HomeNotesIMPORTANT. Security Alert!

Andrew Boon

1412 days ago in 
Tags: security
Reactions: 71 comments 14 points0 reports
 
 

IMPORTANT. Security Alert!

It has come to our attention that a few Dolphin-based sites have been hacked. We investigated the reported vulnerability and can assure you that proper installation of Dolphin is NOT vulnerable.

Attacks are only possible in case your host has the "register_globals=On" setting for PHP, which is expressly prohibited by the Dolphin installation manual and technical requirements.

Dolphin Technical Requirements

Also a quote from the technical requirements "Your host must have any Linux/Unix OS (RedHat, Debian, FreeBSD, Mandrake, etc). NOTE: SAFE_MODE must be OFF, register_globals must be OFF. " Note the "must" word there.

It is also very likely that attacks were executed through 3rd party scripts, such as phpBB.

So, if your site was attacked, make sure to get the "register_globals" setting rewritten to "Off" before reverting to backup. If your site is not affected, double check your PHP settings.

Meanwhile, we're preparing a security update, which will remove any potential vulnerabilities in Dolphin code even with "register_globals=On". It should be available within 24 hours. We still recommend, however, that you switch "register_globals=Off" if you're using any 3rd party scripts. Also check for updates of these 3rd party scripts, latest versions may have own patches to fix similar problem.

I would like to point out that we make thorough security testing before release, and Dolphin now holds an effective "HackerSafe" badge. This particular issue happened ONLY due to incorrect installations, so PLEASE be careful and attentive.

Plus
CommentReport
 

Plussed by

 
 
 
 

Comments

Oldest First
|
Threaded
 
 
Please login to post a comment.
DosDawg
DosDawg1412 days ago
 
glad to see you guys post, wish it had come a little quicker. this is the same thing i have been saying since it started though. there are critics that just dont believe you when you say something. i am the first to say when i think something is the developers problem, but guys this was absolutely nothing to do with the scripts development, and i will stand behind you on this one.

NOTE IXWEBHOSTING will not turn off their register_globals=on

Bad HOST

hostmonster has register_globals=on by see more default

hfw has register_globals= on by default

these are the three that i know about.

register_globals an be disabled per account, and if you are unsure if they are on, you can check your phpinfo() to see. you should look at the master value as well as the local value. the local value can be tweaked with php_flags if your host allows php access to your htaccess.

well enough about this. i have been dealing with this since wednesday. it appears to have slowed down. there are some sites that were affected that may still be up in the air, but other than that, i have not seen reports of other hacks.

later,
DosDawg
PermalinkReplyPlus0 pluses
sammie
sammie1412 days ago
 
There are a few of us that have our own dedicated servers, and i dont mean cheap ones either, i know myself and DosDawd both pay over $230 a month for dedicated servers, and we are starting to offer other members hosting.

this is ideal because you have your olphin sites hosted on a dedicated server that is in effect setup just for dolphin sites, because we use them for our own dolphin sites and make sure we keep them secure.

maybe people need to understand that cheaper is just that, its cheap see more and setup for the masses, it causes your sites to be slow, you get dumped once you hog to much ram or cpu and bandwidth.,

i am moving all my sites over to dolphin, as i believe it is the most secure ECMS and most advanced ECMS out their,
PermalinkReplyPlus0 pluses
shaneed
shaneed1412 days agoin reply to sammie
 
Hi sammie. Speaking of dedicated vs shared hosting... I'm not 100% agree with you. I'm on a shared hosting and i use Dolphin on it since 2 years. I don't have problems with it, register globals are off, safe mode also off. Perhaps i should consider myself lucky. And is also cheap, and they also got great support. So, with what unoboonex just said, that means i can sleep well. Both are OFF :) Lucky meee
PermalinkReplyPlus0 pluses
Tallyplayer
Tallyplayer1410 days agoin reply to sammie
 
