Hello!

We are facing some strange behaviour with DotNetnuke 7.4.0 installation. Some months ago, there was an attack to our website / installation through InstallWizard.aspx ("2016-06 (Critical) Unauthorized users may create new SuperUser accounts") - see details at: http://www.dnnsoftware.com/community/security/security-center

There were some thing done after the attack - we've copied clean installation over the existing files (there were no CORE modifications from our side - we've developed some custom modules, as usual). What we are facing now is, that from time "DEFAULT USER DATA - UserId = 0" is missing in aspnet_Users table. The consequence is, that we're unable to login with that account.

So, what we are doing is, that we re-fill data in aspnet_Users table (ApplicationId, UserId, UserName, LowereduserName, MobileAlias, IsAnonymous, LastActivityDate). Everything is OK after that, but we are afraid that this will happen again. Once again, there were no CORE modification, there are no additional HOST accounts created, everything is OK with SQL base users. All other users has no issues with login, there are problem just with HOST account. All other functionalities are OK.. Did someone came across with the similar issue? It looks like out DotNetNuke instance is still infected..

Thank you for you time and answers!

Sebastian thank you for your answer. I think you misunderstood my question. There is a default (first/host) user UserId = 1- every DNN installation of course has one :). What we are facing is, that the data in "aspnet_Users" for this user is missing in this table from time to time. As you know, the consequence is, that we are unable to login with the host user. Our DNN installation was under attack ("2016-06 (Critical) Unauthorized users may create new SuperUser accounts") - see details at: http://www.dnnsoftware.com/community/...) so it may be somehow related to that.

So, if i understand you correctly this is the first time to see that kind of problem (we've already done some research in JIRA Issue Tracker and Google but were unable to find similar / related issue).

Any thoughts, what could go wrong? Is there any job in DNN core that could affect "aspnet_Users" table. It is everything OK with Users table all the time. Really strange and unpleasant thing / behaviour, especially in the production environment + a lot of users active all the time. We haven't made any changed in DNN core, so we are started to think this is realted to the attack through "InstallWizard.aspx" some months ago.

Sebastian, thank you! I think the reason for such behaviour is creating HOST user which already exists - other accounts were not affected "However, if it tried to create a host user which already exists, the reoutine might have deleted assumed "leftovers"."

Thank you! We've added new host user and marked current one as "not active". As we've found out the "hard delete" of previously active "Host user" is not a recommendable thing to do. There are quite some modules on the DNN market, which have huge problems if first user does not exists - we've already experienced such things on the production environment. :)

Regards!