Hacker upload .asp file to DNN 7.4.1 site
New Post
9/2/2015 1:21 PM
 

I received the following message from Google Webmaster a few days ago, telling me there is suspected hacking on the Embedded101.com site:

========================================================

Google has detected that your site may have pages added by a third party. These pages may contain spammy or malicious content which violate our Webmaster Guidelines.

Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

Sample URLs:

========================================================

When I checked the site, I found some files were uploaded to the site's root folder by a hacker. The files are in sets of 2, using the same file name with different extensions, such as the following:

  -  4FaEH.asp

  -  4FaEH.gif

Basically, it's a black hat SEO practice. The .asp file contains script that directs site visitors to another URL.

I've recently updated the site to the latest version of DNN 7.4.1.  These hacking activities happen after the site is upgraded to 7.4.1.

Is this a known vulnerability for DNN?

Are there some settings or configuration I can change to prevent this from happening?

 

Thanks in advance for your help!

Sam

New Post
9/2/2015 2:51 PM
 
DNN does not support any UI to upload files to the root folder; most likely it is done either by FTP (weak password) or another software or a DNN 3rd party extension.
Which extensions are you running on your site? If the site had been created in DNN 5 or before, did you make sure to uninstall FCKeditor and remove /providers/htmleditorproviders/fck folder?

Cheers from Germany,
Sebastian Leupold

 
New Post
9/3/2015 1:54 PM
 
Also, it is important that you lock down your IIS installation to not allow ASP or PHP pages to run. Most hosting providers offer a control panel that allows you to disable these extensions. Ultimately, in order to track this down you will need to get a copy of your IIS logs. Your hosting provider should be able to provide you access to those logs.

Joe Brinkman
DNN Corp.
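
One way to work through those IIS logs, as an added example that is not code from any poster in this thread: it parses the W3C extended format, finds the first successful request for each .asp/.php file, and lists the POST requests seen shortly before it. The sample log lines, the 10-minute look-back window and the `/DesktopModules/ExampleModule/Upload.aspx` path are constructed assumptions.

```python
from datetime import datetime, timedelta

SCRIPT_EXT = (".asp", ".php")      # types a DNN (ASP.NET) site should not be serving
WINDOW = timedelta(minutes=10)     # assumed look-back window before the first hit

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-08-28 03:10:02 GET /Default.aspx - 198.51.100.20 200
2015-08-28 03:11:40 POST /DesktopModules/ExampleModule/Upload.aspx - 203.0.113.7 200
2015-08-28 03:12:05 GET /4FaEH.asp - 203.0.113.7 200
2015-08-28 09:30:00 POST /Login.aspx - 198.51.100.20 200
2015-08-28 09:31:10 GET /4FaEH.asp - 192.0.2.44 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["when"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            yield row

def triage(text):
    """Return {script path: [(time, client IP, POST target), ...]} for POSTs
    logged within WINDOW before that script's first 2xx response."""
    rows = list(parse_w3c(text))
    first_hit = {}
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if stem.endswith(SCRIPT_EXT) and r["sc-status"].startswith("2"):
            first_hit[stem] = min(first_hit.get(stem, r["when"]), r["when"])
    return {
        stem: [(r["when"].isoformat(" "), r["c-ip"], r["cs-uri-stem"])
               for r in rows
               if r["cs-method"] == "POST" and when - WINDOW <= r["when"] <= when]
        for stem, when in first_hit.items()
    }

if __name__ == "__main__":
    for script, posts in triage(SAMPLE_LOG).items():
        print(script, posts)
```

An empty list for a script means no web upload was logged in the window, which points toward a non-HTTP route such as FTP or a server-level compromise.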
 
New Post
9/3/2015 4:05 PM
 

Typically, when you see unexpected filetypes such as asp, that indicates that something external to the website is at fault, i.e. compromised FTP account details or a security issue with a server level product (e.g. IIS/SQL/mail products). Most often it's a server level exception, as those hacks typically deploy "payloads", e.g. a server level issue exploits the machine and a copy of a number of files (typically asp/php) is dropped into the root folder of every website on the server.

The advice given by others is good - I'd suggest you follow it and also ensure your server is well patched (both Windows and anything you run on it that has an endpoint, e.g. mail servers, control panel products etc.)


 
New Post
9/15/2015 1:09 PM
 
Sebastian, Joe, Cathal,

Thanks for your help!

The hosting platform I'm using requires FTP over TLS encryption to access the FTP server. Along with the strong password I'm using, FTP is not likely the weak link.

I checked and made sure classic ASP is disabled.
Classic ASP may be the weak link.
I've been changing different Web-server settings and am not certain whether classic ASP was enabled when the attack took place.

The website does have the "/providers/htmleditorproviders/fck" folder, which Sebastian mentioned.

When I access "Host/Installed Extensions" as Super-user, I see the following Html editor providers in the "Providers" section:
- DotNetNuke Fck Html Editor Provider
- Telerik Editor Provider

From the "HTML Editor Manager", I see the following 3 options which can be set as "Current Provider":
- FckHtmlEditorProvider
- TelerikEditorProvider
- DotNetNuke.RadEditorProvider
When selecting any one of the above 3 options, the following warning message (yellow) is shown:
"The current HTML Editor Provider is not supported by this version of the HTML Editor Manager."
Note: The "Change" button is disabled (grayed out).

Question about HTML Editor:
- Which HTML Editor provider should I use for DNN 7.4.1?

While going through the DNN system to review security-related issues, I found the "Security Analyzer" to be very useful to help find all ASP and PHP files.
In addition to finding ASP and PHP files, the Security Analyzer also identified that a "Rich text field" is used by the public profile, with the message:
- "CheckBiography: Check if public profile fields use richtext" --> "The field is richtext"

Question about Richtext field:
- How do I change the public profile field from "Richtext" to "Plaintext"?


Best Regards,
Sam
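
A stand-alone sweep for the indicators described in this thread (.asp/.php files, and the same-name .asp/.gif pairs from the first post), as an added example that is not the Security Analyzer's code or any poster's: it walks a site folder and reports each script file with its same-name siblings and last-modified time. The folder layout built by `demo()` is constructed.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime

SCRIPT_EXT = {".asp", ".php"}   # types named in the thread; extend as needed

def scan_webroot(root):
    """Map each script file (path relative to root) to its same-name siblings
    in the same folder and its last-modified time."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        by_stem = defaultdict(list)
        for name in files:
            stem, ext = os.path.splitext(name)
            by_stem[stem.lower()].append((name, ext.lower()))
        for members in by_stem.values():
            for name, ext in members:
                if ext not in SCRIPT_EXT:
                    continue
                full = os.path.join(folder, name)
                findings[os.path.relpath(full, root)] = {
                    "siblings": sorted(n for n, e in members if e not in SCRIPT_EXT),
                    "modified": datetime.fromtimestamp(os.path.getmtime(full)),
                }
    return findings

def demo():
    """Build a constructed site tree in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("Default.aspx", "4FaEH.asp", "4FaEH.gif",
                    os.path.join("Portals", "0", "logo.gif"),
                    os.path.join("Portals", "0", "old.php")):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return scan_webroot(root)

if __name__ == "__main__":
    for path, info in sorted(demo().items()):
        print(path, info["siblings"], info["modified"].isoformat(" ", "seconds"))
```

Modified times can be reset by whoever wrote the file, so treat them as a hint when lining findings up against the IIS logs.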
 