I agree with Dos and Sammie. I have to say that my experience of being hacked was perhaps a blessing in disguise. I have made some strong alliances and the learning experience in a short period of time could not have been duplicated in any university. I completely wiped out my dolphin sites and reinstalled complete with .htaccess files rebuilt with the suggested security fixes. While this protected my site from the intrusions of the hackers they still continued to pop into my directories attempting see more to wreck havoc on the web, The problem, they were now coming through the shared server I was on that would not turn off the globals. I am now moved (moving) to DosDawgs servers, and although more costly, the hackers and their intrusions have not followed me. Had to be the shared, cheap server, as nothing else changed, did not even do a fresh install simply copied all files and databases over. If this is not effective proof for others on inexpensive shared servers then I do not know what to say, other then enjoy rebuilding. Also, I know long winded here, but I must thank DosDawg and sammie for their help in my time of despair as they both spent time trying to assist me, a lot of time (yes Sammie Dos told me you were working on it too). They did this with out asking for any compensation at all. This dedication and support led me to my decision to switch, and glad I did!
PermalinkReplyPlus0 pluses
john26632
john266321377 days agoin reply to sammie
 
Sammy, I am just setting up a site now, what are you asking for hosting? thanks, john
PermalinkReplyPlus0 pluses
Cleeto
Cleeto1412 days ago
 
i use hostmonster ... haven't been hacked yet... i don't think.... but where would i look to change the setting of this?
PermalinkReplyPlus0 pluses
SergeyZ
SergeyZ1410 days agoin reply to Cleeto
 
Create a file with following content:
<? phpinfo(); ?>
then save it like phpinfo.php and upload it to your server. Then call it from your browser like http://yoursite.com/phpinfo.php and find a line containing 'register_globals'. If it's value is Off then everything is OK.
PermalinkReplyPlus0 pluses
SergeyZ
SergeyZ1410 days agoin reply to Cleeto
 
You can change it by adding the following line to your .htaccess file:
php_flag register_globals Off
If it produce 500 Internal Server Error, please contact your hosting server provider.
PermalinkReplyPlus0 pluses
Cleeto
Cleeto1412 days ago
 
i just called hostmonster, they said that it is set to OFF by default...
PermalinkReplyPlus0 pluses
atomikjon
atomikjon1412 days ago
 
I got hit hard and they got into my VPS at hostforweb and screwed up all my PHP sites. unfortunately, I had to go to a 2 week old back up and lost 150 members and many edits!

They came in through a test site running 6.1 and hot my other regular sites.
PermalinkReplyPlus0 pluses
atomikjon
atomikjon1412 days ago
 
My host has it set off locally, but the master is on. So How did I get hacked?
PermalinkReplyPlus0 pluses
SergeyZ
SergeyZ1410 days agoin reply to atomikjon
 
Possibly it can be security holes in other software installed on your server or issues of your hosting provider.
PermalinkReplyPlus0 pluses
bambie
bambie1412 days ago
 
Well I have had professionals look at my site that has been hacked,

And well they have informed me you have issues in your script this was the e-mail I received

Hello,
Whatever the script in /ray/ was, was exploitable and this is how the account was exploited and this malicious script uploaded.

Regards,
Richard F.
Network Security Administrator

Personally boonex is passing the issues on when it is there problem.
PermalinkReplyPlus0 pluses
SergeyZ
SergeyZ1410 days agoin reply to bambie
 
We know there is only one security issue in ray/modules/global/inc/content.inc.php (but it works only if register_globals=Off). This issue is fixed in 6.1.3.
But if you have more info about other issues please let us know.
PermalinkReplyPlus0 pluses
SergeyZ
SergeyZ1410 days agoin reply to bambie
 
I mean "if register_globals=On". Sorry.
PermalinkReplyPlus0 pluses
computortech
computortech1406 days agoin reply to bambie
 
