My DNN Got Hacked. How to Harden a DNN installation server?
New Post
1/31/2007 1:57 PM
 

BTW, I would also recommend people read the Hardening DotNetNuke installations document @ the bottom of http://www.dotnetnuke.com/tabid/940/Default.aspx

Cathal


New Post
2/5/2007 2:06 PM
 

My website has been attacked using the forum module.

I contacted Cathal about the problem and he responded very quickly.

After I received Cathal's email I tried setting the word filter on the Forum module. And it worked :)

I have just changed every "script" word to "sccript" in order to be able to prevent any script insertion... Do not forget to enable the word filter for the subject field too...

I hope this will protect you from attacks, until the new release...

Thank you for your quick response, Cathal....

 
New Post
2/6/2007 4:04 PM
 

psidrum wrote
I messaged the tech support and this is what he said..

"For your folder permission, it seems you had given write access for the user ehbIUSR_www2 to access your folder. So it will lead to a security hole for another hacker to write files to your dnn site. For this issue, I had removed that user for you. If you have any enquiry, please let us know. Thanks!"


So what user should I allow full write access?

Hello,

I have already asked one question about file permissions here, but without success. I am very concerned with security for one of my customers, and I would like to know if this security setting is correct or not. I have read everything on the topic, some people saying that the root and all folders must be read/write, and the opposite (only some folders write, but which ones?)

What do you think, and what is your advice?

DV FX

 
New Post
2/6/2007 4:14 PM
 

DV, not sure what control panel you are using, but you have to remember there are 2 identities at work when running any ASP.NET application under IIS. One is a user that is used by IIS to access files and folders in your webroot. For public websites that is usually an anonymous user (not authenticated by Windows), by default called IUSR_[Machinename], and it seems that this is the screen that is used by the control panel to define rights for the anonymous user in IIS.

The other identity is the one that is used by the IIS application pool where your application runs. This is the identity that is assigned to the ASP.NET process, and in turn is used by ASP.NET when any file based operations are performed. The Windows default name for that user is IWAM_[Machinename]. You can find out what user is used to run your DNN application by logging on as host and viewing Host Settings (look for ASP.NET account).

You really should talk to your provider about stuff like this, and ask him whether you can set access rights on physical files somewhere in your control panel.

 


Erik van Ballegoij, Former DNN Corp. Employee and DNN Expert
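
The two identities described in the post above can be checked against the folder ACLs directly. The following PowerShell script is an added example, not part of the original thread: it reports every folder under a web root where the named accounts hold an Allow entry with write-type rights. The web root path and the account names are placeholders to be replaced with the site's own values.

```powershell
# Added example (not from the thread). Lists every folder under a web root where
# the given identities hold an Allow ACE that carries write-type rights.
param(
    # Placeholder path and account names: substitute the site's folder, the IIS
    # anonymous user and the ASP.NET account shown under Host Settings.
    [string]  $WebRoot  = 'C:\inetpub\wwwroot\dnn',
    # Everyone/Users are included because rights granted to those groups also
    # apply to the anonymous user.
    [string[]]$Accounts = @('IUSR_MACHINENAME', 'IWAM_MACHINENAME', 'Everyone', 'Users')
)

# Specific rights that allow creating, changing or deleting content or ACLs.
$writeNames  = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask   = [int][System.Security.AccessControl.FileSystemRights]$writeNames
# GENERIC_ALL | GENERIC_WRITE, which can appear raw on inherit-only ACEs.
$GenericMask = 0x10000000 -bor 0x40000000

function Test-WriteAce {
    param($Ace, [string[]]$Names)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $full  = $Ace.IdentityReference.Value        # e.g. MACHINE\IUSR_MACHINE
    $short = $full.Split('\')[-1]                # account name without domain
    if (($Names -notcontains $full) -and ($Names -notcontains $short)) { return $false }
    $rights = [int]$Ace.FileSystemRights
    return (($rights -band ($WriteMask -bor $GenericMask)) -ne 0)
}

# The root itself plus every subfolder, hidden ones included.
$folders = @(Get-Item -LiteralPath $WebRoot) +
           @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Directory -Force)

$findings = foreach ($folder in $folders) {
    foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
        if (Test-WriteAce -Ace $ace -Names $Accounts) {
            [pscustomobject]@{
                Path      = $folder.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
```

The script only reads ACLs and changes nothing. The Inherited column shows whether a grant was set on the folder itself or comes from a parent.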


 
New Post
2/6/2007 4:20 PM
 

OK, I will do it this way, asking my provider, thank you very much!

DV

 