DNN 7.01.01 website hacked!
New Post
9/4/2013 2:05 PM
 
I have a DNN 7.01.01 instance hosted on GoDaddy. This site has been hacked where someone uploaded Trojan:JS/Quidvetis.A.

Are there any known security issues with this version? Is there any way I can find out how the site was hacked? Or where the vulnerability is?

Note that every time I replace the infected scripts/pages with the backed up copy, I find the site infected again within a day.

Please help!
 
New Post
9/4/2013 5:35 PM
 

Sorry to hear about your site's troubles, you're welcome to email security@dnnsoftware.com but I’m afraid we typically can’t offer much help for viruses on websites.

 

Typically when a site has virus files added to it, it happens in one of four ways:

· An upload vulnerability with the site's code (i.e. DNN) – this does not appear to be the case, unless the hackers have found an issue that we do not know of. However (to date) no one else has reported a similar problem, suggesting that this is not the case.

· A server level issue e.g. missing Microsoft patches or an issue with a 3rd party tool on the server (such as Plesk or a mail server) that has meant the server is compromised – the exploit will then drop copies of the payload into various locations (often these are semi-intelligent and search for directories such as “portals” [for DNN] or “wp_content” [for WordPress] etc.). I’d recommend checking with your hosting provider to see if other sites on the server have been exploited.

· The virus originated from someone with access to the site's files e.g. either via FTP or Windows Explorer. Looking into the QuidVetis.A virus shows it’s based on the Blacole kit. I’ve seen a number of Blacole based viruses that used FTP to spread e.g. they get onto the developer's machine and a background process looks for any requests outbound on an FTP port. When one occurs they capture the username/password and then use that to upload the viruses silently. This can typically be verified by looking at the IIS logs, and if that’s it you’ll have to sanitize the users' local machines as well as fix the site and change the FTP details.

· A 3rd party module with an upload vulnerability – you can check your IIS logs and see if they show anything (look at the timestamps on the virus and try to associate it with the same timeframe in the logs – take care to factor any timezone/UTC offsets).

 

Thanks,

Cathal

DNN Security team


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
New Post
9/4/2013 5:36 PM
 

If you have attachment upload enabled anywhere, any registered user (or group you have set up) has permission to upload files. In Host Settings you can specify which file extensions are allowed for upload. Also, unused PHP configuration or wrong IIS and file permission settings could open your instance to injections. If you use 3rd party modules, these could also have security issues. I would suggest checking the upload date of the file, and checking your IIS and DNN logs to see how these files infected your system.

On shared hosting the issue does not have to be in your DNN instance; it could be anywhere on the system, and could infect all sites/hostings on the server.
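
The log check suggested in the two replies above (match the infected file's timestamp against the IIS log, allowing for the UTC offset), as an added example that is not part of the original posts. The log lines, file timestamp, module path, IP addresses and the server's UTC-7 offset are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in IIS W3C extended format; IIS writes date/time in UTC by default.
# Paths, the module name and the IPs (documentation ranges) are made up for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2013-09-03 18:02:11 GET /Default.aspx - 198.51.100.7 Mozilla/5.0 200
2013-09-03 21:14:52 POST /DesktopModules/ExampleGallery/Upload.aspx - 203.0.113.45 Mozilla/5.0 200
2013-09-03 21:14:58 GET /Portals/0/js/menu.js - 203.0.113.45 Mozilla/5.0 200
2013-09-03 21:40:03 POST /Login.aspx - 198.51.100.7 Mozilla/5.0 302
2013-09-04 04:15:01 POST /DesktopModules/ExampleGallery/Upload.aspx - 203.0.113.45 Mozilla/5.0 200
"""

WRITE_METHODS = {"POST", "PUT"}

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) != len(fields):
                continue  # truncated or malformed row
            row = dict(zip(fields, values))
            stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            row["utc"] = stamp.replace(tzinfo=timezone.utc)
            yield row

def file_time_to_utc(local_stamp, utc_offset_hours):
    """Convert a file timestamp shown in server-local time to UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc)

def writes_near(log_text, file_utc, window_minutes=5):
    """Return write-type requests logged within +/- window of the file's modification time."""
    window = timedelta(minutes=window_minutes)
    return [r for r in parse_w3c(log_text)
            if r["cs-method"] in WRITE_METHODS and abs(r["utc"] - file_utc) <= window]

if __name__ == "__main__":
    # Infected file's modified time as shown by the host's file manager (assumed UTC-7).
    for offset in (-7, 0):
        hits = writes_near(SAMPLE_LOG, file_time_to_utc("2013-09-03 14:15:00", offset))
        print(f"offset {offset:+d}h:", [(r["time"], r["c-ip"], r["cs-uri-stem"]) for r in hits])
```

With the offset applied, the upload request lines up with the file's modification time; treating the local timestamp as UTC finds nothing. No match at the correct offset points away from an HTTP upload and toward the FTP or server-level routes described in the earlier reply.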

 
New Post
9/4/2013 5:38 PM
 
Further research shows this typically gets on a user's machine via vulnerable Java/Flash installations - I recommend you follow the guidance from http://forum.webuser.co.uk/showthread.php?t=124573

 
New Post
9/4/2013 8:04 PM
 
Thank you all for the quick reply.

Matthias, what DNN logs are you referencing? Where can I find them?

Thanks again,

Fady
 