D7.0.6 Security Holes

Greetings -


Hey Boonex Team - I think you need to pay close attention to this phenomenon..


You might find this very strange to believe. I have a server which hosts about 15 sites for my clients. Two of them are mine and happen to be D7.0.6. Today, strangely enough, both of my D7 sites went down, but all of my clients' sites, which are NOT D7, are still functioning just fine.


It gets better: one of my D7 sites has been parked with a message "under maintenance" for about 4 months, yet today the site went down because it appears to have exceeded its bandwidth usage. Isn't that strange? How could this site possibly generate such heavy traffic, exceeding 6Gb of bandwidth in 2 wks, while the site is NOT even live? Could anyone explain this mystery for me?

Please note, before I shut down this site, I was getting bombarded with blogs from China. Even though I use a confirmation email, they still somehow get into my system and post SPAM blogs, but they never make it to the front page because I have to approve them first, and thankfully the blog approval does work, otherwise my site would have looked like Jurassic Park. Having said that, how are these users able to create accounts even though they have to be confirmed and even though the site is NOT live?

I asked the company I am co-locating with about this issue, as to whether I've been under a DDoS attack; they said no. The only thing I can think of is that there is a major security hole somewhere within D7 which allows these robot scripts to send an overwhelming amount of blogs & SPAM behind the doors even though the site is not live.

In fact, I saw a recent thread on the Boonex Forum called "Is there a way to stop these FAKE New User Sign Ups", which you can see at http://tinyurl.com/3dm2vn7 - it describes issues similar to the ones I am having. Apparently I am not the only person who is having these issues, where fake users are getting created behind the doors despite the fact that we have an approval system on D7, which I am afraid to say is obsolete!


At one point it really doesn't matter if you are running a Cadillac site which looks great from the outside; if the site has no borders at all, then anyone is welcome to invade my country, trash it, then leave.. and I end up doing the clean-up.. It is a nightmare. I invested in Boonex a great deal, and I would hope that Boonex pays close attention to these security hole issues that some of us are complaining about. I am really not interested in seeing new features in the upcoming releases, but rather a TIGHTER SECURITY around D7 so we can run our sites more effectively.

It defeats the purpose to drive a Porsche with a Toyota engine, so to speak..

Could someone shed some light please. My sites are down as we speak. Thank you.

Quote · 30 Jul 2011

I don't have an explanation for your bandwidth problem but I do have some solutions for your (and everyone else's) spammer problem. I have been watching my log files over the last few months and I can tell you every spammer in China has their bots looking for "join.php". When the bot finds it, it dumps all those links in it and submits (yes, they cracked the Dolphin captcha long ago). So then the spammer confirms the links in his email at his leisure. Or not at all sometimes. Having said that, here is my two cents:

1. Rename join.php; this will stop the automated ones. You'll notice your log is full of "404 File not found: join.php". You will have to edit 5 or 6 files and change the references from join.php to whatever you rename it to. You can use SSH and "grep" to find which files reference join.php.

2. I have my "block attacker" set at 27 in advanced settings; this seems to stop most of them from joining because they try and post like 3 links in the "Description me" field.

3. This is a GOOD one but it only works if you have a VPS or dedicated... Mod_security and CSF firewall. I have mod_security rules in place that block ANY post payload that contains "prada purse", "prada replica" and so on and so forth. HOW MANY %$@# FAKE PRADA SITES CAN THERE BE?!! A LOT obviously, because the domain names are different every day. I also have a filter that blocks any payload with @gmx.com, @163.com, @126.com; I have NEVER had a real member sign up with these as they are just spammer havens. So mod_security does the work for me most of the time.

Oh and while I'm at it, this has nothing to do with Dolphin, but did you guys know there is a master exim file you can put mail rules in for the whole server? You can fill it with "viagra" rules and never have to read that garbage again!

Hope this was helpful, I'll post again in a year or two :-)

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 30 Jul 2011
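As an added example (not mscott's actual configuration and not part of the original post), this is what the mod_security filtering described in point 3 looks like as ModSecurity 2.x rules for Apache in front of a Dolphin site. The rule ids and the DescriptionMe field name are assumptions; the patterns only cover the phrases and mail domains named in the post.

```apache
# Added example: ModSecurity 2.x rules for Apache in front of a Dolphin site.
# They reject sign-up POSTs carrying the spam markers described above. Rule ids
# 900101-900103 and the field name DescriptionMe are assumptions; check your own
# config for free ids and join.php for the real form field names.

SecRuleEngine On
SecRequestBodyAccess On        # the phase 2 rules below need the POST body (ARGS_POST)

# 1. Replica-goods phrases ("prada purse", "prada replica", ...) in any POST field
#    of the join page. If you rename join.php, change the path in the first rule.
SecRule REQUEST_FILENAME "@endsWith /join.php" \
    "id:900101,phase:2,chain,deny,status:403,log,\
    msg:'Dolphin join spam: replica-goods phrase in POST body'"
    SecRule REQUEST_METHOD "@streq POST" "chain"
        SecRule ARGS_POST "@rx (?i)\bprada\s+(purse|replica|handbag)s?\b" "t:none"

# 2. Throw-away mail domains that only ever showed up on spam sign-ups.
#    Matched in every POST field rather than just the e-mail field, so a
#    renamed field or a profile text containing the address is caught too.
SecRule ARGS_POST "@rx (?i)@(gmx|163|126)\.com\b" \
    "id:900102,phase:2,deny,status:403,log,\
    msg:'Dolphin join spam: disposable mail domain in form field'"

# 3. Three or more links in the profile description (the same thing the
#    Dolphin "block attacker" threshold in point 2 is aimed at). [\s\S] lets
#    the match span line breaks inside the textarea value.
SecRule ARGS_POST:DescriptionMe "@rx (?i)(https?://[\s\S]*){3}" \
    "id:900103,phase:2,deny,status:403,log,\
    msg:'Dolphin join spam: 3 or more links in profile description'"
```

Each 403 from these rules is written to the ModSecurity audit log, and CSF's lfd can count those denials per source IP (LF_MODSEC in csf.conf) and add a firewall block, which is what the "Failures: 3 (mod_security)" alerts quoted later in this thread show.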

You haven't been hacked, and no security holes have been exploited. The spammers most likely found your site through search engines that indexed your site's content (and used Dolphin-specific links as the search criteria), and made accounts to spam the blogs and other sections of your site.

You can enable the invitation-only feature, but it's my guess that the spammers have figured out how that works (it's a simple system, no real security behind it). You should look into using the anti-spam tools and restricting access to only certain countries or regions (which can be done using allow, deny in the main .htaccess file). You can also change the moderation settings to have accounts require administrator approval before posting anything.

Dolphin uses a lot of dynamic content, and the member menu can be a major culprit in processor usage. You should check with your hosting provider to see where the intensive resource usage that brought your sites down is coming from, and make the appropriate changes.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 30 Jul 2011

Correction: My server has 6TB bandwidth, not 6gb.

Thank you mscott & Nathan! This is very helpful info indeed.

Is it possible to block any traffic that is coming from China? I don't care if their president himself wants to access my site, I don't want any traffic from China. Do they have one main IP@ that I can block altogether, or are there several IPs? If so, could you advise what these IPs are & how to set them up in the Admin, or even within the source code if I have to..

Dedicated Mod_Security - where can I find this mod please?

You also mentioned CSF firewall, is this the right place to get it from:
http://www.configserver.com/cp/csf.html

You said: "did you guys know there is a master exim file you can put mail rules in for the whole server?" Where can I find this file please..

Thanks again!

Quote · 30 Jul 2011

You'll need to check the acceptable usage policy set by your hosting provider. You may have seemingly limitless hosting, but there are hidden limitations that you need to watch out for (such as processor usage, which is what most "unlimited" hosting providers use to meter accounts).

You should give this thread a read for how to block unwanted countries from accessing your site. It's a bit extreme, but should do the trick nicely enough.

You can try mod_security and other server-related tools, but you'll need to be on a VPS or dedicated server for these. I'm assuming you're on a shared hosting plan, which means these won't be available to you without action by your hosting provider.

Cheers.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 30 Jul 2011

Thanks Nathan -

No, I am indeed on a dedicated server. I can do anything I want, of course if I know what I am doing :)
I have full access to root and WHM.

>> You said, You'll need to check the acceptable usage policy set by your hosting provider
Is this something I can do from WHM? I would appreciate directions on how to do this.

Also, I am serious about removing China from the picture, and not to offend the good Chinese folks, I am considering removing other countries as well. I am not running a Facebook platform; my site targets my own community ONLY. I have no plans to do business with China & other countries now or in the future. No offense to the good Chinese people, but my audience is simply not Chinese, that's the main reason, so I don't want to spend my resources chasing business that is irrelevant to me. If there is a way I can block China IP@, please advise. Thank you.

Quote · 30 Jul 2011

> If there is a way I can block China IP@, please advise. Thank you.

Turn on the "Enable DNS Block Lists" option in Dolphin Admin Panel -> Settings -> Advanced Settings -> Security (you may also enable the "Total block all spam content" option).

Then activate the "cn.countries.nerd.dk." rule in Dolphin Admin Panel -> Tools -> Antispam Tools -> DNS Blocklist.

Please note that "cn" in the rule is China; to block or whitelist another country, replace "cn" with that country's code.

Rules → http://www.boonex.com/terms
Quote · 1 Aug 2011

 

> Correction: My server has 6TB bandwidth, not 6gb.
>
> Thank you mscott & Nathan! This is very helpful info indeed.
>
> Is it possible to block any traffic that is coming from China? I don't care if their president himself wants to access my site, I don't want any traffic from China. Do they have one main IP@ that I can block altogether, or are there several IPs? If so, could you advise what these IPs are & how to set them up in the Admin, or even within the source code if I have to..
>
> Dedicated Mod_Security - where can I find this mod please?
>
> You also mentioned CSF firewall, is this the right place to get it from:
> http://www.configserver.com/cp/csf.html
>
> You said: "did you guys know there is a master exim file you can put mail rules in for the whole server?" Where can I find this file please..
>
> Thanks again!

Before you go changing important core files, which in my opinion will hinder your future upgrades..

Read this thread as well: http://www.boonex.com/forums/topic/This-is-how-the-spammers-find-boonex-based-sites.htm

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 1 Aug 2011

 

> If there is a way I can block China IP@, please advise. Thank you.
>
> Turn on the "Enable DNS Block Lists" option in Dolphin Admin Panel -> Settings -> Advanced Settings -> Security (you may also enable the "Total block all spam content" option).
>
> Then activate the "cn.countries.nerd.dk." rule in Dolphin Admin Panel -> Tools -> Antispam Tools -> DNS Blocklist.
>
> Please note that "cn" in the rule is China; to block or whitelist another country, replace "cn" with that country's code.

I have this enabled on all sites and it does not stop them at all.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 1 Aug 2011

 

 

> If there is a way I can block China IP@, please advise. Thank you.
>
> Turn on the "Enable DNS Block Lists" option in Dolphin Admin Panel -> Settings -> Advanced Settings -> Security (you may also enable the "Total block all spam content" option).
>
> Then activate the "cn.countries.nerd.dk." rule in Dolphin Admin Panel -> Tools -> Antispam Tools -> DNS Blocklist.
>
> Please note that "cn" in the rule is China; to block or whitelist another country, replace "cn" with that country's code.
>
> I have this enabled on all sites and it does not stop them at all.

It will not work if Chinese spammers are using proxy servers in other countries; Dolphin then sees the proxy server's IP, not the spammer's IP.

Rules → http://www.boonex.com/terms
Quote · 1 Aug 2011

 

 

 

> If there is a way I can block China IP@, please advise. Thank you.
>
> Turn on the "Enable DNS Block Lists" option in Dolphin Admin Panel -> Settings -> Advanced Settings -> Security (you may also enable the "Total block all spam content" option).
>
> Then activate the "cn.countries.nerd.dk." rule in Dolphin Admin Panel -> Tools -> Antispam Tools -> DNS Blocklist.
>
> Please note that "cn" in the rule is China; to block or whitelist another country, replace "cn" with that country's code.
>
> I have this enabled on all sites and it does not stop them at all.
>
> It will not work if Chinese spammers are using proxy servers in other countries; Dolphin then sees the proxy server's IP, not the spammer's IP.

I can understand that, but looking at my site stats, the IP addresses are from China.. not outside, but China.

Spammers

Here are just a couple of days of stats, with the spam on. So are my stats wrong on the addresses and countries?

Each line: date and time | browser | OS and screen size | location | network (IP) | page visited | referrer

Jul 30 01:01:23 AM | Firefox 3.6 | WinXP 1366x768 | Fuzhou, Fujian, China | Chinanet Fujian Province Network (222.76.94.191) | www.webcamhowto.com/join.php | referrer: www.webcamhowto.com/join.php
Jul 30 12:57:44 AM | Firefox 3.6 | WinXP 1366x768 | Fuzhou, Fujian, China | Chinanet Fujian Province Network (222.76.94.191) | www.webcamhowto.com/join.php | referrer: www.webcamhowto.com/ads/my_page/add/
Jul 30 12:56:37 AM | Firefox 3.6 | WinXP 1366x768 | Fuzhou, Fujian, China | Chinanet Fujian Province Network (222.76.94.191) | www.webcamhowto.com/ads/my_page/add/ | referrer: www.google.com.hk — inurl:my_page/add/ #79
Jul 28 03:55:50 AM | Firefox 5.0 | WinXP 1366x768 | Beijing, China | Chinanet Hebei Province Network (124.238.169.50) | www.webcamhowto.com/ | (No referring link)
Jul 28 03:55:13 AM | Firefox 5.0 | WinXP 1366x768 | Beijing, China | Chinanet Hebei Province Network (124.238.169.50) | www.webcamhowto.com/terms_of_use.php | referrer: www.webcamhowto.com/join.php
Jul 28 03:54:47 AM | Firefox 5.0 | WinXP 1366x768 | Beijing, China | Chinanet Hebei Province Network (124.238.169.50) | www.webcamhowto.com/join.php | referrer: www.webcamhowto.com/join.php
Jul 28 03:54:27 AM | Firefox 5.0 | WinXP 1366x768 | Beijing, China | Chinanet Hebei Province Network (124.238.169.50) | www.webcamhowto.com/terms_of_use.php | referrer: www.webcamhowto.com/join.php
Jul 28 03:54:02 AM | Firefox 5.0 | WinXP 1366x768 | Beijing, China | Chinanet Hebei Province Network (124.238.169.50) | www.webcamhowto.com/join.php | referrer: www.webcamhowto.com/terms_of_use.php
Jul 28 03:53:01 AM | Firefox 5.0 | WinXP 1366x768 | Beijing, China | Chinanet Hebei Province Network (124.238.169.50) | www.webcamhowto.com/terms_of_use.php | referrer: www.webcamhowto.com/join.php
Jul 28 03:51:37 AM | Firefox 5.0 | WinXP 1366x768 | Beijing, China | Chinanet Hebei Province Network (124.238.169.50) | www.webcamhowto.com/join.php | referrer: www.webcamhowto.com/join.php
Jul 28 03:51:10 AM | Firefox 5.0 | WinXP 1366x768 | Beijing, China | Chinanet Hebei Province Network (124.238.169.50) | www.webcamhowto.com/join.php | referrer: www.webcamhowto.com/
Jul 28 03:49:52 AM | Firefox 5.0 | WinXP 1366x768 | Beijing, China | Chinanet Hebei Province Network (124.238.169.50) | www.webcamhowto.com/ | (No referring link)
Jul 28 02:37:30 AM | Firefox 5.0 | WinXP 1366x768 | Fuzhou, Fujian, China | Chinanet Fujian Province Network (125.77.69.19) | www.webcamhowto.com/join.php | referrer: www.webcamhowto.com/join.php
Jul 28 02:35:22 AM | Firefox 5.0 | WinXP 1366x768 | Fuzhou, Fujian, China | Chinanet Fujian Province Network (125.77.69.19) | www.webcamhowto.com/join.php | referrer: www.webcamhowto.com/join.php
Jul 28 02:32:47 AM | Firefox 5.0 | WinXP 1366x768 | Fuzhou, Fujian, China | Chinanet Fujian Province Network (125.77.69.19) | www.webcamhowto.com/join.php | referrer: www.webcamhowto.com/ads/my_page/add/
Jul 28 02:32:21 AM | Firefox 5.0 | WinXP 1366x768 | Fuzhou, Fujian, China | Chinanet Fujian Province Network (125.77.69.19) | www.webcamhowto.com/ads/my_page/add/ | referrer: www.google.com.hk — inurl:my_page/add/ #70

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 1 Aug 2011

 

 

 

 

> If there is a way I can block China IP@, please advise. Thank you.
>
> Turn on the "Enable DNS Block Lists" option in Dolphin Admin Panel -> Settings -> Advanced Settings -> Security (you may also enable the "Total block all spam content" option).
>
> Then activate the "cn.countries.nerd.dk." rule in Dolphin Admin Panel -> Tools -> Antispam Tools -> DNS Blocklist.
>
> Please note that "cn" in the rule is China; to block or whitelist another country, replace "cn" with that country's code.
>
> I have this enabled on all sites and it does not stop them at all.
>
> It will not work if Chinese spammers are using proxy servers in other countries; Dolphin then sees the proxy server's IP, not the spammer's IP.
>
> I can understand that, but looking at my site stats, the IP addresses are from China.. not outside, but China.

Please submit a support ticket with your site access details; we will try to investigate the issue.

Rules → http://www.boonex.com/terms
Quote · 1 Aug 2011

Greetings -


I wanted to take this opportunity to Thank MSCOTT for his great assistance.


I've been using Dolphin for about 5 years now, and the most critical issues I've been encountering with Dolphin have to do with SECURITY.


Some of my Dolphin sites have been consuming so many resources on my dedicated server that it brought down my whole server. As a result, I paid the consequences. I am running a business; I can't jeopardize my other clients' websites, which are non-Dolphin sites, so what should I do? It is beyond my budget to purchase a second server and dedicate it to Dolphin clients only.. I found out later that Boonex will help you further with the security issues, but you have to be a premium client, which I can't afford either..

 

So there must be another solution that is more cost-effective and reliable. That's when I contacted MSCOTT.

 

Working with MSCOTT for the last three months has saved me all the security headaches I encountered over the last 5yrs. He installed Mod_security and the CSF firewall and configured them properly. I just can't thank him enough for the great assistance and the extra effort he has put in to make my Dolphin sites as stable as they are today and, most importantly, well SECURED. No more SPAM, no more fake emails, and no more intrusions :-)

 

To see what I am talking about, here are some alerts for hackers from China & Russia I've been getting, which were STOPPED promptly before they could harm my system:

IP:       222.186.24.25 (CN/China/-)
Failures: 3 (mod_security)
Interval: 300 seconds
Blocked:  Permanent Block

IP:       188.143.232.8 (RU/Russian Federation/-)
Failures: 3 (mod_security)
Interval: 300 seconds
Blocked:  Permanent Block

IP:       94.24.40.11 (RO/Romania/-)
Failures: 3 (mod_security)
Interval: 300 seconds
Blocked:  Permanent Block

Also, I was very concerned about giving out my root access to someone I don't know. I can say without any hesitation that MSCOTT is trustworthy, and rest assured you can rely on him 500%. MSCOTT is very knowledgeable, he exhibits great technical skills, he has been very patient with me and he returns my emails in a timely manner. My system has been stable for the last three months now; I wish I had consulted with him 5yrs ago.

 

I would highly recommend MSCOTT to anyone who is or has been having security issues with his Dolphin sites; you will be happy with his services indeed. I am :-)

 

If you need more info, send me a PM; I will be happy to forward you my logs and show you how protected my server is today vs. the last 5yrs.

 

Regards,

-AJ

Quote · 19 Sep 2011
 
 