In recent weeks, many of our DNN websites have systematically been targeted for Spam New User Registrations. There has been some discussion around the how and why, and as much as we can tell, the problem is this:
1. Some script kiddy has bothered to write a bot that finds DNN websites. It is not even a good bot, because it is not capable of validating registrations to automated active email addresses. (If you are the creator of the bot… “YOU ARE DOING IT WRONG” as it is not going to bring the Google results you are looking for.)
2. The bot will attempt access to: www.yoursite.com /?ctl=Register
3. This brings into play the default DNN registration process module.
4. This page is currently available if your site has either Public or Verified registrations enabled.
5. Tricks on derating the bot by raising the password complexity appeared to work a short time only.
6. Enabling the inbuilt Captcha is as good as useless, as almost any OCR application can break it.
7. A better simple solution is needed.
Here at InteractiveWebs, we decided that we would enable Recapcha (a cleaver Google Initiative https://www.google.com/recaptcha/ ) that is harder to be machine broken, and test the results. We found that all the spam registrations stopped once Recaptcha was used.
To do this we created two Free DNN Modules to add Recaptcha to the URL that this bot is using to register on sites. The two modules are to support DNN 6.2 + and 7x +.
The modules replace the standard captcha control to a recaptcha
This is a good link explaining how Recaptcha came into existence, and why it works well: https://www.youtube.com/watch?v=cQl6jUjFjp4
The free modules are available of download here: http://www.interactivewebs.com/DotNetNukeModules/ModuleDownloads.aspx
To install them and fix your site you will need to follow the instructions below:
Go to: https://www.google.com/recaptcha/intro/index.html and register your domain, or domains. This will give you the ability to use recaptcha on your DNN sites on any domain you like.
You are going to need they keys that this site provides:
Similar to these.
Install our “iwebs- register” module, making sure you pick the one that is for your DNN version.
Once installed, you need to add the module to a page as you would any other. We recommend adding it to it’s own page in the DNN Admin menu, and keeping the page Admin Only.
The module you are looking for is called: iWeb’s – Register – You can select the Settings from the module drop down as you would any other DNN module.
Enter the Public Key and Private Keu information that you received from your Google Recaptcha registration of your domain. THEN SELECT UPDATE to save the information.
After saving your public and private keys by clicking “update” you are ready to:
Click on the “Install Register Control”
This will inject the recaptcha setting into your website. So when you hit any registration URL (www.yoursite.com /?ctl=Register) you now get the recaptcah box.
Google has released what they call V2 of Recaptcha. We have update the module to support this. The process of updating to V2 goes like this.
1. By default, previously created recaptcha keys are V1. Any updated installs of our module will need to be put into V1 mode (in the settings) to keep working with your V1 keys that you have previously configured into the module. So after updating our module to the latest release, go into the module settings and enable V1 mode for the module to keep working.
2. V2 recaptcha is better than V1. So we would suggest that all users of the module update to V2. To do this, you update our module to the latest release, then go into the Google Recaptcha management page, and delete your domains security keys, then generate new keys for V2. They have instructions on that process, all be is hard to understand.
Once you have new V2 recaptcha keys, you update these new keys back into our module and ensure that the V1 mode is NOT enabled. The V2 recaptcha will then run on your site.
This was a quick solution to some script kiddies attempt to attack DNN. I’m actually struggling to find the purpose (if you wrote the bot and you are reading this, I would love to hear why). There is little threat by the registrations that I can find. More annoying that anything else. While Recaptcah can be broken, it would take some smarts or costs to use online services for the bot, so I suspect they will not bother and recaptcha will reign for this problem. In any case, if they spend some time and effort making the bot work for recaptcah, it is easy enough for us to implement some of the loads of other solutions available to stop them.
We included a donation button. If you find the solution, blog, research we did, modules we created and responses we provide to be helpful. Please consider throwing us a few $
FileHelpers, Version=18.104.22.168, Culture=neutral, PublicKeyToken=3e0c08d59cc3d657′
Error: File Management is currently unavailable. DotNetNuke.Services.Exceptions.ModuleLoadException: (0): error CS1705: Assembly ‘DotNetNuke.Modules.DigitalAssets, Version=22.214.171.1245, Culture=neutral, PublicKeyToken=null’ uses ‘Telerik.Web.UI, Version=2013.2.611.40, Culture=neutral, PublicKeyToken=121fae78165ba3d4’ which has a higher version than referenced assembly ‘Telerik.Web.UI, Version=2013.1.403.40, Culture=neutral, PublicKeyToken=121fae78165ba3d4’ —> System.Web.HttpCompileException: (0): error CS1705: Assembly ‘DotNetNuke.Modules.DigitalAssets, Version=126.96.36.1995, Culture=neutral, PublicKeyToken=null’ uses ‘Telerik.Web.UI, Version=2013.2.611.40, Culture=neutral, PublicKeyToken=121fae78165ba3d4’ which has a higher version than referenced assembly ‘Telerik.Web.UI, Version=2013.1.403.40, Culture=neutral, PublicKeyToken=121fae78165ba3d4’ at System.Web.Compilation.AssemblyBuilder.Compile() at System.Web.Compilation.BuildProvidersCompiler.PerformBuild() at System.Web.Compilation.BuildManager.CompileWebFile(VirtualPath virtualPath) at System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate) at System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean throwIfNotFound, Boolean ensureIsUpToDate) at System.Web.Compilation.BuildManager.GetVPathBuildResult(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile, Boolean ensureIsUpToDate) at System.Web.UI.TemplateControl.LoadControl(VirtualPath virtualPath) at DotNetNuke.UI.Modules.WebFormsModuleControlFactory.CreateModuleControl(TemplateControl containerControl, ModuleInfo moduleConfiguration) at DotNetNuke.UI.Modules.ModuleControlFactory.LoadModuleControl(TemplateControl containerControl, ModuleInfo moduleConfiguration) at DotNetNuke.UI.Modules.ModuleHost.LoadModuleControl() — End of inner exception stack trace —
The problem relates to a missing file that can be updated to the website /bin folder. The file is part of a free library that can be found here: http://sourceforge.net/projects/filehelpers/files/File%20Helpers%20Downloads/Version%202.0.0/
The file you need is: FileHelpers.dll front he 2.0 release from way back in 2010.
