Troubleshooting - Possible Security Attacks!

In Dolphin 7, a new security feature was added called PHPIDS. This feature is to assist in blocking common attacks to your Dolphin website. Some of these attacks blocked are (but not limited to):

- Description: finds html breaking injections including whitespace attacks
- Description: finds attribute breaking injections including whitespace attacks
- Description: finds malicious attribute injection attempts
- Description: Detects obfuscated script tags and XML wrapped HTML
- Description: Detects common comment types
- Description: Detects comments to exploit firefox' faulty rendering and proprietary opera attacks
- Description: Detects possibly malicious html elements including some attributes
- Description: Detects classic SQL injection probings 2/2
- Description: Detects basic XSS DoS attempts
- Description: finds attribute breaking injections including obfuscated attributes

Unity Members here starting discovering that simple things that we were doing as Site Admins, such as adding HTML code to a HTML block, were causing these emails to be sent and possibly blocking your access to your site. With the many reports to the forums of this issue, below are the known ways to resolve the issue from getting these Possible Security Attack! messages.

First Option:

Navigate to your Admin Panel>Settings> Advanced Settings> Other

There you will notice to available entries to edit:

1) Total security impact threshold to send report: (This is the impact level defined to trigger an email sent to you)

2) Total security impact threshold to send report and block aggressor: (This is the impact level defined to trigger an email AND block access to your website)

You can adjust these levels to ANY HIGHER value based upon the Total Impact: number you received in the email alert.

Example: If you receive an Possible Security Attack email with a Total Impact level of 25, you can RAISE the current level in the Total security impact threshold to send report: to 26 in order to stop receiving email from attacks on impact levels of 25 or below. Same rules apply with the 2nd impact level setting.

Second Option:

Navigate to your Admin Panel>Settings> Advanced Settings> Other

replace the current impact level values to a -1  (negative 1) for both of the following

1) Total security impact threshold to send report: (This is the impact level defined to trigger an email sent to you)

2) Total security impact threshold to send report and block aggressor: (This is the impact level defined to trigger an email AND block access to your website)

Doing the Second Option will completely disable PHPIDS and you will no longer receive Possible Security Attack messages OR risk being blocked from your site. *** By disabling PHPIDS, you understand that your site could be a risk for an actual attack.

Hope this helps everyone understand better.

Chris

Nothing to see here
Quote · 11 Mar 2010

That accually explained a lot more than I thought, we always look for the simplest solution without even understanding the results.

I had like a lot others just set my settings at-1, but it seems that I should of set my settings a little higher maybe instead.

I play around with it, thanks Zarcon for clearing that up a little!:)

Derrick

Back to pulling my hair out! (ouch, ouch,ouch)
Quote · 12 Mar 2010

Could you tell me what is the desired level to allow post youtube videos in articles module? intending it's only for administrators use

Quote · 26 Mar 2010

Thanks Zarcon....i was stuck & didnt know what to do....u'r advice helped

Quote · 31 Mar 2010

It sent me almost 2000 emails today, after I added correct bugreport address. hehe.

This page is where just about all of them happened:
SCRIPT_FILENAME: /var/www/sexdate.no/htdocs/flash/XML.php

And here is some example info:

Total impact: 18
Affected tags: xss, csrf, id, rfe

Variable: REQUEST.pA_c.p | Value: S7QysqoutjI0s1IqyChwTCmOT04EUtGGprFK1olQSSulMiXrTCszazA7FcQ2NDIzMTe3NDExtq7Fpt0EU7shinZTA2MzAxNDC+vaWgA=
Impact: 9 | Tags: xss, csrf, id, rfe
Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID: 25
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31

Had to increase the numbers earlier today, glad to find a post with more info.

Seems it did not like this users info. Is it not just an encrypted userpass or is there an actual script tag in there or something?

(perhaps randomly generated script tags :)

Moderators here get the security warning message often when saving profile text. (does it not like smileys or what :))

Maybe needs some exceptions and not just higher threshold.
mod_security solves this nicely also, so might try to disable this built in IDS if emails continue.
(no problems in d7 so far, but lots of attempts on older bugs in d6. Search access logs for: txt?   shows most of the rfi attempts)

Edit: Got a more precise one from when support approved profiles..

