I just found something very disturbing after having 4 of my D7 websites hacked. I have found a file that mysteriously appeared a couple of weeks prior to the hackers doing anything noticeable to my sites.
The file in question is located here: /xmlrpc/sys.php, so if you type in e.g. http://yourwebsite.com/xmlrpc/sys.php and your website is compromised, you will see an input box asking for a password. Obviously I don't know the password, so I don't know what info it gives the hackers.
I know what you're gonna say, that my Mac or PC has a trojan, but guess what? When you go down the list of websites at http://www.boonex.com/websites you don't have to go far down the list before you start finding other exploited websites.
This must be a vulnerability in the Boonex Software and needs fixing ASAP!
I also found that the last modified date on member_menu_queries.php is the same as the hacker's file sys.php.
The file sys.php is encoded so I can't even tell what it's supposed to do.
If anyone else has this exploit, please add a note here to get Andrew's attention.
|
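A defender's triage script for the three indicators the post above describes (the dropped xmlrpc/sys.php, other PHP files sharing its modification time, and "encoded" PHP). This is an added example, not code from the thread or from BoonEx; the obfuscation pattern list is an assumption, since the page does not show what sys.php actually contained, and the sample docroot it builds is constructed.

```python
#!/usr/bin/env python3
"""Triage checks for the compromise indicators described in the first post.

Added example (not from the thread or BoonEx). Given a Dolphin docroot it reports:
  1. whether the dropped file xmlrpc/sys.php exists
  2. other PHP files whose mtime lies within a window of sys.php's mtime
     (the poster saw member_menu_queries.php sharing that timestamp)
  3. PHP files using an eval/decoder idiom typical of "encoded" droppers
     (ASSUMED pattern; the real sys.php's encoding is not on the page)
Usage: python3 dolphin_triage.py /path/to/docroot   (no argument = built-in fixture)
"""
import os
import re
import sys
import tempfile
import time

BACKDOOR_PATH = "xmlrpc/sys.php"   # the path named in the post
# Assumed obfuscation idioms, not taken from the actual dropped file.
OBFUSCATION_RE = re.compile(
    rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)

def php_files(root):
    """Yield every .php file under root as a forward-slash relative path."""
    for dirpath, _dirs, names in os.walk(root):
        for n in names:
            if n.lower().endswith(".php"):
                rel = os.path.relpath(os.path.join(dirpath, n), root)
                yield rel.replace(os.sep, "/")

def files_near_mtime(root, ref_rel, window_s=3600):
    """Return PHP files (other than ref_rel) modified within window_s of ref_rel."""
    ref_ts = os.stat(os.path.join(root, ref_rel)).st_mtime
    return sorted(
        rel for rel in php_files(root)
        if rel != ref_rel
        and abs(os.stat(os.path.join(root, rel)).st_mtime - ref_ts) <= window_s
    )

def obfuscated_files(root):
    """Return PHP files whose contents match the eval/decoder idiom."""
    hits = []
    for rel in php_files(root):
        with open(os.path.join(root, rel), "rb") as fh:
            if OBFUSCATION_RE.search(fh.read()):
                hits.append(rel)
    return sorted(hits)

def triage(root):
    """Run all three checks; empty lists and False mean nothing was found."""
    result = {"backdoor_present": False, "same_window": [], "obfuscated": []}
    if os.path.isfile(os.path.join(root, BACKDOOR_PATH)):
        result["backdoor_present"] = True
        result["same_window"] = files_near_mtime(root, BACKDOOR_PATH)
    result["obfuscated"] = obfuscated_files(root)
    return result

def make_fixture():
    """Constructed sample docroot (not real Dolphin files) for a stand-alone run."""
    root = tempfile.mkdtemp(prefix="dolphin_triage_")
    os.makedirs(os.path.join(root, "xmlrpc"))
    os.makedirs(os.path.join(root, "inc"))
    t0 = time.time() - 14 * 86400                     # "a couple of weeks" ago
    files = {
        BACKDOOR_PATH: (b"<?php eval(base64_decode('AAAA')); ?>", t0),
        "inc/member_menu_queries.php": (b"<?php // touched at the same time\n", t0 + 5),
        "inc/header.inc.php": (b"<?php // untouched since install\n", t0 - 90 * 86400),
    }
    for rel, (body, ts) in files.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (ts, ts))
    return root

if __name__ == "__main__":
    for key, val in triage(sys.argv[1] if len(sys.argv) > 1 else make_fixture()).items():
        print(f"{key}: {val}")
```

Any file listed under same_window deserves a diff against a clean copy of the same Dolphin version, as the later replies in this thread ask for.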
I also found this in a file left on one of my servers by the hacker.
/*
----------------------------------------------------------------------------
Dolphin <= 7.0.7 [cut] Remote PHP Code Injection Exploit
----------------------------------------------------------------------------
author...............: EgiX
mail.................: n0b0d13s[at]gmail[dot]com
software link........: http://www.boonex.com/dolphin
affected versions....: from 7.0.0 to 7.0.7
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] vulnerable code in [cut]
Then it shows the vulnerable code and instructions on how to hack. Then it continues...
[-] Disclosure timeline:
[25/09/2011] - Vulnerability discovered
[26/09/2011] - Issue reported to http://www.boonex.com/forums/topic/PHP-Code-Injection.htm
[26/09/2011] - A moderator hide the topic
[29/09/2011] - Vendor contacted again through http://www.boonex.com/help/contact
[04/10/2011] - Vendor replied that there is a designated place for this kind of report: "Dolphin Bug Reports" forum
[04/10/2011] - I replied that I've already posted in this forum, but the topic has been hidden
[05/10/2011] - Vendor reply: "It may has been hidden because it WASN'T posted in the proper place"
[05/10/2011] - My reply: "It has been hidden for security reason, the moderator told me to report the issue through http://www.boonex.com/help/contact"
[08/10/2011] - Vendor replied that a patch will be released as soon as possible
[13/10/2011] - Vendor update released: http://www.boonex.com/n/dolphin-7-0-8-beta-1
[18/10/2011] - Public disclosure
*/
|
So it looks like Boonex already knew about this and chose to keep it a secret. Tut tut tut Boonex, thanks a lot! If I had known, it would have saved me a big headache!
Yes, you might have fixed the vulnerable file, but that's only good for those that didn't get hacked before updating and have backdoor trojans inserted.
|
Can you do a compare and see what the hacker actually did to your "member_menu_queries.php" file that made the file date change? The reason I ask is I'm trying to figure out why he would need to edit the file that allowed him to get in in the first place. Also it's really odd the hacker left a file describing exactly how he got in on your server. I have always heard of "white hat" hackers that find back doors and actually help the people fix them.. but I didn't know any of them did it for free, lol.
This would be really nuts, he didn't replace your member_menu_queries.php with the fixed one from 7.0.8 did he?
Anyway, thanks for this post. I just updated the member_menu_queries.php on all my sites.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
I don't have the old version to compare with.
It does seem odd that he left that file there; maybe he did it to show that he had already contacted Boonex but they had swept it under the carpet until 7.0.8 got released.
Remember this was reported to Boonex in September and they hid the fact, and it wasn't fixed until D7.0.8.
The sickening thing is that if I had known about this back in September I could have done something before it was too late, but now the hacker or hackers probably have the details of over 14000 members just from my websites, never mind everyone else's.
I know now that Boonex will more than likely remove this post but at least they could inform everyone so that they could check if they have been hacked and at least update their scripts.
|
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
The problem is fixed in 7.0.8, it is strongly recommended to update to the latest 7.0.8.
We don't disclose the exact vulnerability (and encourage others to NOT do it either) so as not to compromise the sites which were not updated yet.
Rules → http://www.boonex.com/terms |
What was the ticket for it? Since I do not run upgrades, I apply all the changes one by one.
|
AlexT, this is one time where a newsletter should have been sent out; there are many who are using Dolphin v7.x.x who were not made aware of this and are still vulnerable to being hacked. If you fixed the issue, then I don't see where it would be wrong to disclose the exact problem, since the exact problem is what should have been fixed and a patch released.
Why would an update be necessary if you created a patch? Not everybody upgrades, so therein lies a serious problem.
You don't have to disclose the exact vulnerability, but you should have the common courtesy to report to the community that there has been one detected and not just suggest that they upgrade to 7.0.8.
but of course, quasi plu duratiem
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
We said about it in the post - http://www.boonex.com/n/dolphin-7-0-8-released
And sent a newsletter.
So the patch is actually the upgrade script; if we make a patch especially for the security problem only, it will be very easy to detect the vulnerability and use it to attack non-upgraded sites.
Rules → http://www.boonex.com/terms |
Granted yes, you mentioned it in passing, though it was not stressed that the security vulnerabilities were urgent, not critical to fix.
I for one, disagree with this methodology of where you release an upgrade and incorporate security vulnerabilities, when the vulnerabilities should have been a focal point given the information that was provided about the situation.
Yes, you did address the security issues in passing, but again not everybody is interested in upgrading to the next release, and I have been forewarned by Mr. Boone that upgrading is an at-your-own-risk task, and this should not be coupled with security patch releases. The security patch should not be an at-your-own-risk implementation, and should be listed as a critical requirement for security of the site.
My point in this is that when upgrading from Dolphin v6.x --> Dolphin v7.x.x, there were functionalities that were left out of Dolphin; the removal or exclusion of relevant functionality was never expressed, and there was no news to the unknowing site owners or Dolphin users that functionality that had become depended on for operation of a business had been removed.
Only after issues were reported was it stated by Mr. Boone that upgrades are "at your own risk" tasks. Upgrades should not be an at-your-own-risk task, and functionality that was in place, and then omitted or removed, should be as strongly focused on as the eye candy and unnecessary addons that are placed in Dolphin to distract from actual problems.
At any rate, my point here is, AlexT, the security patch should be different from an optional upgrade. It has already been published how the site can be hacked with the vulnerabilities, and with that, measures should have been taken to protect Dolphin users and members of this community, and that has not been the case. The other problem with releasing a security vulnerability patch with an upgrade is that site owners are responsible for utilizing the "at your own risk upgrade", and bundling the security patch with an upgrade is, at minimum, an underhanded method of releasing the developers from responsibility for the security vulnerabilities.
Yes, you mention security in passing on this, then the post goes on to an elaborated explanation of what great things have been done that have prompted the 7.0.8 upgrade, and there is no real focus on the security vulnerability.
So what about all the Dolphin users of 7.0.x that had no intention of upgrading; how is their site patched for the security issue?
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
As a license holder of Dolphin I should have been notified, as should everyone!!! I don't give a damn if you e-mail me, call me or whatever, but we should have been informed - period!!!
When my site was hacked it took 3 people 24 hours' work to put it all right again. The cost of this was more than the cost of my Dolphin license! ALL users should be informed of ALL security issues at ALL times. Failure to do so is simply another case of appalling customer service and bad business practice.
|
We always state it if there are security fixes. There's no way for us to tell who we can trust early information about vulnerability. It is a common (sense) practice to keep this information undisclosed for as long as possible.
Now, back to the update announcement that we made for 7.0.8, notified you via newsletter and you had it in Dolphin Admin feeds. It starts like this:
"Dolphin 7.0.8 is here with us, rectifying some security vulnerabilities and busting a mid-sized gang of virtual insects (aka bugs). There're also some useful system tweaks, but really, you should've stopped reading and started downloading right after that "security" word in the first sentence. Seriously."
There're no other means that we have to reach Dolphin users. I suggest paying more attention to version update announcements.
Heart Head Hands |
If you don't want to upgrade, but you do need to apply security fixes, the only way is to do custom merging, taking only the bits of code that you need. This is tedious and needs knowledge of coding, but it's the only way to part-upgrade a modified site.
We can't release a separate security patch, because it would complicate everything. It may still break your modified installation, it would expose the vulnerability and it would potentially create an untracked "version" that needs to be accounted for in future updates. How do you apply a new security patch over a version with an older patch vs a clean version vs a modified version?
Heart Head Hands |
The exploit has been available on public sites for a while now. It should at least be appropriate to mention the file which needs to be replaced. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Something like this makes you question how secure dolphin really is. |
Andrew,
Before you strike my post here, please understand that I think you guys are doing a far better job all around. I was not posting this to raise dander; I posted as a matter of concern.
Now you say that you can't release a security patch only; not sure why not, sir, everybody else does so. You would not really need to make it public, as you could put it in the user's profile for download, and set it for x days; any member who was not registered during the era of release that required the security patch would be excluded from downloading the security patch.
I do believe that you are trying your best, though there are issues here, sir, that need to be addressed. You know that you and I have had discussions about upgrading for the mere purpose of an upgrade, and this would be an ultimate example. There is no warning about what can break on your site if you upgrade. Again, I think your mention of the security flaw was just brushed on, and should have been a focal point, because you know, Andrew, that the excitement from the Unity members comes from the title of 7.0.8 being released, and they are downloading without completely reading, because of the bugs that they were facing that were possibly preventing their site from being released; the mere mention of security updates was skipped. Now from someone who reads, and reads between the lines at times, I would in any other given instance suggest this was intentional.
When you get a new Porsche, do you look at the battery, or the tires? Not really, you look at the eye candy, so to speak.
Yes, I think you had good intentions, but in this specific case, Andrew and crew, as good of a job as you guys are doing, there is still room for growth, sir, and many of the members agree that we need some dedication and focus in the following areas:
Security
Seo
Email
Store
Payment Processors
Administrative Management
No more eye candy, no more extras; let's get this puppy locked down, and secured, and functional as a site should be functional.
Again, Mr Boone, this was not posted to jab at you guys; I think you are doing leaps and bounds better, and I am still supporting Dolphin, and still upgrading, with caution of course (LOL), as this application is set to be something someday.
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
Just some kind words of encouragement:
If you released only the security patch, which you state you cannot release, yes, you are correct, it could possibly still cause problems with a custom site; however, troubleshooting something on that magnitude would be far more conducive to sanity than upgrading with unneeded and additional corrections and adjustments.
So I would think it would be far less difficult for the Dolphin site users to apply just the security patch, if they were not opting to upgrade to the full latest release due to major customizations.
Just something to think on, Mr. B, as this needs to be addressed, sir, as we move forward, because quite frankly, sir, and yes, "it may very well be the way it has been in the past", but evidence is presenting itself "that it should not be the way of the future".
And what is the deal with those two security settings that we were advised to set to -1?
Security threshold, and whatever that other one is/was; are these going to be fixed?
Happy Holidays to Boonex and Unity Members
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
Revisiting this topic:
It's not a matter of wanting to or not wanting to upgrade; it's a matter of a security breach being discovered and reported and then the fix for the security flaw being bundled into an upgrade release, rather than patching the reported, already known security issue. A security patch is by far, in all circumstances, separate from an upgrade of functionality where bugs are reported on releases.
Yes, a security patch may very well break the site; however, in knowing that, it would be addressable on that level rather than not knowing whether the upgraded instances across the board caused the site to break or if it was broken by applying the security patch. The vulnerability has been exposed, and that is how it was determined that it needed to be patched in the first place. As for creating an untracked version, this is where security patches and upgrade versions should differ, for this very reason. Consider Windows in this instance: security patches are released though the OS is not upgraded or updated, but the security flaw is directly addressed.
Yes, I can see where it would involve more work on the part of Boonex, but this essentially is the responsibility of Boonex when releasing a version. I don't know what happened to the audit option you guys once were so attuned to reporting had been done. Are these security audits not being done on each release?
And again I inquire, what became of the "security impact threshold to send report" and "security impact threshold to send report and block aggressor" settings?
These were released as the NBT for security on Dolphin, then shortly afterwards we were directed to set those to -1 (off state) and they have not been addressed since then, though they are still listed in the admin panel as security settings. Why are these still included if they do not work?
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
It saddens me that we have an issue that can cause harm to sites and that the code for the removal of that issue seems to have been deleted from this thread.
I run sites under WordPress and Dolphin and have used others in the past. I have to say that the handling of security issues is a concern to me.
As a relatively naive user, the way that Dolphin is built seems somewhat shonky. For example, because of the dependence upon modifications to code to attain many usability goals, one cannot easily upgrade a site. For this reason one may well make a choice to NOT follow the upgrade path. Indeed, on one of my sites we recently went through a substantial roll forward only to have to undo all the work because of multiple breaks in the site.
We had not stepped outside of mods and templates from the Boonex Marketplace but in order to have a working site doing what I want to do, I needed to keep an older version of / running.
The other day I saw this thread, I read up, I hit Google, I checked my site, it was vulnerable. I added the code and it seems the problem is solved, the world has not ended, everything works just fine.
Now though, anyone else wanting to protect their site is stuck. Either they roll forward to 7.0.8 or they wait to be attacked.
Given that from one update to the next MOST code remains unchanged surely the marginal risk of breaking one's own site in fixing any one security issue is small. It is certainly a smaller job to undo a security patch and hire somebody to help make it work than it is to spend a long time rolling forward and paying substantial money to a coder to correct all the stuff broken by the upgrade process.
I was coming to the opinion that it was worth choosing a point and version of the software and sticking with it and maintaining that which works. But now I am worried because I can see that the information required to do this is now being withheld from us clients. It is not just that we don't have the patches but that we can now see that the very vulnerabilities themselves are being withheld.
Security through obscurity is a poor solution. The people who seek out vulnerabilities have different priorities to me and your clients. We clients are not a part of that milieu. Keeping info away from us does not help because the 'interested' are communicating using different channels and your attempts at secrecy do not really work, they just mean that we clients, webmasters, business owners are more vulnerable than we should be.
|
http://towtalk.net ... Hosted by Zarconia.net! |
Hi,
Just wanted to add my two cents. I normally stay away from the forums but was pointed to this topic by a customer.
I have had quite a bit of ear bashing from quite a few of my customers on my shared servers that have had their Boonex Dolphin websites hacked recently. They all had Dolphin websites that were not upgraded, but all Dolphin 7. My customers thought that my servers were insecure and I have spent endless hours trying to help them re-install D7, trying to reassure them that this won't happen again; I have basically given them all free upgrades at my own time and expense.
I do appreciate that vulnerabilities do happen with web software; it won't be the first time and won't be the last with Boonex. But really we should have been informed; Boonex could have made a patch for this immediately and informed everyone by email that there was a major security issue and that it was essential to upload the patch.
Come on... the kiddie hackers will have known about this issue long before you! It would have been already posted among their networks. So you would not have raised awareness to them, you would have just saved us a load of hassle. After all, looking at the hacker's disclosure timeline above, all of my customers' websites were hacked after that.
Regards
Ian
|
I am trying to log in to my admin at http://one1planet.com/administration/ and AVG blocks the page opening and tells me I have Exploit Blackhole Exploit Kit (type 2722). It says threat has been removed, then I try to go admin again and the same AVG message occurs. My computer is clean but don't know how to permanently remove this. Please Help.
I located the files with a site scan and replaced them with a back-up version ... problem fixed.
|