IMPORTANT. Security Alert!

Andrew Boon posted 14th of July 2008 in . 71 comments.

It has come to our attention that a few Dolphin-based sites have been hacked. We investigated the reported vulnerability and can assure you that proper installation of Dolphin is NOT vulnerable.

Attacks are only possible in case your host has the "register_globals=On" setting for PHP, which is expressly prohibited by the Dolphin installation manual and technical requirements.

Dolphin Technical Requirements

Also a quote from the technical requirements "Your host must have any Linux/Unix OS (RedHat, Debian, FreeBSD, Mandrake, etc). NOTE: SAFE_MODE must be OFF, register_globals must be OFF. " Note the "must" word there.

It is also very likely that attacks were executed through 3rd party scripts, such as phpBB.

So, if your site was attacked, make sure to get the "register_globals" setting rewritten to "Off" before reverting to backup. If your site is not affected, double check your PHP settings.

Meanwhile, we're preparing a security update, which will remove any potential vulnerabilities in Dolphin code even with "register_globals=On". It should be available within 24 hours. We still recommend, however, that you switch "register_globals=Off" if you're using any 3rd party scripts. Also check for updates of these 3rd party scripts, latest versions may have own patches to fix similar problem.

I would like to point out that we make thorough security testing before release, and Dolphin now holds an effective "HackerSafe" badge. This particular issue happened ONLY due to incorrect installations, so PLEASE be careful and attentive.

 
Comments
·Oldest
·Top
Please login to post a comment.
DosDawg
glad to see you guys post, wish it had come a little quicker. this is the same thing i have been saying since it started though. there are critics that just dont believe you when you say something. i am the first to say when i think something is the developers problem, but guys this was absolutely nothing to do with the scripts development, and i will stand behind you on this one.

NOTE IXWEBHOSTING will not turn off their register_globals=on

Bad HOST

hostmonster has register_globals=on by see more default

hfw has register_globals= on by default

these are the three that i know about.

register_globals an be disabled per account, and if you are unsure if they are on, you can check your phpinfo() to see. you should look at the master value as well as the local value. the local value can be tweaked with php_flags if your host allows php access to your htaccess.

well enough about this. i have been dealing with this since wednesday. it appears to have slowed down. there are some sites that were affected that may still be up in the air, but other than that, i have not seen reports of other hacks.

later,
DosDawg
sammie
There are a few of us that have our own dedicated servers, and i dont mean cheap ones either, i know myself and DosDawd both pay over $230 a month for dedicated servers, and we are starting to offer other members hosting.

this is ideal because you have your olphin sites hosted on a dedicated server that is in effect setup just for dolphin sites, because we use them for our own dolphin sites and make sure we keep them secure.

maybe people need to understand that cheaper is just that, its cheap see more and setup for the masses, it causes your sites to be slow, you get dumped once you hog to much ram or cpu and bandwidth.,

i am moving all my sites over to dolphin, as i believe it is the most secure ECMS and most advanced ECMS out their,
shaneed
Hi sammie. Speaking of dedicated vs shared hosting... I'm not 100% agree with you. I'm on a shared hosting and i use Dolphin on it since 2 years. I don't have problems with it, register globals are off, safe mode also off. Perhaps i should consider myself lucky. And is also cheap, and they also got great support. So, with what unoboonex just said, that means i can sleep well. Both are OFF :) Lucky meee
Tallyplayer
I agree with Dos and Sammie. I have to say that my experience of being hacked was perhaps a blessing in disguise. I have made some strong alliances and the learning experience in a short period of time could not have been duplicated in any university. I completely wiped out my dolphin sites and reinstalled complete with .htaccess files rebuilt with the suggested security fixes. While this protected my site from the intrusions of the hackers they still continued to pop into my directories attempting see more to wreck havoc on the web, The problem, they were now coming through the shared server I was on that would not turn off the globals. I am now moved (moving) to DosDawgs servers, and although more costly, the hackers and their intrusions have not followed me. Had to be the shared, cheap server, as nothing else changed, did not even do a fresh install simply copied all files and databases over. If this is not effective proof for others on inexpensive shared servers then I do not know what to say, other then enjoy rebuilding. Also, I know long winded here, but I must thank DosDawg and sammie for their help in my time of despair as they both spent time trying to assist me, a lot of time (yes Sammie Dos told me you were working on it too). They did this with out asking for any compensation at all. This dedication and support led me to my decision to switch, and glad I did!
john26632
Sammy, I am just setting up a site now, what are you asking for hosting? thanks, john
Cleeto
i use hostmonster ... haven't been hacked yet... i don't think.... but where would i look to change the setting of this?
SergeyZ
Create a file with following content:
<? phpinfo(); ?>
then save it like phpinfo.php and upload it to your server. Then call it from your browser like http://yoursite.com/phpinfo.php and find a line containing 'register_globals'. If it's value is Off then everything is OK.
SergeyZ
You can change it by adding the following line to your .htaccess file:
php_flag register_globals Off
If it produce 500 Internal Server Error, please contact your hosting server provider.
Cleeto
i just called hostmonster, they said that it is set to OFF by default...
atomikjon
I got hit hard and they got into my VPS at hostforweb and screwed up all my PHP sites. unfortunately, I had to go to a 2 week old back up and lost 150 members and many edits!

