Geeklog Forums
Bots that register and login
Status: offline
ByteEnable
Forum User
Full Member
Registered: 10/20/03
Posts: 138
Hi,
I was attacked last night by a php script/bot that was registering and logging in, then posting spam. It was pretty rapid. I just hacked users.php to die on those domains. The domain names were constant, but the username changed. As of today, the script/bot is still attempting registration.
4watcher dot com
koziavok dot net
pornoscop dot com
dro4ers dot net
1stflirt dot org
sweetsnet dot com
yamy dot net
strokersclub dot net
lovesnake dot net
44
32
Quote
Status: offline
jmucchiello
Forum User
Full Member
Registered: 08/29/05
Posts: 985
This is how I solved the problem on my site. I just deny certain emails in COM_isEmail. So my change is in lib-common and affects all email validation in geeklog.
http://www.geeklog.net/forum/viewtopic.php?forum=3&showtopic=68531
36
25
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
We had the same problem on geeklog.net on Thursday night and the short-term fix I chose was to block the entire IP ranges the bots were coming from:
205.252.0.0 - 205.252.255.255
206.161.0.0 - 206.161.255.255
209.8.0.0 - 209.9.255.255
bye, Dirk
35
25
Quote
Status: offline
Robin
Forum User
Full Member
Registered: 02/15/02
Posts: 725
Looks like I'm not alone
I've been wondering whether adding a validation during registration process would prevent form bots registration. I mean adding a picture with random characters that you need to enter to the field.
This is like a common thing around the net now.
Just a thought,
Robert
Geeklog Polish Support Team
32
32
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
As much as I dislike CAPTCHAs, they would probably have helped in this case. There's an implementation for Geeklog in the downloads section if you want to try it out (I haven't yet).
Geeklog's current signup process (sign up, receive password by email, log in with that password) was designed on the assumption that it would ensure that the user was legit. Now that throwaway email addresses - and even throwaway domains - are common, I guess it's time to rethink and re-evaluate that approach.
bye, Dirk
40
34
Quote
Status: offline
Robin
Forum User
Full Member
Registered: 02/15/02
Posts: 725
Quote by Dirk: As much as I dislike CAPTCHAs, they would probably have helped in this case
Me neither, especially as it requires something like GD library or something similar.
Quote by Dirk: Geeklog's current signup process (sign up, receive password by email, log in with that password) was designed on the assumption that it would ensure that the user was legit.
Exactly and I believe that it works as I got several spammers registered with the site however never logged in. Maybe I'm missing something but how is it possible for a bot to spam as a registered user? Even if they register with a site they have to validate before logging in. Are they so clever these days?
Robert
Geeklog Polish Support Team
31
32
Quote
macboy
Anonymous
I've also had this on two of my sites. To help slow this down and give me some level of control over who registers, I've set:
Text Formatted Code
$_CONF['usersubmission'] = 1; // 1 = new users must be approved
in config.php
That'll buy me some time until some other mechanism for confirming users is put in. I do like the graphic scrambled text idea. Many sites use that to make sure there's a warm body on the other end...
29
33
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by Robin: Maybe I'm missing something but how is it possible for a bot to spam as a registered user? Even if they register with a site they have to validate before logging in. Are they so clever these days?
This is exactly what happened, though. The bot registered with the site and came back a minute later and logged in (and started spamming right away). It has obviously been written to wait for the email, read it and use the password to log in.
In a way, I guess, that's sort of a compliment: Geeklog is popular enough that it's worth going through the trouble of writing such a bot.
Actually, if it reads the email automatically, that would be another option to stop it (or at least make its author's life a little harder): Change the text and layout of the password email. Either by changing the language file or by using the built-in welcome email hack.
bye, Dirk
38
33
Quote
Lex
Anonymous
Quote by ByteEnable: Hi,
I was attacked last night by a php script/bot that was registering and logging in, then posting spam. It was pretty rapid. I just hacked users.php to die on those domains. The domain names were constant, but the username changed. As of today, the script/bot is still attempting registration.
4watcher dot com
koziavok dot net
pornoscop dot com
dro4ers dot net
1stflirt dot org
sweetsnet dot com
yamy dot net
strokersclub dot net
lovesnake dot net
I've been getting hit by these exact same people for two weeks now. I've been able to control their comment posts because they always use the same domains and they always use ".:." between their URLs. But they are racking up the fake user accounts.
All of their IP addresses are coming from btnaccess.com so I sent an email to their abuse address: abuse@btnaccess.com
I'm waiting to hear back from them. If you check the IP address of the folks linking to the above URLs, and find they are coming from blocks on btnaccess.com, please report them ASAP so we can temporarily stop these *censored*ers.
Thanks,
Lex
37
45
Quote
Status: offline
TrappedOnEarth
Forum User
Junior
Registered: 07/13/05
Posts: 15
Could the bots now be using gawab.com email addresses? I say this because a couple of weeks ago, I had switched from automatic user registrations to me having to manually approve new users because of the bot spam coming from the domains previously mentioned in this thread. But in the last few days, I have found an unusual amount of new users using email domains of gawab.com... Whereas over a year running Geeklog, and over 535 users, there haven't been any, and now within the last few days, there had to be a dozen new users with gawab.com addresses... makes me wonder if they are real or not.
Anyone else notice this?
Cheers,
Louis
33
36
Quote
Status: offline
milfodd
Forum User
Newbie
Registered: 11/13/05
Posts: 10
Sort of glad to hear that it's not just me....
My new friends are punting cheap drugs spam with user names such as:
buy_ci***s
Order phen****n
cheap a*****x 200
(starred out to keep Geeklog's spam filters calm)
and email domains:
bfr.net
msn.com
myrx.com
octelera.com
etc
I've now switched to approving user requests but am having a problem deleting the bogus applications. When I attempt to do so I am faced with this error....
phpBB : Critical Error
Could not delete user 275 from phpBB groups table
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2
DELETE FROM phpbb_groups WHERE group_id =
Line : 360
File : functions.inc
Not being the best at understanding such, can anyone please give me some pointers to get on top of this?
Thanks.
Oh and they've also been spamming my Chatterblock. Industrious critters...
38
43
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by milfodd: I've now switched to approving user requests but am having a problem deleting the bogus applications. When I attempt to do so I am faced with this error....
Can't help you with phpBB problems, but if you're on Geeklog 1.4.0, you could also ban those users and keep their accounts. Unless those are really throwaway addresses, it would also have the added benefit of preventing those addresses from being reused.
bye, Dirk
33
31
Quote
Status: offline
milfodd
Forum User
Newbie
Registered: 11/13/05
Posts: 10
Looking at upgrading to 1.4 (currently 1.3.11sr2). The snag is I have phpBB and Gallery2 currently integrated and working and, the truth be told, am scared of messing the whole thing up.
This could be the reason to make the leap though.
Thanks.
32
28
Quote
Wade
Anonymous
I would recommend not hacking up lib-common. Use the system the way that it was designed. GeekLog already has methods in place for implementing customizations. This is done via lib-custom.php. GeekLog also already has methods in place for implementing custom registration forms. Thus, fighting these bots and implementing a black list for registration is as easy as:
1. setting "custom_registration" in config.php to true (line 246)
2. making sure that your template includes ../custom/memberdetail.thtml
3. enhancing the "custom_usercheck" function in lib-custom.php to:
Text Formatted Code
// fight the porn spammers
// Domain part of the address, lower-cased so the comparison is case-insensitive
$domain = strtolower(substr(strrchr($email, "@"), 1));
$banned_domains = array('dro4ers.net',
                        'koziavok.net',
                        'pornoscop.com',
                        '4watcher.com',
                        'strokersclub.net',
                        'sweetsnet.com',
                        '1stflirt.org',
                        'hotmail.com',
                        'yamy.net',
                        'lovesnake.net',
                        '126.com');
if (in_array($domain, $banned_domains))
{
    // Message for addresses on a banned domain
    $msg = 'Your email address is hosted on a banned domain. Please resubmit with alternate address.';
}
35
42
Quote
Wade
Anonymous
I would recommend not hacking up lib-common. Use the system the way that it was designed. GeekLog already has methods in place for implementing customizations. This is done via lib-custom.php. GeekLog also already has methods in place for implementing custom registration forms. Thus, fighting these bots and implementing a black list for registration is as easy as:
1. setting "custom_registration" in config.php to true (line 246)
2. making sure that your template includes ../custom/memberdetail.thtml
3. enhancing the "custom_usercheck" function in lib-custom.php to (starts on line 326):
Text Formatted Code
// fight the porn spammers
// Domain part of the address, lower-cased so the comparison is case-insensitive
$domain = strtolower(substr(strrchr($email, "@"), 1));
$banned_domains = array('dro4ers.net',
                        'koziavok.net',
                        'pornoscop.com',
                        '4watcher.com',
                        'strokersclub.net',
                        'sweetsnet.com',
                        '1stflirt.org',
                        'hotmail.com',
                        'yamy.net',
                        'lovesnake.net',
                        '126.com');
if (in_array($domain, $banned_domains))
{
    // Message for addresses on a banned domain
    $msg = 'Your email address is hosted on a banned domain. Please resubmit with alternate address.';
}
34
37
Quote
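A stricter form of the domain check in the post above, as an added example that is not part of the original post or of Geeklog: it normalizes case and a trailing dot, also matches subdomains of a banned entry, and rejects addresses without a usable domain. The `example_*` function names and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not Geeklog code: the example_* names are hypothetical.

/**
 * Return the lower-cased domain of an address, or null if it is malformed.
 */
function example_email_domain(string $email): ?string
{
    $email = trim($email);
    $at = strrpos($email, '@');
    if ($at === false || $at === 0) {
        return null;                       // no "@" or empty local part
    }
    // Lower-case and drop a trailing dot ("yamy.net." names the same host).
    $domain = rtrim(strtolower(substr($email, $at + 1)), '.');
    return $domain === '' ? null : $domain;
}

/**
 * True if the domain equals a banned entry or is a subdomain of one.
 */
function example_is_banned_domain(string $domain, array $banned): bool
{
    foreach ($banned as $entry) {
        $entry = strtolower($entry);
        $suffix = '.' . $entry;
        if ($domain === $entry || substr($domain, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Subset of the list from the post above.
$banned = array('dro4ers.net', 'koziavok.net', 'yamy.net', 'lovesnake.net');

// Constructed sample addresses.
$samples = array(
    'a@yamy.net', 'b@YAMY.NET', 'c@mail.yamy.net', 'd@yamy.net.',
    'e@notyamy.net', 'f@example.org', 'no-at-sign',
);
foreach ($samples as $email) {
    $domain = example_email_domain($email);
    if ($domain === null) {
        $verdict = 'reject (malformed)';
    } elseif (example_is_banned_domain($domain, $banned)) {
        $verdict = 'reject (banned domain)';
    } else {
        $verdict = 'allow';
    }
    printf("%-18s %s\n", $email, $verdict);
}
```

The suffix test includes the leading dot, so `notyamy.net` is not treated as a subdomain of `yamy.net`.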
Yeraze
Anonymous
Same here... I've deleted about 60 of these today, by hand.
I just integrated & tested the custom login stuff mentioned... Here's hopin it works.
28
33
Quote
Agent X20
Anonymous
I've had to enable spam-x filters and have to make the custom registration changes listed above.
My GL site is currently being attacked every day by these same guys posting dozens of spam-comments. Spam-X seems to be doing the trick for now - or until such time as they change their ad content.
I've had to manually delete over a hundred automatically created users with no end in sight. There's no point banning these users - they just create more and more and more.
Personally this is going to force the GL registration system to include some sort of protection against this abuse.
My GL site has been running for over three years now (I'm a big fan of GL and the work you guys do) and I like to think it's fairly visible in the search engines. This problem is only going to get worse, unless the present registration system gets tweaked.
Just my 5c.
25
33
Quote
Blah
Anonymous
I added "http" to my spamx log and no longer get any spam at all. Users can't post links but not a single user has complained yet and it's been months since I made the change.
36
42
Quote
Status: offline
tingo
Forum User
Chatty
Registered: 06/05/02
Posts: 57
Location:Oslo, Norway
Quote by Wade: I would recommend not hacking up lib-common. Use the system the way that it was designed. GeekLog already has methods in place for implementing customizations. This is done via lib-custom.php. GeekLog also already has methods in place for implementing custom registration forms. Thus, fighting these bots and implementing a black list for registration is as easy as:
Thanks, this really saved my day. Implemented and tested it in about 20 minutes. Saved me a few hours I guess, if I had to come up with something like this myself.
In about three days, one of my sites got over 100 new users - I knew something was not right.
31
42
Quote
Status: offline
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
As a very late follow-up: I just noticed that something from 209.8.40.26 is still trying to register automatically here on geeklog.net.
Now, if you do a ping on all those domain names that ByteEnable posted at the beginning of this thread, you'll notice that they are all hosted on IP addresses in the 209.8.22.* range. And the entire 209.8.* address range belongs to a "Beyond The Network America, Inc.". According to www.btnaccess.com, they are a hosting company, so it's one of their customers spamming.
I heartily recommend blocking that entire address range. If they are a hosting company, you won't see any regular visitors coming from that address range anyway.
bye, Dirk
29
32
Quote
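The address-range block Dirk describes in his posts above, as an added example that is not part of the thread or of Geeklog: a check that tests a client address against the three ranges he lists. The `example_ip_in_ranges` name and every sample address except 209.8.40.26 are assumptions made for illustration.

```php
<?php
// Added example, not Geeklog code: the example_* name is hypothetical.

// Ranges quoted in the thread, as inclusive start/end pairs.
$blocked_ranges = array(
    array('205.252.0.0', '205.252.255.255'),
    array('206.161.0.0', '206.161.255.255'),
    array('209.8.0.0',   '209.9.255.255'),
);

/**
 * True if $ip is an IPv4 address inside one of the inclusive ranges.
 * Addresses are compared as 4-byte strings, which avoids the signed
 * integer results ip2long() gives on 32-bit PHP builds.
 */
function example_ip_in_ranges(string $ip, array $ranges): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;                      // IPv6 or garbage: not in an IPv4 range
    }
    $packed = inet_pton($ip);
    foreach ($ranges as $range) {
        list($start, $end) = $range;
        if (strcmp($packed, inet_pton($start)) >= 0
            && strcmp($packed, inet_pton($end)) <= 0) {
            return true;
        }
    }
    return false;
}

// 209.8.40.26 is the address named in the thread; the others are constructed.
$samples = array('209.8.40.26', '209.9.255.255', '209.10.0.1',
                 '205.251.255.255', '192.0.2.10', '2001:db8::1', 'not-an-ip');
foreach ($samples as $ip) {
    printf("%-16s %s\n", $ip,
        example_ip_in_ranges($ip, $blocked_ranges) ? 'block' : 'allow');
}
```

In a registration handler the address to test would normally be `$_SERVER['REMOTE_ADDR']`; behind a reverse proxy that value is the proxy's address, so the check has to run where the real client address is visible.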