
DNN Community Forums > Our Community > General Discuss... > DNN 6.2 and DNN 7.2 Hacked already... HELP ME....
New Post, 10/2/2014 5:53 PM

(Using the forum with IE10/11 causes all of these weird sections to be entered...)

Where are the exact instructions of what we should be doing to resolve this issue?


New Post, 10/2/2014 6:53 PM

How can anyone say they don't use real email addresses? The issue is they are using real email addresses, because I have people emailing me about being registered or having a verification for registering.

Spammers are only interested in creating user accounts to add spam to the user profile. When verification is on, the user profile is not visible until the user is verified, which can only be done with an email address at which they can receive an email. Most of the reports we see are spam accounts with randomly generated emails (some of which then turn out to be real, but these users did not register). Note we have some evidence that they return at a later point and try to log in; as the user is not verified, they cannot do so.

Maybe not all, but this is an issue which should make you even more concerned, because it is making DNN-based websites look really bad (for the owners). I upgraded to 7.3.2 the day it came out. It has not solved the problem. I have captcha on; it has not solved the problem. The ONLY one of many DNN websites I have that is not having the problem is one where I moved the login page to a new name (as suggested somewhere in the forums). That is a great idea, and one that DNN could have scripted into 7.3.2 very easily.

The advice is to upgrade to 7.3.2 or above. Upgrading to 7.3.2 or above resolves this for the majority of users. Some sites still see a small number of registrations, but at a guess we're seeing a tiny percentage of registrations succeed (i.e. automated captcha crackers still crack a captcha just one at a time, and not one cracked captcha used to create dozens/hundreds of accounts), so if your site got 500 registrations before, upgrading to 7.3.2+ likely means you see no new registrations. Some sites that saw tens of thousands of registrations likely still see 5 or 10 registrations (short of getting people's IIS logs I can't see for sure).

Finally, regarding reCaptcha, I have reports that it doesn't fully solve the issue; it (similar to the 7.3.2 fix) dramatically reduces it. This suggests an increase in general spammer activity targeted at CMSs (if you check, WordPress, Joomla, Drupal etc. suffer from the same issue), alongside better automated captcha cracking.

The primary issue is that the DNN captcha from version 3.0 to 7.3.1 suffered from an issue where one cracked captcha could be reused (known as a "replay attack"). This was fixed in 7.3.2, so upgrading to 7.3.2 or above resolves that issue.

As to moving the login page, that does not fix the issue; it's simply "security by obscurity", i.e. hiding the page defeats the current automated spammer. It would be trivial to change the script to make a request for a secured page (e.g. yoursite.com/host), record the page it redirects to (the login page) and then use that to register accounts.


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
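The "replay attack" described in the post above, as an added example that is not DNN's code (DNN is written in C#; this illustration is in Python so it runs stand-alone). It assumes a stateless captcha design where the server issues a nonce plus an HMAC tag over the answer and keeps no per-challenge state: the vulnerable checker only confirms the tag matches, so one solved challenge is accepted on every registration request; the hardened checker additionally records each consumed nonce until the challenge would have expired anyway. All names, the key and the TTL are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server secret for the example only; a real deployment loads
# one from configuration and never hardcodes it.
SERVER_KEY = b"example-server-secret-not-for-production"
# Characters that survive blurring in a captcha image (no 0/O, 1/I).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _tag(key, nonce, issued, answer):
    """HMAC binding the challenge answer to its nonce and issue time, so the
    server can verify statelessly without storing the answer anywhere."""
    msg = f"{nonce}:{issued}:{answer}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_challenge(key=SERVER_KEY, now=None):
    """What the registration form would carry: nonce, issue time and tag as
    hidden fields, plus the text that would be rendered into the image."""
    now = int(time.time()) if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    nonce = secrets.token_hex(8)
    return {"nonce": nonce, "issued": now,
            "tag": _tag(key, nonce, now, answer), "image_text": answer}


class ReplayableCaptcha:
    """Vulnerable check (the 3.0-7.3.1 behaviour the post describes): valid
    only means 'tag matches and not expired', so a bot that solves one
    challenge can submit the same fields with every registration."""

    def __init__(self, key=SERVER_KEY, ttl=300):
        self.key = key
        self.ttl = ttl

    def verify(self, nonce, issued, tag, answer, now=None):
        now = int(time.time()) if now is None else now
        if now - issued > self.ttl:
            return False
        # Constant-time comparison so the tag can't be guessed byte by byte.
        return hmac.compare_digest(_tag(self.key, nonce, issued, answer), tag)


class SingleUseCaptcha(ReplayableCaptcha):
    """Hardened check: a nonce is accepted once and then remembered until the
    challenge would have expired anyway, which bounds the memory used."""

    def __init__(self, key=SERVER_KEY, ttl=300):
        super().__init__(key, ttl)
        self._consumed = {}  # nonce -> time after which it can be forgotten

    def verify(self, nonce, issued, tag, answer, now=None):
        now = int(time.time()) if now is None else now
        self._consumed = {n: exp for n, exp in self._consumed.items() if exp > now}
        if nonce in self._consumed:
            return False  # replayed: already spent on an earlier registration
        if not super().verify(nonce, issued, tag, answer, now):
            return False
        self._consumed[nonce] = issued + self.ttl
        return True


def registrations_from_one_solve(captcha, attempts=50):
    """Simulate the spam bot: solve (here: simply read) one challenge, then
    replay the identical nonce/tag/answer on every registration request.
    Returns how many registrations the checker let through."""
    ch = issue_challenge(captcha.key)
    created = 0
    for _ in range(attempts):
        if captcha.verify(ch["nonce"], ch["issued"], ch["tag"], ch["image_text"]):
            created += 1  # the site would create an account here
    return created


if __name__ == "__main__":
    print("replayable checker:", registrations_from_one_solve(ReplayableCaptcha()))
    print("single-use checker:", registrations_from_one_solve(SingleUseCaptcha()))
```

The single-use checker still lets an automated cracker through, but only once per cracked image, which is the "one at a time" behaviour the post attributes to 7.3.2+; the consumed-nonce store must be shared across web-farm nodes (e.g. in the database or a cache), otherwise a bot can replay the same token against each node.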

New Post, 10/3/2014 2:09 AM
cathal connolly wrote:
We have no real idea, as we don't have access to the statistics of requests/captcha cracking. reCaptcha is regarded as an industry standard, so it is the main target for captcha-crackers, so they tend to be quite good. DNN's captcha is not as complex as reCaptcha, but as it's not explicitly being targeted it may be that it performs better. I'd recommend that you upgrade to 7.3.2 or above and switch to DNN's captcha and see if that changes anything; if it does, please report back.

Dear Cathal,

Last night I uninstalled the iWeb Registration Module and used the DNN 7.3.2 CAPTCHA for user registration. When I was using reCAPTCHA via the i-Web reCAPTCHA Registration module I had 10-20 spam registrations per day!!! Since I uninstalled it from the Extensions page and used the DNN 7.3.2 CAPTCHA, from last night until now (less than 9 hours) I have had more than 30 spam registrations. Right now I have upgraded to 7.3.3 and I am waiting for new results; I will inform you again.

I am sure the DNN team should finish this story, because we are losing our clients' belief in DNN security; they will choose another CMS and it will be a big loss for DNN....

This problem should be at Blocker level in your JIRA, to fix it forever. It's very simple: I have seen many CAPTCHAs that ask questions, or combine questions and CAPTCHA together, to keep safe from spam registrations. I really don't know why you don't think about logical questions in your CAPTCHA....


New Post, 10/3/2014 4:34 AM
Armin, I believe that logical questions are as easy to break as blurred images. Just because you have seen them on other sites does not mean they are any better. Do you have any real evidence that logical questions are better at identifying humans?

I do not see how DNN Core can 'fix' this. There is no hack. The spam registrations do exactly the same operations as a human operator does. How can they fix it? They can make it harder to register new users - that will mean more humans will be put off registering.

Best wishes,
- Richard
Agile Development Consultant, Practitioner, and Trainer
www.dynamisys.co.uk

New Post, 10/3/2014 10:09 AM
Richard is correct: logical puzzles are extremely easy to crack, easier than captcha images, hence why they're not common.

Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US