They came in through a test site running 6.1 and hot my other regular sites.
atomikjon
My host has it set off locally, but the master is on. So How did I get hacked?
SergeyZ
Possibly it can be security holes in other software installed on your server or issues of your hosting provider.
bambie
Well I have had professionals look at my site that has been hacked,

And well they have informed me you have issues in your script this was the e-mail I received

Hello,
Whatever the script in /ray/ was, was exploitable and this is how the account was exploited and this malicious script uploaded.

Regards,
Richard F.
Network Security Administrator

Personally boonex is passing the issues on when it is there problem.
SergeyZ
We know there is only one security issue in ray/modules/global/inc/content.inc.php (but it works only if register_globals=Off). This issue is fixed in 6.1.3.
But if you have more info about other issues please let us know.
SergeyZ
I mean "if register_globals=On". Sorry.
computortech
Well I was Hacked and SAFE_MODE=off and register_globals=off They Got In Through Ray. BOONEX Who ever You Have Testing Needs To Go Back To School! IT IS NOT NOT SECURE. This Is One Of The Hackers CebongDevils@kecebongcrew.co.cc >Bad email Address<
There Name=CebongDevils cebongcrew. This Is The 2nd Time For me The 1st was Shoutbox They put porn pics on it, Thats Not Good I have Kids That go to my site! Boonex Instead of Spending hours on a forum Just Fix it.
nurke
how is this boonex`s problem/issue???
what dont you get? The script got in b/c hackers put it in...hackers put it in b/c your globals were on.
Boonex cant control your servers hosting. Just do what you are told, and most importantly read/do every single step.
use this issue to pick up those IP and block them form accessing your account...
just my 2 cents...
mscott
DD are you sure? I'm almost positive HFW and Hostmonster both have them "off" by default?
bambie
My server is fine and follows boonex requirements, bonnex has holes in there script. Like i said a specialist looked into my site being hack and part of ray is exploitable.
VictorT
Can you please send me the details from your host about the part which they think are exploitable?

We would highly appreciate this information. So, we will be able to do investigation and fix this.
theGhost
Yes. They are definately exploiting the software and it's connection to all other communities. I took your "MUST" and NO DIFFERENCE regardless of RG is on or off in the Web2.0 enviro. So frustrated and irritated I began developing a list of "hack attacking servers" and the places they are coming from. Here is my list in the last 24 hours

RIPE Network Coordination Centre (50+ instances)
RackVibe LLC
Internet Specialties West ISWEST-BLK-1
HostForWeb Inc. SCNET (20+ instances)
Global see more Net Access (5+ instances)
HostForWeb Inc. HOSTFORWEB-1 (20+ instances)
Advanced Internet Technologies
Value Eyecare Network, INC (20+ instances)
Bluehost Inc
ADDD2NET COM INC DBA LUNARPAGES
Latin American and Caribbean IP address Regional Registry
Covad Communications Co
ThePlanet.com Internet Services, Inc
HostDime.com, Inc.tw telecom holdings, inc (10+ instances)
Asia Pacific Network Information Centre

Although they are not INFECTING my Dolphin environments...They are punching the server at 3-5 min intervals revolving the attack off different Dolphins hosted throughout the NET.

I'll keep playing withit and see if I can find a way to stop/block it.
VictorT
Stephen, thanks for your E-mail with logs. We are looking into it.
SergeyZ
Actually they use different servers/proxies/ip's to make the checks of vulnerable servers and sites. Also they use robots. This is why they check your site every 3-5 mins.
theGhost
Different Servers all over the NET this I know. I have been watching and tracking trying to find source which is a daunting process. But I eventually began making some head way on source. Also noticed some interesting patterns which I have forwarded to VictorT.
avhow
Hostmonster told me they are off. Maybe they are doing them server by server. Use their live chat to ask about your specific server if you are not sure. Your server name is available in cpanel.
avhow
Hi,

Just a quicky - here if Hostforweb has globals on and Boonex recommend them as being perfect for Dolphin.... hmmm doesnt seem right somehow....

