Hi all,
The hacking saga continues. I now have my site being port scanned from Taiwan, and I have people trying random username and password combinations. If I was the next Facebook, then I could understand this, but I'm not.
They are obviously looking for Dolphin sites and then looking for weaknesses. Is there any way to disguise a Dolphin site so that it does not show as Dolphin when they come looking for it? Kind of like a virtual camouflage?
It is a daily situation that is really beginning to piss me off big time now, and I do think it's about time Dolphin stepped in and did something about security. BoonEx is very aware that its platform is purposely being singled out for attack. Do something about it please. Can anyone tell me if Ning sites have these problems?
Also, it is my belief that the hackers have infiltrated Unity in order to gain information. I do not know who to trust on here, who to help and who to ignore.
|
Can you explain what you mean by being port scanned and how you know this is happening? |
I get periodic updates from the server that tell me what's happening and when, and recently they have been telling me that the ports are being scanned and giving me the IP. I am then blocking the IP. Someone is pretty much continually looking for weaknesses. I spoke to Richard, who confirmed that the server was port scanned and advised me on how to block the IP.
I also got an update informing me of the random username and password attempts - things like "abcd", "1234" etc. I believe that Dolphin is being singled out to some extent as it is proving a bit of a pushover for hackers at the moment. I figure that they are searching out Dolphin sites. If there is a way to hide in searches that the site is Dolphin then it will be more difficult for them to find.
Oh.... I have been unwell (man flu) but will e-mail you tonight from the office.
Nathan
|
Port scans and random login attempts are common. I don't think that is something targeted at Dolphin. Most of the time, that is robots, as some people have nothing better to do with their time.
You can set most common protocols on non-standard ports. Make sure your passwords are secure,
using special characters, mixing uppercase with lowercase and using at least 2 numbers,
something like $uPer5tUff$2012
or something a little less complex: basically you take a common word, if you will, and randomize letters with numbers such as 3 for E, 5 for S, 4 for H
5H37701L --> ShellOil
then you take this same word --> and add special chars to it
&&5437701L%%
so that password becomes something like 100 billion to one to crack.
Same with your username: typically on a cPanel install, the first 8 characters of your domain will end up being your username on cPanel. If you are on VPS or Dedicated, you can change that, and it's recommended that you do so.
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
Something happened the week before Thanksgiving. I think maybe a vulnerability in one of the packages that comes with cPanel/WHM must have been revealed on the exploit sites. My normal 1 or 2 port scans a day shot up to CONSTANT scans from all over the world. Every time I checked my email I would have 30 or 40 of those warnings. I ended up blocking the worst countries with the firewall, and today it looks like things have gone back to normal, so I unblocked them.
But Dawg is correct, port scans don't really have anything to do with Dolphin. Any time an exploit is released they set those bots to scan every IP range to find servers that are running whatever package the exploit is in.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Thanks Guys,
Glad it's not as bad as I thought. I know the server is tied down securely now after my run in with HFW the other week.
|
Though I do agree with you on how Dolphin sites get targeted. And this goes right back to the post that seems to be getting ignored in regards to the security patch for the vulnerability that was discovered and reported; then BoonEx pushed in the security patch with an update. The issue is that not everybody is interested in upgrading their site, so those sites are essentially vulnerable.
So this goes back to my complaints about the branding, where Andrew Boon thinks it clever to have his name or assumed name in the module names. So if you are a hacker, and know there are exploits, then it's easy to use Google to find something to play with.
allinurl:boonex modules boonex
That search will reveal 5.5M SERPs, most of which are sites that would, in general understanding, never know they had an association with BoonEx's name. So the would-be hacker using advanced search methodology can search all sites that would have the above string, and there you have your exposure; whereas, if the term boonex were not so blatantly distributed across the application, it would be a bit difficult to find you.
So the issue is that we are a target because of the BoonEx name, not so much Dolphin. The exploits are reported, and the name Dolphin could be mentioned, but the developer is almost always mentioned, that being BoonEx, so the search begins.
There are all kinds of advanced search queries that can get Dolphin sites revealed.
So how do you get around this? Outside of rewriting where and how these modules are stored, or setting up some elaborate method of having the /modules directory outside of public root and then using a symlink or SSI to get the information, there is no way to mask out this issue.
|
Want to see an interesting search return:
allinurl:*boonex WOW gold
27 thousand returns; you know that these are all compromised sites from spammers. Even though you shut off the site and think you have it secured, and require email verification, these emails are being verified by bots, so this is not really a security feature that is viable any longer, as the spammers have found a workaround for that method.
So the bot registers on the site, the email gets sent out for verification, a bot verifies the email, and the spam bot or spammer goes to work on your Dolphin site.
Want to see a funnier return:
allinurl:*boonex shoes
1 MILLION+ returns.
These too are spammers.
http://www.google.com/webhp?sourceid=chrome-instant&ie=UTF-8&ion=1&nord=1#sclient=psy-ab&hl=en&nord=1&site=webhp&source=hp&q=allinurl:*boonex+shoes&pbx=1&oq=allinurl:*boonex+shoes&aq=f&aqi=&aql=&gs_sm=e&gs_upl=241314l242598l3l242796l7l6l0l0l0l0l212l782l0.4.1l5l0&bav=on.2,or.r_gc.r_pw.r_cp.,cf.osb&fp=885af3d11e70f017&ion=1&biw=1280&bih=612
You can get really funky with queries and find some interesting stuff. Now why is this relevant here? If you read through these forums, there are folks in here who don't even have a clue how to change a font color, much less guard themselves from spammers, who are advanced in their fields. These few queries I mention here are crap compared to what you can query Google for. So as you can see just from this little experiment, we are all vulnerable and exposed because of the "boonex" name.
Then looking at how vulnerabilities are sought out, this is one method, not the only method:
When error logs are publicly accessible, that is a problem. So looking at how Dolphin is getting exposed:
allinurl:*boonex + ~error_log
will return 25K
from a search where BoonEx error logs are showing up on Google. Where all take precaution when adding their errors on the forums here, thinking they are protecting their site from being exposed, the site is heavily exposed from the error logs being cached on the search engines.
Would you consider this a security issue? I would!
|
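A self-audit for the error_log exposure described in the post above, added here as an example and not code from BoonEx or anyone in this thread: it asks your own site for a few candidate log locations and reports which ones the server actually serves. The paths under /modules are assumptions, and `fetch` is injectable so the logic can be exercised offline.

```python
"""Self-check: does your own Dolphin site serve files that should never be
public, such as the error_log files the thread says end up in search caches?

Added example, not BoonEx/Dolphin code. The candidate paths are an assumption
(error_log at the web root and under the modules directory the thread names);
extend the list for your install. `fetch` is injectable so the logic can run
offline; the default uses urllib against the site you operate.
"""
import sys
import urllib.error
import urllib.request

# Assumed locations; only "modules" and "error_log" come from the thread.
CANDIDATE_PATHS = ("error_log", "modules/error_log", "modules/boonex/error_log")


def default_fetch(url, timeout=10):
    """GET url; return (HTTP status, or None on network error, first 512 bytes)."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-self-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(512)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except urllib.error.URLError:
        return None, b""


def looks_like_php_log(body):
    """PHP's error_log lines open with a bracketed timestamp followed by 'PHP '."""
    head = body.lstrip()[:512]
    return head.startswith(b"[") and b"] PHP " in head


def find_exposed(base_url, paths=CANDIDATE_PATHS, fetch=default_fetch):
    """Return [(path, is_log)] for each path the server answers with HTTP 200.

    is_log separates a real log from a soft-404 page that also returns 200.
    """
    base = base_url.rstrip("/") + "/"
    exposed = []
    for path in paths:
        status, body = fetch(base + path)
        if status == 200:
            exposed.append((path, looks_like_php_log(body)))
    return exposed


if __name__ == "__main__":
    # Usage: python exposure_check.py https://your-site.example
    for path, is_log in find_exposed(sys.argv[1]):
        kind = "PHP log content" if is_log else "unknown content"
        print(f"{path}: served with HTTP 200 ({kind})")
```

Anything reported as log content should be blocked in the web server config and removed from the search engine cache; an empty result only covers the paths you listed.
|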
So kindly educate me please, as I am just starting to build my site. Yes, I too have been getting these crazies signing up on my site. Right now I am manually deleting them.
On the signup screen what would Captcha do? Anything?
|
The captcha with Dolphin is a busted piece of shit, and does not work.
|
How about a question on the sign up screen? I read somewhere on the forum; say, What is 2+2? |
Hang on a second...... I have paid for a license, BoonEx branding is removed as it should be, but my site can still be tracked back to BoonEx? Isn't this misleading? I thought ALL branding and association with the platform would be removed. Isn't that what we pay for? |
Well, you would think so, but it's to remove the footer links only. The site is still heavily BoonEx branded.
|
They will always, always, always leave a signature within the code in many places. 99% will never know and it will never hurt them. All software companies will do this.
It is great for SEO as well, but more importantly it's a footprint that the product belongs to them or is their innovation.
That is what I think.
|
That eliminates the bots; however, in my case studies, you are still getting spammers logged in, because those who are dropping those links are being paid, so there is human intervention on these as well.
|
So you mean to tell me there are people paying others to actually visit sites and sign up? What is the reason? Is it so they can post product info and other garbage? |
Yes, you mentioned it yourself: SEO branding.
|
Yes, it's called link building: if some site gets many links from other sites, that site gets a higher grade in SEO terms, so there are thousands of people paid to sign in on forums and post links and other shit.. I ended up making all my sites' membership 1 USD for one year, and that way I got rid of 100% of spammers :-) |
Yes, branding and SEO. That is what I thought. So basically if they are legit humans and not bots, there is not much one can do except charge them or manually approve them.
So how do sites such as Google, FB, Twitter take care of this problem? I mean I have seen many forums and they seem to be running just fine, nothing like this.
|
There are a few services like Akismet which analyze all posts and users, and if there is spam it doesn't get through, altogether with other precautions like reCAPTCHA, banning certain countries from access etc... This way you can lower spam by 90%; the rest 10% you have to take care of manually as admin, or make your site paid and put something like a one dollar fee and you will have no spam at all :-) |
Most specifically, because you ask, I will answer in summary: they pay server engineers, they have an IT budget which allows for updated technology, they are not hosting on a $4.95/month hosting package.
Firewalls, routers, load-balancers, server and network monitoring, and besides that, the names you mention have cash money to bust one's ass if they do this stupid shit on their servers.
But in true essence, FB, Twitter, and the likes are also continuous targets, just not from spammers, and I am sure they are targets of spammers, specifically Twitter and LinkedIn, but they attend to their network; they, being Facebook, Twitter, Google, and any other entity, are in constant defense of their network.
As you may or may not know, Twitter was taken down a couple of weeks back by hackers, Facebook was spawned with thousands of pornographic pictures. So even with their budgets and hi-tech equipment and state of the art knowledge of network and server engineers, they fight the same battle, I would presume on a constant basis; it's just that they manage it better, and the results are not cached. They also have a captcha that works.
|
Kindly tell me how to determine if most are actual humans or bots? What distinguishes them from each other? Looking at the many that have registered in the last few days, they have the US as the origin, at least that is what shows on the admin side.
If I could determine if it is bot or human then it is a start.
|
http://www.boonex.com/forums/?action=goto&my_threads=1#topic/China-is-invading-help-me-with-form-field-validation.htm
You can try that. It seems to help with the bots. There is also a list of known spammer domains, i.e. 163.com and such, that are pretty good indicators that the users are spammers. Also, if they go directly to posting ugg boots or gucci handbags, you know they are spammers, and at that juncture, just ban them.
A sure-fire all out prevention, I don't think anybody has managed to accomplish that feat yet.
|
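The indicators in the reply above (spammer email domains such as 163.com, first posts pushing ugg boots or gucci handbags, and the signup question suggested earlier in the thread) turned into a registration triage script, added here as an example and not code from BoonEx or the poster. The score weights, the review threshold and the sample accounts are constructed.

```python
"""Triage new Dolphin registrations for likely spam accounts.

Added example, not BoonEx/Dolphin code. Signals are those the thread names:
spammer email domains (163.com is from the thread; the other is a placeholder),
first posts dropping links and pitching "ugg boots"/"gucci handbags", and a
failed signup question ("What is 2+2?"). Weights, threshold, samples: constructed.
"""
import re
from dataclasses import dataclass

SPAM_EMAIL_DOMAINS = {"163.com", "spam-domain.example"}  # maintain your own list
SPAM_KEYWORDS = ("ugg boots", "gucci handbag", "wow gold")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
REVIEW_THRESHOLD = 3  # at or above: hold the account for manual review


@dataclass
class Registration:
    username: str
    email: str
    first_post: str = ""
    answered_signup_question: bool = True


def score_registration(reg):
    """Return (score, reasons): independent spam signals summed up for the admin."""
    score, reasons = 0, []
    domain = reg.email.rsplit("@", 1)[-1].lower()
    if domain in SPAM_EMAIL_DOMAINS:
        score += 2
        reasons.append(f"email domain {domain} is on the spammer list")
    text = reg.first_post.lower()
    links = len(URL_RE.findall(text))
    if links >= 2:
        score += 2
        reasons.append(f"{links} links in first post")
    hits = [kw for kw in SPAM_KEYWORDS if kw in text]
    if hits:
        score += 2
        reasons.append("spam keywords: " + ", ".join(hits))
    if not reg.answered_signup_question:
        score += 3  # bots fail the human question outright
        reasons.append("failed signup question")
    return score, reasons


def triage(registrations):
    """Return (username, score, reasons) for accounts to hold, highest score first."""
    scored = [(reg.username, *score_registration(reg)) for reg in registrations]
    flagged = [entry for entry in scored if entry[1] >= REVIEW_THRESHOLD]
    return sorted(flagged, key=lambda entry: -entry[1])


# Constructed sample registrations for a dry run: triage(SAMPLE) flags two of them.
SAMPLE = [
    Registration("jane_d", "jane@example.org", "Hi all, new here and into photography."),
    Registration("zx8812", "zx8812@163.com",
                 "cheap ugg boots http://a.example/ugg http://b.example/shop"),
    Registration("botuser", "bot@example.net", "", answered_signup_question=False),
]
```

The reasons list is what an admin sees before banning, so a paid human spammer who answers the question still surfaces through the domain and link signals.
|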
My lady,
May I introduce myself... I am a former internet pro, Twitter guru and SEO master.
Since 1998 I have created so many websites and resold them it's not funny; one thing is now a problem and will never go away.
You can not and will not be able to stop the bots; they are here to stay and here to take over the net BECAUSE it is in controls destiny.
If there is any type of signup form regarding any website that is a BLOG - SOCIAL NETWORK - FORUM and the likes - you are doomed.
I, along with many other techs more capable than any you'll find here or on Facebook for that matter, will guarantee you that nothing - upon NOTHING will stop the Chinese and Asian bots..
Even a billion dollar giant, whose script code was supported by many here at BoonEx, cannot keep the bots out.
it is written as they'd say in scripts - and i promise this - as soon as someone rips you off for a fix - you'll be ripped off by the next tech for another temporary server fix to prevent bots from accessing back-doors to your script.
The problem lies with billions of code searching bots figuring out the next move as fast as the coders can offer a patch.
The solution? They will need to re-invent the internet.
|
Get a grip on yourself and a real informed decision
Is this a bot? I'm pretty sure it's a bot..
|
Last response: you don't get as informed as I without hands on experience, and heck, with 6000 plus fans on Twitter - I should be called - informed?! |
teenzup 1 Dec 2011 · [post hidden]
|
teenzup 1 Dec 2011 · [post hidden]
|
And THIS could not have been asked - 1 plus one is two. |
Ok great, we now have an expert with us. So I am not sure where all those quoted comments are coming from, but nonetheless. If you are who you say you are, or at least one with extreme knowledge, then kindly shed some light on how to at least reduce the impact it has on our sites.
Advise us on the different ways to reduce the crazy sign ups.
I do not have to yell that I am a Doctor; people around me know and realize when I fix them up as to what I do. As they say, action is louder than words.
|
As I already recommended, make your site a one dollar a year membership fee. 100% guarantee all spammers will be out :-) For hackers, consultation with a security engineer would solve 90% of attacks as he configures the server properly; the rest 10% is bad luck ... even Sony got hacked... :-) |
Can you give me a link to your site to see how it is done?
Thanks
|