Well I was Hacked and SAFE_MODE=off and register_globals=off They Got In Through Ray. BOONEX Who ever You Have Testing Needs To Go Back To School! IT IS NOT NOT SECURE. This Is One Of The Hackers CebongDevils@kecebongcrew.co.cc >Bad email Address<
There Name=CebongDevils cebongcrew. This Is The 2nd Time For me The 1st was Shoutbox They put porn pics on it, Thats Not Good I have Kids That go to my site! Boonex Instead of Spending hours on a forum Just Fix it.
PermalinkReplyPlus0 pluses
nurke
nurke1412 days ago
 
how is this boonex`s problem/issue???
what dont you get? The script got in b/c hackers put it in...hackers put it in b/c your globals were on.
Boonex cant control your servers hosting. Just do what you are told, and most importantly read/do every single step.
use this issue to pick up those IP and block them form accessing your account...
just my 2 cents...
PermalinkReplyPlus0 pluses
mscott
mscott1412 days ago
 
DD are you sure? I'm almost positive HFW and Hostmonster both have them "off" by default?
PermalinkReplyPlus0 pluses
bambie
bambie1412 days ago
 
My server is fine and follows boonex requirements, bonnex has holes in there script. Like i said a specialist looked into my site being hack and part of ray is exploitable.
PermalinkReplyPlus0 pluses
VictorT
VictorT1411 days agoin reply to bambie
 
Can you please send me the details from your host about the part which they think are exploitable?

We would highly appreciate this information. So, we will be able to do investigation and fix this.
PermalinkReplyPlus0 pluses
theGhost
theGhost1412 days ago
 
Yes. They are definately exploiting the software and it's connection to all other communities. I took your "MUST" and NO DIFFERENCE regardless of RG is on or off in the Web2.0 enviro. So frustrated and irritated I began developing a list of "hack attacking servers" and the places they are coming from. Here is my list in the last 24 hours

RIPE Network Coordination Centre (50+ instances)
RackVibe LLC
Internet Specialties West ISWEST-BLK-1
HostForWeb Inc. SCNET (20+ instances)
Global see more Net Access (5+ instances)
HostForWeb Inc. HOSTFORWEB-1 (20+ instances)
Advanced Internet Technologies
Value Eyecare Network, INC (20+ instances)
Bluehost Inc
ADDD2NET COM INC DBA LUNARPAGES
Latin American and Caribbean IP address Regional Registry
Covad Communications Co
ThePlanet.com Internet Services, Inc
HostDime.com, Inc.tw telecom holdings, inc (10+ instances)
Asia Pacific Network Information Centre

Although they are not INFECTING my Dolphin environments...They are punching the server at 3-5 min intervals revolving the attack off different Dolphins hosted throughout the NET.

I'll keep playing withit and see if I can find a way to stop/block it.
PermalinkReplyPlus0 pluses
VictorT
VictorT1410 days agoin reply to theGhost
 
Stephen, thanks for your E-mail with logs. We are looking into it.
PermalinkReplyPlus0 pluses
SergeyZ
SergeyZ1410 days agoin reply to theGhost
 
Actually they use different servers/proxies/ip's to make the checks of vulnerable servers and sites. Also they use robots. This is why they check your site every 3-5 mins.
PermalinkReplyPlus0 pluses
theGhost
theGhost1409 days agoin reply to theGhost
 
Different Servers all over the NET this I know. I have been watching and tracking trying to find source which is a daunting process. But I eventually began making some head way on source. Also noticed some interesting patterns which I have forwarded to VictorT.
PermalinkReplyPlus0 pluses
avhow
avhow1412 days ago
 
Hostmonster told me they are off. Maybe they are doing them server by server. Use their live chat to ask about your specific server if you are not sure. Your server name is available in cpanel.
PermalinkReplyPlus0 pluses
avhow
avhow1412 days ago
 
Hi,

Just a quicky - here if Hostforweb has globals on and Boonex recommend them as being perfect for Dolphin.... hmmm doesnt seem right somehow....