Cheers

Max
brenaris
We were hacked as well, and yes, our register_globals was on. So, the problem was improper installation of Dolphin? Well, we paid Boonex to do our original Dolphin install!! Does this mean we can get our money back on that? It would hardly address the lost time we had fixing the problem, but it would be a start!

-- Jason
tango3d
here is a snippet from my php.ini file I am using hostmonster, they recommend to copy this file to all directories and sub directories which contain php files.

You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
register_globals = Off
houseperu
Let me comment something
I have a JOOMLA site www.guardiarepublicana.com/v02
Is hacked for someone how put a lot of links inside all files of the joomla
Maybe you could thing that this is not for this topic, but let me tell you that
The last week I installed a dolphin in the same site but with this URL:
www.guardiarepublicana.com/v03
today the v03 is emty, because was hacked
I goona give you some codes that this hacker put inside the files
Maybe that gonna be important in order to solve see more the problem

Sorry for my English
VictorT
Yes, please send me those codes. Perhaps, this information will helpful.
nurke
mscott....when I inquired about globals with hostforweb...first they asked fpr ftp and server login info...then they said that I need to switch them off myself. I assume they were on.
I got them off, deleted content.inc.php and uploaded one from dolphin script, same with safehtml ( I forgot the name of file now..) and since then I didnt get any warnings from HFW nor did I had any demages to the site.... I hope it stays that way.
mmijangos
I have last version SmartPro Pack 2.0.2 and my server have register global=off, but is reported as "attack-site" and has blocked for google, www.acting.com/index.php, I need help please.
VictorT
Can you send me more details about the report to look at?
Rob1960
My site was hacked, and for some reason my safehtml.php had permissions set to 777. I restored from backup, and changed settings to 766, and things are better. Could someone tell me the proper permission settings for the Plugins directory, the safehtml directory, and safehtml.php file? Also, is there a document listing the proper settings for all directories, or possibly a script to check my site for proper settings?
gameutopia
I think the perfect file and folder permissions are highly debatable and will vary from one server setup to another server setup. You can go much lower than what you have. You can easily go 755 on folders/directories and 644 on files like safehtml.php, you could probably go even lower. Important part is make sure they are not writeable...no 777 and no 666.
Rob1960
Thanks, I will check that out. But in ./inc, I had header.inc.php set to 666. I just changed that to 644. Is that correct?
gameutopia
Hey rob, if you follow the boonex installation there are some php files they state to be 666 and I believe /inc/header.inc.php is one. There are a few others that need to be in ray for your changes you make in your admin panel/ray to be able to write to them. A few others they state 666 which again could be debatable depending on hosting type. There are a few 777 folders in order to upload files. This could vary by hosting type. Your host might only need 755 in order upload. 777 can cause some security see more issues, and it is not recommened unless a script actually needs it for your type of hosting. Most often if php is apache module then a 777 would be required for upload. If php as cgi you might only need 755 or even less.
clubk1d
Maybe this could help you guys. . ., before doing this, try to put on your root directory a php.ini file with a code inside that will disable register_globals to off.. .

then do this ff. steps. .

http://www.boonex.com/unity/forums/topic/fix-for-dolphin-exploit.htm
SergeyZ
Another one way is to put following line in your .htaccess file:
php_flag register_globals Off
It is more popular way to configure PHP locally. But sometimes it can result to "500 Internal Server Error". That's why we removed php flags from Dolphin package.
sammie
add the fllowing code to your ray/modules/global/inc/content.inc.php

add it at the top above the 1st require once command

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');


so it looks like this :


if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");


this stops any remote includes being used


next see more edit /plugins/safehtml/HTMLSax3.php add this at the top above the require once


if (isset($_REQUEST['dir']))
die ('Hacking attempt');


so it looks like this:


if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );


this stops remote access to your directories

as my dedicated server is under constant attack from hackers trying to access the server via dolphin i paid them to look at the issue and this is what they have added to kill any remote access attempts

i paid for it, you got it for free, enjoy and be safe.

i have tested this on my working sites and there is no problem
VictorT
Sammie, your contribution is highly appreciated.
Juker
Thank you Sammie!

Very kind of you to put this information out there for the rest of the community. I updated the two files and I feel better already.

