Dolphin Security Roundup - Has Your Site Been Hacked?

At some point in your site's existence, there will be attempts that will be made to hack your site. I know several months ago there was a rash of Dolphin sites being compromised as hackers had intensely targetted the app.

To be clear, this is not relegated only to Dolphin but to all apps. All sites get hacked.

Hackers have compromised sites like Facebook , MySpace, Twitter and I am sure many that has been or has yet to be reported. While you can't stop a hacker from trying to get to your site, you can definitely make it more work by applying some of the techniques listed below. I've rounded the first batch in this blog. This is a compilation of the ones I've found very helpful. There are others, I am sure, and if you have a link, please send it to me for inclusion.

RAY FILES - HTMLSax3 Fix for dolphin exploit

SOURCE: sammie - http://www.boonex.com/unity/blog/entry/Fix_for_dolphin_exploit

1. Add the following to your ray/modules/global/inc/content.inc.php :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

So that, when you're done it looks like this:

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

This prevents hackers from using any remote include files to used against your site.

2. Add the following to your /plugins/safehtml/HTMLSax3.php:

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

So when you're done, it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

This prevents remotes access to your directories.

DOLPHIN ROOT - .htaccess file located in the root of your site

SOURCE: Dialme.com

This will block remote files from being included in your remote files:

RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]

Block others from viewing your .htaccess files in a web browser:
yoursite.com/.htaccess (near the bottom add)

<Files .htaccess>
deny from all
</Files>

You can also deny ip addresses in single or in ranges:

<Files *>
order deny,allow
deny from 191.0.0.0
deny from 195.0.0.0
</Files>

<Files *>
deny from 124.187.
deny from 58.0.0.0/8
allow from 58.121.39.45
</Files>

FOR ALL DIRECTORIES THAT HAVE BEEN 777'D

SOURCE: Dialme.com

.htaccess files are recursive meaning that if you put one in a directory all the subdirectories are effected. So in my media directory I block ALL scripts like this:

That "limitexcept" blocks all "put" and "post" requests too. You CAN'T use this in a directory that has .php files inside it.. or any of the sub-dirs. But it SHOULD be inside ALL the /files directories for each ray widget, and the /media directory.

Sample locations:
yoursite.com/media/.htaccess
yoursite.com/ray/modules/movie/files/.htaccess
yoursite.com/ray/modules/mp3/files/.htaccess
yoursite.com/ray/modules/music/files/.htaccess

Code:

<LimitExcept GET>
Order deny,allow
deny from all
</LimitExcept>

<FilesMatch "\.(cgi|pl|py|bak|txt|htaccess|htpasswd|log|zip|asp|sh|shtml|js.*|gz|tgz|tar|php.*|htm.*)$">
Deny from all
</FilesMatch>

LOCK DOWN THE ADMIN FOLDER

SOURCE: Dialme.com

Let's make it so even if a hacker gets his credentials in your database he STILL can't get in the admin... put this inside the .htaccess that is in your /admin directory:

For example:

<Files *>
order deny,allow
deny from all
allow from 192.168.0.1
</Files>

The ip addresses listed will be allowed to access the admin.

This way even if someone gets YOUR password and login they STILL can't get inside the admin area.

*If your ip changes than this probably isn't the best solution. You will still be able to access ftp regardless of your ip address. This just blocks web access to your admin folder other than the 2 ip's specified. So even if your ip did change you can just ftp into your admin directory and update the ip's with your new ip addresses to allow.

HIDE THE HOMEPAGE

Source: MakeASocialNetwork.com

Several of the hacking groups only do one thing when they DO get in.. they change your homepage to their logo (defacement). Just like #1 this is automated.. they overwrite index.php or add one. Well what if your homepage isn't index.php?? Even if their bot gets one in none of your visitors will ever know :-) How? Simple, rename your index.php (in this example myindex.php) and then put this in your .htaccess:

DirectoryIndex myindex.php
and inside the mod_rewrite block:

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.yoursite.com/ [R=301,L]

So any request for http://www.yoursite.com/index.php will be directed to http://www.yoursite.com/ and the new homepage is really myindex.php
If you do this then you need put a line setting it back to index.php inside all the other directories (like admin and ray) OR change it in them too.
Let them wrap their minds around why they got their bogus file in but it isn't showing :-)

