Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

default.aspx being hacked
New Post
5/8/2017 2:48 AM
 

Recently our site is being hacked and it is happening several times a day. What is happening is that default.aspx is being modified and links to porn sites and other things are being placed inside it. I have scoured these forums and have read several posts but have not found any real solutions or anything that points me in the right direction. 

I am seeing this kind of thing:

Exception information:
    Exception type: HttpException
    Exception message: A potentially dangerous Request.Path value was detected from the client (:).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Request information:
    Request URL: http://programming.msjc.edu/http:/www.lei69.com/
    Request path: /http:/www.lei69.com/
    User host address: 138.197.7.66
    User:
    Is authenticated: False

I have read where hackers are somehow doing this kind of thing to do HTML injection but I cannot figure out how they are doing it.

I have run security adviser and fixed anything that was suggested. I have to assume that this is a permission problem somewhere but not sure where.

I have disabled FTP and removed the admin account from the server. I checked all folder permissions, and checked to make sure the latest security patches have been installed.

On the DNN side I have disabled login and registration and removed all but the administrator account. I have changed the password on it also. I have even tried setting the permissions on all pages to administrator only.

At this point I am not sure what to do. Can someone tell me what accounts should have access to the web folder and what their permissions should be?

Also, I am running DNN version 7.00.06, Windows Server 2012 R2.

I have tried upgrading but this has been very problematic and I have had to roll everything back. At this point I am not sure an upgrade will help. 

I have installed the latest version of DNN on a test site but trying to move the content over is REALLY problematic. Most of the skins and modules do not seem to work. 

Any help or advice would be welcomed here. Also, please note I am really not a web guy but know just enough to be dangerous and that may be the problem.

 

Thanks in advance!


 
New Post
5/8/2017 2:03 PM
 
 
New Post
5/8/2017 4:40 PM
 
This is either happening with a login, or without. If without, check the options on the page linked in the above message. The API and the Wizard ones caught my attention:
2017-02 (Low) Authorization can be bypassed for few Web APIs Published: 1/26/2017
2016-06 (Critical) Unauthorized users may create new SuperUser accounts Published: 5/26/2016

See if any SuperUser accounts are not familiar. Delete all but yours.

If you don't have any users, you can hide the login page. Even if you use the 'hide login' option in DNN, the login URL is still functional. See if any users are logging in. If they are, you can delete their accounts and hide the login page even further like this: make a page with only a message on it that logins are disabled and then specify that page as the site login page in Settings. Then create a new page with a cryptic name and put a login module on it. Actually, do these steps in the opposite order, in case you lose your connection halfway through. Now, only you can log in, using the URL for the page with the cryptic name.

Just a few thoughts. Hope you fix it.







 
New Post
5/15/2017 9:22 PM
 

I just wanted to follow up for anyone who may be having this problem. I have been using DNN for several versions now. We simply have been upgrading. There is a vulnerability that applies to older versions of DNN using the fck editor. You can read about it here:

http://blog.aggregatedintelligence.com/2010/02/dotnetnuke-version-zero-day.html

I didn't think I had anything to worry about, but I followed through with the hack and lo and behold my site was vulnerable. It appears that even though I was using the Rad editor the files for the Fck editor were still on the site. I removed the files but that hack kept happening. I noticed when I was copying the site from one server to another to perform an upgrade some unusual files. It appears that aspx files were uploaded and all the hacker had to do was execute them. If you examine the files you will see things inside them like:

/*
Thanks Snailsor,FuYu
Code by Bin
Make in China
Blog: http://www.rootkit.net.cn
E-mail : master@rootkit.net.cn
*/

I had to use a utility to search all files on the site. It was amazing how many files I found that didn't belong. I have it all cleaned up and everything seems to be back to normal. So, if you have simply been upgrading your site then you should make sure that access to the file upload of the fck editor is not still there. 
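
One way to do the file search described in the post above, as an added example that is not part of the original thread: it compares the live web root with a clean copy of the same DNN version and reports script files that were added or changed. The function name, the clean reference copy and the temp-folder demo data are assumptions made for illustration.

```powershell
# Added example: list server-executable files that a clean copy of the same
# DNN version does not contain, or contains with different content.
# Requires PowerShell 4.0+ (Get-FileHash). Function name is hypothetical.
function Find-UnexpectedWebFiles {
    param(
        [Parameter(Mandatory)] [string] $SiteRoot,      # live web root
        [Parameter(Mandatory)] [string] $BaselineRoot,  # clean install, same version
        [string[]] $Extensions = @('.aspx', '.ashx', '.asmx', '.ascx', '.cshtml')
    )
    $site = (Resolve-Path -LiteralPath $SiteRoot).ProviderPath.TrimEnd('\')
    $base = (Resolve-Path -LiteralPath $BaselineRoot).ProviderPath.TrimEnd('\')

    Get-ChildItem -LiteralPath $site -Recurse -File -Force |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $relative = $_.FullName.Substring($site.Length).TrimStart('\')
            $clean    = Join-Path $base $relative
            if (-not (Test-Path -LiteralPath $clean -PathType Leaf)) {
                $status = 'NotInBaseline'      # e.g. an uploaded script
            }
            elseif ((Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -ne
                    (Get-FileHash -LiteralPath $clean -Algorithm SHA256).Hash) {
                $status = 'Modified'           # e.g. a tampered default.aspx
            }
            else { return }                    # matches the clean copy
            [pscustomobject]@{
                Status       = $status
                RelativePath = $relative
                LastWriteUtc = $_.LastWriteTimeUtc
                Length       = $_.Length
            }
        }
}

# Constructed demo data in a temp folder (not taken from the thread).
$tmp = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName())
foreach ($d in 'clean', 'live\Portals\0') {
    New-Item -ItemType Directory -Path (Join-Path $tmp $d) -Force | Out-Null
}
Set-Content (Join-Path $tmp 'clean\Default.aspx') '<%@ Page %>'
Set-Content (Join-Path $tmp 'live\Default.aspx') '<%@ Page %><a href="#">injected</a>'
Set-Content (Join-Path $tmp 'live\Portals\0\up.aspx') 'stand-in for an uploaded file'
Find-UnexpectedWebFiles -SiteRoot "$tmp\live" -BaselineRoot "$tmp\clean" |
    Sort-Object Status, LastWriteUtc | Format-Table -AutoSize
Remove-Item -LiteralPath $tmp -Recurse -Force
```

Installed skins and modules also show up as NotInBaseline, so that list needs review rather than bulk deletion. web.config is left out of the default extension list because it always differs from a fresh install.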

 

 
New Post
5/22/2017 2:34 PM
 
I had a similar problem with several sites a couple of months ago, but I do not think it was a DNN permission problem, since it was the default.aspx file only that was affected, and one of the sites was not even live. If it were a DNN problem or the site had been compromised by a username/password breach, I would have expected to find injections into the database tables as well (that actually happened a couple of years ago - a few DNN versions back) or changes to the skin files. Even with a superuser account, the default.aspx file is not normally accessible.
I suspected a problem with the hosting company's security (and reported such to them), or a breach in FTP credentials, particularly since it happened to a site that was not live. I changed all FTP logins and my hosting company says they improved their security - I have not had a problem since. I think some bot transected through the file system looking for and modifying default.aspx files.
 