Posted on: 07/27/06 08:29pm
By: ByteEnable
Hi,
I was attacked last night by a php script/bot that was registering and logging in, then posting spam. It was pretty rapid. I just hacked users.php to die on those domains. The domain names were constant, but the username changed. As of today, the script/bot is still attempting registration.
4watcher dot com
koziavok dot net
pornoscop dot com
dro4ers dot net
1stflirt dot org
sweetsnet dot com
yamy dot net
strokersclub dot net
lovesnake dot net
Bots that register and login
Posted on: 07/27/06 10:35pm
By: jmucchiello
Bots that register and login
Posted on: 07/28/06 01:59am
By: Dirk
We had the same problem on geeklog.net on Thursday night and the short-term fix I chose was to block the entire IP ranges the bots were coming from:
205.252.0.0 - 205.252.255.255
206.161.0.0 - 206.161.255.255
209.8.0.0 - 209.9.255.255
bye, Dirk
Bots that register and login
Posted on: 07/28/06 07:33am
By: Robin
Looks like I'm not alone
I've been wondering whether adding a validation during registration process would prevent form bots registration. I mean adding a picture with random characters that you need to enter to the field.
This is like a common thing around the net now.
Just a thought,
Robert
Bots that register and login
Posted on: 07/28/06 08:16am
By: Dirk
As much as I dislike CAPTCHA[*2]s, they would probably have helped in this case. There's an implementation for Geeklog in the downloads section[*3] if you want to try it out (I haven't yet).
Geeklog's current signup process (sign up, receive password by email, log in with that password) was designed on the assumption that it would ensure that the user was legit. Now that throwaway email addresses - and even throwaway domains - are common, I guess it's time to rethink and re-evaluate that approach.
bye, Dirk
Bots that register and login
Posted on: 07/28/06 08:40am
By: Robin
[QUOTE BY= Dirk] As much as I dislike CAPTCHA[*2]s, they would probably have helped in this case [/QUOTE]
Me neither especially as it requires something like GD library or something similar.
[QUOTE BY= Dirk]Geeklog's current signup process (sign up, receive password by email, log in with that password) was designed on the assumption that it would ensure that the user was legit.[/QUOTE]
Exactly and I believe that it works as I got several spammers registered with the site however never logged in. Maybe I'm missing something but how is it possible for a bot to spam as a registered user? Even if they register with a site they have to validate before logging in. Are they so clever these days?
Robert
Bots that register and login
Posted on: 07/28/06 09:25am
By: Anonymous (macboy)
I've also had this on two of my sites. To help slow this down and give me some level of control over who registers, I've set:
$_CONF['usersubmission'] = 1; // 1 = new users must be approved
in config.php
That'll buy me some time until some other mechanism for confirming users is put in. I do like the graphic scrambled text idea. Many sites use that to make sure there's a warm body on the other end...
Bots that register and login
Posted on: 07/28/06 02:37pm
By: Dirk
[QUOTE BY= Robin] Maybe I'm missing something but how is it possible for a bot to spam as a registered user? Even if they register with a site they have to validate before logging in. Are they so clever these days? [/QUOTE]
This is exactly what happened, though. The bot registered with the site and came back a minute later and logged in (and started spamming right away). It has obviously been written to wait for the email, read it and use the password to log in.
In a way, I guess, that's sort of a compliment: Geeklog is popular enough that it's worth going through the trouble of writing such a bot.
Actually, if it reads the email automatically, that would be another option to stop it (or at least make its author's life a little harder): Change the text and layout of the password email. Either by changing the language file or by using the built-in welcome email hack[*4].
bye, Dirk
Bots that register and login
Posted on: 08/08/06 06:41pm
By: Anonymous (Lex)
[QUOTE BY= ByteEnable] Hi,
I was attacked last night by a php script/bot that was registering and logging in, then posting spam. It was pretty rapid. I just hacked users.php to die on those domains. The domain names were constant, but the username changed. As of today, the script/bot is still attempting registration.
4watcher dot com
koziavok dot net
pornoscop dot com
dro4ers dot net
1stflirt dot org
sweetsnet dot com
yamy dot net
strokersclub dot net
lovesnake dot net
[/QUOTE]
I've been getting hit by these exact same people for two weeks now. I've been able to control their comment posts because they always use the same domains and they always use ".:." between their URLs. But they are racking up the fake user accounts.
All of their IP addresses are coming from btnaccess.com so I sent an email to their abuse address:
abuse@btnaccess.com
I'm waiting to hear back from them. If you check the IP address of the folks linking to the above URLs, and find they are coming from blocks on btnaccess.com, please report them ASAP so we can temporarily stop these *censored*ers.
Thanks,
Lex
Bots that register and login
Posted on: 08/10/06 11:53pm
By: TrappedOnEarth
Could the bots now be using gawab.com email addresses? I say this because a couple of weeks ago, I had switched from automatic user registrations to me having to manually approve new users because of the bot spam coming from the domains previously mentioned in this thread. But in the last few days, I have found an unusual amount of new users using email domains of gawab.com... Whereas over a year running Geeklog, and over 535 users, there haven't been any, and now within the last few days, there had to be a dozen new users with gawab.com addresses... makes me wonder if they are real or not.
Anyone else notice this?
Cheers,
Louis
Bots that register and login
Posted on: 08/11/06 02:28pm
By: milfodd
Sort of glad to hear that it's not just me....
My new friends are punting cheap drugs spam with user names such as:
buy_ci***s
Order phen****n
cheap a*****x 200
(starred out to keep Geeklogs spam filters calm)
and email domains:
bfr.net
msn.com
myrx.com
octelera.com
etc
I've now switched to approving user requests but am having a problem deleting the bogus applications. When I attempt to do so I am faced with this error....
phpBB : Critical Error
Could not delete user 275 from phpBB groups table
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2
DELETE FROM phpbb_groups WHERE group_id =
Line : 360
File : functions.inc
Not being the best at understanding such can anyone please give me some pointers to get on top of this.
Thanks.
Oh and they've also been spamming my Chatterblock. Industrious critters...
Bots that register and login
Posted on: 08/11/06 03:19pm
By: Dirk
[QUOTE BY= milfodd] I've now switched to approving user requests but am having a problem deleting the bogus applications. When I attempt to do so I am faced with this error....[/QUOTE]
Can't help you with phpBB problems, but if you're on Geeklog 1.4.0, you could also ban those users and keep their accounts. Unless those are really throwaway addresses, it would also have the added benefit of preventing those addresses from being reused.
bye, Dirk
Bots that register and login
Posted on: 08/12/06 11:12am
By: milfodd
Looking at upgrading to 1.4 (currently 1.3.11sr2). The snag is I have phpBB and Gallery2 currently integrated and working and, the truth be told, am scared of messing the whole thing up.
This could be the reason to make the leap though.
Thanks.
Bots that register and login
Posted on: 08/14/06 04:03pm
By: Anonymous (Wade)
I would recommend not hacking up lib-common. Use the system the way that it was designed. GeekLog already has methods in place for implementing customizations. This is done via lib-custom.php. GeekLog also already has methods in place for implementing custom registration forms. Thus, fighting these bots and implementing a black list for registration is as easy as:
1. setting "custom_registration" in config.php to true (line 246)
2. making sure that your template includes ../custom/memberdetail.thtml
3. enhancing the "custom_usercheck" function in lib-custom.php to (starts on line 326):
    // fight the porn spammers
    // lower-case the domain so that User@Hotmail.COM is matched as well
    $domain = strtolower(substr(strrchr($email, "@"), 1));
    $banned_domains = array('dro4ers.net',
                            'koziavok.net',
                            'pornoscop.com',
                            '4watcher.com',
                            'strokersclub.net',
                            'sweetsnet.com',
                            '1stflirt.org',
                            'hotmail.com',
                            'yamy.net',
                            'lovesnake.net',
                            '126.com');
    if (in_array($domain, $banned_domains))
    {
        $msg = 'Your email address is hosted on a banned domain. Please resubmit with alternate address.';
    }
Bots that register and login
Posted on: 08/14/06 07:17pm
By: Anonymous (Yeraze)
same here.. I've deleted about 60 of these today, by hand.
I just integrated & tested the custom login stuff mentioned... Here's hopin it works.
Bots that register and login
Posted on: 08/15/06 09:24pm
By: Anonymous (Agent X20)
I've had to enable spam-x filters and have to make the custom registration changes listed above.
My GL site is currently being attacked every day by these same guys posting dozens of spam-comments. Spam-X seems to be doing the trick for now - or until such time as they change their ad content.
I've had to manually delete over a hundred automatically created users with no end in sight. There's no point banning these users - they just create more and more and more.
Personally this is going to force the GL registration system to include some sort of protection against this abuse.
My GL site has been running for over three years now (I'm a big fan of GL and the work you guys do) and I like to think it's fairly visible in the search engines. This problem is only going to get worse, unless the present registration system gets tweaked.
Just my 5c.
Bots that register and login
Posted on: 08/16/06 02:29am
By: Anonymous (Blah)
I added "http" to my spamx log and no longer get any spam at all. Users can't post links but not a single user has complained yet and it's been months since I made the change.
Bots that register and login
Posted on: 08/16/06 03:54pm
By: tingo
[QUOTE BY= Wade] I would recommend not hacking up lib-common. Use the system the way that it was designed. GeekLog already has methods in place for implementing customizations. This is done via lib-custom.php. GeekLog also already has methods in place for implementing custom registration forms. Thus, fighting these bots and implementing a black list for registration is as easy as:
[/QUOTE]
Thanks, this really saved my day. Implemented and tested it in about 20 minutes. Saved me a few hours I guess, if I had to come up with something like this myself.
In about three days, one of my sites got over 100 new users - I knew something was not right.
Bots that register and login
Posted on: 08/19/06 04:54pm
By: Dirk
As a very late follow-up: I just noticed that something from 209.8.40.26 is still trying to register automatically here on geeklog.net.
Now, if you do a ping on all those domain names that ByteEnable posted at the beginning of this thread, you'll notice that they are all hosted on IP addresses in the 209.8.22.* range. And the entire 209.8.* address range belongs to a "Beyond The Network America, Inc.". According to www.btnaccess.com, they are a hosting company, so it's one of their customers spamming.
I heartily recommend blocking that entire address range. If they are a hosting company, you won't see any regular visitors coming from that address range anyway.
bye, Dirk
Bots that register and login
Posted on: 08/20/06 01:54pm
By: thelusiv
There is a better CAPTCHA for Geeklog than the one for download on this site. It's written by the Media Gallery folks. It seems that even that one can be bypassed by the bots though, after using the "Geeklog CAPTCHA Hack" I have noticed that users are still able to be created by spammers, without even submitting a "Real name" field which I have required in the custom user registration function.
this thread[*5] on the MG forums has some details on the CAPTCHA and some users reporting that spammers still get through...
Bots that register and login
Posted on: 08/20/06 11:37pm
By: mevans
thelusiv,
Actually the CAPTCHA hack available here at geeklog.net is different from the one I have over at www.mediagallery.org. If you have been using one of them you might try the other and see if you have any better luck.
The one here uses Javascript, where the one at mediagallery.org just creates the random CAPTCHA graphic and places it into the custom registration form, then validates the results. The biggest difference besides the javascript is that the one here uses static images and I don't.
I would try which ever one you haven't used and see if the results change. This is still all new and I'm sure as we learn more about how the spambots work we can design better ways to block them.
Thanks!
Mark
Bots that register and login
Posted on: 08/22/06 10:26pm
By: ByteEnable
mevans, I've just implemented your CAPTCHA in the last few minutes and already have blocked two spammers.
Have you considered this for comments too?
Thanks,
Byte
Bots that register and login
Posted on: 08/22/06 10:53pm
By: mevans
I'm glad it is working for you, I just put out another beta a little while ago, v0.3 which now supports ImageMagick. I had some folks who were having a hard time getting the GD libs to work under OS X, so now there is a choice, GD or ImageMagick for CAPTCHA.
Once I'm satisfied this works as it should, I'll be happy to look into adding support for comments. But, right now I'm not aware of any hooks into the comment engine, it may have to be a hack, which I would prefer not to do. Anyway, I'll start poking around the code and see what I can turn up, who knows....
Thanks!
Mark
Bots that register and login
Posted on: 08/23/06 08:54pm
By: ByteEnable
It's working good!
Tue Aug 22 21:21:44 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 206.161.192.2
Wed Aug 23 00:25:42 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 70.87.100.194
Wed Aug 23 04:04:54 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 209.8.40.21
Wed Aug 23 04:56:07 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 209.8.40.23
Wed Aug 23 06:08:42 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 205.252.23.2
Wed Aug 23 06:20:41 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 205.252.23.8
Wed Aug 23 07:35:54 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 209.8.22.199
Wed Aug 23 07:52:57 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 206.161.192.6
Wed Aug 23 08:07:35 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 206.161.192.5
Wed Aug 23 09:46:19 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 206.161.205.179
Wed Aug 23 11:34:34 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 206.161.192.7
Wed Aug 23 12:21:03 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 206.161.192.13
Wed Aug 23 12:53:31 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 206.161.205.180
Wed Aug 23 13:23:29 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 209.8.40.30
Bots that register and login
Posted on: 08/25/06 03:16pm
By: Anonymous (webmaster jg)
[QUOTE BY= Wade] 3. enhancing the "custom_usercheck" function in lib-custom.php to:[/QUOTE]
I got all the way to this point, but there is no "custom_usercheck" function in my lib_custom file. There's a "custom_usercreate" function, but placing the code in there has had no effect...
I'm still using Geeklog 1.3, could that be why?
JG
Bots that register and login
Posted on: 08/26/06 03:40pm
By: brahm2
[QUOTE BY= Blah] I added "http" to my spamx log and no longer get any spam at all. Users can't post links but not a single user has complained yet and it's been months since I made the change.[/QUOTE]
Simple and brilliant. Thanks.
Over the summer I have converted my student society's website over to Geeklog (kudos, Dirk!) and I have been getting a lot of comment spam.
Catch is, registration is disabled because only student society members can get accounts.. but I want all students to be able to comment on news postings, so anonymous comments are enabled. I hope this is the fix I have been waiting for. Thanks again!
Bots that register and login
Posted on: 09/01/06 11:05pm
By: billyboy
Just installed CAPTCHA v0.4 For Geeklog from here...[*6]
Installed nicely and worked. So will see whether spammers have any luck bypassing it
Bots that register and login
Posted on: 09/22/06 08:28am
By: donm1021
[QUOTE BY= Dirk] As a very late follow-up: I just noticed that something from 209.8.40.26 is still trying to register automatically here on geeklog.net.
Now, if you do a ping on all those domain names that ByteEnable posted at the beginning of this thread, you'll notice that they are all hosted on IP addresses in the 209.8.22.* range. And the entire 209.8.* address range belongs to a "Beyond The Network America, Inc.". According to www.btnaccess.com, they are a hosting company, so it's one of their customers spamming.
[/QUOTE]
How do you ban the entire range?
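One way to do this at the PHP level, as an added example that is not Geeklog code and was not posted in this thread: it checks an address against the three ranges Dirk listed and runs the same check over log lines in the format ByteEnable posted. The function names, including the `deny_if_blocked()` helper, are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not Geeklog code (PHP 7.1+). Ranges are the three Dirk listed in this thread.
const BLOCKED_RANGES = [
    ['205.252.0.0', '205.252.255.255'],
    ['206.161.0.0', '206.161.255.255'],
    ['209.8.0.0',   '209.9.255.255'],
];

// Dotted-quad IPv4 to an unsigned number; null for anything else (IPv6, garbage).
// sprintf('%u') keeps the value positive on 32-bit PHP builds.
function ipv4_to_uint(string $ip): ?float
{
    $n = ip2long($ip);
    return $n === false ? null : (float) sprintf('%u', $n);
}

// Label of the blocked range that contains $ip, or null if none does.
function blocked_range_for(string $ip): ?string
{
    $addr = ipv4_to_uint($ip);
    foreach (BLOCKED_RANGES as [$start, $end]) {
        if ($addr !== null && $addr >= ipv4_to_uint($start) && $addr <= ipv4_to_uint($end)) {
            return "$start - $end";
        }
    }
    return null;
}

// Request-time use (hypothetical helper): call before any page output.
// Behind a reverse proxy REMOTE_ADDR is the proxy, so block at the proxy instead.
function deny_if_blocked(string $remoteAddr): void
{
    if (blocked_range_for($remoteAddr) !== null) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Count log hits per blocked range; addresses outside every range are
// listed separately, since those are the ones the block would not stop.
function triage_log(array $lines): array
{
    $result = ['blocked' => [], 'outside' => []];
    foreach ($lines as $line) {
        if (!preg_match('/IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$/', $line, $m)) {
            continue;   // not a CAPTCHA bypass line
        }
        $range = blocked_range_for($m[1]);
        if ($range === null) {
            $result['outside'][] = $m[1];
        } else {
            $result['blocked'][$range] = ($result['blocked'][$range] ?? 0) + 1;
        }
    }
    return $result;
}

// Three of the log lines ByteEnable posted above.
$sample = [
    'Tue Aug 22 21:21:44 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 206.161.192.2',
    'Wed Aug 23 00:25:42 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 70.87.100.194',
    'Wed Aug 23 04:04:54 2006 - CAPTCHA: Detected an attempt to bypass normal registration - IP Address: 209.8.40.21',
];
print_r(triage_log($sample));
```

On a site where `deny_if_blocked($_SERVER['REMOTE_ADDR'])` cannot be called early enough, the same three ranges can be denied in the web server or firewall configuration instead.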
Bots that register and login
Posted on: 10/08/06 01:17am
By: Anonymous (Th3Cleaner)
I use CHX-i I can't recommend it unless you're a strong admin that's exactly what you're doing.
Bots that register and login
Posted on: 10/08/06 02:59am
By: Anonymous (ironmax)
[QUOTE BY= Th3Cleaner] I use CHX-i I can't recommend it unless you're a strong admin that's exactly what you're doing.
[/QUOTE]
That's fine for those that host on their own machine(s) that don't have a decent firewall. What about those that are hosted someplace that don't have that access? The next best thing you can do otherwise is to have spam-x, bad behavior and ban plugins installed.
Bots that register and login
Posted on: 10/23/06 11:35am
By: timf
[QUOTE BY= milfodd]
I've now switched to approving user requests but am having a problem deleting the bogus applications. When I attempt to do so I am faced with this error....
phpBB : Critical Error
Could not delete user 275 from phpBB groups table
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2
DELETE FROM phpbb_groups WHERE group_id =
Line : 360
File : functions.inc
Not being the best at understanding such can anyone please give me some pointers to get on top of this.
[/QUOTE]
resynch your phpbbbridge database - I had the same error and that cleared it right up.
to resynch you have to go to the phpbbridge install page:
i.e. http://www.yourdomanin.com/admin/plugins/phpbbbridge/install.php
and click on the re-synch button
at least that's what worked for me (I was getting your same error)
good luck
Bots that register and login
Posted on: 10/30/06 06:28am
By: bieffe
I have the same problem, with lots of bots registering themselves, but lucky me, they didn't post comments or whatever. I have about 50 bots registering a day.
I tried to install mevans' captcha hack with no luck. My registration page keeps showing a broken image. (FYI: my php4 is compiled with gd2)
So I took a look at geeklog.net's registration page and they added a new field (confirmation email), and I immediately did a fix/hack on my users/registrationform.thtml and users.php to include the new field. This fix/hack works. After 24 hours, only 1 bot was able to bypass this fix/hack - email from users@mail.ru
Question for geeklog.net's maintainer (sorry if the questions sound stupid):
1. Does this fix/hack work well for your site?
2. Can bots still bypass this fix/hack? If so, how many of them?
I know I shouldn't be modifying Geeklog's core files but I have to. I'm using the latest stable GL (1.4.0sr5-1). My site is at http://www.chatzradio.net
(Sorry for my bad English)
Bots that register and login
Posted on: 10/30/06 12:14pm
By: mevans
bieffe,
There are two methods to implement the gl-captcha, one will randomly generate the image using either GD or ImageMagick. For sites that have a difficult time getting the on-the-fly generation, there is also an option to use static images, this should work on all sites.
From the README:
9. Configure gl-captcha for your environment by editing the public_html/captcha/captcha.php file.
   $gfxDriver - specifies which graphics driver to use:
       0 - GD Libs
       1 - ImageMagick
       2 - No Graphics driver, use Static Images
So in the case where you are seeing broken images, try setting the $gfxDriver to 2 and use the static images.
Thanks!
Mark