I urgently need help. For the past two weeks someone has been attacking my website with automated scripts. I am using dolphin 6.
I have been programming non stop, trying to block attacks. As soon as I block them in one place, they attack in another. They had been sending out tens of thousands of classifieds ads and blog posts using multiple accounts. I stopped all that.
I deleted multiple accounts that they had been using. Somehow they are now still accessing the website, using the blog search by tags and causing 1,000s of database errors each day. I couldn't even find out where they were accessing the search function on the website. So I remarked that part of the program out.
When I check the error messages, it shows the now non-existent user names that I had deleted and the member id of "0".
Here is an example of a database error report I got.
It shows the error and then:
[ownerName] => zhilin2742
[ownerID] => 0 [isOwner] => 1
I deleted this person's account. It does not show up in phpmyadmin and it does not show up in a search through the admin panel of dolphin.
There are three people attacking me. How can I stop them? Every time I block some part of my website, they find another place to attack. So far, no damage has been done, but they keep causing database errors. I am not an advanced php programmer.
If I could do a check for those three member names, then redirect them somewhere else, it would be great. Can anyone show me how?
Any help would be greatly appreciated.
Thanks in advance
|
They are trying to insert spam directly into your database, they don't know you have deleted them and that's why it's causing errors. If you're on a VPS or dedicated server you can block them using mod_security and CSF firewall. If you're on shared hosting you can try and block their IPs in the htaccess file. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
They are trying to insert spam directly into your database, they don't know you have deleted them and that's why it's causing errors. If you're on a VPS or dedicated server you can block them using mod_security and CSF firewall. If you're on shared hosting you can try and block their IPs in the htaccess file.
I tried ip address blocking. They have a script that attacks for an hour. Then they reset the ip address and start again.
I am hoping to be able to have my software look for a member with id number of "0" and shut them out. How can someone that has been removed from my database be able to log back in at all? Their nickname still shows up in the error reports, but the member number is now "0".
|
Where the problem lies is they are still logged in on their end (cookie) when you delete them, that is how it still shows up as their username. Dolphin doesn't let the post go through which is good, but it doesn't handle it exactly right or it wouldn't cause a database error. Anyone who isn't a member shows up as user number "0" so you can't block them completely or no one would be able to browse or join your site.
If you're on shared hosting your best bet is to prevent them from joining in the first place, here are some ideas:
http://www.boonex.com/forums/?action=goto&search=1#topic/spam-spam-spam-spam-IDEA-.htm
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Where the problem lies is they are still logged in on their end (cookie) when you delete them, that is how it still shows up as their username. Dolphin doesn't let the post go through which is good, but it doesn't handle it exactly right or it wouldn't cause a database error. Anyone who isn't a member shows up as user number "0" so you can't block them completely or no one would be able to browse or join your site.
If you're on shared hosting your best bet is to prevent them from joining in the first place, here are some ideas:
http://www.boonex.com/forums/?action=goto&search=1#topic/spam-spam-spam-spam-IDEA-.htm
Ok, thank you. That answers how they are still accessing my site. I guess I will just do a check for member number = 0 in each of the blog posting routines and then skip the database processing for them. I only want members accessing my blog posting and editing areas anyway.
If it works, I will post the results for others.
|
That should do the trick. Definitely post back if you come up with a good solution, I know tons of people have run into this same situation. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Thanks mscott for the explanation, as I had the same problem a long time ago on my Dolphin 6 test site. Do you know if the same can't happen on Dolphin 7? |
Unfortunately yes, most of the people who have been posting about this lately are using 7.
Thanks mscott for the explanation, as I had the same problem a long time ago on my Dolphin 6 test site. Do you know if the same can't happen on Dolphin 7?
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Hmm, then I have just been lucky that it didn't happen on my D7 test site. This is kind of a serious problem; as I remember this situation from D6, it was very hard to get rid of those spammers, who were hammering my database permanently. This has to be solved somehow. Can somebody with Trac access open a ticket for this? This is a really annoying and serious problem. |
Yeah, I think webman is on the right path.. anyone who is user 0 shouldn't be allowed to get close enough to posting to the database to even cause an error. Hopefully someone who is "premium" or a mod will open a ticket for us.
Hmm, then I have just been lucky that it didn't happen on my D7 test site. This is kind of a serious problem; as I remember this situation from D6, it was very hard to get rid of those spammers, who were hammering my database permanently. This has to be solved somehow. Can somebody with Trac access open a ticket for this? This is a really annoying and serious problem.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
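The guard discussed in this thread, as an added example (not Dolphin's code and not written by any poster): resolve the cookie against the database first, so a deleted account's leftover cookie falls back to guest (member 0), and refuse write actions for guests before any posting query is built. The Profiles table, the memberID/memberToken cookie names and both function names are assumptions.

```php
<?php
// Added example. Table, cookie and function names are assumptions for
// illustration; they are not taken from Dolphin's source.

// Constructed sample data: one live member. ID 42 was deleted by the admin.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Profiles (ID INTEGER PRIMARY KEY, NickName TEXT, Token TEXT)');
$db->exec("INSERT INTO Profiles VALUES (7, 'alice', 'tok-alice')");

// Map the request cookies to a member ID that still exists, else 0 (guest).
function currentMemberId(PDO $db, array $cookies): int
{
    $id    = filter_var($cookies['memberID'] ?? '', FILTER_VALIDATE_INT);
    $token = $cookies['memberToken'] ?? '';
    if ($id === false || $id <= 0 || !is_string($token)) {
        return 0;
    }
    $stmt = $db->prepare('SELECT Token FROM Profiles WHERE ID = ?');
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();
    // No row means the account was deleted: the stale cookie counts as guest.
    if ($stored === false || !hash_equals((string) $stored, $token)) {
        return 0;
    }
    return $id;
}

// Call at the top of every posting/editing action, before any query is built.
function requireMember(int $memberId): void
{
    if ($memberId === 0) {
        http_response_code(403);
        exit('Members only.');
    }
}

// Constructed requests: a deleted account's leftover cookie, a live member, no cookie.
$requests = [
    'stale' => ['memberID' => '42', 'memberToken' => 'tok-old'],
    'live'  => ['memberID' => '7',  'memberToken' => 'tok-alice'],
    'guest' => [],
];
foreach ($requests as $label => $cookies) {
    $id = currentMemberId($db, $cookies);
    echo $label, ': member ', $id, ', posting ', $id > 0 ? 'allowed' : 'refused', "\n";
}
```

Browsing and joining stay open to member 0; only the actions that call requireMember() are closed to guests.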
Moderators or those with premium, can you post a ticket to DOLPHIN 7.0.9 TRAC please? |
Can anyone please tell me where this function is located?
CheckLogged()
If I can find that, then I will simply look for member number = "0" and then send them to a warning message.
So far, I have come up with this little addition:
in blogs.php at about line number 47 find this line:
$_page['header_text'] = $oBlogs->GetHeaderString();
and add this under it:
// check for banned members; exit so the rest of the page does not run after the redirect
if ($sNickName == "zhilin2742")
{ header("Location: http://www.yoursite.com/Hackers-Warning.html"); exit; }
Replace "www.yoursite.com" with your own website link. Replace "zhilin2742" with the known member nickname that is giving you trouble. My biggest one was this guy.
If you have multiple bad guys, use this:
if (($sNickName == "badguy1") || ($sNickName == "badguy2") || ($sNickName == "badguy3"))
{ header("Location: http://www.yoursite.com/Hackers-Warning.html"); exit; }
replacing "badguy1" with the correct profile name.
Then create an html page named "Hackers-Warning.html" and add this to it:
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head><title>Access Denied! You are violating our policies!</title></head>
<body bgcolor="red"><font color="black">
<br><br><br><br><h1 align="center">You have been caught hacking our website.</h1><br><br>
<h2 align="center">Your ip address and contact details have been turned over to the authorities</h2>
</font>
</body></html>
It is simple, basic html and php, but it works. This guy is in for a shock when he comes back, hehe.
But I do want to find that CheckLogged() function. It shows up every time a database query is called up. If I can find this function and then check for member number 0, then I can shut them out.
|
I almost forgot. I nearly stopped all the database attacks by remarking out the function
GenSearchResult()
in BxDolBlogs.php around line 2,000.
Then in blogs.php I made this change:
case 'search_by_tag':
// $sRetHtml .= $oBlogs->GenSearchResult();
$sRetHtml = "Sorry, search has been disabled for security reasons";
break;
This is where they were attacking me the most because it allowed them to try to inject an sql query.
I went from 1,000s of error warnings per day, down to about 10-20 of them.
|
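An alternative to switching the tag search off, as an added example (not Dolphin's code and not from the post above): validate the tag against a strict pattern and pass it to the database as a bound parameter, so malformed input is rejected before any SQL is prepared. The PostTags table and both function names are assumptions.

```php
<?php
// Added example. The PostTags table and both functions are assumptions for
// illustration; they are not Dolphin's schema or API.

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE PostTags (PostID INTEGER, Tag TEXT)');
$db->exec("INSERT INTO PostTags VALUES (1, 'travel'), (1, 'photos'), (2, 'food')");

// Accept only short strings made of letters, digits, space, '_' and '-'.
function cleanTag($raw): ?string
{
    if (!is_string($raw)) {
        return null;            // e.g. tag[]=x arrives as an array
    }
    $tag = trim($raw);
    return preg_match('/^[\p{L}\p{N}_ -]{1,32}$/u', $tag) === 1 ? $tag : null;
}

// Return matching post IDs, or null when the input was rejected.
function searchByTag(PDO $db, $rawTag): ?array
{
    $tag = cleanTag($rawTag);
    if ($tag === null) {
        return null;            // rejected before any SQL is prepared
    }
    // The tag is passed as a bound parameter, never pasted into the SQL text.
    $stmt = $db->prepare('SELECT PostID FROM PostTags WHERE Tag = ? ORDER BY PostID');
    $stmt->execute([$tag]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal tag, an unknown tag, a quote character, an array.
foreach (['travel', 'nosuchtag', "o'brien", ['x']] as $input) {
    $result = searchByTag($db, $input);
    echo json_encode($input), ' => ',
        $result === null ? 'rejected' : json_encode($result), "\n";
}
```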
If you have multiple bad guys, use this:
if (($sNickName == "badguy1") || ($sNickName == "badguy2") || ($sNickName == "badguy3"))
{ header("Location: http://www.yoursite.com/Hackers-Warning.html"); }
You might have better luck (and less work) if you check the email providers instead of the nicknames. The reason I say that is I have several spammers try and sign up every day and they always use different nicknames. If I used this method I would have a thousand names by now.
The list of email providers that the spammers use is a little smaller. I know this won't catch them all but it seems to stop the majority. Here's the list I block:
@126.com @139.com @163.com @gmx.com @110mail.net @mx8168.net @qq.com @yahoo.cn @yeah.net @21cn.com @sohu.com @yahoo.com.cn @tom.com
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Yes, I have seen mods for this before. But won't that block a lot of innocent people as well? I have tons of valid members from Pakistan. The three bad guys are also from Pakistan. I hate to accidentally block valid members as well.
If I can just block out the member 0, from database access, then all is well, I think. I still need to moderate and filter out junk, but still have open access to the site.
|
You might not believe it, but spammers are using @gmail.com :(
I can't block it. If I block it, half the world will not be able to join.
Hey mscott, I have a question.
Will changing join.php to something else help?
so much to do.... |
I have just changed join.php to register.php on my test site and it's working. Can you test it?
It's here: www.buddy-net.co.cc
so much to do.... |
But won't that block a lot of innocent people as well?
It depends, is your site in Chinese? Those email providers' websites I listed are all in Chinese and the people who use them speak Chinese.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Yes, just doing that will block the automated bots that are setup to search for "join.php". It won't stop the spammers that sign up manually though.
After you rename it you will have to edit several files too because it is referenced in about 5 or 6.
Will changing join.php to something else help?
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
I have finished changing join.php to register.php and soon I will implement it on my main site. so much to do.... |
I have already blocked bots by simply adding a captcha code to join, contact, blogs and classifieds. Seems to stop most outside attacks. |
I have read somewhere that the Dolphin captcha was cracked long ago. so much to do.... |
I have read somewhere that the Dolphin captcha was cracked long ago.
I use securimage.
|
Most hackers and hacker robots are from Russia and China and some other countries I don't need for my website, so I have decided to ban these countries.
In your htaccess write this to ban some countries (CN is China, for example):
# the alternatives are grouped so that ^ and $ apply to every country code
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(SN|NE|NG|CG|CN|DE|CI|BJ)$
RewriteRule .* - [F]
And ban proxy servers by writing this:
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule ^(.*)$ - [F]
And you can say bye bye to China and other hackers' countries
|
Just wanted to thank you all for the help. I have no more attacks for now. I think the warning page I wrote must have scared him off because he left my site. |
Can somebody check if this also applies to D7, or whether it's not the case in D7 as BoonEx is saying? I can't test it now as I currently have no test sites... |