EDIT: Sasha Security! This For real? Need advice AGAIN...
OK, so I have been getting some emails the past few weeks from a person with the email address sasha.web.security@gmail.com .... WTF?!
.......................................................................................................
Hello Sirs,
I will send you one more message and I will try to explain you how serious problem you have. I hope this time you will see the message and answer on it.
I found serious security vulnerabilities in your website structure, a lot of data is accessible, for example I can show you some staff :
Username : SocialMunch Password : 93a59a24175ddda5274217f534e53e5713a2d040 ( md5 hash but it's very easy for cracking ) Full name : Josh Davey , Plymouth
Username : kelan60741 Password : a8dc6dd2209b1c0cd9bd446f2ec92f494188276f Full name : Kelan R. Carson
Username : claireMOD Password : 55ec7d72224de34123a3f627a1b88df382978cc8
Full name : Claire Walmsley
There is really a lot of users and information about them ( lbz8714 , kcxpoeg81 , zoomm , schlueter04 , Liam1278 , hippychik_12 , AshleyBirch961 ... ) and as you can see I'm telling you a truth. I'm sure that you care about security, right now all your registered users are not safe because your web structure is very vulnerable.
I'm pen-tester, security expert, my job is website testing and I'm interested to offer you my service and help in solving your security problems, so please contact me when you get this message.
Kind regards,
.......................................................................................................
OK, I don't know how serious this is >> is it a joke? Is it a hacker trying to get cash out of me to prevent their attacks? Is what they are saying a real issue?
To me it looks like they have found information that is publicly available on my network (name and location) BUT I am still not sure what to think about it!
DedicatedServer4You.com -- BIGGEST Range of Dedicated Servers at the Lowest Price! |
Username : SocialMunch Password : 93a59a24175ddda5274217f534e53e5713a2d040 ( md5 hash but it's very easy for cracking ) Full name : Josh Davey , Plymouth
Since that is your main account, some of that is right...
Did you actually go to your database and see if the MD5 hash matches what he posted? If so, then yes, he is in your database.
If the hash doesn't match, it's spam.
ManOfTeal.COM a Proud UNA site, six years running strong! |
Maybe Andrew or other core Boonex members should answer how vulnerable Dolphin 7.1 really is?!
Didn't think of that! Where should I look exactly, please?
I do know this. Those hashes are not MD5. They are SHA1 hashes. The length is wrong for MD5.
Compare with values in Profiles table.
https://www.deanbassett.com |
In your database.
Does your cache folder contain a .htaccess file?
OK, what happens if they have the right password codes?!
Damn, this has for sure got my attention!! HELPPPPPPPP
Josh, did the codes match?
THEY MATCH!!! Ohhh shit, are these people in my DB???
I need some help guys.... come on! This has freaked me out now :(
I don't need this crap right now.
Just to let you know.... in my last email from them they are demanding £1000.00 "for information how to protect my network".
Josh, did the codes match? If not, don't worry.
Your password hash is also stored in the browser cookie and is useless without the salt chars.
so much to do.... |
So it's a spam attempt?
Change your database passwords now, and of course update _header.inc.php.
Is your /inc folder at permission 555?
Deano, Prashank, would that matter?
The codes they sent match exactly.... plus, as you see in the mail, it says "I will send you one more message and I will try to explain you how serious problem you have". THIS SOUNDS LIKE A THREAT TO ME AND I NEED TO KNOW MY NETWORK IS SAFE!! We all know how large and active my network is and I cannot afford anything to go wrong, or for others to have access whenever they feel like getting money from me....
They probably somehow read the user's cookie with some JavaScript on a site your user visited with their browser. Cookies of your site cannot be read on other sites, as I remember.
What are the embedded services you are using other than AdSense?
You mean advertisements OR any embedded stuff?
Any script or stuff you include in your site. Do you think any one of them is questionable (excluding AdSense)? Either some JavaScript is reading cookies or someone is in your database. Only 2 things I can think of currently. Anybody else got any other idea?
You have not answered this question, so I will ask again.
Does your cache folder contain a .htaccess file?
The reason I ask is that they may not be in your database. The information is available in the cache as well, and the .htaccess file is what protects that folder from being publicly read.
Sorry Deano, I am sweating here and totally missed your post!
I have checked and I do not see .htaccess there...
I have just changed the DB user's passwords.... changed admin passwords and other core users at my network...
Apart from modules, videos, and AdSense I don't think there is anything else embedded!
I welcome you to browse my site for possible clues or weaknesses etc.
Then I bet that's where he is getting the information.
Create a .htaccess file in the cache folder. The contents of it should be:
Deny from all
Or upload one from the full Dolphin zip file.
You must have deleted it at one point when you manually emptied your cache.
Yes, you don't appear to have the .htaccess file. Put one in fast from the default zip and check for the same in the inc folder, and maybe other folders too.
EDIT: I am able to access your PHP file from your cache dir lol, of course pulling the content from it will require some more work.
OK, I added the .htaccess to cache/
Where else should this be exactly, please....? In public cache?
From the message, it appears the person does not have English as a first language. I cannot help but wonder if this is related to the problem with the person claiming to be the one that created your website. With your .htaccess file missing and with knowledge of the Dolphin structure, it would not have been hard to know to navigate to the cache folder to see what he/she might find.
Doing a search for Sasha Security/Sasha Web Security only brings up this forum topic. Therefore, they are a spam/scam outfit. Besides, they are using a Gmail address; I would report them to Google. I don't care what anyone says, if a company does not have their own email address then I question them. As poor as I am, my emails are at my domain name.
Do as suggested by others: change passwords on your database, your admin account and perhaps even your server, just for good measure.
Geeks, making the world a better place |
inc/ has .htaccess already present....
I know what must have happened.... I always knew that there should have been a .htaccess in the cache folder >> I remember seeing it, BUT when I have been manually clearing files within it I have been selecting all files in that directory and deleting them, assuming the .htaccess file would still be there OR replace itself....
Phew.. that's good. Change your passwords and have a coffee.
EDIT: OH! I can still access the cache folder file. Check if your .htaccess is correct.
I have pretty much the same opinion as far as email addresses, BUT still I have been getting these mails a lot and thought it was just some kid trying their luck for cash! Now I see they had in fact all the correct information >> it's like being told someone is about to kidnap a loved one unless I pay up!
I did Google them at first but no results were returned...
cache, cache_public and tmp are all supposed to have one.
Double check your cache folder, because when you access that cache file you should get an error like on my site. Try it: http://www.deanbassett.com/cache/user1.php (you should see the same error).
Coffee usually.... after my last hour I NEED A BIG BOTTLE OF JACK DANIELS!!
Thank you to everyone that has helped me with this :) I have had too many things go wrong in past years with my network and getting to the point it is now, and I really really did / do not need this crap and worry...
Just tried Social Munch and got forbidden. Perhaps it was a cached version of the directory, Dean.
Did you look at just the cache folder or the actual file? There is a difference. The folder does, and that would only be because the webserver is not allowing directory browsing, but if you attempt to access a file directly within that folder then it will be accepted if the .htaccess does not restrict it.
I cleared my cache repeatedly. It's still accepting it. And it is for Prashank25 as well.
And geek_girl deleted her post I responded to. LOL.
My two cents: be very careful - it's highly probable that the spammers are members of the community here and monitor this forum thread - so they will know exactly what you did now.. and adapt to that...
LOL, I thought it was not needed.
I checked the /cache and get forbidden. When trying to access /user1.php, I get a white screen.
Just returns a blank page for me?!
http://www.socialmunch.com/cache/user10043.php
user10043.php > this is a file within cache now
Any files I look for in cache return a blank page
http://www.socialmunch.com/cache/user7654.php
Should not matter anyway. All of the cache files have a .php extension, so the server would process those first and display a white screen. The point is access should be denied by the browser, so instead of a white screen there should be an error.
Anyhow, I can't see how a hacker can get info from that anyway because of the .php extension. But I am not a hacker, so I have no clue how to do stuff like that.
But I do know there should be an error if the .htaccess file is being processed correctly. The white page indicates the server is trying to run the script, and it should not be.
The point I am trying to make is you should be seeing an error, not a blank page. So something is not right with the .htaccess file.
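A quick defender's check for the point Deano makes above (cache, cache_public and tmp must each carry a restrictive .htaccess, and a direct request for a cache file should come back as an error, not a blank page). This is an added shell example, not code from the thread or from Dolphin; the function names, the Dolphin root path and the URL are assumptions, and it accepts Apache 2.4's "Require all denied" alongside "Deny from all".

```shell
#!/bin/sh
# Added example (not from the thread or from Dolphin): verify that the
# Dolphin folders that must not be web-readable still carry a restrictive
# .htaccess, and that the web server really refuses a direct cache file request.

# check_htaccess_dirs ROOT
#   ROOT is the Dolphin install directory (assumed path, pass your own).
#   Prints one line per folder; returns 1 if any folder lacks a .htaccess
#   containing "Deny from all" (Apache 2.2) or "Require all denied" (Apache 2.4).
check_htaccess_dirs() {
  root="$1"
  rc=0
  for d in cache cache_public tmp; do
    f="$root/$d/.htaccess"
    if [ ! -f "$f" ]; then
      echo "MISSING  $d/.htaccess"
      rc=1
    elif grep -Eqi '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$f"; then
      echo "OK       $d/.htaccess"
    else
      echo "WEAK     $d/.htaccess (no Deny from all / Require all denied)"
      rc=1
    fi
  done
  return $rc
}

# classify_http_code CODE
#   Maps the status of a direct request for a cache file to a verdict:
#   403 is what a working .htaccess produces; 404 means nothing was served
#   (confirm the path); 200 means PHP executed the cache file, which is the
#   "blank page" symptom discussed in the thread. Always returns 0.
classify_http_code() {
  case "$1" in
    403) echo "OK" ;;
    404) echo "WARN" ;;
    200) echo "BAD" ;;
    *)   echo "WARN" ;;
  esac
  return 0
}

# check_cache_url URL
#   Fetches only the status code with curl and classifies it; fails on BAD.
#   Needs network access, e.g. check_cache_url http://yoursite.example/cache/user1.php
check_cache_url() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
  verdict=$(classify_http_code "$code")
  echo "$verdict $1 -> $code"
  [ "$verdict" != "BAD" ]
}

# Usage (assumed paths): check_htaccess_dirs /var/www/dolphin
```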
The cache file doesn't output anything, so it's a blank page; you should get a 403 error, not a blank page. Just put print_r($aUser); at the bottom of the PHP page and it has all the info anybody needs to access someone's account.
Upload the .htaccess from the Dolphin zip.
One more thing - if I were you, I would hire some serious person from here to perform a security audit of your site if it's really that valuable - if you guys discuss in public all the steps Detective should do now and those guys are monitoring the Boonex forum, they will always be one step ahead of you - it seems they do have knowledge so they can act quickly - I would lock the whole site totally - only tied to your own IP address until all security holes are fixed or site security is reviewed....
Because they use "Sirs" in the email it's clear they are 99% from India, as most Indians use "Sir" - only Indian people are used to "Sir".
Maybe including the file and dumping the data in it (after enabling URL include)? And there might be many other ways a cracker knows.
lol
I uploaded the .htaccess directly from the new Dolphin zip.
The file shows: Deny from all
This is not good, I think your Apache setup has some issue, I am able to access that cache file and, strangely, header.inc.php too.
Prashank: yeah, I knew you were going to react to it :-) I'm always wondering why Indian people use "Sir". It was used in other countries like in 1850 :-) maybe because of the British colony back in time? :-) I always recognize Indian people (nothing against you Prashank :-)) because they use "Sir" as no one else uses that :-)
Isn't the forbidden on listing the directory, not running a file in the directory? If you know the file that exists in a directory, you can access it unless you use a <files> entry that forbids anyone accessing the file outside of localhost. Is that how it works?
Deano is correct. This is what I get now.
Not Found
The requested document was not found on this server.
Web Server at socialmunch.com