[How do I know if my DNN site was hacked?]
DotNetNuke (DNN) is an ideal choice for your web CMS and application requirements due to its robust, scalable, and highly customizable platform. It offers a powerful content management system with extensive module support, allowing for easy integration of new features and functionalities. DNN is built on the Microsoft stack, ensuring strong security, performance, and compatibility with existing enterprise environments. With a large community and a wealth of resources, DNN provides both flexibility and reliability, making it well-suited for businesses seeking a dynamic, secure, and user-friendly solution for their web applications.
DotNetNuke has undergone several security penetration tests conducted by various entities, with generally positive outcomes. Any identified vulnerabilities have been addressed, and now multiple layers of integrated security measures are in place to counter common web application attacks. However, in security, diversity is key. By taking the time to harden your installations and customize them beyond the default setup, you add an additional layer of protection.
MODULE SECURITY
When developing DotNetNuke modules, it's essential for developers to prioritize security by addressing common vulnerabilities and providing guidance on how to identify and mitigate potential risks. One fundamental security principle to follow is "Defense in Depth," which involves layering multiple protective measures to safeguard against various types of attacks. A hacker skilled in one area, such as SQL injection, may struggle to bypass multiple layers of defense. To enhance security, avoid making assumptions in your code and implement validation at multiple levels. For instance, if you're developing a module that handles file uploads, ensure that you validate the user, restrict file types to a safe set of extensions, and don't assume that any incoming request is safe. This layered approach significantly strengthens the security of your modules.
HOSTING SECURITY
Administrators or webmasters are responsible for securing the installation and configuration of DotNetNuke. Given the wide variety of environments where DotNetNuke can be deployed, this guide is not prescriptive but is intended to help you assess and choose the settings that best suit your specific deployment.
DotNetNuke has been around for several years, and like any evolving project, certain historical decisions and scenarios have shaped its development. With careful consideration, some of these areas can be fortified to offer a higher level of protection against potential threats. This guide provides recommendations for securing both new installations and tightening the security of existing deployments. Before planning your DotNetNuke installation, it's crucial to first secure your servers, including both IIS and, if applicable, SQL Server.
How to Identify if My DNN Website Has Been Hacked
To determine if your DotNetNuke (DNN) site has been hacked, you can follow these steps:
- Check for Unusual Activity:
  - Look for unexpected changes or additions to content, modules, or user accounts.
  - Monitor your site's logs for unusual access patterns or errors.
- Verify File Integrity:
  - Compare your current files with a known good backup. Look for unauthorized changes or new files that you didn't add.
- Examine User Accounts:
  - Review user accounts and permissions for any that seem unfamiliar or have elevated privileges without your authorization.
- Review Security Logs:
  - Check DNN's security logs for suspicious login attempts or changes.
- Scan for Malware:
  - Use a reputable security scanner to check for malware or malicious code on your server.
- Check for Vulnerabilities:
  - Ensure that your DNN installation, modules, and extensions are up-to-date and patched against known vulnerabilities.
- Monitor Performance:
  - Notice if your site's performance has degraded, which could be a sign of unauthorized activity.
- Consult with Security Experts:
  - If you suspect a breach but cannot identify it yourself, consider consulting with a security expert familiar with DNN.
DotNetNuke Security Analyzer Tool: https://github.com/DNNCommunity/DNN.SecurityAnalyzer/releases
The DotNetNuke Security Analyzer Tool is a utility designed to help administrators assess the security posture of their DotNetNuke (DNN) installation. It scans the DNN environment for potential vulnerabilities, configuration issues, and outdated components that could pose security risks. The tool provides detailed reports and recommendations for mitigating identified issues, helping ensure that the DNN site is secure against threats and adheres to best practices for security management.
The DNN Security Analyzer is a module designed to enhance the security of your DNN website. This initial version automatically addresses a recently discovered vulnerability in the Install Wizard and offers guidance on other potential configuration issues that could leave your site exposed. Additionally, it includes a feature to scan your database and files for specific words or phrases, which is useful for identifying defacement issues. This module will become a standard component of the DNN Platform starting with version 7.4.1, but we have made it available for DNN 6.2.0 and later to benefit the community as soon as possible.
Here are some essential tasks to help secure your DNN site, though this list is not exhaustive:
- Download and Install the DNN Security Analyzer Module: This free tool performs a thorough scan of your site for common vulnerabilities and can help identify if your site has been compromised. For more details, you can check out this 2015 link: DNN Security Analyzer. Given the age of this post, it's crucial to act if you haven't already.
- Change Your FTP Passwords and Close Unnecessary FTP Accounts: FTP can be a target for brute-force attacks and may be exploited in conjunction with other vulnerabilities.
- Change Host and Admin Passwords: This is crucial, especially if you suspect a compromise. The DNN Security Analyzer can also advise on this, but securing admin access is a critical step.
- Remove Wizard and Install Files: These files are known vulnerabilities in DNN 7 and older versions, so removing them is essential.
- Look for Backdoors: Check for any unauthorized ASP or PHP files that hackers might have installed. These could be hidden in obscure directories or the root folder and identifying them is crucial.
- Turn Off Public Registration: Disable public registration unless necessary. By default, DNN enables this, but it can be exploited to create bot accounts that may lead to further vulnerabilities.
- Install Google ReCAPTCHA: This helps secure your forms and prevent bot activity.
- Upgrade to the Latest Secure Version of DNN: While upgrading can be challenging, especially with large sites or custom code, it's vital for maintaining security.
These steps are foundational for securing your site. After updating passwords, installing the DNN Security Analyzer module is highly recommended as it helps audit for malicious code, permission issues, and dangerous applications.
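The "Verify File Integrity" and "Look for Backdoors" steps above can be automated. The following PowerShell is an added example (not part of the original post or of DNN itself): it hashes every file under the site root, records a baseline from a known-good backup, and reports files that were added, modified or removed, flagging server-executable extensions that deserve immediate review. All paths and function names are placeholders of my own.

```powershell
# Added example (not DNN project code). Builds a SHA256 baseline from a clean
# backup and diffs the live site root against it. Paths are placeholders;
# expect benign differences in web.config (connection strings) and in log or
# cache folders such as Portals\_default\Logs and App_Data when reviewing output.
$ExecutableExt = @('.asp', '.aspx', '.ashx', '.asmx', '.php', '.exe', '.dll', '.config')

function Get-FileHashTable {
    # Returns @{ relativePath = SHA256 } for every file under $Root.
    param([string]$Root)
    $Root = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $table = @{}
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $table[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

function New-Baseline {
    # Run this against the known-good backup copy, not the live site.
    param([string]$Root, [string]$OutCsv)
    (Get-FileHashTable -Root $Root).GetEnumerator() |
        ForEach-Object { [pscustomobject]@{ Path = $_.Key; Hash = $_.Value } } |
        Export-Csv -LiteralPath $OutCsv -NoTypeInformation
}

function Compare-SiteToBaseline {
    param([string]$Root, [string]$BaselineCsv)
    $baseline = @{}
    Import-Csv -LiteralPath $BaselineCsv | ForEach-Object { $baseline[$_.Path] = $_.Hash }
    $current = Get-FileHashTable -Root $Root
    foreach ($p in $current.Keys) {
        $ext  = [System.IO.Path]::GetExtension($p).ToLowerInvariant()
        $note = if ($ExecutableExt -contains $ext) { 'server-executable: review immediately' } else { '' }
        if (-not $baseline.ContainsKey($p)) {
            [pscustomobject]@{ Status = 'ADDED'; Path = $p; Note = $note }
        } elseif ($baseline[$p] -ne $current[$p]) {
            [pscustomobject]@{ Status = 'MODIFIED'; Path = $p; Note = $note }
        }
    }
    foreach ($p in $baseline.Keys) {
        if (-not $current.ContainsKey($p)) { [pscustomobject]@{ Status = 'REMOVED'; Path = $p; Note = '' } }
    }
}

# Usage with placeholder paths: baseline the clean backup once, then diff the live site.
New-Baseline -Root 'D:\Backups\dnn-clean' -OutCsv 'C:\audit\baseline.csv'
Compare-SiteToBaseline -Root 'D:\Sites\dnn' -BaselineCsv 'C:\audit\baseline.csv' |
    Sort-Object Status, Path | Format-Table -AutoSize
```

An ADDED .asp, .aspx or .php file that no administrator placed is the pattern the "Look for Backdoors" step describes; a MODIFIED core .dll or .config outside a planned upgrade warrants the same scrutiny.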
DOTNETNUKE ATTACKS
DotNetNuke (DNN) RCE via SQL: A SQL console is accessible under the Settings page, where one can enable xp_cmdshell and run operating system commands, resulting in Remote Code Execution.
DotNetNuke Cookie Deserialization: The DNNPersonalization cookie carries an XML value. Because that value can be user-supplied through the request headers, the type passed to the XmlSerializer can be controlled, resulting in unrestricted file upload, arbitrary file read, file deletion, and various other actions. You can see an example payload below, using the Write File method of the DotNetNuke.Common.Utilities.FileSystemUtils class, to read files from the target system.
ASP/ASPX webshell: Via FTP, add or upload .asp or .aspx files (if the ASP extension is allowed to execute), or use /admin/file-management to upload an ASP webshell called shell.asp.
DNN Administration Authentication Bypass: The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote attackers to reinstall the application and gain SuperUser access via a direct request to Install/InstallWizard.aspx.
File upload vulnerability through bypassing client-side file extension check: As a standard user, you are permitted to upload files with the following extensions by default: bmp, gif, ico, jpeg, jpg, jpe, png, and svg. The file upload module used by superusers is also available to normal users, but with additional validation that excludes certain extensions, such as CSS.
Zip Slip vulnerability: Zip Slip is a type of "directory traversal" attack that exploits inadequate validation of directory names during archive extraction. This vulnerability allows an attacker to overwrite files with specific extensions on the system and potentially execute malicious code.
Telerik Web UI Controls: Insecure file upload mechanisms allowed attackers to upload malicious files, gaining unauthorized access to the site. This exploit was particularly severe in older versions of Telerik that were not updated or properly secured. See https://www.dnnsoftware.com/community-blog/cid/155449/critical-security-update--september2017
All DotNetNuke attacks are handled by the DNN Security team, which provides a central point of contact for reporting incidents and discussing the details of any security attempts. You can communicate with the team and find more information at the DNN Security Center: http://security.dotnetnuke.com
NON-TECHNICAL WAYS TO KNOW
- Google Chrome (or another browser) Shows A Warning When Visiting Your Website
- View “Security Issues” in Google Search Console
- Use Google’s Safe Browsing tool
- Watch for notifications from hosting providers, browsers, and more
- Google Search Console Sends a Message Saying Your Website Is Hacked or Has Malware
- Check for cloaked hacked content with Google’s URL Inspection Tool
- Outbound Ports 80, 443, 587 and 465 For Your Account Are Blocked
- Customers Complain About Their Credit Card Being Hacked
- Your Emails Are Sent to The SPAM Folder
- Ads & Pop-ups Open When Visiting Your Website
- Your Website Becomes Very Slow and Shows Error Messages
- Your Website Is Being Redirected to Hacked Sites
- You See a Traffic Spike, Sometimes On Pages That Don’t Exist
TECHNICAL WAYS TO KNOW
- Strange Looking JavaScript in Your Website Code
- You Find Unexpected Error Messages in Your Error Logs
- Unknown Code or Redirects in The .htaccess File
DNN HARDENING AND SECURITY
Installing/Upgrading with Non-dbo Users: It's possible to install DotNetNuke using a non-dbo user. The minimum permissions required include membership in the db_datareader, db_datawriter, db_ddladmin, and db_securityadmin roles. Additionally, the user must have Execute rights for running stored procedures. However, some upgrades might encounter errors if db_owner permissions are not granted. In such cases, another user with db_owner permissions may need to manually modify database settings, such as incrementing the database compatibility level, especially when upgrading to DNN 7.4.0 or later.
Please be aware that third-party modules may require additional permissions. Specifically, modules that allow the use of direct SQL, including the core Reports module, will need more than just the ability to execute stored procedures.
DotNetNuke primarily requires elevated permissions during installation, upgrading, and when installing or upgrading certain extensions. This is because these processes involve executing scripts with DDL instructions, such as SQL commands to create and modify tables and stored procedures.
However, outside these scenarios, most sites only need to execute stored procedures with DML instructions like SELECT, INSERT, UPDATE, and DELETE. To accommodate this common setup, DotNetNuke offers an optional upgradeConnectionString. The connection defined in this string is used for core and module installations or upgrades, while the standard connection string is used for the site's daily operations. For enhanced security, a site can assign a dbo user to the upgrade connection string and a more restricted user with only read permissions (e.g., db_datareader) and the ability to execute stored procedures for daily use.
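The split between a restricted daily-use account and a dbo account for the upgradeConnectionString can be provisioned as follows. This is an added example, not DNN's own script: it uses Invoke-Sqlcmd from the SqlServer PowerShell module, and the server, database, login names and password placeholders are assumptions to be replaced.

```powershell
# Added example (not DNN project code). Creates a restricted runtime user with the
# roles the text lists for daily use plus EXECUTE on stored procedures, and a
# separate db_owner user reserved for the upgradeConnectionString.
# Requires the SqlServer module (Invoke-Sqlcmd). Names below are placeholders.
$Server   = 'SQLSERVER01'
$Database = 'DNN_Site'

$Tsql = @"
-- Daily-use login: read access plus EXECUTE, no db_owner.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'dnn_runtime')
    CREATE LOGIN [dnn_runtime] WITH PASSWORD = '<StrongRuntimePassword>';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'dnn_runtime')
    CREATE USER [dnn_runtime] FOR LOGIN [dnn_runtime];
ALTER ROLE db_datareader ADD MEMBER [dnn_runtime];
GRANT EXECUTE TO [dnn_runtime];
-- Add db_datawriter only if a module issues direct DML instead of stored procedures,
-- as the text notes some third-party modules (and the core Reports module) do.

-- Upgrade login: used only by upgradeConnectionString during installs/upgrades.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'dnn_upgrade')
    CREATE LOGIN [dnn_upgrade] WITH PASSWORD = '<StrongUpgradePassword>';
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'dnn_upgrade')
    CREATE USER [dnn_upgrade] FOR LOGIN [dnn_upgrade];
ALTER ROLE db_owner ADD MEMBER [dnn_upgrade];
"@
Invoke-Sqlcmd -ServerInstance $Server -Database $Database -Query $Tsql

# Audit: confirm the runtime account did not end up in db_owner or db_ddladmin.
$Check = @"
SELECT dp.name AS principal_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.database_principals dp ON dp.principal_id = rm.member_principal_id
WHERE dp.name IN ('dnn_runtime', 'dnn_upgrade')
ORDER BY dp.name, r.name;
"@
Invoke-Sqlcmd -ServerInstance $Server -Database $Database -Query $Check | Format-Table -AutoSize
```

Point the site's normal connection string at dnn_runtime and the upgradeConnectionString at dnn_upgrade; the audit query should list only db_datareader for dnn_runtime.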
Password Complexity: Enhancing password complexity is one of the simplest and most effective methods to boost security significantly. The key elements are password length and complexity. A good starting point is a password with at least 8 characters, including one uppercase letter, one lowercase letter, and one number. You might also consider requiring a non-alphanumeric character and setting limits on how long a password can be used. However, even with strong password requirements, you're mainly protecting against brute-force attacks.
Update 'Host', 'Admin' Passwords: Setting highly complex passwords for the Host and Admin accounts is one of the most crucial security measures you can take. Since these accounts are well-known and frequently targeted by brute-force attacks, it's vital that their passwords go beyond the standard complexity recommendations. Additionally, restricting access to these accounts is important, as they hold the highest level of control over your site and could cause significant damage if compromised. Require users to change their passwords regularly.
Strong Password Storage Technique: DNN, by default, encrypts user passwords to offer a solid level of security and allows password retrieval since encryption is reversible. However, for enhanced security or if you prefer not to support password retrieval, you can opt for hashing instead. Hashing is a one-way process, meaning that even if your database is compromised, the original password cannot be reconstructed from the hash, providing an additional layer of protection.
Ensure SSL for all authenticated sessions: DotNetNuke provides a robust method for activating and enforcing SSL for individual websites (portals). To accomplish this, simply enable SSL for the site. Navigate to Admin > Site Settings, then select the Advanced tab and access the SSL Settings section. There, check the “SSL Enabled?” option and adjust the settings as needed. Ensure that the Login page is configured securely, set up the authentication method, and enable RequireSSL cookies in the configurations.
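The password-format, complexity and RequireSSL settings discussed in this section all live in web.config. The following PowerShell audit is an added example, not DNN's own tooling: it assumes the standard ASP.NET layout DNN uses (system.web/membership/providers/add, system.web/authentication/forms and system.web/httpCookies), and the web.config it checks is a constructed sample with the weak defaults rather than a real site's file.

```powershell
# Added example (not DNN project code): report weak membership and cookie settings
# in a web.config. The XML below is a constructed sample showing the weak values
# the text warns about; for a live site load [xml](Get-Content 'D:\Sites\dnn\web.config').
$SampleConfig = @'
<configuration>
  <system.web>
    <membership defaultProvider="AspNetSqlMembershipProvider">
      <providers>
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="SiteSqlServer" enablePasswordRetrieval="true"
             minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0"
             passwordFormat="Encrypted" applicationName="DotNetNuke" />
      </providers>
    </membership>
    <authentication mode="Forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="false" />
  </system.web>
</configuration>
'@

function Test-DnnWebConfig {
    param([xml]$Config)
    $findings = @()
    $sw = $Config.configuration.'system.web'
    $provider = $sw.membership.providers.add | Where-Object { $_.name -eq $sw.membership.defaultProvider }
    if ($provider.passwordFormat -ne 'Hashed') {
        $findings += "passwordFormat is '$($provider.passwordFormat)': reversible; use Hashed so a dumped database cannot yield plaintext passwords"
    }
    if ([int]$provider.minRequiredPasswordLength -lt 8) {
        $findings += "minRequiredPasswordLength is $($provider.minRequiredPasswordLength): raise to at least 8"
    }
    if (-not $provider.passwordStrengthRegularExpression) {
        $findings += "no passwordStrengthRegularExpression: add one requiring upper, lower and digit"
    }
    if ($sw.authentication.forms.requireSSL -ne 'true') {
        $findings += "forms requireSSL is not true: the authentication cookie can be sent over HTTP"
    }
    if ($sw.httpCookies.requireSSL -ne 'true') {
        $findings += "httpCookies requireSSL is not true: session cookies can be sent over HTTP"
    }
    return $findings
}

Test-DnnWebConfig -Config ([xml]$SampleConfig) | ForEach-Object { "FINDING: $_" }
```

Against the sample every check fires; once passwordFormat is Hashed (note the text's caveat that password retrieval then stops working), the length is 8 or more and both requireSSL attributes are true, the function returns nothing.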
CONTACT AN EXPERT
At DnnDeveloper.in, we've been deeply involved with DotNetNuke (DNN) development since 2006, making us one of the most experienced teams in the industry. Over the years, we've encountered and successfully managed a wide range of security challenges, giving us the expertise to handle even the most complex security breaches. Our extensive experience with DNN platforms means that we understand the intricacies of its architecture and know precisely where to look for vulnerabilities that hackers might exploit.
When your DNN site has been compromised, we take a systematic approach to cleanup and restoration. First, we thoroughly analyze the breach to identify the point of entry and understand the full extent of the damage. This includes scanning for malicious code, unauthorized files, and suspicious activity within the database. We then meticulously remove all traces of the hack, ensuring that your site is fully cleaned and restored to a secure state. Our goal is not only to eliminate the immediate threat but also to fortify your site against future attacks.
Beyond the cleanup process, we implement robust security measures to prevent future breaches. This includes updating your DNN platform and all extensions to the latest secure versions, strengthening password policies, and configuring security settings to minimize vulnerabilities. We also provide ongoing monitoring and support, keeping your site protected against emerging threats. With our extensive experience and expert knowledge of DNN security, we ensure that your site remains safe, stable, and secure in the long term.