Juker
DoLaugh
Hey Sammie! Thanks so much, I added this code to the two files...do you have a solution for the tiny_mce? I keep getting files like this inserted in there also.

Crap..I don't know...the C99 has probably opened up my entire site...I have no idea where all these backdoor trojans are at...

Can I download my site and use my virus scan to find some of these? Any ideas are welcome.

DoLaugh
sammie
the 1st code can apply to any file thats being exploited but test your site to make sure it does not affect its working

and yes i downloaded a hacked VPS and used my virus scanner to see what was infected.

it had 19 infections on the one dolphin site
DoLaugh
Thanks Sammie....the problem is I dont' know all of the files that are being exploited! LOL

I've used your code into the Ray folder content.inc, into the HTMLSax3.php file, into the safehtml.php file. I keep getting these .gzr files into tiny_mce. I take it these are program C99 shell programs. I keep deleting them, but I'm still getting hacked, it seems.

Dolaugh
theGhost
Good Job sammie!

Or... I was working on this all day and...

I simply changed my name servers to a landing page...in this case a godaddy landing page. Waited 15 minutes and reset the name servers back to my own. Stop the attack cold. I broke the attack in mid stream and hasn't returned. Yea for me...That was annoying.

I simply removed my url as a potential attacking site probally from their master attack script. The attack only affects BoonEx hosted sites as many other sites on this particular see more server were unaffected.

Someone definately doesn't like Dolphin :( All of course monitor the situation over the next 48 hours to ensure no return. But for everyone else...Trying this will NOT affect your site and requires no script modifications for those who would rather not script write. Basically just hides your Dolphin in the Global Net for a few moments :)
DoLaugh
Can you give more information on the godaddy landing page? I might want to try that.
theGhost
If you register Domains with GoDaddy or anyother Registrar then you have control on Parked, Hosted or Custom name servers. Since I use GD as a Registrar but not a host I always am setting custom name servers. So this attack just allowed me to switch the NS to Parked for a few minutes. Stop it. But then a single check after this post and at 1am a restart this time with a fix in the attack which tells me alot about the attackers and their methods of exploit.

So it was a Temp Fix at best...But damn see more if I didn't try to find an easy Turn Off button :)
gkcgautam
Guys there are many other methods for hacking...even a completely secure script can be hacked...
It happened with me few weeks ago that a trojan came into my computer...and somehow copied my ftp account details while i was working through ftp. Then it added some coded script to all pages with names index.xxx, home.xxx and default.xxx . The task of the script was to download malware softwares to those computers which opened my site. Changing the ftp password and removing that script solved the issue...
But see more notice that it had copied my ftp details. So it could do anything with site files.
So guys be updated about various hacks...and try to avoid them.
VictorT
We are about to release the Security patch. Everything is ready to go. But still waiting and looking at some details to be checked fully and unhurriedly.

We would appreciate you patience.
Juker
Thnk you brother for working hard to fix this problem.

Juker
DoLaugh
Victor, where would one download this Security patch?
theoneroom
I added the above code suggested by Sammie in addition to some provided on expertzzz, for anyone, it goes it the root .htaccess file after the rewrite engine on statement, see below:

RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]
avhow
Hi,
What I want to know is, if this register-globals off is such an inmportant prerequisite for a secure site why do Boonex recommend HostForWeb who say they have them turned on by default?

Why Boonex are you recommending a hosting company that violates your hosting recommendations?

Cheers

Max
DoLaugh
When these Security patchs are released....where do you go to download the patch?....expertzzz site or here on unity?
theoneroom
avhow, thats a very good question that I would like answering myself, why are they recommending a hosting company that dont meet the requirements?
chitro
Victor, would this be a full patch to go from 6.0x to latest version? We have not yet upgraded our site and are planning to do so this week.
sammie
the boonex patch will be listed here with the links to it. as i understand it they are working on patches to fix all versions
LightWolf
I got hacked hard and almost lost my hosting account because of this,and this all happened while i was off line for 9 days. I got my hosting to unsuspend my account and found folders in my cpanel belonging to banks and so forth. My host has my globals and safe mode off and my site was not even open to the public yet. It was a fresh install with no added mods or scripts then what came with Dolphin-v.6.1.2-Free. But they still hacked me. This scares me as i read about others with same issues. Hope see more we don't lose this awesome software,don't want to go somewheres else. Guess it's a waiting game now.
avhow
Lightwolf, check google and search for your site. See if anything is listed. Google has a habit of getting peoples sites online even when they dont think its possible. I've been surprised once or twice myself at the speed sites and posts get on there. Do you have a robots.txt file to keep them out until you are readyy?
Cheers
Max
LightWolf
No robots txt file yet..lol Never had this problem before with all the other dolphin software.
Swiftcreek1
I also use hfw, and had Boonex do my install.....My Globals are OFF, and to the best of my knowledge I have NOT been hacked, there has been no unusual bump in bandwidth usage, no files out of the ordinary and the only problem I have is something I gummed up when I did the latest update that I haven't figured out how to fix yet.....But that's an issue for another day.....

