In Dolphin 7, a new security feature was added called PHPIDS. This feature is to assist in blocking common attacks to your Dolphin website. Some of these attacks blocked are (but not limited to):
- Description: finds html breaking injections including whitespace attacks
- Description: finds attribute breaking injections including whitespace attacks
- Description: finds malicious attribute injection attempts
- Description: Detects obfuscated script tags and XML wrapped HTML
- Description: Detects common comment types
- Description: Detects comments to exploit firefox' faulty rendering and proprietary opera attacks
- Description: Detects possibly malicious html elements including some attributes
- Description: Detects classic SQL injection probings 2/2
- Description: Detects basic XSS DoS attempts
- Description: finds attribute breaking injections including obfuscated attributes
Unity Members here starting discovering that simple things that we were doing as Site Admins, such as adding HTML code to a HTML block, were causing these emails to be sent and possibly blocking your access to your site. With the many reports to the forums of this issue, below are the known ways to resolve the issue from getting these Possible Security Attack! messages.
First Option:
Navigate to your Admin Panel>Settings> Advanced Settings> Other
There you will notice to available entries to edit:
1) Total security impact threshold to send report: (This is the impact level defined to trigger an email sent to you)
2) Total security impact threshold to send report and block aggressor: (This is the impact level defined to trigger an email AND block access to your website)
You can adjust these levels to ANY HIGHER value based upon the Total Impact: number you received in the email alert.
Example: If you receive an Possible Security Attack email with a Total Impact level of 25, you can RAISE the current level in the Total security impact threshold to send report: to 26 in order to stop receiving email from attacks on impact levels of 25 or below. Same rules apply with the 2nd impact level setting.
Second Option:
Navigate to your Admin Panel>Settings> Advanced Settings> Other
replace the current impact level values to a -1 (negative 1) for both of the following
1) Total security impact threshold to send report: (This is the impact level defined to trigger an email sent to you)
2)
Total security impact threshold to send report and block aggressor:
(This is the impact level defined to trigger an email AND block access
to your website)
Doing the Second Option will completely disable PHPIDS and you will no longer receive Possible Security Attack messages OR risk being blocked from your site. *** By disabling PHPIDS, you understand that your site could be a risk for an actual attack.
Hope this helps everyone understand better.
Chris
Nothing to see here |
That accually explained a lot more than I thought, we always look for the simplest solution without even understanding the results.
I had like a lot others just set my settings at-1, but it seems that I should of set my settings a little higher maybe instead.
I play around with it, thanks Zarcon for clearing that up a little!:)
Derrick
Back to pulling my hair out! (ouch, ouch,ouch) |
Could you tell me what is the desired level to allow post youtube videos in articles module? intending it's only for administrators use |
Thanks Zarcon....i was stuck & didnt know what to do....u'r advice helped |
It sent me almost 2000 emails today, after I added correct bugreport address. hehe.
This page is where just about all of them happened:
SCRIPT_FILENAME: /var/www/sexdate.no/htdocs/flash/XML.php
And here is some example info:
Total impact: 18
Affected tags: xss, csrf, id, rfe
Variable: REQUEST.pA_c.p | Value: S7QysqoutjI0s1IqyChwTCmOT04EUtGGprFK1olQSSulMiXrTCszazA7FcQ2NDIzMTe3NDExtq7Fpt0EU7shinZTA2MzAxNDC+vaWgA=
Impact: 9 | Tags: xss, csrf, id, rfe
Description: Detects obfuscated JavaScript script injections | Tags: xss, csrf | ID: 25
Description: Detects common XSS concatenation patterns 2/2 | Tags: xss, csrf, id, rfe | ID: 31
Had to increase the numbers earlier today, glad to find a post with more info.
Seems it did not like this users info. Is it not just an encrypted userpass or is there an actual script tag in there or something?
(perhaps randomly generated script tags :)
Moderators here get the security warning message often when saving profile text. (does it not like smileys or what :))
Maybe needs some exceptions and not just higher threshold.
mod_security solves this nicely also, so might try to disable this built in IDS if emails continue.
(no problems in d7 so far, but lots of attempts on older bugs in d6. Search access logs for: txt? shows most of the rfi attempts)
Edit: Got a more precise one from when support approved profiles..
