Had a few sites on the same server that suddenly stopped working and started having issues

looking into the issues found the following weird entry appear in the root web.config:

<location path="Telerik.Web.UI.WebResource.axd">
    <system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

Also found the following folders had been created:

"ScriptResource.axd" - Blank web.config

"Telerik.Web.UI.WebResource.axd" - contains a web.config as follows:

<configaration>
<location path="Telerik.Web.UI.WebResource.axd">
<system.webServer>
<httpRedirect enabled="true" destination="ROOT" httpResponseStatus="Permanent" />
</system.webServer>
</location>
</configaration>

"WebResource.axd" - Blank web.config

Anyone else ever seen this?

Is it a hack?

Thanks

Hello Jon,

If you are using a version prior to R1 2020, then this is a probable hack attack leveraging this vulnerability:

• https://www.telerik.com/blogs/blue-mockingbird-vulnerability-telerik-guidance 

If you have R1 2020 or later and all the encryption keys set to a strong value, then it is less likely to be an attack via the Telerik controls. 

The first entry is you have shared seems the one we suggest for loading properly the resources:

• https://docs.telerik.com/devtools/aspnet-ajax/general-information/troubleshooting/web-resources-troubleshooting#unauthorized-access-401-error 

The rest of the snippets and folders might be a result of an attack.

We recommend upgrading all public sites you maintain to at least R1 2020 version and setting the encryption keys with strong values generated similarly to the way demonstrated here:

• https://www.youtube.com/watch?v=J18zDKtiBFE
• https://docs.telerik.com/devtools/aspnet-ajax/general-information/web-config-settings-overview 

Regards,
Peter Milchev
Progress Telerik

Been using these tools for years 'encryption keys' is the first I have EVER heard that they had to be set also....

So is it now the case that EVERY site I have running telerik now SHOULD/MUST have encryption keys set?

Hello Jon,

The Encryption key is available since 2012, while the ConfigurationHashKey is available as of R1 2017.

• https://www.telerik.com/forums/telerik-asyncupload-configurationencryptionkey-setting 

Also, we have sent numerous mass emails recommending setting all of these keys for better security. A site would be able to work even without them but it is nearly mandatory for better security.

Another highly recommended, almost mandatory, is upgrading to at least R1 2020 for maximum security against the Blue Mockingbird vulnerability:

• https://www.telerik.com/blogs/blue-mockingbird-vulnerability-telerik-guidance   

Regards,
Peter Milchev
Progress Telerik

hmmm

I would have remembered seeing those emails...

The site in question didn't/doesn't use any upload

so I basically have to set both Encryption & ConfigurationHashKey 

just uploading Telerik dll to the bin folder from the latest release is all that's needed and these keys set?

How do I know if setting the keys has worked? will the site simply not load of it doesn't?

Hi Jon,

The only mandatory step is to upgrade to Telerik.Web.UI.dll version 2020.1.114 (R1 2020) or later.

If the ConfigurationEncryptionKey and ConfigurationHashKey keys are not set in the web.config, the control will use the machine key to encrypt (protect) its configuration settings.

There is no way to find out whether the configuration data is encrypted via the machinekey or custom keys since this is going to be a security breach. Both options are secure. The custom keys just give you the ability to use different keys in the different apps you have instead of using one single machine key for all of them. This is a kind of diversification.

Best Regards,
Rumen
Progress Telerik

Yes, exactly! This upgrade is the most important step.

Best regards,
Rumen