
Geeklog Forums

Bots that register and login



ByteEnable

Forum User
Full Member
Registered: 20/10/03
Posts: 138
Hi,

I was attacked last night by a php script/bot that was registering and logging in, then posting spam. It was pretty rapid. I just hacked users.php to die on those domains. The domain names were constant, but the username changed. As of today, the script/bot is still attempting registration.

4watcher dot com
koziavok dot net
pornoscop dot com
dro4ers dot net
1stflirt dot org
sweetsnet dot com
yamy dot net
strokersclub dot net
lovesnake dot net




jmucchiello

Forum User
Full Member
Registered: 29/08/05
Posts: 985
This is how I solved the problem on my site. I just deny certain emails in COM_isEmail. So my change is in lib-common and affects all email validation in geeklog.

http://www.geeklog.net/forum/viewtopic.php?forum=3&showtopic=68531


Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
We had the same problem on geeklog.net on Thursday night and the short-term fix I chose was to block the entire IP ranges the bots were coming from:

205.252.0.0 - 205.252.255.255
206.161.0.0 - 206.161.255.255
209.8.0.0 - 209.9.255.255

bye, Dirk
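
The range block described in the post above can also be enforced in PHP when firewall or web server rules are not available. This is an added example, not part of the original post and not Geeklog code; `ip_in_blocked_ranges()` is a hypothetical helper, and in a registration handler the address would be assumed to come from `$_SERVER['REMOTE_ADDR']`.

```php
<?php
// Added example, not Geeklog code. ip_in_blocked_ranges() is a hypothetical helper.

// The three ranges from the post above, as inclusive start/end pairs.
$blocked_ranges = array(
    array('205.252.0.0', '205.252.255.255'),
    array('206.161.0.0', '206.161.255.255'),
    array('209.8.0.0',   '209.9.255.255'),
);

/**
 * True when $ip falls inside one of the inclusive ranges.
 * inet_pton() returns the address as a big-endian byte string, so strcmp()
 * orders addresses numerically without ip2long()'s signed 32-bit pitfalls.
 */
function ip_in_blocked_ranges($ip, array $ranges)
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return false;                 // unparsable address: do not match
    }
    foreach ($ranges as $range) {
        $lo = inet_pton($range[0]);
        $hi = inet_pton($range[1]);
        if (strlen($packed) !== strlen($lo)) {
            continue;                 // IPv6 client against an IPv4 range
        }
        if (strcmp($packed, $lo) >= 0 && strcmp($packed, $hi) <= 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample addresses (192.0.2.10 is a documentation address).
$samples = array('205.252.13.7', '209.9.255.255', '209.10.0.1', '192.0.2.10', 'not-an-ip');
foreach ($samples as $ip) {
    $verdict = ip_in_blocked_ranges($ip, $blocked_ranges) ? 'blocked' : 'allowed';
    printf("%-15s %s\n", $ip, $verdict);
}
```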


Robin

Forum User
Full Member
Registered: 15/02/02
Posts: 725
Looks like I'm not alone

I've been wondering whether adding a validation step during the registration process would prevent form bots from registering. I mean adding a picture with random characters that you need to enter into a field.
This is like a common thing around the net now.

Just a thought,

Robert
Geeklog Polish Support Team


Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
As much as I dislike CAPTCHAs, they would probably have helped in this case. There's an implementation for Geeklog in the downloads section if you want to try it out (I haven't yet).

Geeklog's current signup process (sign up, receive password by email, log in with that password) was designed on the assumption that it would ensure that the user was legit. Now that throwaway email addresses - and even throwaway domains - are common, I guess it's time to rethink and re-evaluate that approach.

bye, Dirk


Robin

Forum User
Full Member
Registered: 15/02/02
Posts: 725
Quote by Dirk: As much as I dislike CAPTCHAs, they would probably have helped in this case


Me neither, especially as it requires something like the GD library or something similar.

Quote by Dirk: Geeklog's current signup process (sign up, receive password by email, log in with that password) was designed on the assumption that it would ensure that the user was legit.


Exactly, and I believe that it works, as I got several spammers registered with the site who, however, never logged in. Maybe I'm missing something, but how is it possible for a bot to spam as a registered user? Even if they register with a site, they have to validate before logging in. Are they so clever these days?

Robert
Geeklog Polish Support Team

macboy

Anonymous
I've also had this on two of my sites. To help slow this down and give me some level of control over who registers, I've set:

PHP Formatted Code
$_CONF['usersubmission']  = 1; // 1 = new users must be approved

in config.php

That'll buy me some time until some other mechanism for confirming users is put in. I do like the graphic scrambled text idea. Many sites use that to make sure there's a warm body on the other end...



Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by Robin: Maybe I'm missing something but how is it possible for a bot to spam as a registered user? Even if they register with a site they have to validate before logging in. Are they so clever these days?

This is exactly what happened, though. The bot registered with the site and came back a minute later and logged in (and started spamming right away). It has obviously been written to wait for the email, read it and use the password to log in.

In a way, I guess, that's sort of a compliment: Geeklog is popular enough that it's worth going through the trouble of writing such a bot.

Actually, if it reads the email automatically, that would be another option to stop it (or at least make its author's life a little harder): Change the text and layout of the password email. Either by changing the language file or by using the built-in welcome email hack.

bye, Dirk

Lex

Anonymous
Quote by ByteEnable: Hi,

I was attacked last night by a php script/bot that was registering and logging in, then posting spam. It was pretty rapid. I just hacked users.php to die on those domains. The domain names were constant, but the username changed. As of today, the script/bot is still attempting registration.

4watcher dot com
koziavok dot net
pornoscop dot com
dro4ers dot net
1stflirt dot org
sweetsnet dot com
yamy dot net
strokersclub dot net
lovesnake dot net




I've been getting hit by these exact same people for two weeks now. I've been able to control their comment posts because they always use the same domains and they always use ".:." between their URLs. But they are racking up the fake user accounts.

All of their IP addresses are coming from btnaccess.com so I sent an email to their abuse address: abuse@btnaccess.com

I'm waiting to hear back from them. If you check the IP address of the folks linking to the above URLs, and find they are coming from blocks on btnaccess.com, please report them ASAP so we can temporarily stop these *censored*ers.

Thanks,
Lex


TrappedOnEarth

Forum User
Junior
Registered: 13/07/05
Posts: 15


Could the bots now be using gawab.com email addresses? I say this because a couple of weeks ago, I had switched from automatic user registrations to me having to manually approve new users because of the bot spam coming from the domains previously mentioned in this thread. But in the last few days, I have found an unusual amount of new users using email domains of gawab.com... Whereas over a year running Geeklog, and over 535 users, there haven't been any, and now within the last few days, there had to be a dozen new users with gawab.com addresses... makes me wonder if they are real or not.

Anyone else notice this?

Cheers,
Louis


milfodd

Forum User
Newbie
Registered: 13/11/05
Posts: 10
Sort of glad to hear that it's not just me....

My new friends are punting cheap drugs spam with user names such as:
buy_ci***s
Order phen****n
cheap a*****x 200
(starred out to keep Geeklogs spam filters calm)


and email domains:
bfr.net
msn.com
myrx.com
octelera.com
etc

I've now switched to approving user requests but am having a problem deleting the bogus applications. When I attempt to do so I am faced with this error....


phpBB : Critical Error

Could not delete user 275 from phpBB groups table

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2

DELETE FROM phpbb_groups WHERE group_id =

Line : 360
File : functions.inc


Not being the best at understanding such, can anyone please give me some pointers to get on top of this?

Thanks.

Oh and they've also been spamming my Chatterblock. Industrious critters...



Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by milfodd: I've now switched to approving user requests but am having a problem deleting the bogus applications. When I attempt to do so I am faced with this error....

Can't help you with phpBB problems, but if you're on Geeklog 1.4.0, you could also ban those users and keep their accounts. Unless those are really throwaway addresses, it would also have the added benefit of preventing those addresses from being reused.

bye, Dirk


milfodd

Forum User
Newbie
Registered: 13/11/05
Posts: 10
Looking at upgrading to 1.4 (currently 1.3.11sr2). The snag is I have phpBB and Gallery2 currently integrated and working and, the truth be told, am scared of messing the whole thing up.

This could be the reason to make the leap though.

Thanks.

Wade

Anonymous
I would recommend not hacking up lib-common. Use the system the way that it was designed. GeekLog already has methods in place for implementing customizations. This is done via lib-custom.php. GeekLog also already has methods in place for implementing custom registration forms. Thus, fighting these bots and implementing a black list for registration is as easy as:

1. setting "custom_registration" in config.php to true (line 246)

2. making sure that your template includes ../custom/memberdetail.thtml

3. enhancing the "custom_usercheck" function in lib-custom.php to:

PHP Formatted Code
// fight the porn spammers
// Take the part after the last "@" and lower-case it, so that
// "user@HOTMAIL.COM" is matched as well.
$domain = strtolower(substr(strrchr($email, "@"), 1));
$banned_domains = array('dro4ers.net',
                        'koziavok.net',
                        'pornoscop.com',
                        '4watcher.com',
                        'strokersclub.net',
                        'sweetsnet.com',
                        '1stflirt.org',
                        'hotmail.com',
                        'yamy.net',
                        'lovesnake.net',
                        '126.com');
// Reject the registration when the domain is on the list.
if (in_array($domain, $banned_domains))
{
        $msg = 'Your email address is hosted on a banned domain. Please resubmit with alternate address.';
}
 

Wade

Anonymous
I would recommend not hacking up lib-common. Use the system the way that it was designed. GeekLog already has methods in place for implementing customizations. This is done via lib-custom.php. GeekLog also already has methods in place for implementing custom registration forms. Thus, fighting these bots and implementing a black list for registration is as easy as:

1. setting "custom_registration" in config.php to true (line 246)

2. making sure that your template includes ../custom/memberdetail.thtml

3. enhancing the "custom_usercheck" function in lib-custom.php to (starts on line 326):

PHP Formatted Code
// fight the porn spammers
// Take the part after the last "@" and lower-case it, so that
// "user@HOTMAIL.COM" is matched as well.
$domain = strtolower(substr(strrchr($email, "@"), 1));
$banned_domains = array('dro4ers.net',
                        'koziavok.net',
                        'pornoscop.com',
                        '4watcher.com',
                        'strokersclub.net',
                        'sweetsnet.com',
                        '1stflirt.org',
                        'hotmail.com',
                        'yamy.net',
                        'lovesnake.net',
                        '126.com');
// Reject the registration when the domain is on the list.
if (in_array($domain, $banned_domains))
{
        $msg = 'Your email address is hosted on a banned domain. Please resubmit with alternate address.';
}
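
An exact-match list like the one in the post above misses a subdomain of a listed domain or a trailing dot. The following added example (not part of the original post and not Geeklog code) normalises the domain before comparing; `email_domain_is_banned()` is a hypothetical helper, and the sample addresses are constructed.

```php
<?php
// Added example, not Geeklog code. email_domain_is_banned() is a hypothetical helper.

/**
 * True when the address's domain equals a listed domain or is a
 * subdomain of one (mail.dro4ers.net matches dro4ers.net).
 */
function email_domain_is_banned($email, array $banned_domains)
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return false;       // no domain part: leave it to normal email validation
    }
    // DNS names are case-insensitive and may be written with a trailing dot.
    $domain = rtrim(strtolower(trim(substr($email, $at + 1))), '.');
    if ($domain === '') {
        return false;
    }
    foreach ($banned_domains as $banned) {
        $banned = strtolower($banned);
        $suffix = '.' . $banned;
        // Exact match, or a label boundary followed by the listed domain.
        // The leading dot keeps "notdro4ers.net" from matching "dro4ers.net".
        if ($domain === $banned || substr($domain, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// A few of the domains named in this thread.
$banned = array('dro4ers.net', 'koziavok.net', '4watcher.com');

// Constructed sample addresses.
$samples = array(
    'bot1@dro4ers.net',        // exact match
    'bot2@DRO4ERS.NET.',       // upper case and trailing dot
    'bot3@mail.koziavok.net',  // subdomain of a listed domain
    'user@notdro4ers.net',     // different domain that merely ends the same way
    'user@example.org',        // unlisted
);
foreach ($samples as $email) {
    $verdict = email_domain_is_banned($email, $banned) ? 'rejected' : 'accepted';
    printf("%-24s %s\n", $email, $verdict);
}
```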
 

Yeraze

Anonymous
angry
same here.. I've deleted about 60 of these today, by hand.

I just integrated & tested the custom login stuff mentioned... Here's hopin it works.

Agent X20

Anonymous
I've had to enable spam-x filters and have to make the custom registration changes listed above.

My GL site is currently being attacked every day by these same guys posting dozens of spam-comments. Spam-X seems to be doing the trick for now - or until such time as they change their ad content.

I've had to manually delete over a hundred automatically created users with no end in sight. There's no point banning these users - they just create more and more and more.

Personally this is going to force the GL registration system to include some sort of protection against this abuse.

My GL site has been running for over three years now (I'm a big fan of GL and the work you guys do) and I like to think it's fairly visible in the search engines. This problem is only going to get worse, unless the present registration system gets tweaked.

Just my 5c.

Blah

Anonymous
I added "http" to my spamx log and no longer get any spam at all. Users can't post links but not a single user has complained yet and it's been months since I made the change.


tingo

Forum User
Chatty
Registered: 05/06/02
Posts: 57
Location:Oslo, Norway
Quote by Wade: I would recommend not hacking up lib-common. Use the system the way that it was designed. GeekLog already has methods in place for implementing customizations. This is done via lib-custom.php. GeekLog also already has methods in place for implementing custom registration forms. Thus, fighting these bots and implementing a black list for registration is as easy as:


Thanks, this really saved my day. Implemented and tested it in about 20 minutes. Saved me a few hours, I guess, if I had to come up with something like this myself.
In about three days, one of my sites got over 100 new users - I knew something was not right.


Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
As a very late follow-up: I just noticed that something from 209.8.40.26 is still trying to register automatically here on geeklog.net.

Now, if you do a ping on all those domain names that ByteEnable posted at the beginning of this thread, you'll notice that they are all hosted on IP addresses in the 209.8.22.* range. And the entire 209.8.* address range belongs to a "Beyond The Network America, Inc.". According to www.btnaccess.com, they are a hosting company, so it's one of their customers spamming.

I heartily recommend blocking that entire address range. If they are a hosting company, you won't see any regular visitors coming from that address range anyway.

bye, Dirk