Variable: REQUEST.DescriptionMe.0 | Value: <p>Kanskje finnes det en fr&oslash;ken eller frue som vil hjelpe meg med mine syndige dr&oslash;mmer. <img title=\"Laughing\" src=\"http://sexdate.no/plugins/tiny_mce/plugins/emotions/img/smiley-laughing.gif\" border=\"0\" alt=\"Laughing\" /></p>
Impact: 13 | Tags: xss, csrf
Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1
Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID: 23
Description: finds attribute breaking injections including obfuscated attributes | Tags: xss, csrf | ID: 68
Seems to not like that Smiley-Laughing tag :) (also tripped on encrypted password in cookie, so this scored 44 - just over my increased threshold, so combining many trivial scores is not so good here it seems)
--
Alright, thanks for pointing out this was called phpids (php-ids.org)
Default config file is said to be config.ini
Here is the path on dolphin7:
plugins/phpids/IDS/Config/Config.ini
and then regex filters,
plugins/phpids/IDS/default_filter.xml
Think I'll just decrease the impact of some of the regexes for now, like the one that cathed smileys :)
It seems like a nice IDS script though :)
|
Post Reply - if you going to help - No for - bla bla bla bla |
Perfect solution. Thanks so much :) |
Zarcon, how does this apply for 7.0.2? Darkestar Holdings www.darkestar.com |
Zarcon, how does this apply for 7.0.2?
7.0.2 comes with PHPIDS disabled by default. The values are already set to -1 so it does not apply at all. You can see this in the Admin Panel> Settings>Advanced Settings>Security
Nothing to see here |
The same. But they should have been automatically disabled (set to -1) during the install of 7.0.2 which disabled is now the default.
https://www.deanbassett.com |
Arg. Did not type fast enough. LOL.
https://www.deanbassett.com |
Arg. Did not type fast enough. LOL.
Nah Nah Nah boo boo stick your face in doo doo.. lol
Nothing to see here |
Is that the same thing that cuts your code apart? Is it not possible to do what the admin wants at -1 -1 then choose to return to the security settings later if you want? Csampson |
Is that the same thing that cuts your code apart? Is it not possible to do what the admin wants at -1 -1 then choose to return to the security settings later if you want?
The code-cutting is done by HTMLPurifier, not PHPIDS.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
and what is a good setting? I started at 5, increased to 25 for sending reports, and still get this with level 32 around every second:
Total impact: 32
Affected tags: xss, csrf, id, rfe, sqli, lfi
Variable: COOKIE._pk_ref_8_a443 | Value: [\"\",\"\",1304170626,\"http://www.gmxattachments.net/de/cgi/g.fcgi/mail/print/fullhtml?mid=babgebhh.1304102306.641.b500ahqysy.73&type=full\"]
Impact: 32 | Tags: xss, csrf, id, rfe, sqli, lfi
Description: Detects JavaScript with(), ternary operators and XML predicate attacks | Tags: xss, csrf | ID: 7
Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8
Description: Detects basic obfuscated JavaScript script injections | Tags: xss, csrf | ID: 24
Description: Detects common XSS concatenation patterns 1/2 | Tags: xss, csrf, id, rfe | ID: 30
Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67
Centrifuge detection data Threshold: --- Ratio: --- Converted: ((++::
REMOTE_ADDR: 77.190.77.72
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /var/www/vhosts/XXXX.com/httpdocs/modules/index.php
QUERY_STRING: r=simple_messenger/get_operation/new_messages&_r=0.5641540063949156®istered_chat_boxes=
REQUEST_URI: /modules/?r=simple_messenger/get_operation/new_messages&_r=0.5641540063949156®istered_chat_boxes=
QUERY_STRING: r=simple_messenger/get_operation/new_messages&_r=0.5641540063949156®istered_chat_boxes=
SCRIPT_NAME: /modules/index.php
PHP_SELF: /modules/index.php
it looks like the simple messenger pulls some data, but I honestly can't decide what to set the level :(
|
A good setting is -1. Thats negative 1 for both. Which disables it.
Dolphin ships with it off now for the last couple of versions. It is broken. You should not have it enabled. https://www.deanbassett.com |
Now you have me confused, Zarcon recommends it if I understand it correctly, you say it doesn't work at all.... so what???  |
I did not say it does not work at all. I said it's broken. In this case i mean it's not accurate. Way to many false positives to make it useful.
