Forum


New Post
5/27/2016 5:26 AM
 
Hi Aderson,

Just looking at the security announcement '2016-06 (Critical) Unauthorized users may create new SuperUser accounts':
http://www.dnnsoftware.com/platform/manage/security-center?mkt_tok=eyJpIjoiWXpWbVlUQXdZbVk0WkRVdyIsInQiOiJqdkhFanVTUnBOdlhEY1JMTTFaNXJ5c3drazJBU25MWUVmd1wvaGJQVFBCMHZma0VDeEJmS1pvOGRScmF6WStWT0tXXC9TN0lwMzl0S3RRS0oxbmRwQzNON3lcL2IxcGFsYzg5U2N6Unh1dTZCYz0ifQ%3D%3D

I've applied this to my sites as best I can but:
- If I look for aspx files in the root and sub folders, I'm not sure I'd spot a rogue file if I saw one.
- Also, I'm using FTP (FileZilla), and there's no way to perform a search server side with FTP as far as I know. So to get a list of all aspx and php files I'd either have to download each site and perform the search locally or search manually. Do you happen to know a better way to do this?

Steve

 
New Post
5/27/2016 5:37 AM
 

Hi Steve,

We have been dealing with a lot of this, not only for DNNHero but for our clients at DeskPal.

Here is what I recommend for you:

1 - Download all your site files via FTP to your local computer;

2 - Using a program to do text search like Notepad++ or https://www.mythicsoft.com/agentransack - perform a search for .aspx or .asp files containing either "rootkit" or "Gönder" - These are terms found inside the files we have been finding. These hackers seem to like to advertise :)

3 - If you find any, there is a good indication that your site was hacked. If you don't find any, I would perform another search just for .ASP or .PHP files. A normal DNN site shouldn't have either of these types of file extensions - If you find any, you may want to delete them;

That is what I recommend for now.

I hope it makes sense. This is what we have been doing.

Best regards,

Aderson

 
New Post
5/27/2016 5:55 AM
 

Hi Aderson,

Thank you for your reply.

OK that makes sense and sounds a good approach.

But the security warning states to search for aspx files rather than asp. No problem to delete php.
i.e. "Search the Root folder and subfolders of your site for any files with .aspx or .php extensions. Some .aspx files might be required for your site. Carefully inspect any files before deleting."

Steve


 
New Post
5/27/2016 6:00 AM
 

Hi Steve,

In my step #2 I suggested searching in .ASP and .ASPX files as well.

Best regards,

Aderson

 
New Post
5/27/2016 7:37 AM
 
Hi Aderson,

Yes you did, sorry. I take it you've discovered rogue files contain "rootkit" or "Gönder".

I thought we're supposed to check for any additional .aspx/php files. I suppose I need to find some tool to compare two directory structures.


Steve
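
Added example, not part of any post in this thread: a Python script that runs the checks discussed above against a site copy downloaded via FTP. It flags .aspx/.asp/.php files containing "rootkit" or "Gönder", flags any .asp/.php file, and, when given a clean baseline directory, flags script files that the baseline does not contain. The baseline directory (for example a known-good backup), the function names and the encoding list are assumptions of this example.

```python
import os
import sys
from pathlib import Path

MARKERS = ("rootkit", "Gönder")       # strings named in the thread
SCRIPT_EXTS = {".aspx", ".asp", ".php"}
UNEXPECTED_EXTS = {".asp", ".php"}    # per the thread, not part of a normal DNN site
ENCODINGS = ("utf-8", "cp1254", "utf-16-le")  # assumption: likely encodings of "Gönder"

def script_files(root):
    """Return {lowercased relative path: Path} for every script file under root."""
    root = Path(root)
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            if path.suffix.lower() in SCRIPT_EXTS:
                found[path.relative_to(root).as_posix().lower()] = path
    return found

def markers_in(path):
    """Case-insensitive (ASCII) byte search, so the file's encoding need not be known."""
    data = path.read_bytes().lower()
    return [m for m in MARKERS
            if any(m.lower().encode(enc) in data for enc in ENCODINGS)]

def scan(site_root, baseline_root=None):
    """Return {relative path: [reasons]} for files that need manual inspection."""
    baseline = script_files(baseline_root) if baseline_root else None
    report = {}
    for rel, path in sorted(script_files(site_root).items()):
        reasons = [f"contains {m!r}" for m in markers_in(path)]
        if path.suffix.lower() in UNEXPECTED_EXTS:
            reasons.append(f"unexpected {path.suffix.lower()} file")
        if baseline is not None and rel not in baseline:
            reasons.append("not in baseline")
        if reasons:
            report[rel] = reasons
    return report

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: scan_site.py <downloaded_site_dir> [<clean_baseline_dir>]")
    for rel, reasons in scan(*sys.argv[1:3]).items():
        print(f"{rel}: {'; '.join(reasons)}")
```

A "not in baseline" hit on an .aspx file is only a prompt to inspect it: as the announcement quoted above says, some .aspx files might be required for your site.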
 