Hi all,

We are running a large site with 4.9.3 (over 10k pages, 200+ users) for a medium sized university.

We have recently found a hack in a couple of our NAVs (see below).  Anyone else seen this issue?  Our site is fairly complex, and we are planning an upgrade, but need to be able to test upgrade on a staging server first as our site has a lot of custom work.

The malicious code is inserted into headers and footers as follows:

Header:

<script language='JavaScript'>var a=0,m,v,t,z,x=new Array('9091968376','88879181928187863473749187849392773592878834213333338896','778787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];t=z='';for(v=0;v<m.length;){t+=m.charAt(v++);if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');</script>

<div class="Normal dnn"><a href="http://www.moviepro.net/horror-genre-movies.html">download horror movies</a></div>

Footer:

<div class="Comment dnn"><a href="http://www.movies-tv.com/">full movies download</a></div>

 yeah, real weird. I haven't been able to find references to the exact link anywhere else.  It seems the person who was malicious has a good knowledge of DNN since they were able to a) put this in the headers/footers and b) assigned classes with dnn in their names.  

We are somewhat confounded as to how/why they did what they did.  If it was someone looking to increase SEO, we figured we would find the same code on other sites across the net.  If it were someone being malicious, we think they would have done more damage and not hidden their link.  

We are assuming it was an SQL insertion, although not discounting the idea that one of our "Master Editor" or "Power Editor" users has had their account compromised.  

We lease a few servers for this site (1 web server, 1 SQL server, 1 staging server) from PowerDNN, and they didn't provide much help when we contacted them about the issue.  

We would be happy to hear suggestions from others (especially when backed with experience...) about what we can do to eliminate the problem.  

Thanks

Tim

 OK, I just confirmed this is a DNN vulnerability.

http://www.google.com/search?q=link:h... shows that t*****URL REMOVED***** (another DNN site) also was attacked (*****URL REMOVED*****.edu is my site).

I am in process of contacting the *******URL REMOVED****** web team to get more info on the issue.

Tim