It’s the email that makes your blood run cold. “Our website is distributing ransomware.”
Surely there must be some mistake. Some user did something silly, and panicked. “False alarm,” you tell yourself. “I’ll check the site real quick in my Windows VM, aaaaand—”
“Listen to this message. Your computer has been—”
Now it’s real.
This is the situation for many websites built with DotNetNuke (DNN). DotNetNuke is a popular platform on which to build .NET websites. However, a vulnerability was recently discovered in DNN that allows an attacker to do the following:
- Update host records and tables
- Clear SMTP settings
- Upgrade/alter installed modules
- Create a Host account – HOLY COW!
If you are using DNN for your company websites, DNN version 8.0.3 has just been released and fixes the issue; you should update ASAP. If you cannot update DNN, apply the following workaround from DNN:
The following steps are required to safeguard your site against this vulnerability:
- Remove the Install.aspx, Install.aspx.cs, InstallWizard.aspx, InstallWizard.aspx.cs, UpgradeWizard.aspx and UpgradeWizard.aspx.cs files from the Website Root/Install folder immediately.
- Go to Host > Host Settings page > Other Settings section > under Allowable File Extensions > and ensure that the .aspx extension is NOT allowed to be uploadable.
- Go to Host > SuperUser Accounts page and review the list of users in the Super User section to ensure that only known and authorized users are listed. Remove any unauthorized users.
- Search the Root folder and subfolders of your site for any files with .aspx or .php extensions. Some .aspx files might be required for your site. Carefully inspect any files before deleting.
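The file-system parts of that workaround (the first and last steps) are easy to get wrong by hand across several servers, so here is an added PowerShell script that does them in a repeatable way. It is example code written for this post, not a script from DNN; it assumes you pass the IIS site root as `-SiteRoot` (the `C:\inetpub\wwwroot\MySite` path is a placeholder) and that you have local administrator rights on the web server. The install file names are the ones listed in the DNN workaround. The allowable-extensions setting and the SuperUser review are done in the DNN host UI and are not covered here.

```powershell
# Added example (not from the original post or from DNN): applies the
# file-system parts of the DNN workaround and produces an inventory of
# .aspx/.php files for a human to review before anything is deleted.
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteRoot,                                   # e.g. C:\inetpub\wwwroot\MySite (placeholder path)
    [string]$ReportPath = "$env:TEMP\dnn-script-inventory.csv"
)

$ErrorActionPreference = 'Stop'

# Step 1: the installer/upgrade pages named in the DNN workaround.
$installFiles = @(
    'Install.aspx', 'Install.aspx.cs',
    'InstallWizard.aspx', 'InstallWizard.aspx.cs',
    'UpgradeWizard.aspx', 'UpgradeWizard.aspx.cs'
)
$installDir = Join-Path $SiteRoot 'Install'

# Files are moved out of the web root rather than deleted outright, so they
# can be put back when the site is later upgraded through a supported path.
$backupDir = Join-Path $env:ProgramData 'DnnWorkaroundBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($name in $installFiles) {
    $path = Join-Path $installDir $name
    if (Test-Path -LiteralPath $path) {
        Move-Item -LiteralPath $path -Destination (Join-Path $backupDir $name) -Force
        Write-Host "Removed $path (copy saved to $backupDir)"
    }
    else {
        Write-Host "Not present: $path"
    }
}

# Step 4: inventory every .aspx and .php file under the site root. Nothing is
# deleted here; the CSV is for review, newest changes first, because a page
# dropped by an attacker usually has a LastWriteTime that does not match the
# rest of the install.
$inventory = Get-ChildItem -LiteralPath $SiteRoot -Recurse -File -Include '*.aspx', '*.php' |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            Length        = $_.Length
            Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object LastWriteTime -Descending

$inventory | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host "$($inventory.Count) script files listed in $ReportPath"

# Starting point for the manual review: any .php file (a DNN site has no
# reason to serve PHP) and any .aspx file modified in the last 30 days.
$cutoff = (Get-Date).AddDays(-30)
$inventory |
    Where-Object { $_.Path -like '*.php' -or $_.LastWriteTime -gt $cutoff } |
    Format-Table Path, LastWriteTime, Length -AutoSize
```

Run it once per site root, for example `.\Apply-DnnWorkaround.ps1 -SiteRoot C:\inetpub\wwwroot\MySite`, from an elevated PowerShell prompt. The SHA-256 column lets you compare the same file across the pilot and production servers, or against a clean DNN download of the same version, so the known-good .aspx pages can be cleared quickly and attention goes to the ones that differ.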
For more information, you can visit DNN’s security center.
In this case, the attacker created a new account on the compromised system and added ransomware ads to the website. We were able to track the created user and determine when the account was created, restore the servers with Veeam Backup and Recovery, and apply the workaround. DNN will be updated on the pilot system first, followed by the production system.