This is a migrated thread and some comments may be shown as answers.

Could this be the 2017 Telerik Vulnerability?

General Discussions
MarcB asked on 18 Feb 2021, 08:16 PM

Log files show this

GET /Default.aspx Tabid=10&language=en&Server&Side=Telerik.Web.UI.DialogHandler 80 200 

and then some other logs with Telerik.Web.UI.DialogHandler with response codes equal to 302 and 200

 

...

 

POST /1555667.1415555.aspx act=file=C:/inetpub/wwwroot/Default.aspx 80 200

POST /1555667.1415555.aspx act=file=C:/inetpub/wwwroot/Default.aspx 80 200

POST /1555667.1415555.aspx act=file=C:/inetpub/wwwroot/Default.aspx 80 200

POST /1555667.1415555.aspx act=file=C:/inetpub/wwwroot/Default.aspx 80 200

 

After all of those, there is a

POST /Default.aspx 80 302 

and another 

POST /Default.aspx 80 200

3 Answers, 1 is accepted

Rumen
Telerik team
answered on 19 Feb 2021, 02:18 PM

Hi Marc,

Somebody may be scanning your network in order to exploit the vulnerability explained in this KB article: https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness.

The most secure way to handle it is to be on the latest version of Telerik.Web.UI.dll since it prevents all known vulnerabilities - see https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization

Best Regards,
Rumen
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

MarcB
answered on 19 Feb 2021, 05:04 PM

Thanks. They hacked my website yesterday. I already deleted everything and re-installed everything, this time updated.

Could these logs be the hack? I don't remember my Telerik version.

I don't really understand the GET requests with 404, 302, 301, 200 responses.

Thank you Rumen,

Marc.

Rumen
Telerik team
answered on 19 Feb 2021, 06:11 PM

I am sorry to hear that your server was hacked :(

Yes, the logs might be related to the hack - something that was left over from it. It might be helpful to review the vulnerability details available for CVE-2017-9248:

https://www.exploit-db.com/exploits/43873

and also the resources at YouTube: https://www.youtube.com/results?search_query=CVE-2017-9248

 

Best Regards,
Rumen
Progress Telerik
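
A log triage sketch for the pattern discussed in this thread, added here as an example and not part of the original posts or of Telerik's code: it reads IIS W3C logs, flags requests that mention Telerik.Web.UI.DialogHandler and POSTs whose query string carries a server file path, and lists the client IPs that did both in that order. The sample lines, dates and client IPs are constructed, and the columns named in `#Fields:` are an assumption about what the server logs.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended format: paths and queries mirror the
# lines quoted in the question; dates, times and client IPs are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-02-17 10:01:02 GET /Default.aspx Tabid=10&language=en&Server&Side=Telerik.Web.UI.DialogHandler 80 203.0.113.7 200
2021-02-17 10:01:09 GET /Default.aspx Tabid=10&language=en&Server&Side=Telerik.Web.UI.DialogHandler 80 203.0.113.7 302
2021-02-17 10:05:40 GET /Default.aspx Tabid=10 80 198.51.100.20 200
2021-02-17 11:30:15 POST /1555667.1415555.aspx act=file=C:/inetpub/wwwroot/Default.aspx 80 203.0.113.7 200
2021-02-17 11:31:00 POST /Default.aspx - 80 203.0.113.7 302
"""

HANDLER = re.compile(r"telerik\.web\.ui\.dialoghandler", re.I)
# A drive-letter path passed as a query value, e.g. "file=C:/inetpub/..."
FS_PATH = re.compile(r"=[a-z](?::|%3a)(?:[\\/]|%2f|%5c)", re.I)

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def triage(text):
    """Map client IP -> handler probes and POSTs that carry a server file path."""
    hits = defaultdict(lambda: {"probe": [], "fs_post": []})
    for r in parse_w3c(text):
        when = r["date"] + " " + r["time"]
        if HANDLER.search(r["cs-uri-stem"] + "?" + r["cs-uri-query"]):
            hits[r["c-ip"]]["probe"].append((when, r["sc-status"]))
        if r["cs-method"] == "POST" and FS_PATH.search(r["cs-uri-query"]):
            hits[r["c-ip"]]["fs_post"].append((when, r["cs-uri-stem"]))
    return dict(hits)

def clients_to_investigate(text):
    """Client IPs that hit the dialog handler and later POSTed a file path."""
    return sorted(ip for ip, h in triage(text).items()
                  if h["probe"] and h["fs_post"]
                  and min(h["probe"])[0] < max(h["fs_post"])[0])

if __name__ == "__main__":
    for ip, h in triage(SAMPLE_LOG).items():
        print(ip, h)
```

Any `.aspx` stem returned under `fs_post` that is not part of the deployed site is a file to locate on disk and preserve before cleanup.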
