I can't stress this enough - having got stung again, on the weekend, because I didn't apply the patch. And why didn't I??? Well I was going to - since I did believe it was a real problem, I thought OK - I'll download it, and I did, but it broke locally so I thought I'd work on it on the weekend and see if I couldn't actually get it working - I've been using the forms module by DNN Modules but it's also had so many errors and issues with people using it that I was going to ditch it anyway.
However, just before calling it a night - 2 am- having jobs to hand over, getting things finished, I get an email stating that my server was hacked.. and sure enough.. it had been. BUT HOW... and why didn't I just remove the module - WOW I WISH I HAD..
This time I really got hit.. I had had a security check on my server earlier in the week, after finding it had been compromised, and it was all good. Thank goodness, and part of it is that I don't run much open. Since it's mainly for DNN, I don't need much turned on, not even public FTP. And only one other person has host access on the server with their modules, and tells me when they are uploading them.. Call me fussy but THIS MODULE - BDPDT HAS A SECURITY HOLE - and it's not a matter of IF, it's a matter of WHEN your server will be affected. This is because it's been running for a few years, but now a flaw has been detected.
And how far did it let someone go in my server... I'm not going to give all details to show you how they did it, but I will tell you the report given to me by Cathal - who went through the log files for the last 10 days. And here's what he said..
Parts of this have been edited by me - I don't want the details as you can understand... But this server is regarded as secure. It wasn't DotNetNuke that was insecure - but the module... so PLEASE CHECK YOUR MODULES ARE PATCHED.
I asked Cathal about this before putting it online - he said it was ok and important to let people know as soon as possible... And it's been broadcast already, but this shows you WHY it's so important. I had renamed the file, not deleted it, in preparation for me to fix it on the weekend, when I had more time.
>>>
Ok, you were first hacked via the /DesktopModules/BDPDT/****** on 2006-04-29 from about 13:30 for about 40 minutes.
The hacker their file, and started to look about. They copied your ***licence file, and looked inside a few other files.
They then changed to ***, had a look about *** (and subfolders), and then changed back to e:
They opened the *** connection string, so they could copy it into their file, and tried to use it to connect to your sql server (no doubt to steal any credit card details, mess around etc.) - can't tell if they were successful or not [assume they were]
They then took a look at your other drives (e.g. ***), but having a look at other sites, again checking connection strings, and trying to connect to sql again.
Next the hacker downloads ***.mdb. They then deleted 2 flash files, ***.swf and ***.swf, obviously meaning to replace them with stupid hacker flash files - I can't see if they did at this point, I'd advise you check.
At this point activity stopped.
They then returned @ 2006-05-02 23:16:44, did a bit of looking around, and then downloaded ***web.config, tried that connection to the database.
At this point activity stopped.
They then returned on 2006-05-05 08:46:30, and tried to use *** again. By this point it was deleted, so they couldn't do anything.
There's a short break of about 30 minutes, and then they posted a new hacker file called *** to get to /DesktopModules/BDPDT/*** (which is the broken bit of BDPDT that was still there).
They used this time to get another hacker file, just in case their original was removed by a virus scanner.
They then disappear for a while, and finally return @ 2006-05-05 15:23:35 on a different IP and begin to upload copies of their hacker files as quickly as they can, as they believe they're found out.
Note: these guys are amateurs, as anyone with any sense would have deleted all the IIS logs before they did this step. They've mostly concentrated on folders on the *** so they can claim multiple site defacings, but they did flick back to ***, so be sure to check those directories as well.
>>>
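As an added illustration (not part of Nina's post or Cathal's report), here is a small Python script that does the kind of IIS log review described above: it picks out every request under /DesktopModules/BDPDT/ and groups them by client IP into sessions separated by idle gaps, so the pattern of returns, breaks and IP changes can be read straight off the log. The log lines, IP addresses and file names are constructed sample data, not from the affected server.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended log format; not the real server's logs.
# The module path is the one named in the report; the file names are placeholders.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2006-04-29 13:30:02 10.0.0.5 POST /DesktopModules/BDPDT/upload.aspx 200
2006-04-29 13:31:10 10.0.0.5 GET /DesktopModules/BDPDT/shell.aspx 200
2006-04-29 13:32:44 192.0.2.7 GET /Default.aspx 200
2006-04-29 13:58:51 10.0.0.5 GET /DesktopModules/BDPDT/shell.aspx 200
2006-05-02 23:16:44 10.0.0.5 GET /DesktopModules/BDPDT/shell.aspx 200
2006-05-05 08:46:30 10.0.0.5 GET /DesktopModules/BDPDT/shell.aspx 404
2006-05-05 15:23:35 10.0.0.9 POST /DesktopModules/BDPDT/upload.aspx 200
"""

MODULE_PREFIX = "/DesktopModules/BDPDT/"  # path quoted in the report
SESSION_GAP = timedelta(minutes=30)       # idle time that closes a session


def parse_iis_log(text):
    """Yield (timestamp, client_ip, method, uri, status) for each request line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the lines that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue                    # other directives, or no header yet
        row = dict(zip(fields, line.split()))
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, row["c-ip"], row["cs-method"], row["cs-uri-stem"], int(row["sc-status"])


def module_sessions(text, prefix=MODULE_PREFIX, gap=SESSION_GAP):
    """Group hits on the module path into per-IP sessions; returns a chronological
    list of (ip, first_seen, last_seen, hits). A new session opens when the same
    IP has been idle for longer than `gap`."""
    sessions, open_idx = [], {}
    for ts, ip, _method, uri, _status in sorted(parse_iis_log(text), key=lambda r: r[0]):
        if not uri.lower().startswith(prefix.lower()):
            continue                    # only requests to the vulnerable module
        idx = open_idx.get(ip)
        if idx is None or ts - sessions[idx][2] > gap:
            sessions.append([ip, ts, ts, 0])
            idx = open_idx[ip] = len(sessions) - 1
        sessions[idx][2] = ts           # extend the session's last-seen time
        sessions[idx][3] += 1
    return [tuple(s) for s in sessions]
```

Running `module_sessions(SAMPLE_LOG)` on the sample yields four sessions: three from the first IP (the initial 40-minute visit, the return on 2 May, and the failed attempt on 5 May) and one from the second IP, with the unrelated /Default.aspx request left out.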
So guys, non-DNN sites were also affected: they had access to files on the hard drive, and no matter what permissions are set, if the security hole is there, it will make you vulnerable. You might like to tell your hosting company too.
I've reported this to authorities - I don't know what will occur but I suppose it all adds up to a pattern of events.. and I feel I should have acted sooner. And thanks very much to Cathal - who I'm sure never sleeps - for his tireless efforts in keeping DotNetNuke a secure product to use. IT WAS NOT DOTNETNUKE, it was a security flaw in the module. Which is a big difference. Cathal would be good to use for consultation in your company if you needed security reports for your projects.
Nina Meiers