That post is also a year old. Made before dolphin disabled it by default. Disabling it is now what most of us recommend.
https://www.deanbassett.com |
Ok, now you got me again, indeed its 2010 :D I just saw it on top of the forum and read March, 11th... so its old :)
I have it enabled now with a rating of 40 and it seems to work pretty well now, 37 was the last wrong negative impact, and I still get (blocked) attacks from severals sites with 100% spam.
and it stopped my spam attacks, I have not one spam profile for two days now...
|
I changed it once and turned back to -1, but now it recognizes 0 or something like this, thus, the site isn't anything than an anti-attack mechanism. I can't reach the admin-panel. Where do I find the option in the database? |
so does that all mean its nothing serious when getting notified like:
Total impact: 5<br/>
Affected tags: xss, csrf<br/>
<br/>
Variable: COOKIE.memberSession | Value:
whnrb&Hqp3YzE=7=DeMCa23NtPX5ch3b<br/>
Impact: 5 | Tags: xss, csrf<br/>
Description: Detects JavaScript location/document
property access and window access obfuscation |
Tags: xss, csrf | ID: 23<br/>
<br/>
REMOTE_ADDR: 71.228.251.50
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME:
/xxxxx/xxxxxxx/public_html/modules/index.php
QUERY_STRING:
r=photos/get_image/browse/ea567786d4b72317f4016d12a773c628.jpg
REQUEST_URI:
/m/photos/get_image/browse/ea567786d4b72317f4016d12a773c628.jpg
QUERY_STRING:
r=photos/get_image/browse/ea567786d4b72317f4016d12a773c628.jpg
SCRIPT_NAME: /modules/index.php
PHP_SELF: /modules/index.php
my settings at admin are -1
Diddy is not greedy and has time. Dolphin is cool and its not just mine :-) |
Ok here's one for you. What happens if your own ip is blocked. It has happened to me and I can not get to the ip black list to remove my ip. How does one get on.Any help would be gladly accepted
|
May I ask why you blocked your own IP? It's not something you can do accidentally
Ok here's one for you. What happens if your own ip is blocked. It has happened to me and I can not get to the ip black list to remove my ip. How does one get on.Any help would be gladly accepted
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees. |
I've got 7.0.9, and I STILL get these damn emails. I hadn't checked my email associated with my dolphin, but now that I'm checking it, I've been getting them all along. It's never the same page on my site, or the same files supposedly being compromised. It has NO rhyme or reason, it's just a royal PIMA.
Total security impact threshold to send report: -1
Total security impact threshold to send report and block aggressor:-1
I've had it set to those all along, and I even have the "Send report to admin if spam content discovered" unchecked, yet I STILL get these emails. How the hell can I turn this off?
|
I'm sure that was triggered by this member that has been spamming your site, as of couple minutes ago..
Sent in a PM to you.
Also that looks to be from the shoutbox as well
ManOfTeal.COM a Proud UNA site, six years running strong! |
It's never the same page, and it always seems to be hits from a search engine. I don't get why I'm even receiving them, I have my settings set to -1, I always have. |
Is this anything to worry about ??
Total impact: 7
Affected tags: xss, csrf, id, rfe, lfi
Variable: COOKIE.fbsr_278800235555256 | Value: 0jjLeCQFJpSQC0zIwCdXs2alK4nE65F-ly02J6AC5_k.eyJhbGdvcml0aG0iOiJITUFDLVNIQTI1NiIsImNvZGUiOiIyLkFRQVVtM0RxVXJmWGZVLXYuMzYwMC4xMzQ4NjcxNjAwLjEtNjkyNjgyMDA2fDEzNDg2NjUxMDZ8bzJYcFpvOHdWXzYtNmtHWnlGOFhqamMwT1dBIiwiaXNzdWVkX2F0IjoxMzQ4NjY0ODA2LCJ1c2VyX2lkIjoiNjkyNjgyMDA2In0
Impact: 7 | Tags: xss, csrf, id, rfe, lfi
Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67
Centrifuge detection data Threshold: 3.49 Ratio: 3.2
REMOTE_ADDR: 86.26.21.36
HTTP_X_FORWARDED_FOR:
HTTP_CLIENT_IP:
SCRIPT_FILENAME: /modules/index.php
QUERY_STRING: r=simple_messenger/get_operation/new_messages&_r=0.9039344051852822®istered_chat_boxes=945%3A1999%2C
REQUEST_URI: /modules/?r=simple_messenger/get_operation/new_messages&_r=0.9039344051852822®istered_chat_boxes=945%3A1999%2C
QUERY_STRING: r=simple_messenger/get_operation/new_messages&_r=0.9039344051852822®istered_chat_boxes=945%3A1999%2C
SCRIPT_NAME: /modules/index.php
PHP_SELF: /modules/index.php
|
I got the email and my dolphin was both set to -1
|
