My site hacked

stech786 posted 30th of December 2008 in Community Voice. 22 comments.

My site was suspended by my hosting server (bluehost), saying that it was sending phishing emails. I installed Boonex over 5 months ago. I am 100% sure all the file permissions were correct and the whole site was working.

 

I AM SO UPSET that I have spent so much $$$$ on buying scripts for Dolphin and at the end Dolphin says that it's not designed for "Shared Hosting". I think, wouldn't it have been better to post this on the DOWNLOAD PAGE? Then I would NEVER have spent $$$$ and my TIME.

 

 
Comments
gautam
on the download page there is a link to a TRAC page which specifies server requirements.

"Technical Requirements

Explore [http://www.boonex.com/trac/dolphin/wiki/DolTech] Dolphin Technical requirements."
If it has been installed over 5 months ago, then there are a few patches, or "security fixes" that you should have applied.

All of which are discussed openly in the forums.
sammie
there are 2 major security risks/mistakes people make,
register_globals On and allow_url_include On
from the php.ini files I have seen people use to override the local register_globals On setting, most then go on to put allow_url_fopen On and then, not knowing what allow_url_include is, they think it's the same as allow_url_fopen and turn it on.

allow_url_include On is as dangerous as register_globals On

If the server is running SuPHP you have to make a copy of the php.ini file and edit it, making sure it has:
register_globals = 0
allow_url_include = 0
allow_url_fopen = 1

If the server is NOT running SuPHP you can place the following in the .htaccess file:
php_flag register_globals off
php_flag allow_url_include off
php_flag allow_url_fopen on

If the server is running SuPHP DO NOT try the .htaccess method as it does not allow you to override php via .htaccess

apply this security patch if you want to make sure you have added protection

edit /plugins/safehtml/HTMLSax3.php add this at the top above the require once

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

so it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

this stops remote access to your directories.

Remember, although this covers security issues locally at your server's site level, if the master settings are on, you are not 100% safe as a hacker can still get to your site if they hack the server above the account level.

the safest option: move to a host that's set up for Dolphin and knows what they are doing.
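Added example, not part of sammie's post or of Dolphin: a small Python audit that reads a local php.ini copy or an .htaccess file and reports where the three directives named above differ from the values the post recommends. The sample file contents are constructed for illustration.

```python
import re

# Values the post recommends for the three directives it names.
RECOMMENDED = {"register_globals": False, "allow_url_include": False, "allow_url_fopen": True}
TRUTHY = {"1", "on", "yes", "true"}

# php.ini style: name = value   ; optional trailing comment
INI_RE = re.compile(r'^\s*([A-Za-z_.]+)\s*=\s*"?([^";]*?)"?\s*(?:;.*)?$')
# .htaccess style: php_flag name on|off   (php_value name 0|1 also accepted)
HTACCESS_RE = re.compile(r"^\s*php_(?:flag|value)\s+(\S+)\s+(\S+)", re.I)

# Constructed sample: the mix-up described in the post.
SAMPLE_INI = """\
; local copy of php.ini
register_globals = On
allow_url_fopen = On
allow_url_include = On   ; assumed to be the same as allow_url_fopen
"""
# Constructed sample: .htaccess that sets only two of the three flags.
SAMPLE_HTACCESS = "php_flag register_globals off\nphp_flag allow_url_include off\n"

def parse_settings(text, kind):
    """Return {directive: bool} for the watched directives; last assignment wins."""
    pattern = INI_RE if kind == "ini" else HTACCESS_RE
    found = {}
    for line in text.splitlines():
        m = pattern.match(line)
        if m and m.group(1).lower() in RECOMMENDED:
            found[m.group(1).lower()] = m.group(2).strip().lower() in TRUTHY
    return found

def audit(text, kind):
    """List directives that are missing from the file or differ from the post."""
    found = parse_settings(text, kind)
    findings = []
    for name, want in RECOMMENDED.items():
        if name not in found:
            findings.append(f"{name}: not set in this file")
        elif found[name] != want:
            findings.append(f"{name}: {'On' if found[name] else 'Off'}, "
                            f"post recommends {'On' if want else 'Off'}")
    return findings

if __name__ == "__main__":
    for label, text, kind in [("php.ini", SAMPLE_INI, "ini"),
                              (".htaccess", SAMPLE_HTACCESS, "htaccess")]:
        print(label, audit(text, kind) or "matches the post's settings")
```

A directive reported as not set in the file takes its value from somewhere else, so confirm the effective value in phpinfo() output as well.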
Lloyd
I am just wondering how these hackers find a Dolphin site to hack in all the billions of sites on the web.

I wonder if it is because some Unity members list their site url in their posts and/or in their membership info.

Hackers who are familiar with Dolphin and looking for sites to hack are going to come to Unity and Expertzzz for a list of sites to try and hack. You do not even have to join these sites to get this information.

I am not saying that you should not protect your site by making the necessary changes to the code and your server to protect your site, but for god's sake, stop making it easier for these hackers by giving them the url to your site.
stech786
To Lloyd,

I AGREE. What happened was I contacted Boonex admins to get some help on installations. They asked for my FTP access, so I gave it to them, hoping that they would help. Instead this shit happened, so I think it's an inside job. But when I changed all passwords, my server was still sending phishing emails.
sammie
boonex staff wouldn't do such a thing, your host is the problem. so to say boonex did it is wrong.
stech786
my site is not even PUBLIC. I am still testing all the features, and the only people who know my site address and FTP info are the Boonex admins. I am not trying to say the Boonex team did it!!!!!!

After my site got hacked (including all the database, and my index file was changed) I never got any email back from that administrator. I asked who they forwarded my personal info to, but NO RESPONSE. AT LEAST they could have sent me a letter, said SOMEthing.
Lloyd
To stech786,

Sammie is right, I do not think that anyone from Boonex would do this.

I think you might have misunderstood me. What I mean is that either mentioning your site in a post and/or listing your site's URL as part of your Unity profile is in my opinion a bad idea. It is just giving a hacker a map to your site and telling them that the key is under the mat. (LOL). I hope I have explained myself better.
stech786
To Lloyd and Sammie,

I think you guys have misunderstood my comments too. I NEVER said a Boonex team member hacked my site. It's just the timing of what happened makes it look like I am trying to say it's a Boonex team member. BUT IT'S NOT...rather it's the host itself
Lloyd
Do you know how your site was hacked? There are many ways to hack a site (sql injection, code injection, password hacked giving access to parts of your server).

You need to find out exactly how your server was compromised. Do you have access to your server log files? If so you need to take a look at the log files around the day you were hacked. Once you know who hacked you and how, I can suggest ways to prevent further hacks of this type. As you are on a shared hosting service, and not a VPS or dedicated server, you will need the help of your hosting provider.
stech786
are you talking about the Raw access log?
sammie
To Lloyd,

I AGREE. What happened was I contacted Boonex admins to get some help on installations. They asked for my FTP access, so I gave it to them, hoping that they would help.

*****Instead this shit happened, so I think it's an inside job.*****

But when I changed all passwords, my server was still sending phishing emails.


===============
no mistake in what you said.
Lloyd
there are many logs created by the many applications running on your server (i.e. apache, mysql, ssh, ftp, etc.). You need to look at these logs.
Lloyd
Sammie,

Please clarify your post.

Do you mean that you agree with my post (Do you know how your site was hacked? .....)
sammie
i was copying his post to you where he said it's an inside job
stech786
copy of my post:
"It's just the timing of what happened makes it look like I am trying to say it's a Boonex team member. BUT IT'S NOT...rather it's the host itself"
DosDawg
Happy New Year,
as best as that could mean to you given the circumstances. i just read your post where you stated you were hacked. that is truly unfortunate. i have posted this many times and will just try to summarize it for you, and explain how and why sites get hacked.

shared environments where hosting is $1.99 (as an example) are the most prone to end up having sites hacked. why you might ask, well there are no script kiddies that are going to pay for a dedicated server or vps server, for one, they don't have the funds. so they pool their pennies together and pick up a hosting account for $1.99 for a month. it will only take these kids about 30 mins and they own half the sites on a server on a shared environment. how you ask, well it's simple, remote shell script. they set up the account on the shared host, they load up a remote shell script, and once that is loaded on the server they start navigating across the hard drive or root of the server. now this will not allow them to actually damage the server, however, this does gain them full access to any and all files that are in the /home directory. so once they navigate across the server, they are moving this remote shell script with them, planting it on each and every account they access. as they are doing this, there are others who are posting that a server has been compromised and they come in droves.

the phishing files you speak of are just another way of the kids accumulating funds, once the remote shell script is installed on lets say oh 3000 hosted accounts, they will then start selling the domains and the root login of that remote shell script. now the ones who are doing the phishing are mostly from UK, Russia, and India, where cyber laws are non-conforming to the rest of the world, and they can get away with this type of behavior.

now this leaves you as the unknowing victim. host finds out or is reported to that you have phishing content on the server. you of course had no idea it existed, and this is from sheer ignorance. you should read your server logs, or hire an admin to at least review your logs on a daily basis. had you been reading your log files, you would have noticed several 404's to start with, and the fact that calls were being made to obscure directories and subdirectories on your server should have raised a flag.

now how do you prevent this. get off the $1.99 hosting. as upset as you are about your site being down, this could have been prevented. reading the developers server requirements before jumping headlong into this and thinking you are getting a deal when you get your $1.99 hosting account. im not trying to bash you, just want you to understand that the accountability is not solely on the server, or the server security, this is a burden that must be carried by both the client and the host.

Regards,
Happy New Year All
DosDawg
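Added example, not part of the thread: a Python sketch of the log review Lloyd and DosDawg recommend, flagging clients that pile up 404s and listing what the server answered successfully for them afterwards. The log lines are constructed, use documentation IP ranges and made-up paths, and the threshold of 3 is an assumption to tune for your own traffic.

```python
import re
from collections import defaultdict

# Apache common/combined log format: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Dec/2008:03:11:02 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [28/Dec/2008:03:12:40 +0000] "GET /backup/ HTTP/1.1" 404 210
198.51.100.7 - - [28/Dec/2008:03:12:41 +0000] "GET /old/ HTTP/1.1" 404 210
198.51.100.7 - - [28/Dec/2008:03:12:42 +0000] "GET /test/ HTTP/1.1" 404 210
198.51.100.7 - - [28/Dec/2008:03:12:44 +0000] "POST /media/tmp/x.php HTTP/1.1" 200 87
192.0.2.10 - - [28/Dec/2008:03:13:00 +0000] "GET /missing.gif HTTP/1.1" 404 210
"""


def review(log_text, threshold=3):
    """Report clients with at least `threshold` 404s and what they were served afterwards."""
    misses = defaultdict(int)          # client -> count of 404 responses
    served_after = defaultdict(list)   # client -> 2xx requests seen once over threshold
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip lines that are not in the expected format
        client, method, path, status = m.groups()
        if status == "404":
            misses[client] += 1
        elif status.startswith("2") and misses[client] >= threshold:
            served_after[client].append(f"{method} {path}")
    return {c: {"404s": n, "served_after": served_after[c]}
            for c, n in misses.items() if n >= threshold}


if __name__ == "__main__":
    for client, info in review(SAMPLE_LOG).items():
        print(client, info)
```

A successful request to a script you do not recognise, right after a run of 404s from the same client, is the entry to check against your file listing first.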
sammie
DD
"UK, Russia, and India, where cyber laws are non-conforming to the rest of the world, and they can get away with this type of behavior."

UK? WTF? i think you mean the Ukraine Kr

i can assure you the UK has some of the strongest cyber laws on the planet
searchro
Hi. bluehost is one of the biggest hosting providers around the world and i can tell you that every day 20-30 sites from their network are hacked ... i say 20-30 but it would not be a surprise if it were much more. Don't be upset .. you are not the first.
ErvanErfian
Changing to another type of hosting/server is not a good answer.
The right settings, a stable script & keeping on tuning.. I think that is a good answer.

I don't blame anyone..
Hopefully this is knowledge for us.
DosDawg
yep Ukraine, was actually going to spell it and some other thought came across my mind, so forgot to finish writing the country.

:D

ooops

DosDawg
Terabyte Hosting Solutions
RobertRun
Is it safe to assume that the way to go to keep things as secure as possible is to have a dedicated server?

I am also using a shared host to build the site, and will migrate when I feel the build is up to snuff. So what can I be doing to keep the site secure in the mean time?
 
 