Crazy Amount of Fake Registrations Despite Q&A, Recaptcha, and Vertical Icons

Started by own3mall, December 14, 2014, 02:43:44 PM


own3mall

Hey Guys,

Over the past three days, I've been getting a crazy amount of forum registrations on multiple different SMF version 1.1.20 forums that I run.  My forums are typically dead anyways, but there is some good information on a few of them. 

My forum runs Recaptcha, NotCaptcha (vertical icon placement test), and even has questions that must be answered during registration.  Is there a new exploit out for SMF 1.1.20 that bypasses the registration process?  Surely, a bot couldn't beat these three different methods?  I have these forums on lockdown?  All accounts have to be approved by an admin anyways, but I can't deal with the hundreds of emails flooding my inbox telling me a new person has registered.

Any idea what might be the cause? 

Here's one of my least busy forums where they are registering like crazy.

http://forums.uhost4free.com/index.php?action=register

margarett

If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

own3mall


margarett

Captcha is pretty much useless against bots. Q&A are effective but, as stated in those topics, are shared in bot databases. So you need to have, e.g., 3 out of 10 questions and change them often enough; it's less likely that your questions get logged and known ;)

own3mall

Quote from: margarett on December 14, 2014, 05:13:44 PM
Captcha is pretty much useless against bots. Q&A are effective but, as stated in those topics, are shared in bot databases. So you need to have, e.g., 3 out of 10 questions and change them often enough; it's less likely that your questions get logged and known ;)

I'm starting to think it must be an exploit that bypasses registration completely.  I changed all of my questions and made sure there were five of them.  Within a few minutes, the signups just continued as if nothing happened. 

:(

Only thing I've seen work so far is that Key Captcha stuff.  Maybe my DB has been hacked.  I'll change the password.


Arantor

The behaviour you are seeing with respect to the questions... this is completely consistent with what we have been seeing. The spammers are sharing the answers to questions - so it only takes a human to answer the questions, and the answers are shared to a database that *all* the bots can pull from.

own3mall

With the new Google API for recaptcha, I've had zero signups so far.  Back to normal :D

vbgamer45

Send a ping to the original author; I would like to see it updated if it is better. But who knows for how long.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store
SMF Classifieds
Ad Seller Pro

own3mall

I did. He said he would look into updating it. In the meantime, I put together an updated package of it and tested it on SMF 2 and 1.2. It appears to work. If I have his permission, I will release the package I created temporarily in case anyone needs it immediately like I did.


own3mall

I noticed that shortly after implementing the new Google Anti-Captcha, all of my forums' (I run three different instances of SMF) Settings.php files were completely emptied somehow. Is this a new vulnerability in SMF 1.1.20? I have no idea how they could empty the Settings.php file...

Arantor



Arantor


own3mall

Quote from: Arantor on December 29, 2014, 10:00:02 PM
Upgrade to 2.0.

Is there a better solution?  I can't upgrade to 2.0.  My custom edited themes are NOT compatible with 2.0.x. 

Kindred

Then actually... no, there is not a better solution... 1.1.x has been in sunset mode (only getting security updates) for a while now, and 1.1.x is going to be end of life and will lose ALL support at that point.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

vbgamer45

Quote from: own3mall on December 29, 2014, 10:05:23 PM
Quote from: Arantor on December 29, 2014, 10:00:02 PM
Upgrade to 2.0.

Is there a better solution?  I can't upgrade to 2.0.  My custom edited themes are NOT compatible with 2.0.x. 
You can make your Settings.php read-only.

own3mall

Quote from: Kindred on December 29, 2014, 10:16:50 PM
Then actually... no, there is not a better solution... 1.1.x has been in sunset mode (only getting security updates) for a while now, and 1.1.x is going to be end of life and will lose ALL support at that point.

That's great, but SMF 1.x should be left to die in a working state, which with these bugs I'd say it isn't in a working state.  I would say the empty Settings.php is a security bug that needs to be patched.  I could run chattr +i on the server, but that's lame.  Anyone know why the Settings.php file is emptied?  I could edit the code if I knew what to look for. 

@vbgamer45, I did make it read only... I'll see if that works... but if not, I will have to use chattr...

Kindred

It is actually not really simple to patch 1.1.x, nor do we intend to do so even if it was... as I said, 1.1.1x is sunset already.

It empties because of a race condition: the error status gets written to the Settings.php file when it was already being written to by another error.

For the most part, it's not a common error...
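The race Kindred describes (two error-status updates rewriting Settings.php at the same moment, leaving it empty) is the classic truncate-then-write problem. The following is an added illustration, not SMF's own code, written in Python rather than PHP so it runs stand-alone: `truncating_write` mirrors the risky pattern (open for writing truncates the file before the new contents land, so a concurrent reader or a second writer can observe zero bytes), and `atomic_write` shows the standard mitigation of writing to a temporary file in the same directory and renaming it over the target, which on POSIX is atomic. `stress` is a constructed harness that hammers a throwaway file with several writer threads while a reader polls it; the `$db_error_send` line is only a constructed stand-in for a settings value.

```python
"""Truncating vs. atomic rewrite of a settings file.

Added example (not SMF code). Demonstrates why a file rewritten with
open(path, "w") can be seen empty by a concurrent reader, and how
write-temp-then-rename closes that window. All paths/data are constructed.
"""
import os
import tempfile
import threading


def truncating_write(path: str, data: str) -> None:
    # open(..., "w") truncates the file to zero bytes *before* anything is
    # written; anyone reading or rewriting between truncate and write sees
    # an empty file. This is the pattern that loses the settings file.
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(data)


def atomic_write(path: str, data: str) -> None:
    # Write the full contents to a temp file in the same directory (same
    # filesystem, so rename is a metadata operation), fsync it, then rename
    # over the target. Readers see either the old or the new file, never an
    # empty or half-written one, and two concurrent writers can only race
    # over which complete version wins.
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".settings.", dir=dirname)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic on POSIX
    except BaseException:
        # Do not leave a stray temp file behind on failure.
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise


def stress(writer, path=None, n_writers=3, rounds=100):
    """Run n_writers threads rewriting `path` with `writer` while one reader
    polls it. Returns (empty_reads, final_is_complete_version).
    If path is None a throwaway temp directory is used."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "Settings.php")
    # Constructed stand-ins for the file's contents; one version per writer.
    versions = [f"<?php\n$db_error_send = {i};\n" for i in range(n_writers)]
    atomic_write(path, versions[0])  # seed the file safely
    stop = threading.Event()
    empty_reads = 0

    def reader():
        nonlocal empty_reads
        while not stop.is_set():
            try:
                with open(path, encoding="utf-8") as fh:
                    if fh.read() == "":
                        empty_reads += 1
            except FileNotFoundError:
                empty_reads += 1

    def writer_loop(version):
        for _ in range(rounds):
            writer(path, version)

    t_reader = threading.Thread(target=reader)
    t_reader.start()
    writers = [threading.Thread(target=writer_loop, args=(v,)) for v in versions]
    for t in writers:
        t.start()
    for t in writers:
        t.join()
    stop.set()
    t_reader.join()
    with open(path, encoding="utf-8") as fh:
        final_ok = fh.read() in versions
    return empty_reads, final_ok


if __name__ == "__main__":
    print("truncating_write: empty reads, final ok =", stress(truncating_write))
    print("atomic_write:     empty reads, final ok =", stress(atomic_write))
```

With `atomic_write` the reader never observes an empty file and the final contents are always one complete version; with `truncating_write` the number of empty reads depends on scheduling, which is exactly why the bug is intermittent in practice. The read-only / `chattr +i` workaround mentioned above stops the damaging write entirely, at the cost of the application no longer being able to update its own settings file.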
