This morning I got an auto-generated email via my host (not by my host) that my site was attacked, but the attack was stopped; then of course there was a whole body of technical information. In chatting with my hosting company they advised me that someone tried to inject scripts into my domain via SQL.
They have given me the IP address.
Does our system give us IP address for every member?
What do I do next? Any help would be appreciated.
|
As far as I remember Deano's tools has an IP log. Are you using it? so much to do.... |
Thanks, I have that software, I will take a look at it. Can you explain what it means? Does one physically do it? Or perhaps their computer is infected and the virus attaches on to links on members' listings. |
It would be better if I could see the email, but from the information you provided, someone tried to inject MySQL code into the database ("MySQL injection") and our awesome Dolphin stopped it. In this process Mr. Hacker tries to send code to the DB to get or, mostly, insert some content in the DB. It can be done on forms: when you ask a user for a name, instead of a name he/she will give a SQL statement. But it can be more complex. This is all I know about MySQL injection. I think Dolphin is very secure in the case of this injection. so much to do.... |
I will send you an email. This is so scary, one of my computers must be infected, because the IP in the email is referring to one of my systems at work.
Interesting. I'm messing with my own site without even knowing it. Perfect. Talk about sabotage.
|
Presscon, if it came from an IP you use it's probably a false alarm. Do you have the built-in Dolphin security enabled? Before I disabled it I used to get those emails all the time when I would try to do certain things in the admin section. I think it's disabled on the newer versions of Dolphin when you first install because of all these false positives.
Having said that, if you ever get any free time and want a good scare look at the server logs. There are people trying to access your server 24/7 365 days a year. It's all automated programs so don't take it personally :-)
If you install mod_security and CSF firewall you will get 15 to 20 emails a day telling you it blocked people port scanning, SQL injecting, XSS (cross site scripting), trying to login to your root account and email accounts.. and a million other dastardly things. The world is full of "Script Kiddies" who leave these programs running all day every day that just hunt down servers and attack them.
It's scary at first, but if you have the proper protection they won't get in.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Now I found one that came from one of my newest members, and all he did was post his website in the Sites module.
So can you tell me where in admin I have triggered this security please?
Yes, this only started this week, I guess the site is becoming more noticeable perhaps?
Any advice would be much appreciated.
|
To change the built in security go to:
administration -> settings -> advanced settings -> security
Then look for:
Total security impact threshold to send report:
Total security impact threshold to send report and block aggressor:
If you set these both to -1 it will turn them off completely. If you don't want to disable it but want to cut down on the false alarms you can change them to something like 60 or 70.
About recommendations, if you're on a VPS or dedicated server I would STRONGLY suggest you install CSF firewall and mod_security. They are both open source and free. They work together and block all the REAL attacks (unlike the built-in Dolphin security that blocks the admin and members posting their sites, lol). If you're on shared hosting you are sort of at their mercy when it comes to security.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
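To make the two threshold settings above concrete, here is a small model of how a PHPIDS-style "total impact" check is meant to treat the -1 ("off") value, with a naive comparison beside the correct one. This is an added illustration, not Dolphin's or PHPIDS's code; the filter names and impact scores are constructed sample data, and the naive check is an assumed explanation for reports arriving while both settings are -1, not a confirmed Dolphin bug.

```python
"""Model of Dolphin's two PHPIDS impact thresholds (added example, not
Dolphin's or PHPIDS's own code). PHPIDS gives each matched filter an impact
score and sums them per request; Dolphin compares the total with the two
admin thresholds and documents -1 as "turn off completely". Filter names
and scores below are constructed sample data."""
from dataclasses import dataclass

DISABLED = -1  # value the Dolphin settings page uses for "off"


@dataclass(frozen=True)
class Thresholds:
    report: int  # "Total security impact threshold to send report"
    block: int   # "... to send report and block aggressor"


def total_impact(matched_filters):
    """Sum the impact of every filter a request matched (PHPIDS-style)."""
    return sum(impact for _name, impact in matched_filters)


def decide_naive(total, thresholds):
    """Comparison that forgets the -1 sentinel: -1 is below any non-negative
    total, so every request is reported and blocked. Assumed cause of the
    thread's symptom, not a confirmed diagnosis."""
    return total >= thresholds.report, total >= thresholds.block


def decide(total, thresholds):
    """Check for -1 before comparing, so an 'off' threshold never fires."""
    def fires(threshold):
        return threshold != DISABLED and total >= threshold
    return fires(thresholds.report), fires(thresholds.block)


# Constructed sample requests: a member listing a site with an encoded
# smiley (a few low-impact filters) and a textbook injection probe.
LEGIT_LISTING = [("html_entities", 4), ("url_in_field", 4), ("percent_encoding", 4)]
INJECTION_PROBE = [("sql_keyword", 30), ("comment_sequence", 25), ("quote_imbalance", 30)]


def evaluate(matched_filters, thresholds, checker=decide):
    """Return (report, block) for a request under the given thresholds."""
    return checker(total_impact(matched_filters), thresholds)


if __name__ == "__main__":
    for name, th in (("off (-1)", Thresholds(-1, -1)), ("tuned", Thresholds(60, 70))):
        for label, req in (("legit listing", LEGIT_LISTING), ("probe", INJECTION_PROBE)):
            print(name, label, "naive:", evaluate(req, th, decide_naive),
                  "fixed:", evaluate(req, th))
```

Note that raising the thresholds to 100, as suggested later in the thread, also silences the constructed probe (total 85), which is the trade-off of tuning away false positives by threshold alone.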
They are already set at -1, so does that mean these were legitimate and worrisome attacks?
|
Hmmm, I guess we need to know where the information the host sent you came from. I'm inclined to believe if it's an IP that you use it's still a false alarm.
A good example is I had to disable one of the security rules on my server because any time someone tried to insert one of the smileys in Dolphin it would block them and send me an email saying someone was attempting XSS.
Ask your host where that info they sent you came from.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
This looks like an auto generated email from Dolphin (my site), as the host was not aware of it. I sent it to them to analyze.
It was an IP I use; then there is also an IP a new member uses, he just added a site and this popped up. He had nothing of any suspicion on there, I checked immediately. He was still there editing his entry. I just edited some of his original entry to improve on his listing, nothing happened. So not sure what is going on, unless as you say, it just gets triggered on the smallest of things.
|
That's really weird. If it came from Dolphin it was definitely from PHPIDS, which is supposed to be disabled if you set those two settings to -1. Bug maybe?
I just found this thread, it looks like I wasn't the only person who had problems with smileys, lol.
http://www.boonex.com/forums/?action=goto&search=1#topic/Inserting-Smileys-PHPIDS.htm
Here's another thread about it, but again everyone said the -1 should stop the warnings:
http://www.boonex.com/forums/?action=goto&search=1#topic/Disabling-PHPIDS-Possible-Attacks.htm
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Now I am totally lost, and worried. |
Hey mscott, I got a question.
Can this security system actually block attacks if it is set to -1? Does that disable it?
so much to do.... |
No, -1 is supposed to turn PHPIDS off completely. Boonex made the current versions set to -1 by default when you install because so many people complained about the false alerts and being blocked while doing normal admin functions.
If it's set to -1 it shouldn't be blocking anything or sending any emails. There is something wrong with presscon's, or it's a bug.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
If it's a bug it should have happened to at least a few people, but presscon is the only one, I think. so much to do.... |
Yep, of course it has to be only me. lol. Well, nothing in the last 18 hours or so. Perhaps my host fixed something - maybe? |
Nope, spoke too soon. More messages of "Attacked Stopped". |
presscon,
Can you post one of the emails here?
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
I emailed you a copy of the body of the email.
The title read "Attacked Stopped".
|
Just got it. It's PHPIDS blocking something because Dolphin encoded normal symbols. It looks like all these emails are false positives, so the real problem is that you can't turn PHPIDS off. Try setting it to something like 100. Hopefully this will work, but it might not, because if it isn't accepting the -1 to turn it off it might not use the 100 either??
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Bottom line is - nothing to worry about?
|
Nothing to worry about security-wise.. but if setting it to 100 doesn't work it will get annoying if it keeps blocking your members from doing legitimate things around the site.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |