is my site hacked?

that means your guestbooks are being spammed

no need for profile commets and guest book, so delete the guestbook.php file or rename it to something different

Thanks, sammie!
The fact is, that I have already deleted guestbook.php file... Maybe it's something else..

i posted this fix awhile back,

add the fllowing code to your ray/modules/global/inc/content.inc.php

add it at the top above the 1st require once command

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

this stops any see more remote includes being used

next edit /plugins/safehtml/HTMLSax3.php add this at the top above the require once

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

so it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

this stops remote access to your directories

you need to move to a more secure host

GuestBook was totally rewrote in 6.2,
just wait a little, nobody more can be able to spam in your dolphin

This line require_once('header.inc.php'); in ray/modules/global/content.inc.php of 6.1.4 version should help too. But solution from Sammie is useful too, thnx Sammie for helping other.

any time Leonid :)

This shows that somebody tried to attack your server by external file inclusion.

allow_url_fopen is safe but not allow_url_include
a server is only vulnerable if register_globals and allow_url_include are on, both should be off.

I applied all fixes. Unfortunately I still see in access log theese long links like

75.150.10.62 - - [30/Sep/2008:12:14:32 +0400] "GET /skandaloff464?CmtText=pharmacy%3B+http%3A%2F%2Fleto2005.variant.lv%2Fforum%2Ftopic.php%3Fforum%3D1%26topic%3D239998+soma%3B+http%3A%2F%2Fglebka.ru%2Fforum%2Fviewtopic.php%3Fp%3D314517%23314517+soma%3B+http%3A%2F%2Fantichp.mypressonline.com%2Ffor .... +soma+usa%3B+&CmtParent=0 HTTP/1.0" 200 37060 "http://samaroid.ru/skandaloff464" "Mozilla/4.0 see more (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

I tried to ban IPs in .htaccess file but it's impossible to do it every day. I'm thinking now to change webhoster company...

Is the spam being recorded in your guestbook or not? If it isn't then what they are trying isn't working.. people are always going to TRY and spam you, but I wouldn't swap hosts because of that??

so they are just logs of attempts, you will always get attempts you cant do anything about people trying

I agree with you, sammie :) I can't do anythig about people trying :) So, let them try! :)
I was very pleased to find here so nice people who, in spite of my very bad English, tried to help me :) Thank you all! I am conviced one more time, that I'm on right way I choose to use Dolphin.

That won't make any problems. When somebody tries to attack your site these errors will be logged.

To add to the (fairly dated) discussion, I suggest you log the error as opposed to just screaming "Hacking attempt" pointlessly. Try something like this:

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');
error_log("HACKING ATTEMPT. User with the IP of ".$_SERVER["REMOTE_ADDR"]." has attempted to hack us using ".$_SERVER["SCRIPT_FILENAME"]);

This should log the error in Apache's error log. Handy!