REDIRECT THEM IF THEY'RE NOT SUPPOSE TO BE THERE USING PHP

Source: BoonexNerd.net

Add an index.php file in the root of a directory that you want to access only if the person knows the exact URL. You can add the following to the index.php file:

<?
header( "HTTP/1.1 301 Moved Permanently" );
header( "Status: 301 Moved Permanently" );
header( "Location: http://www.boonexnerd.net" );
//exit(0); //jt note - in some cases you may need to uncomment this out. To uncomment, delete the two forward slashes in front of exit(0)
?>

REDIRECT THEM IF THEY'RE NOT SUPPOSE TO BE THERE USING .HTACCESS

Source: BoonexNerd.net

Another way to redirect a curious user is by adding the following to your .htacess file. The example below redirects traffic from my Boonexnerd.com site over to my Boonexnerd.net site:

#-------------------------Redirect START --------------------------------------
#Apache Mod-Rewrite moduled must be enabled in order for this redirect to work
RewriteCond %{HTTP_HOST} ^www.boonexnerd.com [NC]
RewriteRule ^(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]

RewriteCond %{HTTP_HOST} ^boonexnerd.com/testredirect/ [NC]
RewriteRule ^(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]
#-------------------------Redirect END --------------------------------------

Just replace my domain with yours. One question you may ask is, "Where do I put this thing?". Here's an example of placement:

Open your .htaccess file and add this to the file:

<IfModule mod_rewrite.c>
RewriteEngine on

#-------------------------Redirect START --------------------------------------
#Apache Mod-Rewrite moduled must be enabled in order for this redirec to work
RewriteCond %{HTTP_HOST} ^www.boonexnerd.com [NC]
RewriteRule ^(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]

RewriteCond %{HTTP_HOST} ^boonexnerd.com/testredirect/ [NC]
RewriteRule ^(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]
#-------------------------Redirect END --------------------------------------

RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]
</IfModule>

SET REGISTER GLOBALS TO OFF

SOURCE: http://www.boonex.com/unity/forums/topic/Dolphin-not-secure-Hacked-.htm

gameutopia says:
First thing to do is to determine if register_globals is on or off. You can login to your admin panel first then visit:
yoursite.com/admin/phpinfo.php

Scroll down until you see register_globals
You should see to columns local and master. Master is what you host has specified. And local would be your site/directory. You can over ride your hosts master value by using .htaccess on php apache servers or php.ini with cgi servers.

The code varies slightly.

For php apache servers add to your main .htaccess file yoursite.com/.htaccess:
php_flag register_globals off

For cgi servers add to or edit your current php.ini file in yoursite.com/php.ini:
register_globals = Off

If you don't have php.ini make one with the above line and call it php.ini (cgi-servers only)
Else ask your host for certain and/or exact location to put php.ini

Go back to yoursite.com/admin/phpinfo.php and refresh page to verify the changes were successful ie...register_globals changed from on to off for certain in the local value, but if both local and master change that is ok too.

RUN A VIRUS CHECK ON YOUR FILES

Source: BoonexNerd.net

Keep your files healthy. Have a look at some of these FREE Antivirus Programs
http://www.avast.com/eng/download-avast-home.html
http://www.free-av.com/

OTHER SITES THAT ARE HELPFUL FOR SECURITY ISSUES

Source: BoonexNerd.net

http://www.wizcrafts.net/chinese-blocklist.html
This will list ip addresses for blocking.

http://www.wizcrafts.net/exploited-servers-blocklist.html
This will list exploited servers.

http://www.changedetection.com/
This will monitor your site

And this one is not necessarily a direct defense against hackers but services that will alert you if something has gone wrong with your site. These services will keep an eye on your site and will ping and xing your site based on intervals and will report any weirdness that may have occurred.

http://www.montastic.com/
http://mon.itor.us/
http://site24x7.com/

The last one on the list I've used and will also monitor if the content on your site has changed. For example, if the front page got defaced.

So there you have it, some of the fixes and updates that you may want to add to your own files in order to harden your site just a bit.

And finally, I have a daily list of ip addresses that have attempted to compromise my nerd site. If you are interested in getting the list please let me know. I will send you a daily/weekly report of suspected hackers based on my own server being attacked.

...sip...