Why is Dolphin so vulnerable to attacks?

I am fed up with security issues with this software. The cache gets filled up with crap and all the stupid threshold stuff is junk.. doesn't work.. i tried working with .htaccess and that's useless too.. I tried installing spambot of Denre but the installation does not happen.. what's wrong with it.. i know i am not the only one suffering from this.. can anyone suggest any solutions that work and are practical?

Thanks in advance.

Quote · 25 Feb 2014

First of all, every public facing website gets attacks. Actually, from my server logs it seems most of the attempts on my server are trying to exploit WordPress.


Denre is travelling at the moment but stated that support would continue so send a message and state you need help with the module.

 

Geeks, making the world a better place
Quote · 25 Feb 2014

thx for the response.. i have been trying to allow access only to my IP for the time being till i am able to install botstop.. do you know a way of doing it? probably through .htaccess?

Quote · 25 Feb 2014

 

thx for the response.. i have been trying to allow access only to my IP for the time being till i am able to install botstop.. do you know a way of doing it? probably through .htaccess?

What kind of server are you on?  You can block access through the .htaccess and only allow your IP.

The order matters and you can read up on this or wait for someone to answer as well, I don't use .htaccess much because I operate on Nginx.

I think the order you want is allow deny with deny from all, allow from your IP Address.  HL is an .htaccess guy, maybe he will step in.  Meanwhile I will go check.

Geeks, making the world a better place
Quote · 25 Feb 2014

Here is the Apache page explaining allow/deny and how the order matters.

http://httpd.apache.org/docs/2.2/howto/access.html

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order

Geeks, making the world a better place
Quote · 25 Feb 2014

Order Deny,Allow
Deny from all
Allow from IP Address

You would place that in a .htaccess file in your web root.

Geeks, making the world a better place
Quote · 25 Feb 2014

I am on Windows.. the htaccess for cache, cache_public and tmp, i used is as follows:

order deny,allow
deny from all
allow from 1.2.3.4

I tried with changed order too in the cache folder htaccess.. allow, deny.. but still the folder is getting filled.. If this is the right way of testing then it's not working.. 

Do we need to add any file matching tag as well like <FilesMatch "^.*\.php|.*\.php5$"> around the above set of commands?

Quote · 25 Feb 2014
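The Apache 2.2 `Order` semantics behind the snippets in this thread (the `Deny from all` / `Allow from <IP>` posted above and the "changed order" attempt), as an added Python example that is not from the thread or from Dolphin: it parses the three directives and evaluates a client address the way mod_authz_host documents it, which shows why `Order Allow,Deny` with `Deny from all` locks everyone out, including the allowed IP. The address 1.2.3.4 is the placeholder from the thread; the second client address is a constructed sample.

```python
import ipaddress

# Constructed sample mirroring the snippet posted in the thread
# (1.2.3.4 is the placeholder address used there).
HTACCESS_DENY_ALLOW = """
Order Deny,Allow
Deny from all
Allow from 1.2.3.4
"""

# The same rules with the order flipped, as the poster tried.
HTACCESS_ALLOW_DENY = HTACCESS_DENY_ALLOW.replace("Deny,Allow", "Allow,Deny")


def parse_htaccess(text):
    """Extract Order, 'Deny from' and 'Allow from' directives (case-insensitive)."""
    order, deny, allow = "Deny,Allow", [], []   # Apache's default Order is Deny,Allow
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order" and len(parts) > 1:
            order = parts[1]
        elif key in ("deny", "allow") and len(parts) > 2 and parts[1].lower() == "from":
            (deny if key == "deny" else allow).extend(parts[2:])
    return order, deny, allow


def matches(client_ip, rule):
    """'all' matches every client; otherwise match a single IP or a CIDR network."""
    if rule.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        return False


def is_allowed(htaccess_text, client_ip):
    """Apply mod_authz_host (Apache 2.2) semantics for Order Deny,Allow / Allow,Deny."""
    order, deny, allow = parse_htaccess(htaccess_text)
    denied = any(matches(client_ip, r) for r in deny)
    allowed = any(matches(client_ip, r) for r in allow)
    if order.lower() == "deny,allow":
        # Deny rules first, then Allow rules override; unmatched clients are allowed.
        return allowed or not denied
    # Allow,Deny: a client must match an Allow rule AND no Deny rule; 'Deny from all'
    # therefore rejects everyone, which is why the flipped order appeared "not to work".
    return allowed and not denied


if __name__ == "__main__":
    for cfg, name in ((HTACCESS_DENY_ALLOW, "Deny,Allow"), (HTACCESS_ALLOW_DENY, "Allow,Deny")):
        for ip in ("1.2.3.4", "5.6.7.8"):
            print(name, ip, "allowed" if is_allowed(cfg, ip) else "denied")
```

Apache 2.4 replaced these directives with `Require ip` / `Require all denied`, but the same lockout happens there if the allow rule is placed where it cannot override the deny.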

ok saw your reply.. that's not working.. don't know the reason.. found this myself on google too.. 

Quote · 25 Feb 2014

 

ok saw your reply.. that's not working.. don't know the reason.. found this myself on google too.. 

How are you testing it?  If you PM me the site URL, I will see if I can see the site or not.

Geeks, making the world a better place
Quote · 25 Feb 2014

Dolphin is filling the cache with things it needs to fill the cache with.

If you want to block your site, you place that in the web root of the site.

Geeks, making the world a better place
Quote · 25 Feb 2014

Dolphin ships with an .htaccess in the /cache and /cache_public that denies from all; which prevents that directory from being browsed.  Dolphin will have access to the caches for the things it needs to cache.  Don't worry about that.

Geeks, making the world a better place
Quote · 25 Feb 2014

just pm'd you.. see what is happening is, the site is not officially launched... so i know it's only me who is manually logging in.. there can be no other user at the moment.. so what happens is, even without me logging in as any user, files keep getting generated in cache, cache_public and tmp folders.. i checked the stats on godaddy and saw a large number of hits and lots of bots listed too who accessed the site.. 

Quote · 25 Feb 2014

OK, I keep forgetting that people often install Dolphin differently than I do.

You would add the code to the top of your regular Dolphin .htaccess file; you need to keep the Dolphin .htaccess file in place for your site to work.

Geeks, making the world a better place
Quote · 25 Feb 2014

already did that too.. the snippet from the top portion of the file is:

order deny,allow
deny from all
allow from 1.2.3.4

Options -MultiViews -Indexes

<IfModule mod_php4.c>
    php_flag register_globals Off
</IfModule>

.....
....
......

Quote · 25 Feb 2014

this is the htaccess under the dolphin root.. 

Quote · 25 Feb 2014

Yes, the cache directories are meant to populate with a bunch of files. /cache houses DB cache, and /cache_public keeps the CSS and JavaScript cache. These directories can fill up with a lot of cache files, especially /cache. It's normal and happens automatically.

 

Don't use PHPIDS. It's broken and needs to be removed. If you have spammers, try enabling the China DNS blocklist under Administration -> Tools -> Antispam Tools. Also make sure the DNS blocklist is enabled under the Antispam settings, and the behavior option is set to block. Having the DNS blocklists enabled will keep out 99% of spammers.

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 25 Feb 2014

hey Nathan.. so yes i kinda blocked all that was there to.. all under DNS block list.. uridns blocklist.. and under settings checked everything except enable Akismet.. don't know what it is.. needs some key etc.. let me see if anything changed.. 

also.. have a question.. will files be added in cache folders without any users accessing the site? because that's happening here.. 

Quote · 25 Feb 2014

still getting the issue.. the site randomly responds with internal server error and after a refresh or two will come up.. and under admin, module install isn't happening

Quote · 25 Feb 2014

Dolphin generates the cache, so I'm not sure why this is a concern. If you don't want the cache to generate for some reason, simply turn it off under Administration -> Tools -> Cache -> Settings. However, some DB cache will still be generated regardless of these settings by Dolphin when the cache is cleared.

 

What happens when you try to install a module? Is there an error message? For the Internal Server Error, check for an error_log file under /public_html. Is this shared hosting, and is there some form of resource limiting?

BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Quote · 25 Feb 2014

 

still getting the issue.. the site randomly responds with internal server error and after a refresh or two will come up.. and under admin, module install isn't happening

Internal server error is often caused by errors in the .htaccess file.

Geeks, making the world a better place
Quote · 25 Feb 2014

hi Nathan.. yes it's shared hosting.. the log files are large.. trying to have a look.. I have tried to locate the errors earlier but nothing really showed when i checked.. will do it again.. and yes it just says internal server error in the browser.. 

i understand cache gets generated. The concern as i said is only that, it's getting generated even when the site is not being pinged by any actual user. It's like, i delete all the files in cache folder and in a fraction of a second it's full again.. and this is while no user is accessing the site.. So obviously in that case, it would be hack bots or whatever.. at least not someone friendly.. 

let me download the error logs on my machine n see if i find something..

Quote · 25 Feb 2014

 

hi Nathan.. yes it's shared hosting.. the log files are large.. trying to have a look.. I have tried to locate the errors earlier but nothing really showed when i checked.. will do it again.. and yes it just says internal server error in the browser.. 

i understand cache gets generated. The concern as i said is only that, it's getting generated even when the site is not being pinged by any actual user. It's like, i delete all the files in cache folder and in a fraction of a second it's full again.. and this is while no user is accessing the site.. So obviously in that case, it would be hack bots or whatever.. at least not someone friendly.. 

let me download the error logs on my machine n see if i find something..

Yes, that is normal behaviour, certain files will be recreated by Dolphin after you delete them from the cache. It is not bots hitting the cache; that is the purpose of the .htaccess files you see in the cache folders. They are set to deny from all; no allow, deny from all.

Geeks, making the world a better place
Quote · 25 Feb 2014

I wonder if in your attempt to block something that was not happening, you have made an error somewhere.  Back up your current .htaccess file in the web root to .htaccess.bck. and then upload the .htaccess file from the Dolphin version of your site.  Clear caches again, and see if your site operates as it should.

Geeks, making the world a better place
Quote · 25 Feb 2014

ok.. let me try this.. i just the logs.. no errors there.. but yes i have got messages saying that the site has been hacked and info is being sent to the owner.. i guess from what i understand from you and Nathan, there might be a mix of actual threat and some false perception on my part too.. give me some time, will try few things that you suggest.. 

Quote · 25 Feb 2014

Disable PHPIDS in admin.  It has never worked, and no one uses it.

Disable PHPIDS

[Screenshot attachment: ssPHPIDS.jpg]
My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 25 Feb 2014

Although note you might get a message about your site being hacked even with PHPIDS disabled.  One day I got this email about my site being hacked and yes, PHPIDS was disabled.  I knew to just ignore it.

Geeks, making the world a better place
Quote · 25 Feb 2014

Here's a recent thread Deano posted. May also be of help:

http://www.boonex.com/forums/topic/Remove-PHPIDS.htm

Quote · 25 Feb 2014

 

I tried installing spambot of Denre but the installation does not happen..

I use Denre's Bot Stop and am very satisfied with the results, actually don't even have to have the captcha on the join form because of how it works...

I get hit all day long on my top three sites, and since the install have never had one spam bot get through.

I think he still does a money back deal if bots get in.

PM me if you need help with the install; I have worked extensively testing and using it.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 25 Feb 2014

I also have an anti-spam module as well. http://www.boonex.com/m/dolphin-anti-spam

https://www.deanbassett.com
Quote · 25 Feb 2014

I'm confident in my module and am surprised you did not contact me with any issues you experienced. I even offer a full refund if I can't get it to work. There should be no need to buy expensive spam modules from other vendors.

Please PM me with the issue(s) you have installing my module and I will resolve it asap!

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 25 Feb 2014

 

There should be no need to buy expensive spam modules from other vendors.


That was a little uncalled for don't you think. Perhaps all the other vendors should tell people not to buy yours either.

https://www.deanbassett.com
Quote · 25 Feb 2014

 

 

There should be no need to buy expensive spam modules from other vendors.


That was a little uncalled for don't you think. Perhaps all the other vendors should tell people not to buy yours either.

A lot uncalled for I would say. Although those of us who have been around know who does quality coding around here. Deano tops the list in my opinion. The awesome admin panel control and professionalism found in Dean's mods are your first clue to the effort and many intense hours of coding that goes into the mod. I wish the boonex modules were of this quality. hint hint boonex.

You can't compare boones farm to fine wine. Yeah they both get you drunk but....

Quote · 25 Feb 2014

 

 

There should be no need to buy expensive spam modules from other vendors.


That was a little uncalled for don't you think. Perhaps all the other vendors should tell people not to buy yours either.

 

I am interested in what customers (rather than other vendors) have to say about my modules, and with the exception of this one issue everyone is very happy with my BotStopper. Please read the reviews to back this up.

The way I see it, when someone is having issues with a module they've already purchased, the focus should be on getting that resolved (which is easily done), rather than opportunistically promoting a similar module that is almost 3 times more expensive and would mean the customer has to needlessly spend a lot more money.

Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information
Quote · 25 Feb 2014

Let's please not get into a flame war.  I think both Deano and Denre are great vendors and I can see where it may have appeared that it was suggested that the OP drop Denre's anti-spam module in favour of another vendor's module.  I don't think it was meant in that light at all though.  Vendors often mention their modules in posts.

Geeks, making the world a better place
Quote · 25 Feb 2014

CHILDREN!

I don't use any modules to block spam. If you search the word 'Spam' here you will find many different ways to stop it all. The best is the human check (or bot check).

Instead of starting a thread slamming Boonex for your own spam issues, it might be better to just take some time and do a little research here. If you have any skills at all you will be able to simply and effectively stop this problem.

If you need a search term, try this one === 'Spam'

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 25 Feb 2014

 

The best is the human check (or bot check).

Sky, as you know I was one of the ones that participated in that experiment, I eventually had to change as the bots somehow adapted to this and were getting in.

I went with Denre's BotStopper after he approached me long ago to help test his module, which turns out to be very good.

As he explained to me in some terms I could understand, lol, bots fill in join forms instantly and humans take a bit more time... which makes perfect sense. Now there are other features of the module that you cannot see work, but just try to submit some spam, hell I even got myself blocked from some of my sites. lol

Now for Deano, I have many clients that use his module as well and his provides good results too.

Both are great modules, both by very good coders IMO, too bad vendors do not provide admin demos to actually see how each module works.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 26 Feb 2014

 

too bad vendors do not provide admin demos to actually see how each module works.

To clarify this claim; I work on many clients' sites so I have seen just about every module on the market.

Have had lots of experience with all of them.

I would not say this as a "regular" member, as I have a support site, and support ticket system that keeps me full of experience with all the modules, and their flaws.

ManOfTeal.COM a Proud UNA site, six years running strong!
Quote · 26 Feb 2014

I'm not trying to step on everyone's parade but my site has been up since 2009 and the towtalk domain name has been around since early 2000. I literally do not get any spam. Once in a while (like every 6 months or so) someone manages to get in, usually a manual spammer.....

I would venture to say that however you set that bot, you made the question and answer perfectly logical.... That's the ONLY way I can see a machine getting past it....

http://towtalk.net ... Hosted by Zarconia.net!
Quote · 26 Feb 2014

i did a fresh install.. put strong passwords and enabled all the block lists and set the thresholds to -1.. i still get random internal server errors which work just fine after a refresh or two.. i am talking to Denre on pm to help with the installation issue.. will keep you guys posted.. thanks.. 

Quote · 26 Feb 2014