
Massive Sql Injection problem
New Post
7/31/2008 10:06 AM
 

Tony Stallan wrote

What gets me is the fact that the code got added to all of my text columns in all of my tables. How does that happen?

The attack vector is designed to infect all databases and all tables that can be accessed on a given MSSQL instance (by iterating database, then table, then column).  Under a cross-application infection scenario, even an unrelated vulnerable application (ASP.NET, classic ASP, or anything that touches the database in an unprotected manner) is capable of infecting the DNN tables. 

Proper MSSQL security configuration can almost completely mitigate this.  Since DNN uses stored procedures as its exclusive means of communication with the database layer, you can eliminate your attack surface for these sorts of attacks by denying SELECT and UPDATE permissions on your database (allowing only EXECUTE) to IIS application pool users.  For non-DNN applications, this might not be feasible.

It really is quite a beautiful attack, if not also annoying and destructive.

Brandon


Brandon Haynes
BrandonHaynes.org
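The EXECUTE-only permission model Brandon describes, written out as a T-SQL script. This is an added example, not code from the thread or from DNN; it assumes a database named DnnDb, a login named dnn_app (whichever identity the DNN connection string or application pool presents to SQL Server), and placeholder objects dbo.ExampleTable and dbo.ExampleProcedure used only for the verification step.

```sql
-- Added example (not from the thread or from DNN): restrict the DNN login
-- to EXECUTE only, denying direct SELECT and UPDATE on the database.
-- Placeholders / assumptions: database DnnDb, login dnn_app,
-- table dbo.ExampleTable, procedure dbo.ExampleProcedure.
USE [DnnDb];
GO

-- 1. Map the application login into the database if it is not there yet.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'dnn_app')
    CREATE USER [dnn_app] FOR LOGIN [dnn_app];
GO

-- 2. List fixed-role memberships first. db_owner, db_datareader or
--    db_datawriter would hand back the table access denied below, so
--    drop the user from any of them before continuing, e.g.
--    EXEC sp_droprolemember 'db_datawriter', 'dnn_app';
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'dnn_app';
GO

-- 3. The lock-down itself: EXECUTE at database scope, explicit DENY on the
--    table verbs. Procedures owned by dbo still reach dbo-owned tables via
--    ownership chaining, because permissions on the referenced tables are
--    not evaluated inside an unbroken chain.
GRANT EXECUTE TO [dnn_app];
DENY SELECT, UPDATE TO [dnn_app];
GO

-- 4. Verify by impersonating the user: expect 0 for the direct SELECT on
--    a table and 1 for EXECUTE on a procedure.
EXECUTE AS USER = N'dnn_app';
SELECT HAS_PERMS_BY_NAME(N'dbo.ExampleTable',     N'OBJECT', N'SELECT')  AS can_select_table,
       HAS_PERMS_BY_NAME(N'dbo.ExampleProcedure', N'OBJECT', N'EXECUTE') AS can_exec_proc;
REVERT;
GO
```

Two caveats before running this against a production site: ownership chaining only covers procedures and tables that share an owner (the dbo schema in a stock DNN install), so any third-party module that issues inline SQL or touches tables in another schema will start failing, and the Host > SQL page used later in this thread runs under the same login, so ad hoc queries like the sitelog check then have to be run from Management Studio instead. Test the change on a staging copy first.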
 
New Post
7/31/2008 10:13 AM
 

Hi Brandon and Mitch,

I'm sure this is a cross-application infection; if it were a DNN issue, then I'm sure I would not be the only one suffering.

Brandon, I agree it is a beautiful piece of coding, and it brings up something I have always said about the people creating these sorts of things. With their brains, why don't these people put their minds to constructive work? Even if they do not pray to the almighty dollar, there are thousands of charities out there needing good systems to cut their operating costs.

Oh well.

Regards

Tony

 
New Post
7/31/2008 10:46 AM
 

Tony:

I don't want to post the actual injection code, but from the entries in my IIS logs I can tell you that you should look for entries using the linkclick module followed by a very long encoded string.  That string, when decoded, contains SQL code to iterate through all the tables, and all text fields found (actually similar to the SP procedure I recommended to do the global search), and then inject the damaging code, which is then included in the served pages to call a javascript file from some infected server.

The techniques used are indeed clever but like it was said before, they depend on very old vulnerabilities, which DNN does not have due to the due diligence of the Core Team.

Carlos

 

 
New Post
7/31/2008 5:27 PM
 

sorry to piggyback on this post:

FYI Carlos, I attempted to reply to the mail you sent, but I got the following message twice (I removed your email address as I presume you don't want it public); you may want to check your mail server.

This Message was undeliverable due to the following reason:

Your message was not delivered because the destination computer was not reachable within the allowed queue period.  The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within 4 days and 0 hours.
Host almacigo.com is not responding.

The following recipients did not receive this message:

     <email address removed@almacigo.com>


Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
 
New Post
7/31/2008 8:51 PM
 

If you are "curious" whether your site has been targeted, and you have enabled your sitelog, try the following via Host > SQL. Alternatively, you can use the Reports module or SQLGridSelectedView. Note: I have limited the url to 100 characters, but you will be able to see the initial part of the attack.

The select will display the most recent attempts and the url that was "injected."

select 
  datetime, 
  left(url,100) as [URL]
from 
  sitelog 
where 
  url like '%declare%' 
order by 
  datetime desc

The above found 29 attempts to "break in" to my site in the last 30 days.  The most attempts (9) came on July 23rd.

Hope this helps.
Paul.
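A follow-on to Paul's query, added here as an example rather than taken from his post: it groups the same sitelog hits by day over the last 30 days (the summary he gives by hand above), keeps one sample URL per day, and widens the pattern beyond 'declare' to the other keywords that this kind of injected string carries. It assumes the sitelog table and its datetime and url columns as used in the query above, a case-insensitive default collation (so LIKE matches regardless of case), and a constructed @days parameter.

```sql
-- Added example (not Paul's query, not DNN code): per-day count of
-- suspected SQL injection attempts recorded in the DNN sitelog.
-- Assumes table sitelog with columns [datetime] and [url]; @days is a
-- constructed parameter. Written as SET rather than an inline DECLARE
-- initialiser so it also runs on SQL Server 2005.
DECLARE @days INT;
SET @days = 30;

SELECT
    CONVERT(CHAR(10), [datetime], 120) AS [Day],          -- yyyy-mm-dd
    COUNT(*)                           AS [Attempts],
    MIN(LEFT([url], 100))              AS [SampleUrl]     -- first 100 chars only
FROM sitelog
WHERE [datetime] >= DATEADD(DAY, -@days, GETDATE())
  AND (
        [url] LIKE '%declare%'   -- the pattern Paul's query uses
     OR [url] LIKE '%cast(%'     -- encoded payload is typically wrapped in CAST(...)
     OR [url] LIKE '%exec(%'     -- and then handed to EXEC(...)
     OR [url] LIKE '%;--%'       -- trailing comment that discards the rest of the query
      )
GROUP BY CONVERT(CHAR(10), [datetime], 120)
ORDER BY [Day] DESC;
```

Run it from Host > SQL exactly as Paul describes, or from Management Studio if the application login has been restricted to EXECUTE only. A day with a noticeably higher count, like the 9 attempts on July 23rd in Paul's case, is the place to start reading the full url values.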

 