It has come to our attention that a few Dolphin-based sites have been hacked. We investigated the reported vulnerability and can assure you that a proper installation of Dolphin is NOT vulnerable.
Attacks are only possible if your host has the "register_globals=On" setting for PHP, which is expressly prohibited by the Dolphin installation manual and technical requirements.
Dolphin Technical Requirements
Also, a quote from the technical requirements: "Your host must have any Linux/Unix OS (RedHat, Debian, FreeBSD, Mandrake, etc). NOTE: SAFE_MODE must be OFF, register_globals must be OFF." Note the word "must" there.
It is also very likely that attacks were executed through 3rd party scripts, such as phpBB.
So, if your site was attacked, make sure to get the "register_globals" setting rewritten to "Off" before reverting to backup. If your site is not affected, double check your PHP settings.
Meanwhile, we're preparing a security update, which will remove any potential vulnerabilities in Dolphin code even with "register_globals=On". It should be available within 24 hours. We still recommend, however, that you switch to "register_globals=Off" if you're using any 3rd party scripts. Also check for updates of these 3rd party scripts; the latest versions may have their own patches to fix similar problems.
I would like to point out that we do thorough security testing before release, and Dolphin now holds an effective "HackerSafe" badge. This particular issue happened ONLY due to incorrect installations, so PLEASE be careful and attentive.
NOTE IXWEBHOSTING will not turn off their register_globals=on
Bad HOST
hostmonster has register_globals=on by
this is ideal because you have your Dolphin sites hosted on a dedicated server that is in effect set up just for Dolphin sites, because we use them for our own Dolphin sites and make sure we keep them secure.
maybe people need to understand that cheaper is just that, it's cheap
<?php phpinfo(); ?>
then save it like phpinfo.php and upload it to your server. Then call it from your browser like http://yoursite.com/phpinfo.php and find a line containing 'register_globals'. If its value is Off then everything is OK.
php_flag register_globals Off
If it produces a 500 Internal Server Error, please contact your hosting server provider.
They came in through a test site running 6.1 and hit my other regular sites.
And, well, they have informed me you have issues in your script. This was the e-mail I received:
Hello,
Whatever the script in /ray/ was, was exploitable and this is how the account was exploited and this malicious script uploaded.
Regards,
Richard F.
Network Security Administrator
Personally, Boonex is passing the issues on when it is their problem.
But if you have more info about other issues please let us know.
Their name = CebongDevils cebongcrew. This is the 2nd time for me. The 1st was Shoutbox: they put porn pics on it. That's not good, I have kids that go to my site! Boonex, instead of spending hours on a forum, just fix it.
What don't you get? The script got in b/c hackers put it in... hackers put it in b/c your globals were on.
Boonex can't control your server's hosting. Just do what you are told, and most importantly read/do every single step.
use this issue to pick up those IPs and block them from accessing your account...
just my 2 cents...
We would highly appreciate this information. Then we will be able to investigate and fix this.
RIPE Network Coordination Centre (50+ instances)
RackVibe LLC
Internet Specialties West ISWEST-BLK-1
HostForWeb Inc. SCNET (20+ instances)
Global
Just a quickie - here if Hostforweb has globals on and Boonex recommend them as being perfect for Dolphin.... hmmm, doesn't seem right somehow....
Cheers
Max
-- Jason
; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
register_globals = Off
I have a JOOMLA site www.guardiarepublicana.com/v02
It was hacked by someone who put a lot of links inside all the files of the Joomla site.
Maybe you will think that this is not for this topic, but let me tell you that
last week I installed Dolphin on the same site but with this URL:
www.guardiarepublicana.com/v03
Today the v03 is empty, because it was hacked.
I'm going to give you some of the code that this hacker put inside the files.
Maybe that is going to be important in order to solve
I got them off, deleted content.inc.php and uploaded one from the Dolphin script, same with safehtml (I forgot the name of the file now..) and since then I didn't get any warnings from HFW, nor did I have any damage to the site.... I hope it stays that way.
then do the following steps:
http://www.boonex.com/unity/forums/topic/fix-for-dolphin-exploit.htm
php_flag register_globals Off
It is a more popular way to configure PHP locally. But sometimes it can result in a "500 Internal Server Error". That's why we removed the php flags from the Dolphin package.
add it at the top above the 1st require once command
if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');
so it looks like this :
if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");
this stops any remote includes being used
next
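An added example, not part of the post above or of Dolphin's own code: a heuristic Python check that flags include/require paths built from a variable the file neither assigns nor guards, which is the pattern that register_globals=On exposes. The function name and the three sample files are constructed for illustration; the scan is regex-based and does not parse PHP, so its findings are leads to review by hand.

```python
import re

INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?([^;]*);", re.I)
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")
# The guard from the post above: if (isset($_REQUEST['name'])) die(...) or exit
GUARD = r"isset\s*\(\s*\$_REQUEST\[\s*['\"]%s['\"]\s*\]\s*\)\s*\)\s*(?:die|exit)\b"

def unsafe_includes(php_source):
    """Return (line_no, variable) for every include path that uses a variable
    with no earlier assignment and no earlier $_REQUEST guard in the same file."""
    findings = []
    for inc in INCLUDE_RE.finditer(php_source):
        before = php_source[:inc.start()]
        line_no = before.count("\n") + 1
        for var in VAR_RE.findall(inc.group(1)):
            name = re.escape(var)
            # "$var =" but not "$var =="
            assigned = re.search(r"\$" + name + r"\s*=(?!=)", before)
            guarded = re.search(GUARD % name, before)
            if not (assigned or guarded):
                findings.append((line_no, var))
    return findings

# Constructed samples modelled on the snippet in the post above.
UNGUARDED = """<?php
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
"""
GUARDED = """<?php
if (isset($_REQUEST['sIncPath']))
    die ('Hacking attempt');
require_once($sIncPath . "xml.inc.php");
"""
# Assumption: the path is set inside the file itself, so a request value cannot survive.
ASSIGNED = """<?php
$sIncPath = dirname(__FILE__) . "/inc/";
require_once($sIncPath . "xml.inc.php");
"""

if __name__ == "__main__":
    for label, src in (("unguarded", UNGUARDED), ("guarded", GUARDED), ("assigned", ASSIGNED)):
        print(label, unsafe_includes(src))
```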
Very kind of you to put this information out there for the rest of the community. I updated the two files and I feel better already.
Juker
Crap..I don't know...the C99 has probably opened up my entire site...I have no idea where all these backdoor trojans are at...
Can I download my site and use my virus scan to find some of these? Any ideas are welcome.
DoLaugh
and yes i downloaded a hacked VPS and used my virus scanner to see what was infected.
it had 19 infections on the one dolphin site
I've used your code into the Ray folder content.inc, into the HTMLSax3.php file, into the safehtml.php file. I keep getting these .gzr files into tiny_mce. I take it these are program C99 shell programs. I keep deleting them, but I'm still getting hacked, it seems.
Dolaugh
Or... I was working on this all day and...
I simply changed my name servers to a landing page...in this case a godaddy landing page. Waited 15 minutes and reset the name servers back to my own. Stop the attack cold. I broke the attack in mid stream and hasn't returned. Yea for me...That was annoying.
I simply removed my url as a potential attacking site, probably from their master attack script. The attack only affects BoonEx hosted sites as many other sites on this particular
So it was a Temp Fix at best...But damn
It happened with me few weeks ago that a trojan came into my computer...and somehow copied my ftp account details while i was working through ftp. Then it added some coded script to all pages with names index.xxx, home.xxx and default.xxx . The task of the script was to download malware softwares to those computers which opened my site. Changing the ftp password and removing that script solved the issue...
But
We would appreciate your patience.
Juker
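RewriteEngine On
# Reject query strings that begin with http or ftp, or that contain "www." or "https"
RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^ftp
RewriteRule .* - [L,F]
# Reject requests from the libwww and Wget user agents
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]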
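An added example, not from the post above: the same RewriteCond patterns applied to access-log lines in Python, to list the client IPs the rules would reject and the URL-valued requests they do not match. The log lines, addresses, paths and the extra URL_VALUE check are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl

# The page's RewriteCond patterns, copied unchanged (Apache applies them case-sensitively).
QUERY_RULES = [r"^http", r"^.+www\.", r"^.+https", r"^ftp"]
AGENT_RULES = [r"^libwww", r"^Wget"]
# Added check, not one of the page's rules: a parameter value that is itself a URL.
URL_VALUE = re.compile(r"^(?:https?|ftp)://", re.I)

# Combined log format: client, request target and user agent are captured.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')

def classify(line):
    """Return (ip, matched_by_page_rules, has_url_valued_parameter), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, agent = m.groups()
    query = target.partition("?")[2]  # raw query string, as %{QUERY_STRING} sees it
    matched = (any(re.search(p, query) for p in QUERY_RULES)
               or any(re.search(p, agent) for p in AGENT_RULES))
    url_param = any(URL_VALUE.match(v) for _, v in parse_qsl(query))
    return ip, matched, url_param

def report(lines):
    """Split client IPs into those the rules reject and URL-valued requests they miss."""
    rows = [r for r in map(classify, lines) if r]
    return {"rejected": sorted({ip for ip, hit, _ in rows if hit}),
            "not_matched": sorted({ip for ip, hit, url in rows if url and not hit})}

# Constructed sample lines (documentation addresses, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2008:10:01:02 +0000] "GET /index.php?sIncPath=http://www.example.org/echo.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible)"',
    '198.51.100.23 - - [12/Mar/2008:10:01:09 +0000] "GET /index.php?sIncPath=http://203.0.113.7/echo.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible)"',
    '203.0.113.50 - - [12/Mar/2008:10:02:44 +0000] "GET /index.php HTTP/1.0" 200 2048 "-" "Wget/1.10.2"',
    '192.0.2.77 - - [12/Mar/2008:10:03:15 +0000] "GET /profile.php?ID=42 HTTP/1.1" 200 4096 "-" "Mozilla/4.0 (compatible)"',
]

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Because the query-string patterns are anchored to the start of the string or to the literals "www." and "https", the second sample line is not rejected, so these rules supplement register_globals = Off and the sIncPath guard rather than replace them.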
What I want to know is, if this register-globals off is such an important prerequisite for a secure site, why do Boonex recommend HostForWeb, who say they have them turned on by default?
Why Boonex are you recommending a hosting company that violates your hosting recommendations?
Cheers
Max
For me Boonex has been great, and with some help with minor issues from some very cool people at Unity and Expertzzz I've had
How do you maximise the firewall level, or what firewall settings are you using? Please.
But I do not know what do I need to do to upgrade it.
Please teach me.
Most installed are 6.1.2 dated May 2006 according to the index.php contents.
[cCdD]are to comment, Boonex?
Has anyone here read
http://www.boonex.com/trac/dolphin/wiki/DolTech
before installing? :)
all imports via global variables of unwanted scripts like http://www.brazebo.it/echo.txt etc etc would fail in this case
here are:
register_globals must be Off
(in bold font)
this is the main issue of total hacks,
yes, possible other ways to hack, but 90% of all cases - just register globals ...
this is my 5 cents