Cheers

Max
PermalinkReplyPlus0 pluses
brenaris
brenaris1411 days ago
 
We were hacked as well, and yes, our register_globals was on. So, the problem was improper installation of Dolphin? Well, we paid Boonex to do our original Dolphin install!! Does this mean we can get our money back on that? It would hardly address the lost time we had fixing the problem, but it would be a start!

-- Jason
PermalinkReplyPlus0 pluses
tango3d
tango3d1411 days ago
 
here is a snippet from my php.ini file I am using hostmonster, they recommend to copy this file to all directories and sub directories which contain php files.

You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
register_globals = Off
PermalinkReplyPlus0 pluses
houseperu
houseperu1411 days ago
 
Let me comment something
I have a JOOMLA site www.guardiarepublicana.com/v02
Is hacked for someone how put a lot of links inside all files of the joomla
Maybe you could thing that this is not for this topic, but let me tell you that
The last week I installed a dolphin in the same site but with this URL:
www.guardiarepublicana.com/v03
today the v03 is emty, because was hacked
I goona give you some codes that this hacker put inside the files
Maybe that gonna be important in order to solve see more the problem

Sorry for my English
PermalinkReplyPlus0 pluses
VictorT
VictorT1410 days agoin reply to houseperu
 
Yes, please send me those codes. Perhaps, this information will helpful.
PermalinkReplyPlus0 pluses
nurke
nurke1411 days ago
 
mscott....when I inquired about globals with hostforweb...first they asked fpr ftp and server login info...then they said that I need to switch them off myself. I assume they were on.
I got them off, deleted content.inc.php and uploaded one from dolphin script, same with safehtml ( I forgot the name of file now..) and since then I didnt get any warnings from HFW nor did I had any demages to the site.... I hope it stays that way.
PermalinkReplyPlus0 pluses
mmijangos
mmijangos1411 days ago
 
I have last version SmartPro Pack 2.0.2 and my server have register global=off, but is reported as "attack-site" and has blocked for google, www.acting.com/index.php, I need help please.
PermalinkReplyPlus0 pluses
VictorT
VictorT1410 days agoin reply to mmijangos
 
Can you send me more details about the report to look at?
PermalinkReplyPlus0 pluses
Rob1960
Rob19601411 days ago
 
My site was hacked, and for some reason my safehtml.php had permissions set to 777. I restored from backup, and changed settings to 766, and things are better. Could someone tell me the proper permission settings for the Plugins directory, the safehtml directory, and safehtml.php file? Also, is there a document listing the proper settings for all directories, or possibly a script to check my site for proper settings?
PermalinkReplyPlus0 pluses
gameutopia
gameutopia1411 days agoin reply to Rob1960
 
I think the perfect file and folder permissions are highly debatable and will vary from one server setup to another server setup. You can go much lower than what you have. You can easily go 755 on folders/directories and 644 on files like safehtml.php, you could probably go even lower. Important part is make sure they are not writeable...no 777 and no 666.
PermalinkReplyPlus0 pluses
Rob1960
Rob19601411 days ago
 
Thanks, I will check that out. But in ./inc, I had header.inc.php set to 666. I just changed that to 644. Is that correct?
PermalinkReplyPlus0 pluses
gameutopia
gameutopia1411 days agoin reply to Rob1960
 
Hey rob, if you follow the boonex installation there are some php files they state to be 666 and I believe /inc/header.inc.php is one. There are a few others that need to be in ray for your changes you make in your admin panel/ray to be able to write to them. A few others they state 666 which again could be debatable depending on hosting type. There are a few 777 folders in order to upload files. This could vary by hosting type. Your host might only need 755 in order upload. 777 can cause some security see more issues, and it is not recommened unless a script actually needs it for your type of hosting. Most often if php is apache module then a 777 would be required for upload. If php as cgi you might only need 755 or even less.
PermalinkReplyPlus0 pluses
Show more comments »
 
 
 

Site Search

Market

Notes

Websites

 

About BoonExTermsPrivacyContacts© BoonEx (ACN 127966581)

PET:0.0869460105896