
unoboonex
IMPORTANT. Security Alert!
Comments
DosDawg (positive) | 354 days ago

glad to see you guys post, wish it had come a little quicker. this is the same thing i have been saying since it started though. there are critics that just don't believe you when you say something. i am the first to say when i think something is the developers problem, but guys this was absolutely nothing to do with the scripts development, and i will stand behind you on this one.

NOTE
- IXWEBHOSTING will not turn off their register_globals=on. Bad HOST
- hostmonster has register_globals=on by default
- hfw has register_globals=on by default

these are the three that i know about. register_globals can be disabled per account, and if you are unsure if they are on, you can check your phpinfo() to see. you should look at the master value as well as the local value. the local value can be tweaked with php_flags if your host allows php access to your htaccess.

well enough about this. i have been dealing with this since wednesday. it appears to have slowed down. there are some sites that were affected that may still be up in the air, but other than that, i have not seen reports of other hacks.

later,
DosDawg

sammie (positive) | 354 days ago

There are a few of us that have our own dedicated servers, and i don't mean cheap ones either, i know myself and DosDawg both pay over $230 a month for dedicated servers, and we are starting to offer other members hosting. this is ideal because you have your dolphin sites hosted on a dedicated server that is in effect setup just for dolphin sites, because we use them for our own dolphin sites and make sure we keep them secure. maybe people need to understand that cheaper is just that, it's cheap and setup for the masses, it causes your sites to be slow, you get dumped once you hog too much ram or cpu and bandwidth. i am moving all my sites over to dolphin, as i believe it is the most secure ECMS and most advanced ECMS out there.

Cleeto | 354 days ago

i use hostmonster ... haven't been hacked yet... i don't think.... but where would i look to change the setting of this?

atomikjon | 354 days ago

I got hit hard and they got into my VPS at hostforweb and screwed up all my PHP sites. Unfortunately, I had to go to a 2 week old back up and lost 150 members and many edits! They came in through a test site running 6.1 and hit my other regular sites.

atomikjon | 354 days ago

My host has it set off locally, but the master is on. So how did I get hacked?

bambie (negative) | 354 days ago

Well I have had professionals look at my site that has been hacked, and well they have informed me you have issues in your script. This was the e-mail I received:

> Hello,
> Whatever the script in /ray/ was, was exploitable and this is how the account was exploited and this malicious script uploaded.
> Regards,
> Richard F.
> Network Security Administrator

Personally boonex is passing the issues on when it is their problem.

nurke | 354 days ago

how is this boonex's problem/issue??? what don't you get? The script got in b/c hackers put it in...hackers put it in b/c your globals were on. Boonex can't control your servers hosting. Just do what you are told, and most importantly read/do every single step. use this issue to pick up those IP and block them from accessing your account... just my 2 cents...

mscott (positive) | 354 days ago

DD are you sure? I'm almost positive HFW and Hostmonster both have them "off" by default?

bambie (negative) | 353 days ago

My server is fine and follows boonex requirements, boonex has holes in their script. Like I said a specialist looked into my site being hacked and part of ray is exploitable.

theGhost | 353 days ago

Yes. They are definitely exploiting the software and its connection to all other communities. I took your "MUST" and NO DIFFERENCE regardless of RG is on or off in the Web2.0 enviro. So frustrated and irritated I began developing a list of "hack attacking servers" and the places they are coming from. Here is my list in the last 24 hours:

RIPE Network Coordination Centre (50+ instances) RackVibe LLC Internet Specialties West ISWEST-BLK-1 HostForWeb Inc. SCNET (20+ instances) Global Net Access (5+ instances) HostForWeb Inc. HOSTFORWEB-1 (20+ instances) Advanced Internet Technologies Value Eyecare Network, INC (20+ instances) Bluehost Inc ADDD2NET COM INC DBA LUNARPAGES Latin American and Caribbean IP address Regional Registry Covad Communications Co ThePlanet.com Internet Services, Inc HostDime.com, Inc. tw telecom holdings, inc (10+ instances) Asia Pacific Network Information Centre

Although they are not INFECTING my Dolphin environments...They are punching the server at 3-5 min intervals revolving the attack off different Dolphins hosted throughout the NET. I'll keep playing with it and see if I can find a way to stop/block it.

avhow (positive) | 353 days ago

Hostmonster told me they are off. Maybe they are doing them server by server. Use their live chat to ask about your specific server if you are not sure. Your server name is available in cpanel.

avhow | 353 days ago

Hi,

Just a quicky - here if Hostforweb has globals on and Boonex recommend them as being perfect for Dolphin.... hmmm doesn't seem right somehow....

Cheers
Max

brenaris (negative) | 353 days ago

We were hacked as well, and yes, our register_globals was on. So, the problem was improper installation of Dolphin? Well, we paid Boonex to do our original Dolphin install!! Does this mean we can get our money back on that? It would hardly address the lost time we had fixing the problem, but it would be a start!

-- Jason

tango3d | 353 days ago

here is a snippet from my php.ini file. I am using hostmonster, they recommend to copy this file to all directories and sub directories which contain php files.

```ini
; You should do your best to write your scripts so that they do not require
; register_globals to be on;  Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
register_globals = Off
```

houseperu (positive) | 353 days ago

Let me comment something. I have a JOOMLA site, www.guardiarepublicana.com/v02. It is hacked by someone who put a lot of links inside all files of the joomla. Maybe you could think that this is not for this topic, but let me tell you that last week I installed a dolphin in the same site but with this URL: www.guardiarepublicana.com/v03. Today the v03 is empty, because it was hacked. I'm gonna give you some codes that this hacker put inside the files. Maybe that's gonna be important in order to solve the problem.

Sorry for my English

nurke | 353 days ago

mscott....when I inquired about globals with hostforweb...first they asked for ftp and server login info...then they said that I need to switch them off myself. I assume they were on. I got them off, deleted content.inc.php and uploaded one from dolphin script, same with safehtml (I forgot the name of file now..) and since then I didn't get any warnings from HFW nor did I have any damages to the site.... I hope it stays that way.

mmijangos | 353 days ago

I have last version SmartPro Pack 2.0.2 and my server has register global=off, but is reported as "attack-site" and has blocked for google, www.acting.com/index.php. I need help please.

Rob1960 | 353 days ago

My site was hacked, and for some reason my safehtml.php had permissions set to 777. I restored from backup, and changed settings to 766, and things are better. Could someone tell me the proper permission settings for the Plugins directory, the safehtml directory, and safehtml.php file? Also, is there a document listing the proper settings for all directories, or possibly a script to check my site for proper settings?

Rob1960 | 353 days ago

Thanks, I will check that out. But in ./inc, I had header.inc.php set to 666. I just changed that to 644. Is that correct?

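A permission check of the kind asked about in the two comments above, as an added example that is not part of the thread or of Dolphin. It assumes a POSIX host and flags anything writable by group or by everyone; the modes Dolphin itself requires for each directory are not listed on this page, so the script reports rather than fixes.

```python
import os
import stat
import tempfile


def audit_permissions(root):
    """Return sorted (relative path, octal mode, issues) for entries that
    users other than the owner can write to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            issues = []
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
            if mode & stat.S_IWGRP:
                issues.append("group-writable")
            if issues:
                rel = os.path.relpath(full, root)
                findings.append((rel, format(mode, "03o"), issues))
    return sorted(findings)


def demo():
    """Audit a constructed tree that uses the four modes named in the comments."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        cases = {
            "safehtml_777.php": 0o777,
            "safehtml_766.php": 0o766,
            "inc/header_666.inc.php": 0o666,
            "inc/header_644.inc.php": 0o644,
        }
        for rel, mode in cases.items():
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "inc"), 0o755)
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, mode, issues in demo():
        print(f"{mode}  {rel}  {', '.join(issues)}")
```

Of the four modes, only 644 passes: 766 and 666 still carry the write bit for group and for everyone else, exactly as 777 does.
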
clubk1d (positive) | 352 days ago

Maybe this could help you guys... before doing this, try to put on your root directory a php.ini file with a code inside that will disable register_globals to off... then do this ff. steps: http://www.boonex.com/unity/forums/topic/fix-for-dolphin-exploit.htm

sammie | 352 days ago

add the following code to your ray/modules/global/inc/content.inc.php

add it at the top above the 1st require once command

```php
if (isset($_REQUEST['sIncPath'])) die ('Hacking attempt');
```

so it looks like this:

```php
// stop if sIncPath is supplied in the request
if (isset($_REQUEST['sIncPath'])) die ('Hacking attempt');
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");
```

this stops any remote includes being used

next edit /plugins/safehtml/HTMLSax3.php

add this at the top above the require once

```php
if (isset($_REQUEST['dir'])) die ('Hacking attempt');
```

so it looks like this:

```php
// stop if dir is supplied in the request
if (isset($_REQUEST['dir'])) die ('Hacking attempt');
require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );
```

this stops remote access to your directories

as my dedicated server is under constant attack from hackers trying to access the server via dolphin i paid them to look at the issue and this is what they have added to kill any remote access attempts

i paid for it, you got it for free, enjoy and be safe.

i have tested this on my working sites and there is no problem

DoLaugh | 352 days ago

Hey Sammie! Thanks so much, I added this code to the two files...do you have a solution for the tiny_mce? I keep getting files like this inserted in there also. Crap..I don't know...the C99 has probably opened up my entire site...I have no idea where all these backdoor trojans are at... Can I download my site and use my virus scan to find some of these? Any ideas are welcome.

DoLaugh

sammie | 352 days ago

the 1st code can apply to any file that's being exploited but test your site to make sure it does not affect its working

and yes i downloaded a hacked VPS and used my virus scanner to see what was infected. it had 19 infections on the one dolphin site

theGhost (positive) | 352 days ago

Good Job sammie! Or... I was working on this all day and... I simply changed my name servers to a landing page...in this case a godaddy landing page. Waited 15 minutes and reset the name servers back to my own. Stopped the attack cold. I broke the attack in mid stream and it hasn't returned. Yea for me...That was annoying. I simply removed my url as a potential attacking site, probably from their master attack script.

The attack only affects BoonEx hosted sites as many other sites on this particular server were unaffected. Someone definitely doesn't like Dolphin :(

I'll of course monitor the situation over the next 48 hours to ensure no return. But for everyone else...Trying this will NOT affect your site and requires no script modifications for those who would rather not script write. Basically just hides your Dolphin in the Global Net for a few moments :)

gkcgautam | 352 days ago

Guys there are many other methods for hacking...even a completely secure script can be hacked... It happened with me few weeks ago that a trojan came into my computer...and somehow copied my ftp account details while i was working through ftp. Then it added some coded script to all pages with names index.xxx, home.xxx and default.xxx. The task of the script was to download malware softwares to those computers which opened my site. Changing the ftp password and removing that script solved the issue... But notice that it had copied my ftp details. So it could do anything with site files. So guys be updated about various hacks...and try to avoid them.

VictorT | 352 days ago

We are about to release the Security patch. Everything is ready to go. But still waiting and looking at some details to be checked fully and unhurriedly. We would appreciate your patience.

theoneroom | 352 days ago

I added the above code suggested by Sammie in addition to some provided on expertzzz, for anyone, it goes in the root .htaccess file after the rewrite engine on statement, see below:

```apache
RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]
```

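What the rewrite rules above and the two `isset($_REQUEST[...])` guards from sammie's earlier comment each refuse, evaluated over sample requests. This is an added example, not code from the thread or from BoonEx; the sample requests, the `search.php` path and the `example.test` hosts are constructed, and only the query string is modelled.

```python
import re
from urllib.parse import parse_qsl

# Patterns copied from the .htaccess rules quoted above. RewriteCond patterns
# are case-sensitive regexes; [OR] chains them, so any single match means 403.
QUERY_PATTERNS = [r"^http", r"^.+www\.", r"^.+https", r"^ftp"]
AGENT_PATTERNS = [r"^libwww", r"^Wget"]

# File -> request parameter tested by the isset($_REQUEST[...]) guards.
GUARDS = {
    "ray/modules/global/inc/content.inc.php": "sIncPath",
    "plugins/safehtml/HTMLSax3.php": "dir",
}


def rewrite_blocks(query_string, user_agent):
    """True if one of the two RewriteRule blocks would answer 403 Forbidden."""
    if any(re.search(p, query_string) for p in QUERY_PATTERNS):
        return True
    return any(re.search(p, user_agent) for p in AGENT_PATTERNS)


def guard_blocks(path, query_string):
    """True if the guard in `path` would die(). Only the query string is
    modelled here; $_REQUEST in PHP also carries POST fields and cookies."""
    guarded = GUARDS.get(path)
    if guarded is None:
        return False
    for name, _value in parse_qsl(query_string, keep_blank_values=True):
        # PHP folds dir[plugins]=x into $_REQUEST['dir'], so compare the base name.
        if name.split("[", 1)[0] == guarded:
            return True
    return False


# Constructed sample requests: (label, path, query string, user agent).
SAMPLES = [
    ("page view", "index.php", "page=2", "Mozilla/5.0"),
    ("search for a hostname", "search.php", "q=www.boonex.com", "Mozilla/5.0"),
    ("include path set, URL has www", "plugins/safehtml/HTMLSax3.php",
     "dir[plugins]=http://www.files.example.test/", "Mozilla/5.0"),
    ("include path set, URL has no www", "ray/modules/global/inc/content.inc.php",
     "sIncPath=http://files.example.test/", "Mozilla/5.0"),
    ("scripted client", "index.php", "", "Wget/1.10.2"),
]


def evaluate(samples=SAMPLES):
    """Return {label: (blocked_by_rewrite, blocked_by_guard)} for each sample."""
    return {
        label: (rewrite_blocks(qs, ua), guard_blocks(path, qs))
        for label, path, qs, ua in samples
    }


if __name__ == "__main__":
    for label, (rewrite, guard) in evaluate().items():
        print(f"{label:34} rewrite={rewrite!s:5} guard={guard}")
```

The rewrite rules refuse a harmless query that merely contains `www.` and pass a request that sets `sIncPath` without matching any pattern, so they supplement the in-file guards and `register_globals = Off` rather than replace them.
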
avhow | 352 days ago

Hi,

What I want to know is, if this register-globals off is such an important prerequisite for a secure site why do Boonex recommend HostForWeb who say they have them turned on by default? Why Boonex are you recommending a hosting company that violates your hosting recommendations?

Cheers
Max

DoLaugh | 352 days ago

When these Security patches are released....where do you go to download the patch?....expertzzz site or here on unity?

theoneroom | 352 days ago

avhow, that's a very good question that I would like answering myself, why are they recommending a hosting company that don't meet the requirements?

chitro | 352 days ago

Victor, would this be a full patch to go from 6.0x to latest version? We have not yet upgraded our site and are planning to do so this week.

sammie | 352 days ago

the boonex patch will be listed here with the links to it. as i understand it they are working on patches to fix all versions

LightWolf | 351 days ago

I got hacked hard and almost lost my hosting account because of this, and this all happened while I was off line for 9 days. I got my hosting to unsuspend my account and found folders in my cpanel belonging to banks and so forth. My host has my globals and safe mode off and my site was not even open to the public yet. It was a fresh install with no added mods or scripts than what came with Dolphin-v.6.1.2-Free. But they still hacked me. This scares me as I read about others with same issues. Hope we don't lose this awesome software, don't want to go somewheres else. Guess it's a waiting game now.

avhow | 351 days ago

Lightwolf, check google and search for your site. See if anything is listed. Google has a habit of getting people's sites online even when they don't think it's possible. I've been surprised once or twice myself at the speed sites and posts get on there. Do you have a robots.txt file to keep them out until you are ready?

Cheers
Max

LightWolf | 351 days ago

No robots txt file yet..lol Never had this problem before with all the other dolphin software.

Swiftcreek1 (positive) | 351 days ago

I also use hfw, and had Boonex do my install.....My Globals are OFF, and to the best of my knowledge I have NOT been hacked, there has been no unusual bump in bandwidth usage, no files out of the ordinary and the only problem I have is something I gummed up when I did the latest update that I haven't figured out how to fix yet.....But that's an issue for another day.....

For me Boonex has been great, and with some help with minor issues from some very cool people at Unity and Expertzzz I've had a lot of fun getting my site off the ground.....I'm actually excited for our 7 months of winter to come back to Alaska so things will slow down at my day job and I can really spend some time developing my site!

anthonyparsons | 350 days ago

I think it's a little ironic actually that people blame both the developer and/or Dolphin / Ray itself as a problem. All PHP scripts have vulnerabilities... and I mean all. People have released little hacks above, recommendations, etc... this is a blanket hack, not a specific targeted event. Hackers really have better things to do than target individuals running a boonex community. This is some kiddy hackers who more importantly found a loophole that allows Dolphin IN CONJUNCTION with a server with holes an access point.

I have two servers... one VPS and one dedicated. One has globals on, one has globals off. Both have Dolphin installed and neither got hacked. Why? Rough guess.... the first thing I do with a server is install a firewall and maximise its level and close as many PHP and related holes as possible. A hacker cannot gain access if holes are closed so that root level only can make adjustments. It really does just rule out blanket nonsense such as this and gets down to the odd chance a hacker really wants to target your site. If that is the case... nothing you do will stop them regardless if they are worth their weight as a hacker. Hackers really do have better things to do with their life.... this one is kiddy stuff with an exploit that Dolphin warned about.

As recommended above... put your site on a secure server to begin with... cheaper really is not better. Dedicated or VPS is not better either if you do not secure the thing in the first place then only open what you absolutely need open to run your loaded sites. Servers are default set to allow thousands plus exploits to be input. Hell... if you didn't know, spam assassin itself is exploited that if you have it on your server, chances are all your server emails are actually receiving spam within 30 days of opening the email account.

Get a VPS and learn how to firewall it tight... then back it off only where needed so your sites work from a user perspective. The rest... you just really shouldn't have any problems with such issues from then on as PHP exploits are closed at the server level... not the script level which doesn't do much at all.

Just my two cents on this topic. Not Boonex issue though...

merkado | 348 days ago

As a new admin of my dolphin, I dunno what I need to start off. I was shocked today when I read this article. I first installed 6.1.2 a month ago and I read there is a 6.1.3.... But I do not know what I need to do to upgrade it. Please teach me.

partytymekaraoke (negative) | 346 days ago

well i got hacked sunday night. and they took out all my add on domain websites also. got complete control over my cpanel and changed the password and now i am hoping my gatorhost will reset everything for me so i can get the dolphin crap off my site for good. this is the 3rd time i have been hacked with this buggy crap. here is the link to the file they used to get in my site. maybe dolphin should look at this and figure out how to keep this from happening again. as of now i am not messing with dolphin again till i can see they have a secure script. the link here. http://www.brazebo.it/echo.txt

Habitual | 345 days ago

uh, we have boonex-installed communities, and they are still getting (w)hacked. Most installed are 6.1.2 dated May 2006 according to the index.php contents. [cCdD]are to comment, Boonex?

AndreyP | 343 days ago

Just interesting, did anyone here read http://www.boonex.com/trac/dolphin/wiki/DolTech before installing? :)

all imports via global variables of unwanted scripts like http://www.brazebo.it/echo.txt etc etc would fail in this case

here are: register_globals must be Off (in bold font)

this is the main issue of total hacks, yes, possible other ways to hack, but 90% of all cases - just register globals ...

this is my 5 cents

inkedhumans | 339 days ago

My site was also affected by these hackings. I am barely getting the site back now after changing hosts from 1and1.com to gigapros.com. Excellent hosting so far. Tell them I sent you if you sign up! Anyhow not only me but a programmer I was working with got their dolphin site hacked, and she had her own server! I hope these new fixes make things right.