Download the file directly here: https://dl.dropboxusercontent.com/u/6726341/FileHelpers.dll
And save that to the /BIN folder in your DNN website, this will fix the issue and leave any third party modules that reference it working.
Accessing your Google Analytic Data via API
To allow a third party module or application to view and display your Google Analytics data for your website. You need to get a few things organised.
Go to: http://www.google.com/analytics/ and follow their instructions to set up your URL under an account that you can manage and access with Admin permissions. We are not going to go through these steps here as it is a given that you will have this. Seek help from Google if you can’t manage.
Go to: https://developers.google.com/ and login with your account.
To get started using Google Analytics API, you need to first create or select a project in the Google Developers Console and enable the API. Using this link guides you through the process and activates the Google Analytics API automatically.
Alternatively, you can activate the Google Analytics API yourself in the Developers Console by doing the following:
In either case, you end up on the Credentials page and can create your project’s credentials from here.
From the Credentials page, click Create new Client ID under the OAuth heading to create your OAuth 2.0 credentials.
The newly created service account will have an email address, <projectId>-<uniqueId>@developer.gserviceaccount.com; Use this email address to add a user to the Google analytics account you want to access via the API. For this tutorial only Read & Analyzepermissions are needed.
Select User Management (in the Analytics Admin)
Enter the weird email address from the API credentials step above to give Read & Analyze permissions.
If you get all that right, then the module we use, will work to access your Google Analytics data from within your module.
When you attempt to open the forum module Control Panel, you receive a.net load error that says a critical error has occurred. Upon looking at the log files for the website within DNN, you’ll notice that the related error message looks something like this.
bsoluteURL:/Default.aspxDefaultDataProvider:DotNetNuke.Data.SqlDataProvider, DotNetNukeExceptionGUID:1012073d-d31d-4a73-a051-31478c9de05dAssemblyVersion:7.4.0PortalId:0UserId:3429TabId:107RawUrl:/Resources/Forum/ctl/EDIT/mid/506Referrer:http://website.com.au/Resources/ForumUserAgent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 (KHTML, like Gecko) Version/8.0.6 Safari/600.6.3ExceptionHash:eUa1nHF8hNveOCQzqX0zOg==Message:Object reference not set to an instance of an object.StackTrace:InnerMessage:Object reference not set to an instance of an object.InnerStackTrace: at DotNetNuke.Modules.ActiveForums.Controls.Callback.OnLoad(EventArgs e) at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Control.LoadRecursive() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)Source:FileName:FileLineNumber:0FileColumnNumber:0Method:Server Name: SERVERNAME
It is good practice to ensure that you have the latest version of the DotNetNuke forum module on your website. Especially if you are using the later versions of DNN. Currently the module project has been moved into an open source project on GitHub. The latest version can be found here: https://github.com/ActiveForums/ActiveForums
fixing the error
you need to ensure that the web.config file also includes the following reference.
<section name=”cryptography” requirePermission=”false” type=”DotNetNuke.Framework.Providers.ProviderConfigurationHandler, DotNetNuke” />
<add name=”CoreCryptographyProvider” type=”DotNetNuke.Services.Cryptography.CoreCryptographyProvider, DotNetNuke” providerPath=”~\Providers\CryptographyProviders\CoreCryptographyProvider\” />
To Set up your mac mail with and Exchange Connection using Mac Mail you will need to follow these instructions carefully.
Note: This page will still be available to those who know the URL of that page (if for example you had put the page in a news letter).
Select Edit / Page Settings
Page Details / Unselect the Include in Menu Option
The Page will no longer appear in the menu system. It can still be hit with the permissions that have previously been set.
Alternatively – To Change Permissions on the page to hide and stop access: http://www.interactivewebs.com/blog/index.php/general-tips/dnn-change-permissions-on-a-page-to-stop-users-being-able-to-access-the-page/
To Stop users (Either members or visitors) from being able to access a page on the DNN Site.
Select Edit / Page Settings
Select the Permissions Tab
Uptick the All users View Settings. With no view pages permissions set. No users other than the Default Administrator settings will be able to visit the page.
Note This hides the page from users in the menu too. Alternatively you can just hide the page from the menu, but still allow people how know where the page exists to still access it by following this post:http://www.interactivewebs.com/blog/index.php/general-tips/dnn-hide-a-page-from-the-menu/
How to enable TLS 1.2 on Windows Server 2008 R2?
QuoVadis recommends enabling and using the TLS 1.2 protocol on your server. TLS 1.2 has improvements over previous versions of the TLS and SSL protocol which will improve your level of security. By default, Windows Server 2008 R2 does not have this feature enabled. This KB article will describe the process to enable this.
Your server should now support TLS 1.2.
Note: This article cannot be used on a Windows Server 2003 (IIS 6). Windows Server 2003 does not support the TLS 1.2 protocol.
If you make a mistake or something just isn’t right, you can revert back to your previous registry settings by opening the Registry Editor and importing the backup you made in step x.