]
1. event logs, there is no other login attempts beside super admin account.
2. None of the DNN files are being modified since 2017.
3. all are default DNN module except one PropertyAgent module by Ventrian.
4. Security Analyzer found nothing suspicious...