Author Topic: SPAM - Bots Bypassing Admin Approval!  (Read 4650 times)

Offline AlkaSeltxer

  • Semi-Newbie
  • *
  • Posts: 55
  • Gender: Male
  • Damn it! Damn it! Damn it!
    • Mongoworks
SPAM - Bots Bypassing Admin Approval!
« on: November 25, 2012, 06:17:39 AM »
The past 3 or 4 weeks I've been having a huge issue with spam bots registering and posting. I installed httpBL, Stop Spammer and Bad Behavior. That stopped them for about two days. Suddenly a few hours ago it started up again. Bots getting through the three mods and spamming the boards. So I set registration to admin approval until I could do some looking around... I go back to the forum and to my amazement the bots were able to "admin approve" themselves and start posting spam again!

CAPTCHA and the questions are set up as well.

My question... Where do I even start looking... Mod related? I have disabled registration for the time being. Kinda curious if they are still able to get in. I'm at a loss.

SMF 2.0.2
w/mods:
Latest TP
Users mass actions 0.1.1
Menu Editor Lite 1.0.5
Add Social Media Icons To Profiles 1.0.7
Treasury 2.10
httpBL 2.5.1
Bad Behavior mod 1.5.13
Ohara YouTube Embed 1.0
BlogBridger 1.1.4
Bookmarks 2.5
SA Facebook 2.0 RC4 Rev58
Stop Spammer 2.3.9
« Last Edit: November 25, 2012, 03:36:15 PM by AlkaSeltxer »
~Josh~
Over 16 keyboards lost to raging.

Offline Storman™

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 2,027
Re: SPAM - Bots Passing Admin Approval!
« Reply #1 on: November 25, 2012, 06:36:51 AM »
You seem to have done all the right things. I have httpBL and Stop Spammer on their own and they stop 99% so I'm not sure what's happening on your forum.

Makes me wonder if BlogBridger has a vulnerability despite registration being in SMF? I know nothing about this bridge though so can't really comment further.
Any Backup method is better than no Backup method....

Offline AlkaSeltxer

Re: SPAM - Bots Passing Admin Approval!
« Reply #2 on: November 25, 2012, 06:46:46 AM »
Quote
You seem to have done all the right things. I have httpBL and Stop Spammer on their own and they stop 99% so I'm not sure what's happening on your forum.

Makes me wonder if BlogBridger has a vulnerability despite registration being in SMF? I know nothing about this bridge though so can't really comment further.

BlogBridger was installed after the fact for the most part, but before I noticed the issue with admin approval being bypassed. I had never used admin approval before this so I couldn't say it wasn't already an issue that I just hadn't had a chance to notice.
~Josh~
Over 16 keyboards lost to raging.

Offline Storman™

Re: SPAM - Bots Passing Admin Approval!
« Reply #3 on: November 25, 2012, 07:08:35 AM »
You could try something like CrawlProtect which gives some protection against code injection attempts.

I take it there's nothing in your SMF error log. A look in the main server/site logs would be interesting if you have access.
Any Backup method is better than no Backup method....

Offline AlkaSeltxer

Re: SPAM - Bots Passing Admin Approval!
« Reply #4 on: November 25, 2012, 01:47:17 PM »
Quote
You could try something like CrawlProtect which gives some protection against code injection attempts.

I take it there's nothing in your SMF error log. A look in the main server/site logs would be interesting if you have access.

I'll look into that.

Right now the bots are still getting accounts to register with registration disabled! It's even sending out Approval Notifications to these new registers.

Error logs are clean, server side and on SMF. As for the general server logs, I wouldn't know where to look. Never needed to. Would they be accessible through cPanel?

Could this be an issue with .htaccess, or a bad chmod on a file?
~Josh~
Over 16 keyboards lost to raging.
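
An added example (not part of the original thread): one way to act on the suggestion to check the main server logs, as a Python script that pulls registration and activation requests out of an Apache access log. It assumes the Apache combined log format and SMF's stock `action=register`, `action=register2` and `action=activate` URLs; the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed stock SMF 2.0 account-creation actions (not quoted from the thread).
WATCHED = {"register", "register2", "activate"}

# Apache "combined" format: ip - user [time] "METHOD url PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines using documentation-only IP ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2012:06:01:12 +0000] "GET /forum/index.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Nov/2012:06:01:14 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Nov/2012:06:01:20 +0000] "POST /forum/index.php?action=register2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Nov/2012:06:02:00 +0000] "GET /forum/index.php?action=activate;u=101;code=abc HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [25/Nov/2012:06:03:00 +0000] "GET /forum/index.php?topic=5.0 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

def registration_hits(lines):
    """Yield (ip, time, method, script, action, status) for watched requests."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m["url"])
        # SMF separates query parameters with ';' as well as '&'.
        query = parse_qs(parts.query.replace(";", "&"))
        action = query.get("action", [""])[0].lower()
        if action in WATCHED:
            yield (m["ip"], m["time"], m["method"], parts.path,
                   action, int(m["status"]))

def summarize(lines):
    """Count watched requests per (ip, method, action), most frequent first."""
    counts = Counter(
        (ip, method, action)
        for ip, _, method, _, action, _ in registration_hits(lines)
    )
    return counts.most_common()

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG):
        print(n, *key)
```

Requests that reach these actions while registration is disabled, or that arrive through a script other than the forum's `index.php`, are the ones to trace further.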

Offline Storman™

Re: SPAM - Bots Passing Admin Approval!
« Reply #5 on: November 25, 2012, 01:55:45 PM »
Quote
Could this be an issue with .htaccess, or a bad chmod on a file?

Maybe...but don't think that's the issue.

CrawlProtect will actually analyse the chmod on all your files and folders and tell you if they are set incorrectly. It will also create a secure htaccess.

To be honest the reason for your issue is hard to ascertain without actually taking a look at your setup, in theory it sounds like you've done all the right things.

Any Backup method is better than no Backup method....

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 55,119
  • Gender: Male
    • Kindred-999 on GitHub
Re: SPAM - Bots Passing Admin Approval!
« Reply #6 on: November 25, 2012, 02:02:08 PM »
I bet it has to do with the Facebook integration. Deactivate that.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline AlkaSeltxer

Re: SPAM - Bots Passing Admin Approval!
« Reply #7 on: November 25, 2012, 02:27:58 PM »
Quote
I bet it has to do with the Facebook integration. Deactivate that.

Ehh, don't want to, but I'll try anything at this point.

Side note: I went through and did a clean file install of the forums, no change. I'll try killing Facebook integration.
~Josh~
Over 16 keyboards lost to raging.

Offline Kindred

Re: SPAM - Bots Passing Admin Approval!
« Reply #8 on: November 25, 2012, 02:35:01 PM »
If there are users in the pending activation queue, then they can still ACTIVATE the accounts after you turn off registration.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline AlkaSeltxer

Re: SPAM - Bots Passing Admin Approval!
« Reply #9 on: November 25, 2012, 02:39:46 PM »
Quote
If there are users in the pending activation queue, then they can still ACTIVATE the accounts after you turn off registration.

Nada, list is and was empty after shutting down the registration, also when setting it to admin approval.
~Josh~
Over 16 keyboards lost to raging.

Offline AlkaSeltxer

Re: SPAM - Bots Passing Admin Approval!
« Reply #10 on: November 25, 2012, 03:01:20 PM »
Quote
I bet it has to do with the Facebook integration. Deactivate that.

Didn't change a thing.
~Josh~
Over 16 keyboards lost to raging.

Offline busterone

  • SMF Hero
  • ******
  • Posts: 2,150
  • Gender: Male
  • Devil Dog
    • The Demon's Den
Re: SPAM - Bots Bypassing Admin Approval!
« Reply #11 on: November 25, 2012, 05:42:37 PM »
Double check all your membergroup permissions. You possibly have a permissions issue somewhere that is allowing them to admin approve themselves. 
It is possible that you accidentally set wrong primary or secondary permission level using the Users mass actions mod.

Offline AlkaSeltxer

Re: SPAM - Bots Bypassing Admin Approval!
« Reply #12 on: November 25, 2012, 08:29:43 PM »
Quote
Double check all your membergroup permissions. You possibly have a permissions issue somewhere that is allowing them to admin approve themselves.
It is possible that you accidentally set wrong primary or secondary permission level using the Users mass actions mod.

As far as I can tell, memgroups looks ok...
~Josh~
Over 16 keyboards lost to raging.

Offline Sir Osis of Liver

  • SMF Hero
  • ******
  • Posts: 7,107
  • 'Tis the gift to be simple
Re: SPAM - Bots Bypassing Admin Approval!
« Reply #13 on: November 25, 2012, 08:49:21 PM »
Quote
Side note: I went through and did a clean file install of the forums, no change. I'll try killing Facebook integration.

Did you delete all forum files, and verify that all were gone, before reinstalling it?


Offline busterone

Re: SPAM - Bots Bypassing Admin Approval!
« Reply #14 on: November 25, 2012, 09:30:47 PM »
That was my next question as well. There may be a rogue file that they are using to gain access.

MrPhil

  • Guest
Re: SPAM - Bots Bypassing Admin Approval!
« Reply #15 on: November 25, 2012, 09:41:37 PM »
Perhaps they have obtained one or more of your passwords, and are simply directly signing on as the Admin? If you haven't done so already, do a thorough spyware/virus scan of all PCs you use to access the site. Once they're clean, change every password in sight: SMF admin account, FTP, host site access, perhaps even the database password.

Offline AlkaSeltxer

Re: SPAM - Bots Bypassing Admin Approval!
« Reply #16 on: November 26, 2012, 04:31:39 PM »
Things, so far, seem to be ok now. Here's what I did...

Changed MySQL password.
Changed all admin account passwords after all admins ran a virus scan as mentioned, serverside as well.
Installed the KeyCAPTCHA mod.
Added CrawlProtect.

So far, there have not been any new spam accounts created, or been attempted to be created. Since I'm not sure if this is just an attack lull, I'm not ready to mark as solved just yet. Going to give it a week and see what happens.

Not sure which did the trick if this isn't a lull, I would have tried each individually if I had the time.

Thanks to all for the suggestions and help.
~Josh~
Over 16 keyboards lost to raging.