Welcome to Geeklog, Anonymous Thursday, March 28 2024 @ 10:11 am EDT

Geeklog Forums

strange users registering on my site


garfy

Forum User
Full Member
Registered: 01/02/05
Posts: 437
Location:EU
I am not sure what is happening

users like this are registering on my site

hlpx7h@mistacronks.com
pjy56@mistacronks.com

Are these spammers?

They do not post any comments for now, but I wonder why I have around 10 such users from mistacronks.com.

TechnoHippie

Anonymous
I've posted a bit of info about the current round of attacks at http://technohippie.com/geeklog/public_html/article.php?story=20060825101819593 that might help you sort this out. Be sure to read the comments.

pax, TechnoHippie

garfy

Forum User
Full Member
Registered: 01/02/05
Posts: 437
Location:EU
Hi

It was me who posted the comment on your site.

How did they upload the c99.php?

How is that possible, and where is the file exactly?

TechnoHippie

Anonymous
Quote by garfy: Hi

It was me who posted the comment on your site.

How did they upload the c99.php?

How is that possible, and where is the file exactly?


Hi garfy, I've added to the post and there's an interesting flash demo of how the hack is done posted as well. Check your spamx plugin folder in the GL root directory. That's where I found it on my server.

HTH,
TechnoHippie
http://technohippie.com/geeklog/public_html/

Jon

Anonymous
Yeh, mistacronks, mail.ru, cashette.com, gawab.com... the domains these Russian spammers use vary quite a bit. Check for all of these domains in your user lists.

Using spamx, Ban, and Bad Behaviour, I've successfully blocked spams from publicly appearing. Unfortunately they haven't stopped the creation of new user accounts that lie dormant in my list. I presume this is the result of my publicly available new user registration being auto-filled by spam bots.

So I took matters into my own hands.

This could probably be done with a custom registration form properly, but in a rush and a bit confused, I simply hacked the users.php code and adjusted my templates as follows:

In registrationform.thtml I added an extra field below the user name and e-mail address.

<td align="right"><BR><BR><IMG SRC="mysitedotcom/images/fiveplusfive.jpg" border=0><BR><b>in CAPITAL LETTERS:</b><BR><BR></td>
<td><input type="text" size="16" maxlength="16" name="botcheck"></td>

Note the name of the new field, botcheck. The image is a simple math question, shown as one of those screwy text verification images. The answer is TEN.

Next, in users.php.

function createuser ($username, $email)

is replaced with:

function createuser ($username, $email, $botcheck)

then after

$email = trim ($email);

add

$botcheck = trim ($botcheck);

(This above step actually could be skipped, but I'm using text, so why not.)

Directly under that you will see:

if (COM_isEmail ($email) && !empty ($username)) {

Replace it with:

if (COM_isEmail ($email) && !empty ($username) && $botcheck == 'TEN') {

Change TEN to whatever text you want your user to type in to verify they are human.

Under:

$msg = $LANG04[18]; // invalid email address
}

Add:

if ($botcheck != 'TEN') {
    $msg = 'The trivia question must be answered to verify you are human.'; // botcheck failed
}

Again, this TEN must match the word you've chosen for a human to verify themselves.

That's it! I did this, and boom - not a single spam user created since. Humans have no problems. Obviously you will have to use an image that asks the user to enter the verification text you've chosen. See mine at rewindvideo(dot)calm.

Important notes:

1) Backup your original users.php before uploading the hacked one.
2) This isn't flawless: an incorrect username or e-mail returns a blank page instead of a proper error code. I haven't had the chance to fix that.
3) This ain't no snazzy encrypted security system, it's just a lil' something to confuse a simple submission bot. Use at your own risk.
4) I'm no PHP expert, I just threw this together. Hopefully it's a starting ground for a better coder.

Improvements are welcome! I'm thinking about making this into a proper plug-in sometime that can support randomly selected questions stored in a GL table. We'll see.


Jon

TechnoHippie

Anonymous
Quote by Jon: Yeh, mistacronks <snip> I simply hacked the users.php code and adjusted my templates <snip> We'll see.


This is what I've been looking for since I read all the trouble folks are having with the GL Captcha plugin. I didn't bother ... waiting for something less buggy. I don't trust buggy. I don't use a custom registration and my new user chooses the password.

Another thing I thought about doing was moderating the signups ... the problem is that the c99.php shell script works around authentication. I don't have trouble with typical spam that we've all grown to know and love. It's the excrement from the Captain Crunch Team over at ccteam.ru

This relates back to the last posted exploit that inspired the newest version of Geeklog. The fix was too late because the tunnels were already dug on the ports. I missed some red flags early on and the sleeper woke up. Their site is fairly new and they uploaded the shell script in early July before the patch was offered ... I didn't find it until a few days ago after all my trouble started. It's all good for now. *big smile*

garfy

Forum User
Full Member
Registered: 01/02/05
Posts: 437
Location:EU
Isn't there an option that the admin should confirm the activation of each account?

That would be the best, I think.

These users are like a plague.

I get 5 of them each day. Do you think that is a spam bot, or is a human doing it?

jmucchiello

Forum User
Full Member
Registered: 08/29/05
Posts: 985
There are a bunch of responses to this problem. This was mine. There are several others if you search the forums.

Jon

Anonymous
Quote by garfy: Isn't there an option that the admin should confirm the activation of each account?

That would be the best, I think.

These users are like a plague.

I get 5 of them each day. Do you think that is a spam bot, or is a human doing it?


Yes, you can moderate user submissions, but a) I don't want to be going in daily determining fake users from real ones every day and b) I want my legit users to be able to begin posting immediately.

My method allows that. And yes, your five or so a day are likely bots.

Jon

Anonymous
the problem is that the c99.php shell script works around authentication


A shell script could get around just about anything. The only defense against this I suppose is to run a tight ship, keep your software up to date, and check back here frequently to see what other users have been dealing with. I wonder if these shell scripts have anything in common that could be detectable, say with a daily scan of newly uploaded php files. Food for thought.
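Jon's idea of a daily scan for newly uploaded PHP files, as an added example that is not code from this thread or from Geeklog: it records a baseline of every .php file's hash under the web root and reports files that appear or change afterwards. The web root, file names and contents below are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def php_manifest(webroot):
    """Map relative path -> SHA-256 for every .php file under webroot."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in root.rglob("*.php")
        if p.is_file()
    }


def compare_to_baseline(baseline, current):
    """Classify current files as added, changed or missing versus the baseline."""
    added = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current
                     if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    return {"added": added, "changed": changed, "missing": missing}


def demo():
    """Constructed scenario: baseline a tiny web root, then simulate an
    upload into plugins/spamx (where TechnoHippie found c99.php) and an
    edit of users.php after the baseline was taken."""
    root = Path(tempfile.mkdtemp(prefix="glroot-"))
    (root / "plugins" / "spamx").mkdir(parents=True)
    (root / "users.php").write_text("<?php // stand-in for users.php\n")
    (root / "plugins" / "spamx" / "functions.inc.php").write_text("<?php // plugin\n")
    baseline = php_manifest(root)   # recorded right after a clean install
    (root / "plugins" / "spamx" / "c99.php").write_text("<?php // unexpected\n")
    (root / "users.php").write_text("<?php // modified after baseline\n")
    return compare_to_baseline(baseline, php_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline dict is written to a file outside the web root after each install or upgrade, and the comparison runs from cron so an unexpected script shows up the next morning rather than weeks later.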

racooper

Forum User
Junior
Registered: 03/13/04
Posts: 24
I've been getting a lot of mistacronks, xxxxx%40hotmail.com, gawab, mail.ru and cashette.com registrations recently, as well. I did two hacks to system/lib-user.php to first log all user creations, then block some of them based on the logging. First, the patch to lib-user.php function USER_createAccount (this is on 1.3.11sr7-1); logs new user creation to COM_accessLog and records in COM_errorLog those creation attempts that do not contain HTTP_REFERER:

Text Formatted Code
--- lib-user.php.orig   2005-10-03 12:27:16.000000000 -0500
+++ lib-user.php        2006-08-30 21:17:50.000000000 -0500
@@ -231,6 +231,18 @@
         $values .= ",'$homepage'";
     }
 
+// rac - update to catch attempts to bypass new user submission form
+if (!$_SERVER['HTTP_REFERER']) {
+    $errval = COM_siteHeader ('menu')
+            . COM_errorLog("ERROR: User creation error.  Please visit the <a href="/users.php">User Page</a> to login.", 2)
+            . COM_siteFooter ();
+    COM_errorLog("ERROR: User creation error.  Invalid referer in request. User: '$username', email: '$email', full name: '$fullname', password (md5): '$passwd', regdate: '$regdate'",1);
+    echo $errval;
+    exit;
+}
+// end referer check
+
+
     // if user submission queue is active and the current user is not a
     // User Admin, then we may have to add the new user to the submission queue
     if (($_CONF['usersubmission'] == 1) && !SEC_hasRights ('user.edit')) {
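Review bot: the string passed to COM_errorLog at `+            . COM_errorLog("ERROR: User creation error.  Please visit the <a href="/users.php">User Page</a> to login.", 2)` will not parse, because the unescaped inner quotes around /users.php terminate the PHP string; escape them as `<a href=\"/users.php\">` or switch the outer quotes to single quotes. The test `if (!$_SERVER['HTTP_REFERER'])` also raises an undefined-index notice exactly when the header is absent, which is the case it is meant to catch; `empty($_SERVER['HTTP_REFERER'])` is the safe form. Finally, the second COM_errorLog writes the submitted email and password hash into error.log for every rejected request; username plus REMOTE_ADDR is enough to investigate and keeps credential material out of the error log.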
@@ -254,6 +266,14 @@
     }
 
     DB_query ("INSERT INTO {$_TABLES['users']} ($fields) VALUES ($values)");
+// rac - function to log POST for new users
+    $errmsg = '';
+    $errmsg = 'SERVER Vars -- ';
+    foreach ($_SERVER as $key => $value) { $errmsg .=  $key . " -> " . $value . "n"; }
+    $errmsg .= 'POST Vars -- ';
+    foreach ($_POST as $key => $value) { $errmsg .=  $key . " -> " . $value . "n"; }
+    COM_accessLog ("New User Entry:n $errmsg");
+// end of POST logger
 
     $uid = DB_getItem ($_TABLES['users'], 'uid', "username = '$username'");
 
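Review bot: `"n"` in both foreach lines should be `"\n"`; as written the separator is a literal n and every variable runs together on one line of access.log. The larger concern is what gets logged: dumping all of $_SERVER writes HTTP_COOKIE (live session cookies, as the sample output further down shows) and dumping all of $_POST would capture a user-chosen password on installs that allow one. Skip those keys, or log only the fields the check actually needs (username, email, REMOTE_ADDR, HTTP_REFERER, HTTP_USER_AGENT). The first `$errmsg = '';` is overwritten on the next line and can be dropped.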


Next, the results of the creation log of a bad user, basically just logging all $_SERVER and $_POST variables. This one does contain HTTP_REFERER; therefore, it bypassed the check:

Text Formatted Code
SERVER Vars --
HTTP_HOST -> www.mydomain.com
HTTP_ACCEPT -> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
CONTENT_LENGTH -> 69
CONTENT_TYPE -> application/x-www-form-urlencoded
HTTP_COOKIE -> ni_LastVisit=1157078032; ni_LastVisitTemp=deleted; ni_phpbb2mysql_data=a%3A0%3A%7B%7D; ni_phpbb2mysql_sid=xxxx;
HTTP_COOKIE2 -> $Version=1
HTTP_REFERER -> http://www.mydomain.com/users.php?mode=new
HTTP_USER_AGENT -> Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP_ORACLE_ECID -> 1157078090:10.10.10.188:3460:4936:42,0
HTTP_CONNECTION -> close
PATH -> /sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin
SERVER_SIGNATURE -> <address>Apache/2.0.53 (Fedora) Server at www.mydomain.com Port 80</address>

SERVER_SOFTWARE -> Apache/2.0.53 (Fedora)
SERVER_NAME -> www.mydomain.com
SERVER_ADDR -> ww.xx.yy.zz <i>munged for privacy</i>
SERVER_PORT -> 80
REMOTE_ADDR -> 80.51.234.54
DOCUMENT_ROOT -> /home/mydomain/geeklog/public_html
SERVER_ADMIN -> webmaster@mydomain.com
SCRIPT_FILENAME -> /home/mydomain/geeklog/public_html/users.php
REMOTE_PORT -> 4134
GATEWAY_INTERFACE -> CGI/1.1
SERVER_PROTOCOL -> HTTP/1.1
REQUEST_METHOD -> POST
QUERY_STRING ->
REQUEST_URI -> /users.php
SCRIPT_NAME -> /users.php
PHP_SELF -> /users.php
PATH_TRANSLATED -> /home/mydomain/geeklog/public_html/users.php
argv -> Array
argc -> 0

POST Vars --
username -> gfdre%40hotmail.com
email -> gfdre@hotmail.com
mode -> create
 


I'm dealing with two distinct domains that have nothing more to do with each other than being hosted on the same physical machine. On the first one, the HTTP_REFERER check works like a charm; I get these entries in errorLog:
Text Formatted Code
Thu Aug 31 06:24:09 2006 - ERROR: User creation error.  Invalid referer in request. User: 'bhha2w', email: 'bhha2w@mistacronks.com', full name: '', password (md5): '', regdate: '2006-08-31 06:24:09'
Thu Aug 31 18:18:26 2006 - ERROR: User creation error.  Invalid referer in request. User: 'b16a4s', email: 'b16a4s@mistacronks.com', full name: '', password (md5): '', regdate: '2006-08-31 18:18:26'
 


On the second domain, user creation attempts:
1) contain HTTP_REFERER, which means it's either being spoofed or the script is actually visiting the page first to load the correct referer;
2) Don't fill entries correctly in PhpBBBridge; I had to hack the delete function in the Bridge to allow me to delete users from GL that don't have valid phpBB accounts.

I noticed a strange entry in the above $_SERVER variable log: HTTP_ORACLE_ECID. I'm not running Oracle, and I'm not on a 10.x.x.x subnet, so I'm guessing this originates from the client/script....?

I hope this info will be useful to someone besides me....

I think what I'm going to work on this weekend is a hack to allow blacklisting domains/regex on registration.

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Just a note: Instead of hacking users.php, all these checks could be implemented using the custom registration API.

bye, Dirk

racooper

Forum User
Junior
Registered: 03/13/04
Posts: 24
OK...I have the start for domain blacklist code. I'm still working in lib-user.php; I want the code working before I start trying to figure out custom user functionality....

Anyway, I need some advice. Here's my code:

Text Formatted Code

// implement blacklisting of domains
// explode() does the same job as split(), which later PHP versions drop
list($mailUser, $mailDomain) = explode('@', strtolower($email), 2);
// escape the user-supplied domain before it is interpolated into the query
$mailDomain = addslashes($mailDomain);
if ($testDomain = DB_getItem($_TABLES['subscribe_bl'], '*', "domain LIKE '$mailDomain'")) {
    // the inner quotes around /users.php must be escaped inside a double-quoted string
    $errval = COM_siteHeader ('menu')
            . COM_errorLog("ERROR: User creation error (INVALIDDOMAIN).  Please visit the <a href=\"/users.php\">User Page</a> to login.", 2)
            . COM_siteFooter ();
    COM_errorLog("ERROR: User creation error.  Domain blacklisted. User: '$username', email: '$email', full name: '$fullname', password (md5): '$passwd', regdate: '$regdate'",1);
    echo $errval;
    exit;
}
// End of blacklist code

 


Also available at: http://www.spywarefix.org/pastebin/pastebin.php?show=4

My problem is that I'm a bit weak on my SQL....I'm having trouble figuring out how to query against wildcards or substrings in the domain. If I can get this straightened out, I'll add username blacklisting too.

Derek: I'll try to implement this into custom user registration once I get it all working....
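An added example (not racooper's code, nor Geeklog's) answering the wildcard question: put the stored pattern on the right-hand side of LIKE, so '%' and '_' live in the blacklist rows rather than in the query, and bind the user-supplied domain as a parameter so it cannot change the query. It uses Python's sqlite3 in place of Geeklog's DB_ layer; the table name subscribe_bl is from the post, the sample patterns are constructed.

```python
import sqlite3

# Constructed sample rows for subscribe_bl, written in SQL LIKE syntax:
# '%' matches any run of characters, '_' exactly one character.
SAMPLE_BLACKLIST = [
    "mistacronks.com",   # exact domain
    "mail.ru",           # exact domain ...
    "%.mail.ru",         # ... plus any subdomain of it
    "cashette.%",        # cashette.com, cashette.net, ...
    "%gawab%",           # substring anywhere in the domain
]


def open_blacklist_db(patterns=SAMPLE_BLACKLIST):
    """In-memory table shaped like racooper's subscribe_bl."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribe_bl (domain TEXT NOT NULL)")
    conn.executemany("INSERT INTO subscribe_bl (domain) VALUES (?)",
                     [(p,) for p in patterns])
    return conn


def mail_domain(email):
    """Lower-cased part after the last '@', or None if there is no '@'."""
    email = email.strip().lower()
    if "@" not in email:
        return None
    return email.rsplit("@", 1)[1]


def matched_pattern(conn, email):
    """Return the blacklist pattern matching the address's domain, or None.

    The column sits on the right of LIKE, so each stored row acts as the
    pattern and the submitted domain is the value being tested.  The domain
    is bound as a parameter, never interpolated into the SQL text.
    """
    domain = mail_domain(email)
    if domain is None:
        return None
    row = conn.execute(
        "SELECT domain FROM subscribe_bl WHERE ? LIKE domain LIMIT 1",
        (domain,),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_blacklist_db()
    for addr in ("hlpx7h@mistacronks.com", "someone@smtp.mail.ru",
                 "real.person@example.org"):
        print(addr, "->", matched_pattern(db, addr))
```

The same query works in MySQL (`WHERE '$mailDomain' LIKE domain` with the value escaped, or bound via a prepared statement), and a username blacklist is the same shape with a second table.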

viasoul

Forum User
Chatty
Registered: 10/28/05
Posts: 37
I installed (Geeklog CAPTCHA Implementation v0.4) and tried to make it work. But all I can surmise is that I don't have ImageMagick installed because I get a broken image on the registration form. I followed the instructions to the tee.

I really need help with this. I'm getting the same stuff from mistacronks.com.

Please somebody help me if you can.

mevans

Forum User
Full Member
Registered: 02/08/04
Posts: 393
Location:Texas
viasoul,

The CAPTCHA implementation has the option to use the GD libs or ImageMagick; have you tried both? Also, you can turn on the debug (all of this is in the README) when using ImageMagick and it will log the ImageMagick command to your error.log file. If you have shell access to your server, you can run it by hand and see if there are any problems.

If you are still having issues, I'll be happy to take a closer look at your system, you can contact me offline at mevans0263@gmail.com if you wish.

Thanks!
Mark

geiss

Forum User
Full Member
Registered: 02/10/04
Posts: 176
Location:Boise, Idaho
Consider this a bump, but I have an added comment and 2 questions.

When we had GL 1.3.8 implemented on our site, I hacked the new user confirmation email to EXCLUDE the username and password field (Gaming clan, we audition new recruits). Since then I have upgraded to GL 1.3.11sr5 (and yes, after reviewing this issue, I will upgrade to 1.3.11sr7-1, just to be up to date), and it seems that my hack has been overwritten. I still have my custom added text which resides in the english.php file, but the login and pw fields are back. I did some digging and again applied the exclusion hack to /system/lib-user.php by just commenting out the lines that contain $username and $passwd in function USER_createAndSendPassword. This way, the new user gets an email with further instructions, but no login info. Hope this hack helps someone. YMMV

Now, for my questions:

1- Does this c99.php file bypass all of the new user registration stuff, or does the script seem to rely on information provided in a confirmation email? Time will tell as we'll see if I get any more new user registrations from the above mentioned spammer domains, unless anyone knows otherwise.

2- Is this particular attack being executed on more than one version of GL? Like I said before, I have one site running GL 1.3.11sr5 that was compromised, and two other sites running GL 1.4.0sr5-1 that (so far) are ok. ...but I think new user registration is turned off on both of those!

Synergy - Stability - Style --- Visit us at glfusion.org

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by geiss: This way, the new user gets an email with further instructions, but no login info. Hope this hack helps someone.

A much easier solution is to use the built-in "welcome email hack". I would have pointed you to the wiki page explaining it, but since it's down at the moment ... Anyway, you can have a customized welcome email in a file that Geeklog will then send out instead of the standard text. No need to change any core files.


Quote by geiss: 2- Is this particular attack being executed on more than one version of GL?

You'll need to upload that c99.php file first. There were two vulnerabilities in Geeklog which let you upload arbitrary files. Both have been fixed of course in the most recent releases.

bye, Dirk

viasoul

Forum User
Chatty
Registered: 10/28/05
Posts: 37
mevans,

Thanks man. I'll contact you asap.

But for the record this is what I set the captcha.php file to:
Text Formatted Code
/* --- Configuration Settings --- */

$gfxFormat = "jpg";             // png or jpg
$gfxDriver = 0;                 // 0=GD 1=ImageMagick
$gfxPath   = "/usr/local/bin/convert";  // Full path to ImageMagick convert utility
$debug     = 0;         // 0=off 1=verbose logging
 


I'm running MediaGallery by using GD libs so this is the reason I thought these settings would work. Am I missing something?

Again, this issue was that signup form had a broken image rendering the form useless since no one could enter the image's information.

Bear with me here, I'm a total idiot when it comes to this kind of stuff. I'm just an interface designer who was lucky enough to stumble into GL. Now I need my hand held every time something goes wrong. Sorry.


chjabu

Forum User
Newbie
Registered: 11/13/03
Posts: 3
FYI - I installed Dirk's Bad Behavior plugin and that stopped the Mistacronks gang from adding new users to my system
basics4mac.com

garfy

Forum User
Full Member
Registered: 01/02/05
Posts: 437
Location:EU
Quote by chjabu: FYI - I installed Dirk's Bad Behavior plugin and that stopped the Mistacronks gang from adding new users to my system


But where is it?

Where can I download it?

And can a confirmation code be set to type when registering, so the auto spam bots could not register?
