Anyone being hacked by hacktool FaTaLisTiCz_Fx Fx29SheLL v1.5 06.2008?
I have Dolphin 6.1.4
Register globals is off
My index.php is getting deleted by the hacker.
I deleted all files that do not belong in Dolphin. I changed my host password but still.
Anyone know about FaTaLisTiCz_Fx Fx29SheLL v1.5 06.2008?
Regards,
Harvliet
|
Try typing the name into Google... I found 1 result |
I did that but there is nothing about how to stop it |
FaTaLisTiCz_Fx is the name he is using; Fx29SheLL v1.5 06.2008 is the script that he is using.
You could go on IRC and ask him about it, if you like:
CyBeRz@irc.allnetwork.org
One reason you don't find much on Google about them is because they don't talk normally.
Link to one of his posts - notice the comment about injecting the script on the target
Link to another script and post
I saw him on a few different hacker sites - many offering free scripts, botnets and rootkit hooking programs to use in attacks
|
Hi all, thanks for the replies but Sammie already had the solution. Boonex has not added this fix to Dolphin 6.1.4
------------------------SAMMIE'S FIX--------------------
I did post a fix for this long back, 3 months ago.
Add the following code to your ray/modules/global/inc/content.inc.php
Add it at the top, above the first require_once command:
if (isset($_REQUEST['sIncPath'])) die ('Hacking attempt');
so it looks like this:
if (isset($_REQUEST['sIncPath'])) die ('Hacking attempt');
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");
This stops any remote includes being used.
Next, edit /plugins/safehtml/HTMLSax3.php and add this at the top, above the require_once:
if (isset($_REQUEST['dir'])) die ('Hacking attempt');
so it looks like this:
if (isset($_REQUEST['dir'])) die ('Hacking attempt');
require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );
This stops remote access to your directories.
|
Hmmm, my first require_once line is not the same as what Sammie shows. It looks like this:
require_once('header.inc.php');
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");
So should it be above the require_once('header.inc.php'); ?
Just checking.
Cheers
Paul
|
It's impossible. You need to check your "register globals" again. If that param is turned off, the hacker can't replace the original ray variable!!!
We only have unique modules for Dolphin! |
I am with HostGator. I think I read in a different post that they do not allow this to be switched off using your main .htaccess file. It certainly appears to be the case when I try it. I get a server 500 error. I have contacted support requesting more info on this. If this is the case then they should not be recommended on the Boonex site as a host which supports Dolphin.
In any case, the hacks have completely brought my site to its knees now... Somehow my host admin has also been compromised. I removed all Dolphin code and MySQL databases until I can figure out what to do. A pity really, as the users were starting to sign up and I had around 40 in about four weeks... Still, better it happen now than when I have 100s or even 1000s of users.
Cheers
Paul
|
Thanks Sammie. I have implemented those changes, on the mentioned files and a few others. I managed to get my site back up and running after doing a low level file difference between original 6.1.4 code and the code from my site.
I also heard back from hostgator, who agreed to switch off the register_globals on my account. So panic over for the moment. Fingers crossed. I shall be keeping a close eye on the access/error logs from now on.
Cheers
Paul
|
I have been monitoring the logs for hacking attempts and it is working a treat.
Thanks again Sammie
Cheers
Paul
|
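The log monitoring Paul describes can be scripted. The following is an added example, not code from the thread or from Boonex: it scans access log lines for requests that set sIncPath or dir on the two files Sammie's fix guards. The combined log format, the function name find_attempts and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Script name -> request variable that Sammie's guard rejects (both from the thread).
GUARDED = {"content.inc.php": "sIncPath", "HTMLSax3.php": "dir"}

# Assumed combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_attempts(lines):
    """Return one dict per request that sets a guarded variable in its query string."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line this parser understands
        ip, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        wanted = GUARDED.get(path.rsplit("/", 1)[-1])
        if wanted is None:
            continue  # not one of the two guarded scripts
        # parse_qsl percent-decodes names, so dir%5Bplugins%5D is seen as dir[plugins].
        # PHP maps dir[plugins]=x onto $dir['plugins'], so compare the part before "[".
        # PHP variable names are case-sensitive, so the match is exact.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.split("[", 1)[0] == wanted:
                hits.append({"ip": ip, "path": path, "param": name,
                             "remote": "://" in value, "status": int(status)})
    return hits


# Constructed sample lines (documentation IP ranges, placeholder host), not a real log.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Aug/2008:10:01:02 +0000] "GET /ray/modules/global/inc/'
    'content.inc.php?sIncPath=http://example.invalid/x.txt? HTTP/1.1" 200 15',
    '203.0.113.7 - - [12/Aug/2008:10:01:09 +0000] "GET /plugins/safehtml/'
    'HTMLSax3.php?dir%5Bplugins%5D=http://example.invalid/ HTTP/1.1" 200 15',
    '198.51.100.4 - - [12/Aug/2008:10:04:30 +0000] "GET /index.php?dir=asc HTTP/1.1" 200 9000',
    '198.51.100.4 - - [12/Aug/2008:10:05:00 +0000] "GET /ray/modules/global/inc/'
    'content.inc.php?module=chat&app=user HTTP/1.1" 200 2048',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for hit in find_attempts(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, while $_REQUEST can also carry POST and cookie values, so a clean result here does not replace the guard lines or turning register_globals off.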