For me Boonex has been great, and with some help with minor issues from some very cool people at Unity and Expertzzz I've had see more alot of fun getting my site off the ground.....I'm actually excited for our 7 months of winter to come back to Alaska so things will slow down at my day job and I can really spend some time developing my site!
anthonyparsons
I think it's a little ironic actually that people blame both the developer and/or Dolphin / Ray itself as a problem. All PHP scripts have vulnerabilities... and I mean all. People have released little hacks above, recommendations, etc... this is a blanket hack, not a specific targeted event. Hackers really have better things to do that target individuals running a boonex community. This is some kiddy hackers who more importantly found a loophole that allows Dolphin IN CONJUNCTION with a server with see more holes an access point. I have two servers... one VPS and one dedicated. One has globals on, one has globals off. Both have Dolphin installed and neither got hacked. Why? Rough guess.... the first thing I do with a server is install a firewall and maximise its level and close as many PHP and related holes as possible. A hacker cannot gain access if holes are closed so that root level only can make adjustments. It really does just rule out blanket nonsense such as this and gets down to the odd chance a hacker really wants to target your site. If that is the case... nothing you do will stop them regardless if they are worth their weight as a hacker. Hackers really do have better things to do with their life.... this one is kiddy stuff with an exploit that Dolphin warned about.

As recommended above... put your site on a secure server to begin with... cheaper really is not better. Dedicated or VPS is not better either if you do not secure the thing in the first place then only open what you absolutely need open to run your loaded sites. Servers are default set to allow thousands plus exploits to be input. Hell... if you didn't know, spam assassin itself is exploited that if you have it on your server, chances are all your server emails are actually receiving spam within 30 days off opening the email account. Get a VPS and learn how to firewall it tight... then back it off only where needed so your sites work from a user perspective. The rest... you just really shouldn't have any problems with such issues from then on as PHP exploits are closed at the server level... not the script level which doesn't do much at all.

Just my two cents on this topic. Not Boonex issue though...
Though Im not a tech guy but I agree with you! Securing server is the first thing... Would you mind posting here more specific tips on how you 'close' holes as I would like to apply it to my dedicated server as well.

How you maximise the firewall level or what firewall settings are you using? please.
merkado
As a New admin of my dolphin, I dunno what should I need to start off. I am shocked today when I read this article. and first installed 6.1.2 a month ago and i read there is a 6.1.3....

But I do not know what do I need to do to upgrade it.

Please teach me.
partytymekaraoke
well i got hacked sunday night. and they took out all my add on domain websites also. got complete control over my cpanel and changed the pass word and now i am hoping my gatorhost will reset everything for me so i can get the dolphin crap off mt site for good. this is the 3rd time i have been havked with thie buggy crap. here is the link to the file they used to get in my site. maybe dolphin should look at this and figure out how to keep this from happening again. as of now i am not messing with see more dolphin again till i can see they have a secure script.
the link here. http://www.brazebo.it/echo.txt
Habitual
uh, we have boonex-installed communities, and they are still getting (w)hacked.

Most installed are 6.1.2 dated May 2006 according to the index.php contents.

[cCdD]are to comment, Boonex?
Habitual
oh, yeah, I work for hfw
AndreyP
Just interesting,

Are someone here read
http://www.boonex.com/trac/dolphin/wiki/DolTech
before installing? :)

all imports via global variables of unwanted scripts like http://www.brazebo.it/echo.txt etc etc would failed in this case

here are:
register_globals must be Off
(in bold font)

this is main issue of total hacks,

yes, possible other ways to hack, but 90% of all cases - just register globals ...

this is my 5 cents
inkedhumans
My site was also affected by these hackings. I am barely getting the site back now after changing hosts from 1and1.com to gigapros.com. Excellent hosting so far. Tell them I sent you if you sign up! Anyhow not only me but a programmer I was working with got their dolphin site hacked, and she had her own server! I hope these new fixes make things right.
jaminunit
Where is the patch from boonex?
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.
PET:0.1638650894165