Variable: REQUEST.DescriptionMe.0 | Value: <p>Kanskje finnes det en frøken eller frue som vil hjelpe meg med mine syndige drømmer. <img title=\"Laughing\" src=\"http://sexdate.no/plugins/tiny_mce/plugins/emotions/img/smiley-laughing.gif\" border=\"0\" alt=\"Laughing\" /></p>
Impact: 13 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: finds attribute breaking injections including obfuscated attributes | Tags: xss, csrf | ID: 68


Seems to not like that Smiley-Laughing tag :)   (also tripped on encrypted password in cookie, so this scored 44 - just over my increased threshold, so combining many trivial scores is not so good here it seems)

--

Alright, thanks for pointing out this was called phpids (php-ids.org)

Default config file is said to be config.ini
Here is the path on dolphin7:
plugins/phpids/IDS/Config/Config.ini

and then regex filters,
plugins/phpids/IDS/default_filter.xml


Think I'll just decrease the impact of some of the regexes for now, like the one that cathed smileys :)
It seems like a nice IDS script though :)

Quote · 8 Apr 2010

Thank's Zarcon

Post Reply - if you going to help - No for - bla bla bla bla
Quote · 7 Jun 2010

Perfect solution. Thanks so much :)

Quote · 27 Jun 2010

Zarcon, how does this apply for 7.0.2?

Darkestar Holdings www.darkestar.com
Quote · 30 Jun 2010

Zarcon, how does this apply for 7.0.2?

7.0.2 comes with PHPIDS disabled by default. The values are already set to -1 so it does not apply at all. You can see this in the Admin Panel> Settings>Advanced Settings>Security

Nothing to see here
Quote · 30 Jun 2010

The same. But they should have been automatically disabled (set to -1) during the install of 7.0.2 which disabled is now the default.


https://www.deanbassett.com
Quote · 30 Jun 2010

Arg. Did not type fast enough. LOL.

https://www.deanbassett.com
Quote · 30 Jun 2010

Arg. Did not type fast enough. LOL.

Nah Nah Nah boo boo stick your face in doo doo.. lol

Nothing to see here
Quote · 30 Jun 2010

Is that the same thing that cuts your code apart?  Is it not possible to do what the admin wants at -1 -1 then choose to return to the security settings later if you want?

Csampson
Quote · 13 Aug 2010

 

Is that the same thing that cuts your code apart?  Is it not possible to do what the admin wants at -1 -1 then choose to return to the security settings later if you want?

The code-cutting is done by HTMLPurifier, not PHPIDS.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 13 Aug 2010

and what is a good setting? I started at 5, increased to 25 for sending reports, and still get this with level 32 around every second:

Total impact: 32
Affected tags: xss, csrf, id, rfe, sqli, lfi

Variable: COOKIE._pk_ref_8_a443 | Value: [\"\",\"\",1304170626,\"http://www.gmxattachments.net/de/cgi/g.fcgi/mail/print/fullhtml?mid=babgebhh.1304102306.641.b500ahqysy.73&type=full\"]
Impact: 32 | Tags: xss, csrf, id, rfe, sqli, lfi
Description: Detects JavaScript with(), ternary operators and XML predicate attacks | Tags: xss, csrf | ID: 7
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects basic obfuscated JavaScript script injections | Tags: xss, csrf | ID: 24
Description: Detects common XSS concatenation patterns 1/2 | Tags: xss, csrf, id, rfe | ID: 30
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67
Centrifuge detection data  Threshold: ---  Ratio: ---  Converted: ((++::

REMOTE_ADDR: 77.190.77.72
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /var/www/vhosts/XXXX.com/httpdocs/modules/index.php
QUERY_STRING: r=simple_messenger/get_operation/new_messages&_r=0.5641540063949156&registered_chat_boxes=
REQUEST_URI: /modules/?r=simple_messenger/get_operation/new_messages&_r=0.5641540063949156&registered_chat_boxes=
QUERY_STRING: r=simple_messenger/get_operation/new_messages&_r=0.5641540063949156&registered_chat_boxes=
SCRIPT_NAME: /modules/index.php
PHP_SELF: /modules/index.php

 

it looks like the simple messenger pulls some data, but I honestly can't decide what to set the level :(

Quote · 30 Apr 2011

A good setting is -1. Thats negative 1 for both. Which disables it.

Dolphin ships with it off now for the last couple of versions. It is broken. You should not have it enabled.

https://www.deanbassett.com
Quote · 30 Apr 2011

Now you have me confused, Zarcon recommends it if I understand it correctly, you say it doesn't work at all.... so what??? Undecided

Quote · 30 Apr 2011

I did not say it does not work at all. I said it's broken. In this case i mean it's not accurate. Way to many false positives to make it useful.

That post is also a year old. Made before dolphin disabled it by default. Disabling it is now what most of us recommend.

https://www.deanbassett.com
Quote · 30 Apr 2011

Ok, now you got me again, indeed its 2010 :D I just saw it on top of the forum and read March, 11th... so its old :)

I have it enabled now with a rating of 40 and it seems to work pretty well now, 37 was the last wrong negative impact, and I still get (blocked) attacks from severals sites with 100% spam.

and it stopped my spam attacks, I have not one spam profile for two days now...

