Could this be the 2017 Telerik Vulnerability?

4 posts, 0 answers
  1. MarcB
    2 posts
    Member since:
    Feb 2021

    Posted 18 Feb

    Log files show this

    GET /Default.aspx Tabid=10&language=en&Server&Side=Telerik.Web.UI.DialogHandler 80 200 

    and then some other logs with Telerik.Web.UI.DialogHandler with response codes equal to 302 and 200

     

    ...

     

    POST /1555667.1415555.aspx act=file=C:/inetpub/wwwroot/Default.aspx 80 200

    POST /1555667.1415555.aspx act=file=C:/inetpub/wwwroot/Default.aspx 80 200

    POST /1555667.1415555.aspx act=file=C:/inetpub/wwwroot/Default.aspx 80 200

    POST /1555667.1415555.aspx act=file=C:/inetpub/wwwroot/Default.aspx 80 200

     

    After all of those, there is a

    POST /Default.aspx 80 302 

    and another 

    POST /Default.aspx 80 200

  2. Rumen
    Admin
    14459 posts

    Posted 19 Feb

    Hi Marc,

    Somebody may be scanning your network in order to exploit the vulnerability explained in this KB article: https://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness.

    The most secure way to handle it is to be on the latest version of Telerik.Web.UI.dll since it prevents all known vulnerabilities - see https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization

    Best Regards,
    Rumen
    Progress Telerik

    Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

  3. MarcB
    2 posts
    Member since:
    Feb 2021

    Posted 19 Feb in reply to Rumen

    Thanks. They hacked my website yesterday. I already deleted everything and re-installed everything, this time updated.

    Could these logs be the hack? I don't remember my Telerik version.

    I don't really understand the GET requests with 404, 302, 301, 200 responses.

    Thank you Rumen,

    Marc.

  4. Rumen
    Admin
    14459 posts

    Posted 19 Feb

    I am sorry to hear that your server was hacked :(

    Yes, the logs might be related to the hack - something that was left over from it. It might be helpful to review the vulnerability details available for CVE-2017-9248:

    https://www.exploit-db.com/exploits/43873

    and also the resources at YouTube: https://www.youtube.com/results?search_query=CVE-2017-9248

     

    Best Regards,
    Rumen
    Progress Telerik

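A triage pass over log lines in the layout quoted in this thread, added here as an example; it is not part of the original posts and is not Telerik's code. The sample lines are constructed from the ones MarcB posted, and the field layout, rule names and regexes are assumptions for illustration.

```python
import re

# Constructed sample in the abbreviated layout quoted in the thread:
# method, URI stem, URI query (absent or "-" when empty), port, status.
SAMPLE_LOG = """\
GET /Default.aspx Tabid=10&language=en&Server&Side=Telerik.Web.UI.DialogHandler 80 200
GET /Telerik.Web.UI.DialogHandler.aspx - 80 302
GET /images/logo.png - 80 200
POST /1555667.1415555.aspx act=file=C:/inetpub/wwwroot/Default.aspx 80 200
POST /1555667.1415555.aspx act=file=C:/inetpub/wwwroot/Default.aspx 80 200
POST /Default.aspx 80 302
POST /Default.aspx 80 200
"""

# Heuristic rules (assumptions for this example, not vendor signatures).
DIALOG_HANDLER = re.compile(r"telerik\.web\.ui\.dialoghandler", re.I)
NUMERIC_ASPX = re.compile(r"^/[\d.]+\.aspx$", re.I)       # e.g. /1555667.1415555.aspx
DRIVE_PATH = re.compile(r"(?<![a-z])[a-z]:[/\\]", re.I)   # C:/..., but not http://

def parse_line(line):
    """Split one log line into fields; return None if it does not fit the layout."""
    parts = line.split()
    if len(parts) < 4 or not (parts[-1].isdigit() and parts[-2].isdigit()):
        return None
    return {"method": parts[0].upper(), "stem": parts[1],
            "query": parts[2] if len(parts) >= 5 else "-",
            "port": int(parts[-2]), "status": int(parts[-1])}

def triage(log_text):
    """Return (line_no, status, [rule names], line) for every line that matches a rule."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        rules = []
        if DIALOG_HANDLER.search(rec["stem"] + "?" + rec["query"]):
            rules.append("dialoghandler_request")
        if rec["method"] == "POST" and NUMERIC_ASPX.match(rec["stem"]):
            rules.append("numeric_aspx_post")
        if DRIVE_PATH.search(rec["query"]):
            rules.append("fs_path_in_query")
        if rules:
            hits.append((n, rec["status"], rules, line.strip()))
    return hits

if __name__ == "__main__":
    for n, status, rules, line in triage(SAMPLE_LOG):
        print(f"line {n} status {status} {','.join(rules)}: {line}")
```

Pages flagged by `numeric_aspx_post` that returned 200 are worth comparing against the application's deployed file list, since the server answered them instead of returning 404.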
