Sanjay Mehrotra wrote   "One thing I have done is stopped PHP on my server which will more than likely help with allot of this."   Nick - I believe you've solved your own problem. Like I'd posted on the other thread which you made on the forums, the culprit is likely to be PHP and NOT DNN. You can take the exact script you've posted here and run it on any of the websites that have the feedback module installed (mothership included) and you will not see your problem. Someone probably did a scan on your machine and discovered that you have PHP installed and was able to take advantage of that via your website. I've done my limited research based on what you've posted so far and Cathal will probably comment on this shortly too. My problem with your original post is making it sound like feedback module is the culprit when you're not sure - or let me put it another way - Can you prove 100% that the feedback module caused your server to be hacked? I'm not going to get into the semantics but as mentioned before, any security issues need to be addressed differently than simply posting on a thread without any proper validation. Sanjay

Well regarding PHP I guess only time will tell whether the site is safe or not now, I'm reserving judgement as the last site this happened on was completely hosted and one would presume that it would have been allot more secure than the one i'm hosting myself.

If DotNetNuke wasn't eleviated in anyway, so what you are suggesting is that any site running PHP can be hacked extremely easily in this way?

"But with that aside, I think that one of the possible holes was actually this Feedback module."

That is what I said, and I chose my words carefully, I said that it is a possible hole, and the reason for that was that it was being targeted, so I can assure you that you misunderstood there by not reading thoroughly.  If on the other hand you are referring to the subject of the thread then I think it's a bit generic and anyone interested enough would actually read it before casting judgement themselves.

This is not an issue, as the path would not be resolved as it does not contain an asp.net page extension prior to the querystring i.e. an extension ending .aspx/.ashx/.asmx/.axd . I also checked the last 2 releases of the feedback module (going back to1/30/2007) and netiher has code that references a querystring, request or paramters variable called include_path. I also checked a few recent core releases and they do not reference it either, so what your'e seeing is random url requests (much like the recent sql worm) that will not cause any harm and simply get logged as invalid requests. As per other posters, I would recommend that you mail the security@dotnetnuke.com so that the security team can process any reported problems - i've been off for a few days holiday but there are at least another 6 people who monitor that alias.

And and as for your question, we've received messages from 55 different people so far this calendar year (we've responded to a couple of hundred reports and requests).

Cathal