Quote · 1 May 2011

I changed it once and turned back to -1, but now it recognizes 0 or something like this, thus, the site isn't anything than an anti-attack mechanism. I can't reach the admin-panel. Where do I find the option in the database?

Quote · 15 Jun 2011

so does that all mean its nothing serious when getting notified like:

Total impact: 5<br/>
Affected tags: xss, csrf<br/>
<br/>
Variable: COOKIE.memberSession | Value:
whnrb&amp;Hqp3YzE=7=DeMCa23NtPX5ch3b<br/>
Impact: 5 | Tags: xss, csrf<br/>
Description: Detects JavaScript location/document
property access and window access obfuscation |
Tags: xss, csrf | ID: 23<br/>
<br/>
REMOTE_ADDR: 71.228.251.50
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME:
/xxxxx/xxxxxxx/public_html/modules/index.php
QUERY_STRING:
r=photos/get_image/browse/ea567786d4b72317f4016d12a773c628.jpg
REQUEST_URI:
/m/photos/get_image/browse/ea567786d4b72317f4016d12a773c628.jpg
QUERY_STRING:
r=photos/get_image/browse/ea567786d4b72317f4016d12a773c628.jpg
SCRIPT_NAME: /modules/index.php
PHP_SELF: /modules/index.php

my settings at admin are -1

Diddy is not greedy and has time. Dolphin is cool and its not just mine :-)
Quote · 23 Oct 2011

Ok here's one for you. What happens if your own ip is blocked. It has happened to me and I can not get to the ip black list to remove my ip. How does one get on.Any help would be gladly accepted

 

 

Quote · 17 Jul 2012

 May I ask why you blocked your own IP?  It's not something you can do accidentally

 

 

 

 

 

Ok here's one for you. What happens if your own ip is blocked. It has happened to me and I can not get to the ip black list to remove my ip. How does one get on.Any help would be gladly accepted

 

 

 

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 17 Jul 2012

I've got 7.0.9, and I STILL get these damn emails. I hadn't checked my email associated with my dolphin, but now that I'm checking it, I've been getting them all along. It's never the same page on my site, or the same files supposedly being compromised. It has NO rhyme or reason, it's just a royal PIMA.

 

Total security impact threshold to send report: -1

Total security impact threshold to send report and block aggressor:-1

 

I've had it set to those all along, and I even have the "Send report to admin if spam content discovered" unchecked, yet I STILL get these emails. How the hell can I turn this off?

Quote · 12 Sep 2012

I'm sure that was triggered by this member that has been spamming your site, as of couple minutes ago..

Sent in a PM to you.

Also that looks to be from the shoutbox as well

ManOfTeal.COM a Proud UNA site, four years running strong!
Quote · 12 Sep 2012

It's never the same page, and it always seems to be hits from a search engine. I don't get why I'm even receiving them, I have my settings set to -1, I always have.

Quote · 13 Sep 2012

Is this anything to worry about ??

 

Total impact: 7

Affected tags: xss, csrf, id, rfe, lfi

 

Variable: COOKIE.fbsr_278800235555256 | Value: 0jjLeCQFJpSQC0zIwCdXs2alK4nE65F-ly02J6AC5_k.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiIyLkFRQVVtM0RxVXJmWGZVLXYuMzYwMC4xMzQ4NjcxNjAwLjEtNjkyNjgyMDA2fDEzNDg2NjUxMDZ8bzJYcFpvOHdWXzYtNmtHWnlGOFhqamMwT1dBIiwiaXNzdWVkX2F0IjoxMzQ4NjY0ODA2LCJ1c2VyX2lkIjoiNjkyNjgyMDA2In0

Impact: 7 | Tags: xss, csrf, id, rfe, lfi

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

Centrifuge detection data  Threshold: 3.49  Ratio: 3.2

 

REMOTE_ADDR: 86.26.21.36

HTTP_X_FORWARDED_FOR: 

HTTP_CLIENT_IP: 

SCRIPT_FILENAME: /modules/index.php

QUERY_STRING: r=simple_messenger/get_operation/new_messages&_r=0.9039344051852822&registered_chat_boxes=945%3A1999%2C

REQUEST_URI: /modules/?r=simple_messenger/get_operation/new_messages&_r=0.9039344051852822&registered_chat_boxes=945%3A1999%2C

QUERY_STRING: r=simple_messenger/get_operation/new_messages&_r=0.9039344051852822&registered_chat_boxes=945%3A1999%2C

SCRIPT_NAME: /modules/index.php

PHP_SELF: /modules/index.php

Quote · 26 Sep 2012

I got the email and my dolphin was both set to -1

 

Quote · 27 Sep 2012
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.