DotNetNuke tutorials, tips and tricks

Wednesday, December 21, 2005

Securing DotNetNuke and the potential module problems

Recently I was viewing my log files and noticed that every other day people were trying to hack into the DNN Creative Magazine website by trying to log in as host.

Therefore I decided to further secure the host account by creating a new superuser account with a different username and a 21-letter password. I then deleted the original host account.

(This way a potential hacker has to guess the host username as well as the password to gain access.)

This is where the problem occurred: the News Articles module by Scott McCulloch, which DNN Creative uses for RSS feeds and easy searching via categories of the various articles, tutorials etc., no longer displayed any articles.

(I now start to panic)

I have somehow managed to delete the entire website's articles. (Or has someone managed to hack into the site and deleted everything?!) After further investigation I discovered the articles still existed within the database, but for some reason they were no longer displaying within the website.

It took me a full day to realise what had actually happened....

The News Articles module has a reference to the user that created the original article; if that user is deleted, the News Articles module no longer displays the article. All of the articles were created while logged in as Host, so all of the articles no longer displayed.

Therefore I had to do two updates to the DNN Forge Articles table.

I had to update the column that contained the AuthorID and the LastUpdatedID as these contained the User ID of the original host account that I deleted.

Therefore, I just ran this query to update both of these columns to the new User ID of the new SuperUser account (the ID here is not the correct ID number!):

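-- 1 stands for the deleted host account's UserID, 2034 for the new SuperUser's (placeholder IDs).
-- CASE leaves a column unchanged on rows where only the other column matched.
UPDATE DnnForge_NewsArticles_Article
SET AuthorID = CASE WHEN AuthorID = 1 THEN 2034 ELSE AuthorID END,
    LastUpdateID = CASE WHEN LastUpdateID = 1 THEN 2034 ELSE LastUpdateID END
WHERE (AuthorID = 1) OR
(LastUpdateID = 1)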


Panic over! So there is a valuable lesson: if you have a module that references a user when you create content, what happens when you delete that user? Perhaps module designers should programme for this possibility?

Hope this will be of some use to someone else...
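A check to run before deleting an account, as an added example that is not part of the original post and not the News Articles module's own code. It uses an in-memory SQLite database with a constructed, reduced schema; the `Users` layout, the sample rows, the function names and the inner join in `visible_titles` (one plausible reason orphaned articles stop displaying) are all assumptions.

```python
import sqlite3

# Constructed stand-in schema: only the two columns named in the post are
# modelled, and Users is reduced to an ID and a name (assumed layout).
def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT);
        CREATE TABLE DnnForge_NewsArticles_Article (
            ArticleID INTEGER PRIMARY KEY, Title TEXT,
            AuthorID INTEGER, LastUpdateID INTEGER);
        INSERT INTO Users VALUES (1, 'host'), (7, 'editor'), (2034, 'newsuper');
        INSERT INTO DnnForge_NewsArticles_Article VALUES
            (10, 'Written and edited by host', 1, 1),
            (11, 'Written by editor, edited by host', 7, 1),
            (12, 'Written and edited by editor', 7, 7);
    """)
    return db

def reference_counts(db, user_id):
    """Rows still pointing at user_id, per column. Run before deleting the user."""
    row = db.execute(
        "SELECT COALESCE(SUM(AuthorID = ?), 0), COALESCE(SUM(LastUpdateID = ?), 0) "
        "FROM DnnForge_NewsArticles_Article", (user_id, user_id)).fetchone()
    return {"AuthorID": row[0], "LastUpdateID": row[1]}

def visible_titles(db):
    """Assumed display query: an inner join on the author hides orphaned rows."""
    return [title for (title,) in db.execute(
        "SELECT a.Title FROM DnnForge_NewsArticles_Article a "
        "JOIN Users u ON u.UserID = a.AuthorID ORDER BY a.ArticleID")]

def retire_user(db, old_id, new_id):
    """Reassign each column on its own, then delete the user, in one transaction."""
    with db:  # commits on success, rolls back if any statement raises
        db.execute("UPDATE DnnForge_NewsArticles_Article SET AuthorID = ? "
                   "WHERE AuthorID = ?", (new_id, old_id))
        db.execute("UPDATE DnnForge_NewsArticles_Article SET LastUpdateID = ? "
                   "WHERE LastUpdateID = ?", (new_id, old_id))
        db.execute("DELETE FROM Users WHERE UserID = ?", (old_id,))
    return reference_counts(db, old_id)
```

A non-zero count from `reference_counts` means the account is still referenced and content would be orphaned by deleting it.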

2 Comments:

  • Good info, I think that a better lesson would be to use a super user account from the get-go to stop hacking attempts. Thanks for blogging.

    By Blogger Sean, at 2:45 pm  

  • Yes, it is best practice to change the name of the host and admin username before creating your website.

    I have created a video tutorial on how to pre-configure DotNetNuke before installing DotNetNuke which covers how to do this here:

    Configuring DotNetNuke before installation

    By Blogger Lee Sykes, at 2:52 pm  
