unoboonex

IMPORTANT. Security Alert!

It has come to our attention that a few Dolphin-based sites have been hacked. We investigated the reported vulnerability and can assure you that proper installation of Dolphin is NOT vulnerable.

Attacks are only possible in case your host has the "register_globals=On" setting for PHP, which is expressly prohibited by the Dolphin installation manual and technical requirements.

Dolphin Technical Requirements

Also, a quote from the technical requirements: "Your host must have any Linux/Unix OS (RedHat, Debian, FreeBSD, Mandrake, etc). NOTE: SAFE_MODE must be OFF, register_globals must be OFF." Note the word "must" there.

It is also very likely that attacks were executed through 3rd party scripts, such as phpBB.

So, if your site was attacked, make sure to get the "register_globals" setting rewritten to "Off" before reverting to backup. If your site is not affected, double check your PHP settings.

Meanwhile, we're preparing a security update, which will remove any potential vulnerabilities in Dolphin code even with "register_globals=On". It should be available within 24 hours. We still recommend, however, that you switch to "register_globals=Off" if you're using any 3rd party scripts. Also check for updates of these 3rd party scripts; the latest versions may have their own patches to fix similar problems.

I would like to point out that we do thorough security testing before release, and Dolphin now holds an effective "HackerSafe" badge. This particular issue happened ONLY due to incorrect installations, so PLEASE be careful and attentive.

bad
13
good
 
 

Comments

DosDawg(positive) 55 days ago
 
glad to see you guys post, wish it had come a little quicker. this is the same thing i have been saying since it started though. there are critics that just don't believe you when you say something. i am the first to say when i think something is the developer's problem, but guys this was absolutely nothing to do with the script's development, and i will stand behind you on this one.

NOTE IXWEBHOSTING will not turn off their register_globals=on

Bad HOST

hostmonster has register_globals=on by default

hfw has register_globals= on by default

these are the three that i know about.

register_globals can be disabled per account, and if you are unsure if they are on, you can check your phpinfo() to see. you should look at the master value as well as the local value. the local value can be tweaked with php_flags if your host allows php access to your htaccess.

well enough about this. i have been dealing with this since wednesday. it appears to have slowed down. there are some sites that were affected that may still be up in the air, but other than that, i have not seen reports of other hacks.

later,
DosDawg
 
bad
7
good
 
 
sammie(positive) 55 days ago
 
There are a few of us that have our own dedicated servers, and i don't mean cheap ones either, i know myself and DosDawg both pay over $230 a month for dedicated servers, and we are starting to offer other members hosting.

this is ideal because you have your dolphin sites hosted on a dedicated server that is in effect set up just for dolphin sites, because we use them for our own dolphin sites and make sure we keep them secure.

maybe people need to understand that cheaper is just that, it's cheap and set up for the masses, it causes your sites to be slow, you get dumped once you hog too much ram or cpu and bandwidth.

i am moving all my sites over to dolphin, as i believe it is the most secure ECMS and most advanced ECMS out there.
 
bad
3
good
 
Cleeto 55 days ago
 
i use hostmonster ... haven't been hacked yet... i don't think.... but where would i look to change the setting of this?
 
bad
1
good
 
Cleeto 55 days ago
 
i just called hostmonster, they said that it is set to OFF by default...
 
bad
1
good
 
 
atomikjon 55 days ago
 
I got hit hard and they got into my VPS at hostforweb and screwed up all my PHP sites. unfortunately, I had to go to a 2 week old back up and lost 150 members and many edits!

They came in through a test site running 6.1 and hit my other regular sites.
 
bad
1
good
 
 
atomikjon 55 days ago
 
My host has it set off locally, but the master is on. So how did I get hacked?
 
bad
1
good
 
bambie(negative) 55 days ago
 
Well I have had professionals look at my site that has been hacked,

And well they have informed me you have issues in your script this was the e-mail I received

Hello,
Whatever the script in /ray/ was, was exploitable and this is how the account was exploited and this malicious script uploaded.

Regards,
Richard F.
Network Security Administrator

Personally boonex is passing the issues on when it is their problem.
 
bad
1
good
 
nurke 55 days ago
 
how is this boonex's problem/issue???
what don't you get? The script got in b/c hackers put it in...hackers put it in b/c your globals were on.
Boonex can't control your servers hosting. Just do what you are told, and most importantly read/do every single step.
use this issue to pick up those IPs and block them from accessing your account...
just my 2 cents...
 
bad
1
good
 
 
mscott(positive) 55 days ago
 
DD are you sure? I'm almost positive HFW and Hostmonster both have them "off" by default?
 
bad
1
good
 
 
bambie(negative) 55 days ago
 
My server is fine and follows boonex requirements, boonex has holes in their script. Like i said a specialist looked into my site being hacked and part of ray is exploitable.
 
bad
1
good
 
theGhost 55 days ago
 
Yes. They are definitely exploiting the software and its connection to all other communities. I took your "MUST" and NO DIFFERENCE regardless of RG is on or off in the Web2.0 enviro. So frustrated and irritated I began developing a list of "hack attacking servers" and the places they are coming from. Here is my list in the last 24 hours

RIPE Network Coordination Centre (50+ instances)
RackVibe LLC
Internet Specialties West ISWEST-BLK-1
HostForWeb Inc. SCNET (20+ instances)
Global Net Access (5+ instances)
HostForWeb Inc. HOSTFORWEB-1 (20+ instances)
Advanced Internet Technologies
Value Eyecare Network, INC (20+ instances)
Bluehost Inc
ADDD2NET COM INC DBA LUNARPAGES
Latin American and Caribbean IP address Regional Registry
Covad Communications Co
ThePlanet.com Internet Services, Inc
HostDime.com, Inc.
tw telecom holdings, inc (10+ instances)
Asia Pacific Network Information Centre

Although they are not INFECTING my Dolphin environments...They are punching the server at 3-5 min intervals revolving the attack off different Dolphins hosted throughout the NET.

I'll keep playing with it and see if I can find a way to stop/block it.
 
bad
2
good
 
avhow(positive) 55 days ago
 
Hostmonster told me they are off. Maybe they are doing them server by server. Use their live chat to ask about your specific server if you are not sure. Your server name is available in cpanel.
 
bad
1
good
 
 
avhow 55 days ago
 
Hi,

Just a quickie - here if Hostforweb has globals on and Boonex recommend them as being perfect for Dolphin.... hmmm doesn't seem right somehow....

Cheers

Max
 
bad
1
good
 
 
brenaris(negative) 54 days ago
 
We were hacked as well, and yes, our register_globals was on. So, the problem was improper installation of Dolphin? Well, we paid Boonex to do our original Dolphin install!! Does this mean we can get our money back on that? It would hardly address the lost time we had fixing the problem, but it would be a start!

-- Jason
 
bad
0
good
 
 
tango3d 54 days ago
 
here is a snippet from my php.ini file. I am using hostmonster, they recommend to copy this file to all directories and sub directories which contain php files.

; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
register_globals = Off
 
bad
2
good
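
An added example (not from this thread or from BoonEx): a Python audit for the per-directory php.ini scheme described in the comment above. It assumes a host where each directory's own php.ini governs the PHP files in it; the function names and the sample tree are made up for illustration.

```python
import os
import re
import tempfile

# Active directive only: "; register_globals ..." comment lines do not match.
DIRECTIVE = re.compile(r'^[ \t]*register_globals[ \t]*=[ \t]*"?(\w+)', re.I | re.M)
ON_VALUES = {"on", "1", "true", "yes"}

def ini_state(path):
    """Return 'on', 'off' or 'unset' for register_globals in one php.ini."""
    try:
        with open(path, errors="replace") as fh:
            values = DIRECTIVE.findall(fh.read())
    except OSError:
        return "unset"                     # no php.ini in this directory
    if not values:
        return "unset"
    return "on" if values[-1].lower() in ON_VALUES else "off"

def audit(docroot):
    """Map each directory that holds .php files to its local php.ini state."""
    report = {}
    for current, _dirs, files in os.walk(docroot):
        if any(name.lower().endswith(".php") for name in files):
            rel = os.path.relpath(current, docroot)
            report[rel] = ini_state(os.path.join(current, "php.ini"))
    return report

def needs_attention(report):
    """Directories that are 'on', or 'unset' and so fall back to the host's master value."""
    return sorted(d for d, state in report.items() if state != "off")

def build_sample_tree(root):
    """Constructed layout: root is covered, ray/ is On, ray/inc has no php.ini."""
    os.makedirs(os.path.join(root, "ray", "inc"))
    for sub in ("", "ray", os.path.join("ray", "inc")):
        open(os.path.join(root, sub, "index.php"), "w").close()
    with open(os.path.join(root, "php.ini"), "w") as fh:
        fh.write("; register_globals to be on; Using form variables\nregister_globals = Off\n")
    with open(os.path.join(root, "ray", "php.ini"), "w") as fh:
        fh.write("register_globals = On\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(needs_attention(audit(tmp)))
```

Directories reported as unset are the ones where the master value shown by phpinfo() decides the outcome.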
 
 
houseperu(positive) 54 days ago
 
Let me comment something
I have a JOOMLA site www.guardiarepublicana.com/v02
It is hacked by someone who put a lot of links inside all files of the joomla
Maybe you could think that this is not for this topic, but let me tell you that
The last week I installed a dolphin in the same site but with this URL:
www.guardiarepublicana.com/v03
today the v03 is empty, because it was hacked
I'm gonna give you some codes that this hacker put inside the files
Maybe that's gonna be important in order to solve the problem

Sorry for my English
 
bad
0
good
 
nurke 54 days ago
 
mscott....when I inquired about globals with hostforweb...first they asked for ftp and server login info...then they said that I need to switch them off myself. I assume they were on.
I got them off, deleted content.inc.php and uploaded one from dolphin script, same with safehtml ( I forgot the name of file now..) and since then I didn't get any warnings from HFW nor did I have any damage to the site.... I hope it stays that way.
 
bad
0
good
 
 
mmijangos 54 days ago
 
I have the last version SmartPro Pack 2.0.2 and my server has register global=off, but it is reported as an "attack-site" and has been blocked by google, www.acting.com/index.php, I need help please.
 
bad
0
good
 
Rob1960 54 days ago
 
My site was hacked, and for some reason my safehtml.php had permissions set to 777. I restored from backup, and changed settings to 766, and things are better. Could someone tell me the proper permission settings for the Plugins directory, the safehtml directory, and safehtml.php file? Also, is there a document listing the proper settings for all directories, or possibly a script to check my site for proper settings?
 
bad
0
good
 
Rob1960 54 days ago
 
Thanks, I will check that out. But in ./inc, I had header.inc.php set to 666. I just changed that to 644. Is that correct?
 
bad
0
good
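
An added example (not from this thread or from BoonEx) of the kind of check asked about above: a Python scan that lists directories and PHP files writable by any local user. The "tightened" mode simply drops group and other write, which is an assumption; the page does not say which directories Dolphin needs writable, and the sample tree is constructed.

```python
import os
import stat
import tempfile

def world_writable(docroot, suffixes=(".php",)):
    """List (relative path, current mode, tightened mode) for directories and
    matching files that any local user can write to."""
    findings = []
    for current, dirs, files in os.walk(docroot):
        names = dirs + [f for f in files if f.lower().endswith(suffixes)]
        for name in names:
            path = os.path.join(current, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                       # skip symlinks, report real entries only
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:            # "other" write bit: 777, 766, 666 ...
                tight = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
                findings.append((os.path.relpath(path, docroot),
                                 format(mode, "03o"), format(tight, "03o")))
    return sorted(findings)

def make_demo_site(root):
    """Constructed tree using modes mentioned in this thread."""
    layout = {
        "plugins": 0o755,
        "plugins/safehtml": 0o777,
        "plugins/safehtml/safehtml.php": 0o766,
        "inc": 0o755,
        "inc/header.inc.php": 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        if rel.endswith(".php"):
            open(path, "w").close()
        else:
            os.mkdir(path)
        os.chmod(path, mode)               # explicit chmod, independent of umask

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_demo_site(tmp)
        for rel, mode, tight in world_writable(tmp):
            print(rel, mode, "->", tight)
```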
 
clubk1d(positive) 54 days ago
 
Maybe this could help you guys... before doing this, try to put in your root directory a php.ini file with a code inside that will set register_globals to off...

then do the following steps...

http://www.boonex.com/unity/forums/topic/fix-for-dolphin-exploit.htm
 
bad
0
good
 
sammie 54 days ago
 
add the following code to your ray/modules/global/inc/content.inc.php

add it at the top above the 1st require once command

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');


so it looks like this :


if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");


this stops any remote includes being used


next edit /plugins/safehtml/HTMLSax3.php add this at the top above the require once


if (isset($_REQUEST['dir']))
die ('Hacking attempt');


so it looks like this:


if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );


this stops remote access to your directories

as my dedicated server is under constant attack from hackers trying to access the server via dolphin i paid them to look at the issue and this is what they have added to kill any remote access attempts

i paid for it, you got it for free, enjoy and be safe.

i have tested this on my working sites and there is no problem
 
bad
4
good
 
DoLaugh 54 days ago
 
Hey Sammie! Thanks so much, I added this code to the two files...do you have a solution for the tiny_mce? I keep getting files like this inserted in there also.

Crap..I don't know...the C99 has probably opened up my entire site...I have no idea where all these backdoor trojans are at...

Can I download my site and use my virus scan to find some of these? Any ideas are welcome.

DoLaugh
 
bad
1
good
 
 
sammie 54 days ago
 
the 1st code can apply to any file that's being exploited but test your site to make sure it does not affect its working

and yes i downloaded a hacked VPS and used my virus scanner to see what was infected.

it had 19 infections on the one dolphin site
 
bad
1
good
 
theGhost(positive) 54 days ago
 
Good Job sammie!

Or... I was working on this all day and...

I simply changed my name servers to a landing page...in this case a godaddy landing page. Waited 15 minutes and reset the name servers back to my own. Stopped the attack cold. I broke the attack in mid stream and it hasn't returned. Yea for me...That was annoying.

I simply removed my url as a potential attacking site probably from their master attack script. The attack only affects BoonEx hosted sites as many other sites on this particular server were unaffected.

Someone definitely doesn't like Dolphin :( I'll of course monitor the situation over the next 48 hours to ensure no return. But for everyone else...Trying this will NOT affect your site and requires no script modifications for those who would rather not script write. Basically just hides your Dolphin in the Global Net for a few moments :)
 
bad
1
good
 
gkcgautam 53 days ago
 
Guys there are many other methods for hacking...even a completely secure script can be hacked...
It happened to me a few weeks ago that a trojan came into my computer...and somehow copied my ftp account details while i was working through ftp. Then it added some coded script to all pages with names index.xxx, home.xxx and default.xxx . The task of the script was to download malware software to those computers which opened my site. Changing the ftp password and removing that script solved the issue...
But notice that it had copied my ftp details. So it could do anything with site files.
So guys be updated about various hacks...and try to avoid them.
 
bad
3
good
 
 
VictorT 53 days ago
 
We are about to release the Security patch. Everything is ready to go. But still waiting and looking at some details to be checked fully and unhurriedly.

We would appreciate your patience.
 
bad
1
good
 
theoneroom 53 days ago
 
I added the above code suggested by Sammie in addition to some provided on expertzzz, for anyone, it goes in the root .htaccess file after the rewrite engine on statement, see below:

RewriteCond %{QUERY_STRING} ^http [OR]
RewriteCond %{QUERY_STRING} ^.+www\. [OR]
RewriteCond %{QUERY_STRING} ^.+https [OR]
RewriteCond %{QUERY_STRING} ^ftp
RewriteRule .* - [L,F]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule .* - [F]
 
bad
0
good
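
An added example, not part of the original posts: a Python log scan that flags the same requests the PHP guards and rewrite rules posted in this thread refuse, and tallies them per client address for a block list. It generalizes slightly by percent-decoding parameter values; it assumes Apache combined log format, and the log lines, addresses and host.example are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

GUARDED_PARAMS = ("sIncPath", "dir")      # names the posted PHP guards reject
URL_VALUE = re.compile(r"^(?:https?|ftp)://", re.I)
BLOCKED_AGENTS = ("libwww", "Wget")       # prefixes from the rewrite rules
# Apache combined format: ip - - [time] "METHOD target PROTO" status size "ref" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')

def classify(line):
    """Return (ip, target, reasons) for a suspicious request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    reasons = []
    # parse_qsl percent-decodes, so http%3A%2F%2F... is seen as a URL too
    for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        base = name.split("[", 1)[0]      # dir[plugins] -> dir
        if base in GUARDED_PARAMS:
            reasons.append("guarded parameter " + base)
        if URL_VALUE.match(value):
            reasons.append("URL passed in " + name)
    if m["agent"].startswith(BLOCKED_AGENTS):
        reasons.append("scripted user agent")
    return (m["ip"], m["target"], reasons) if reasons else None

def offenders(lines):
    """Count suspicious requests per client IP, for a block list."""
    return Counter(hit[0] for hit in map(classify, lines) if hit)

# Constructed sample lines (documentation addresses, placeholder host)
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2008:10:03:11 +0000] "GET /ray/modules/global/inc/content.inc.php'
    '?sIncPath=http://host.example/ HTTP/1.1" 200 312 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [01/Jan/2008:10:06:42 +0000] "GET /plugins/safehtml/HTMLSax3.php'
    '?dir[plugins]=http%3A%2F%2Fhost.example%2F HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [01/Jan/2008:10:07:00 +0000] "GET /search.php?q=ftp+client HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in filter(None, map(classify, SAMPLE_LOG)):
        print(hit[0], hit[1], "; ".join(hit[2]))
    print(dict(offenders(SAMPLE_LOG)))
```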
 
 
avhow 53 days ago
 
Hi,
What I want to know is, if this register-globals off is such an important prerequisite for a secure site why do Boonex recommend HostForWeb who say they have them turned on by default?

Why Boonex are you recommending a hosting company that violates your hosting recommendations?

Cheers

Max
 
bad
2
good
 
 
DoLaugh 53 days ago
 
When these Security patches are released....where do you go to download the patch?....expertzzz site or here on unity?
 
bad
0
good
 
 
theoneroom 53 days ago
 
avhow, that's a very good question that I would like answering myself, why are they recommending a hosting company that doesn't meet the requirements?
 
bad
0
good
 
 
chitro 53 days ago
 
Victor, would this be a full patch to go from 6.0x to latest version? We have not yet upgraded our site and are planning to do so this week.