SPAM - Bots Bypassing Admin Approval!

Started by AlkaSeltxer, November 25, 2012, 06:17:39 AM


AlkaSeltxer

November 25, 2012, 06:17:39 AM Last Edit: November 25, 2012, 03:36:15 PM by AlkaSeltxer
The past 3 or 4 weeks I've been having a huge issue with spam bots registering and posting. I installed httpBL, Stop Spammer and Bad Behavior. That stopped them for about two days. Suddenly a few hours ago it started up again. Bots getting through the three mods and spamming the boards. So I set registration to admin approval until I could do some looking around... I go back to the forum and to my amazement the bots were able to "admin approve" themselves and start posting spam again!

CAPTCHA and the questions are set up as well.

My question... Where do I even start looking... Mod related? I have disabled registration for the time being. Kinda curious if they are still able to get in. I'm at a loss.

SMF 2.0.2
w/mods:
Latest TP
Users mass actions 0.1.1
Menu Editor Lite 1.0.5
Add Social Media Icons To Profiles 1.0.7
Treasury 2.10
httpBL 2.5.1
Bad Behavior mod 1.5.13
Ohara YouTube Embed 1.0
BlogBridger 1.1.4
Bookmarks 2.5
SA Facebook 2.0 RC4 Rev58
Stop Spammer 2.3.9
~Josh~
Over 16 keyboards lost to raging.

Storman™

You seem to have done all the right things. I have httpBL and Stop Spammer on their own and they stop 99% so I'm not sure what's happening on your forum.

Makes me wonder if BlogBridger has a vulnerability despite registration being in SMF? I know nothing about this bridge though so can't really comment further.

AlkaSeltxer

Quote from: Storman™ on November 25, 2012, 06:36:51 AM
You seem to have done all the right things. I have httpBL and Stop Spammer on their own and they stop 99% so I'm not sure what's happening on your forum.

Makes me wonder if BlogBridger has a vulnerability despite registration being in SMF? I know nothing about this bridge though so can't really comment further.

BlogBridger was installed after the fact for the most part; but before I noticed the issue with admin approval being bypassed. I had never used admin approval before this so I couldn't say it wasn't already an issue that I just hadn't had a chance to notice.
~Josh~
Over 16 keyboards lost to raging.

Storman™

You could try something like CrawlProtect which gives some protection against code injection attempts.

I take it there's nothing in your SMF error log. A look in the main server/site logs would be interesting if you have access.
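
An added example, not part of any poster's reply: one way to do the server-log review suggested above, assuming an Apache/nginx combined-format access log and the stock SMF 2.0 action names `register`, `register2` and `activate`. The sample log lines and IP addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/nginx "combined" log format; adjust for your host.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Assumption: stock SMF 2.0 account-creation actions.
WATCHED = {"register", "register2", "activate"}

def parse_line(line):
    """Return ip/ts/method/url/status plus the SMF action, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # SMF separates query parameters with ';' as well as '&'.
    qs = parse_qs(urlsplit(m["url"]).query.replace(";", "&"))
    return {**m.groupdict(), "action": qs.get("action", [""])[0]}

def summarize(lines):
    """Per-IP counts of registration traffic, flagging scripted submits."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] in WATCHED:
            per_ip[rec["ip"]][(rec["method"], rec["action"])] += 1
    report = {}
    for ip, c in per_ip.items():
        forms, submits = c[("GET", "register")], c[("POST", "register2")]
        report[ip] = {
            "form_views": forms,
            "submits": submits,
            "activations": c[("GET", "activate")] + c[("POST", "activate")],
            # A submit with no form fetch suggests a script, not a browser.
            "submit_without_form": submits > 0 and forms == 0,
        }
    return report

# Constructed sample lines (documentation IP ranges), not from a real log.
SAMPLE = [
    '198.51.100.7 - - [25/Nov/2012:06:01:10 +0000] "POST /index.php?action=register2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Nov/2012:06:01:12 +0000] "GET /index.php?action=activate;u=901;code=abc123 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Nov/2012:06:05:00 +0000] "GET /index.php?action=register HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Nov/2012:06:06:30 +0000] "POST /index.php?action=register2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Nov/2012:06:07:00 +0000] "GET /index.php?topic=5.0 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
```

Run `summarize()` over the access log for the period when the unwanted accounts appeared and compare the flagged IPs with the registration IPs shown in the member list.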

AlkaSeltxer

Quote from: Storman™ on November 25, 2012, 07:08:35 AM
You could try something like CrawlProtect which gives some protection against code injection attempts.

I take it there's nothing in your SMF error log. A look in the main server/site logs would be interesting if you have access.

I'll look into that.

Right now the bots are still getting accounts to register with registration disabled! It's even sending out Approval Notifications to these new registers.

Error logs are clean, server side and on SMF. As for the general server logs, I wouldn't know where to look. Never needed to. Would they be accessible through cpanel?

Could this be an issue with .htaccess, or a bad chmod on a file?
~Josh~
Over 16 keyboards lost to raging.

Storman™

Quote: Could this be an issue with .htaccess, or a bad chmod on a file?

Maybe... but don't think that's the issue.

CrawlProtect will actually analyse the chmod on all your files and folders and tell you if they are set incorrectly. It will also create a secure htaccess.

To be honest the reason for your issue is hard to ascertain without actually taking a look at your setup, in theory it sounds like you've done all the right things.


Kindred

I bet it has to do with the Facebook integration. Deactivate that.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

AlkaSeltxer

Quote from: Kindred on November 25, 2012, 02:02:08 PM
I bet it has to do with the Facebook integration. Deactivate that.

Ehh, don't want to, but I'll try anything at this point.

Side note: I went through and did a clean file install of the forums, no change. I'll try killing Facebook integration.
~Josh~
Over 16 keyboards lost to raging.

Kindred

If there are users in the pending activation queue, then they can still ACTIVATE the accounts after you turn off registration.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

AlkaSeltxer

Quote from: Kindred on November 25, 2012, 02:35:01 PM
If there are users in the pending activation queue, then they can still ACTIVATE the accounts after you turn off registration.
Nada, list is and was empty after shutting down the registration, also when setting it to admin approval.
~Josh~
Over 16 keyboards lost to raging.

AlkaSeltxer

Quote from: Kindred on November 25, 2012, 02:02:08 PM
I bet it has to do with the Facebook integration. Deactivate that.

Didn't change a thing.
~Josh~
Over 16 keyboards lost to raging.

busterone

Double check all your membergroup permissions. You possibly have a permissions issue somewhere that is allowing them to admin approve themselves. 
It is possible that you accidentally set wrong primary or secondary permission level using the Users mass actions mod.

AlkaSeltxer

Quote from: busterone on November 25, 2012, 05:42:37 PM
Double check all your membergroup permissions. You possibly have a permissions issue somewhere that is allowing them to admin approve themselves. 
It is possible that you accidentally set wrong primary or secondary permission level using the Users mass actions mod.

As far as I can tell, memgroups looks ok...
~Josh~
Over 16 keyboards lost to raging.

Sir Osis of Liver

Quote from: AlkaSeltxer on November 25, 2012, 02:27:58 PM
Side note: I went through and did a clean file install of the forums, no change. I'll try killing Facebook integration.

Did you delete all forum files, and verify that all were gone, before reinstalling it?

"The best laid schemes o' mice an' men / Gang aft a-gley." - Robert Burns

busterone

That was my next question as well. There may be a rogue file that they are using to gain access.

MrPhil

Perhaps they have obtained one or more of your passwords, and are simply directly signing on as the Admin? If you haven't done so already, do a thorough spyware/virus scan of all PCs you use to access the site. Once they're clean, change every password in sight: SMF admin account, FTP, host site access, perhaps even the database password.

AlkaSeltxer

Things, so far, seem to be ok now. Here's what I did...

Changed MySQL password.
Changed all admin account passwords after all admins ran a virus scan as mentioned, serverside as well.
Installed the KeyCAPTCHA mod.
Added CrawlProtect.

So far, there have not been any new spam accounts created, or been attempted to be created. Since I'm not sure if this is just an attack lull, I'm not ready to mark as solved just yet. Going to give it a week and see what happens.

Not sure which did the trick if this isn't a lull, I would have tried each individually if I had the time.

Thanks to all for the suggestions and help.
~Josh~
Over 16 keyboards lost to raging.
