I've been getting a lot of mistacronks, xxxxx%40hotmail.com, gawab, mail.ru and cashette.com registrations recently, as well. I did two hacks to system/lib-user.php to first log all user creations, then block some of them based on the logging. First, the patch to the lib-user.php function USER_createAccount (this is on 1.3.11sr7-1); it logs new user creations to COM_accessLog and records in COM_errorLog those creation attempts that do not contain an HTTP_REFERER:
--- lib-user.php.orig 2005-10-03 12:27:16.000000000 -0500
+++ lib-user.php 2006-08-30 21:17:50.000000000 -0500
@@ -231,6 +231,18 @@
$values .= ",'$homepage'";
}
+// rac - update to catch attempts to bypass new user submission form
+if (!$_SERVER['HTTP_REFERER']) {
+ $errval = COM_siteHeader ('menu')
+ . COM_errorLog("ERROR: User creation error. Please visit the <a href="/users.php">User Page</a> to login.", 2)
+ . COM_siteFooter ();
+ COM_errorLog("ERROR: User creation error. Invalid referer in request. User: '$username', email: '$email', full name: '$fullname', password (md5): '$passwd', regdate: '$regdate'",1);
+ echo $errval;
+ exit;
+}
+// end referer check
+
+
// if user submission queue is active and the current user is not a
// User Admin, then we may have to add the new user to the submission queue
if (($_CONF['usersubmission'] == 1) && !SEC_hasRights ('user.edit')) {
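Review bot: as displayed, the COM_errorLog string in the `$errval` block contains unescaped double quotes around `/users.php`, so `. COM_errorLog("ERROR: User creation error. Please visit the <a href="/users.php">User Page</a> to login.", 2)` is a PHP parse error; the forum appears to have stripped backslashes (the second hunk shows `"n"` where `"\n"` must have been), so anyone applying this patch needs to restore `\"` there or switch the attribute to single quotes. `if (!$_SERVER['HTTP_REFERER'])` also raises an undefined-index notice in exactly the case it is meant to catch, the header being absent; `empty($_SERVER['HTTP_REFERER'])` is the safe form. Two caveats belong in the comment: the Referer is a client-supplied header that a script can send at will (the second log in the post shows one doing so), so this is a speed bump rather than a control, and the second COM_errorLog line writes the md5 password hash into errorLog, which the log has no need to hold.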
@@ -254,6 +266,14 @@
}
DB_query ("INSERT INTO {$_TABLES['users']} ($fields) VALUES ($values)");
+// rac - function to log POST for new users
+ $errmsg = '';
+ $errmsg = 'SERVER Vars -- ';
+ foreach ($_SERVER as $key => $value) { $errmsg .= $key . " -> " . $value . "n"; }
+ $errmsg .= 'POST Vars -- ';
+ foreach ($_POST as $key => $value) { $errmsg .= $key . " -> " . $value . "n"; }
+ COM_accessLog ("New User Entry:n $errmsg");
+// end of POST logger
$uid = DB_getItem ($_TABLES['users'], 'uid', "username = '$username'");
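Review bot: the `"n"` in both foreach lines and in `COM_accessLog ("New User Entry:n $errmsg")` lacks its backslash, so as displayed the whole dump lands in access.log as one line with literal `n` separators; restore `"\n"` (the backslash was most likely stripped on posting). More importantly, the loop copies every $_POST field, which on this form includes the plaintext `passwd` the user typed, and every $_SERVER field, which includes HTTP_COOKIE carrying the phpBB session id, into the access log in clear; skip or redact those keys before appending. Minor: `$errmsg = '';` is dead because the next line reassigns it, and the added lines are indented one level deeper than the surrounding code.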
Next, the results of the creation log of a bad user, basically just logging all $_SERVER and $_POST variables. This one does contain HTTP_REFERER; therefore, it bypassed the check:
SERVER Vars --
HTTP_HOST -> www.mydomain.com
HTTP_ACCEPT -> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
CONTENT_LENGTH -> 69
CONTENT_TYPE -> application/x-www-form-urlencoded
HTTP_COOKIE -> ni_LastVisit=1157078032; ni_LastVisitTemp=deleted; ni_phpbb2mysql_data=a%3A0%3A%7B%7D; ni_phpbb2mysql_sid=xxxx;
HTTP_COOKIE2 -> $Version=1
HTTP_REFERER -> http://www.mydomain.com/users.php?mode=new
HTTP_USER_AGENT -> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP_ORACLE_ECID -> 1157078090:10.10.10.188:3460:4936:42,0
HTTP_CONNECTION -> close
PATH -> /sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
SERVER_SIGNATURE -> <address>Apache/2.0.53 (Fedora) Server at www.mydomain.com Port 80</address>
SERVER_SOFTWARE -> Apache/2.0.53 (Fedora)
SERVER_NAME -> www.mydomain.com
SERVER_ADDR -> ww.xx.yy.zz (munged for privacy)
SERVER_PORT -> 80
REMOTE_ADDR -> 80.51.234.54
DOCUMENT_ROOT -> /home/mydomain/geeklog/public_html
SERVER_ADMIN -> webmaster@mydomain.com
SCRIPT_FILENAME -> /home/mydomain/geeklog/public_html/users.php
REMOTE_PORT -> 4134
GATEWAY_INTERFACE -> CGI/1.1
SERVER_PROTOCOL -> HTTP/1.1
REQUEST_METHOD -> POST
QUERY_STRING ->
REQUEST_URI -> /users.php
SCRIPT_NAME -> /users.php
PHP_SELF -> /users.php
PATH_TRANSLATED -> /home/mydomain/geeklog/public_html/users.php
argv -> Array
argc -> 0
POST Vars --
username -> gfdre%40hotmail.com
email -> gfdre@hotmail.com
mode -> create
I'm dealing with two distinct domains that have nothing more to do with each other than being hosted on the same physical machine. On the first one, the HTTP_REFERER check works like a charm; I get these entries in errorLog:
Thu Aug 31 06:24:09 2006 - ERROR: User creation error. Invalid referer in request. User: 'bhha2w', email: 'bhha2w@mistacronks.com', full name: '', password (md5): '', regdate: '2006-08-31 06:24:09'
Thu Aug 31 18:18:26 2006 - ERROR: User creation error. Invalid referer in request. User: 'b16a4s', email: 'b16a4s@mistacronks.com', full name: '', password (md5): '', regdate: '2006-08-31 18:18:26'
On the second domain, user creation attempts:
1) contain HTTP_REFERER, which means it's either being spoofed or the script is actually visiting the page first to load the correct referer;
2) don't fill entries correctly in PhpBBBridge; I had to hack the delete function in the Bridge to allow me to delete users from GL that don't have valid phpBB accounts.
I noticed a strange entry in the above $_SERVER variable log: HTTP_ORACLE_ECID. I'm not running Oracle, and I'm not on a 10.x.x.x subnet, so I'm guessing this originates from the client/script...?
I hope this info will be useful to someone besides me...
I think what I'm going to work on this weekend is a hack to allow blacklisting domains/regex on registration.
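As an added example (my own code, not Geeklog's and not the poster's hack), here is how the planned domain/regex blacklisting, a same-host Referer check, and a request dump that leaves the password and cookies out of the log could look as helpers that a USER_createAccount hack calls before the INSERT. The function names, the blocklist contents and the sample request are assumptions constructed for the example; it sticks to PHP of that era (array() syntax, no closures).

```php
<?php
// Added example, not Geeklog code. Hypothetical helpers that a
// USER_createAccount hack could call to screen a registration before the
// INSERT. The blocklist and the sample request below are constructed.

// Constructed blocklist built from the domains named in the post.
$BLOCKED_EMAIL_DOMAINS = array('mistacronks.com', 'gawab.com', 'mail.ru', 'cashette.com');
// Regexes applied to the whole address, e.g. to catch subdomains too.
$BLOCKED_EMAIL_PATTERNS = array('/@([a-z0-9-]+\.)*mistacronks\.com$/i');

// True when the address should be refused: no '@', a blocked domain,
// or a match against one of the regexes.
function reg_email_is_blocked($email, $domains, $patterns)
{
    $email = strtolower(trim($email));
    $at = strrpos($email, '@');
    if ($at === false) {
        return true;
    }
    $domain = substr($email, $at + 1);
    if (in_array($domain, $domains)) {
        return true;
    }
    foreach ($patterns as $re) {
        if (preg_match($re, $email)) {
            return true;
        }
    }
    return false;
}

// The bot registrations in the post carry the URL-encoded address as the
// username (gfdre%40hotmail.com); a real form submission arrives decoded.
function reg_username_looks_encoded($username)
{
    return preg_match('/%[0-9a-f]{2}/i', $username) === 1;
}

// Referer is client-supplied and easily forged (the second log in the post
// shows a script sending the right one), so only require that it names this
// host, and treat the result as one signal among several, not a gate.
function reg_referer_is_local($referer, $siteHost)
{
    if ($referer == '') {
        return false;
    }
    $parts = @parse_url($referer);
    if (!is_array($parts) || empty($parts['host'])) {
        return false;
    }
    return strcasecmp($parts['host'], $siteHost) == 0;
}

// Same shape of dump as the post's logger, but the submitted password and
// the session cookies never reach the log.
function reg_build_log_entry($server, $post)
{
    $hide = array('passwd', 'passwd_conf', 'HTTP_COOKIE', 'HTTP_COOKIE2');
    $lines = array();
    foreach (array('SERVER' => $server, 'POST' => $post) as $label => $vars) {
        $lines[] = "$label Vars --";
        foreach ($vars as $key => $value) {
            $shown = in_array($key, $hide) ? '[redacted]' : $value;
            $lines[] = "$key -> $shown";
        }
    }
    return implode("\n", $lines);
}

// Constructed request resembling the one logged in the post.
$server = array(
    'HTTP_REFERER' => 'http://www.mydomain.com/users.php?mode=new',
    'HTTP_COOKIE'  => 'ni_phpbb2mysql_sid=xxxx',
    'REMOTE_ADDR'  => '80.51.234.54',
);
$post = array(
    'username' => 'gfdre%40hotmail.com',
    'email'    => 'b16a4s@mistacronks.com',
    'passwd'   => 'hunter2',
    'mode'     => 'create',
);

$reasons = array();
if (reg_email_is_blocked($post['email'], $BLOCKED_EMAIL_DOMAINS, $BLOCKED_EMAIL_PATTERNS)) {
    $reasons[] = 'blocked email domain';
}
if (reg_username_looks_encoded($post['username'])) {
    $reasons[] = 'URL-encoded username';
}
$ref = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
if (!reg_referer_is_local($ref, 'www.mydomain.com')) {
    $reasons[] = 'missing or foreign referer';
}

echo reg_build_log_entry($server, $post), "\n";
// In the real hook this is where the hack would COM_errorLog and exit
// instead of falling through to the INSERT.
echo count($reasons) ? 'REJECT: ' . implode(', ', $reasons) : 'ACCEPT', "\n";
```

With the constructed request the email domain and the encoded username both trip, while the forged-but-correct Referer passes, which is the point: the Referer alone would have let this one through, as the post's second log shows.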