We are seeing more and more new users registering for the board as ADMINISTRATORS. Any ideas?
As a precautionary measure, I updated the STOP Spammer mod and added the reCAPTCHA mod.
Thanks,
Brian
------
SMF 1.1.12
Stop Spammer 2.3.8 (reports 2.3.7)
reCAPTCHA mod (just added)
do you have any groups that inherit permissions? i would disable registration till you can resolve this or your forum may lose control and end up locking you out.
Quote from: Illori on January 07, 2011, 03:23:38 PM
do you have any groups that inherit permissions? i would disable registration till you can resolve this or your forum may lose control and end up locking you out.
I too work with bvsweeney, and did check to see if there are any permissions inherited, but unless I am not looking in the right place, there are none. We possibly need to wait a day or so and see if this happens after BVS did the changes. We do thank you for your quick answer and are glad to work with you when we have issues...
GG>-
We are still seeing spammers subscribing as Admins. Is there a known exploit for this?
there are no known security issues with smf at this time. your best bet is to disable registration until you can review all your permissions and make sure none are leading to admin privileges.
Did you try registering as a new user yourself? Do you get admin access?
If yes and no, then what I'd do is uninstall any mods, download the large upgrade and overwrite your themes and sources files to make sure it's pure SMF 1.1.12 without modifications to see if that fixes it. Don't install any mods during the test period.
Also make sure your PHP files aren't writable to world or group (unless required from outdated server config) and neither are your folders. If PHP is running as CGI you shouldn't need either of them to be readable or writable to anyone but owner.
Quote from: DavidCT on January 17, 2011, 02:58:17 PM
Did you try registering as a new user yourself? Do you get admin access?
If yes and no, then what I'd do is uninstall any mods, download the large upgrade and overwrite your themes and sources files to make sure it's pure SMF 1.1.12 without modifications to see if that fixes it. Don't install any mods during the test period.
Also make sure your PHP files aren't writable to world or group (unless required from outdated server config) and neither are your folders. If PHP is running as CGI you shouldn't need either of them to be readable or writable to anyone but owner.
Yes, I did try registering a new user. My test user did not get admin rights.
Thanks DavidCT for the verbose suggestion. (I needed that.) I will try this right away.
-Brian
Quote from: bvsweeney on January 17, 2011, 03:51:36 PM
Quote from: DavidCT on January 17, 2011, 02:58:17 PM
Did you try registering as a new user yourself? Do you get admin access?
If yes and no, then what I'd do is uninstall any mods, download the large upgrade and overwrite your themes and sources files to make sure it's pure SMF 1.1.12 without modifications to see if that fixes it. Don't install any mods during the test period.
Also make sure your PHP files aren't writable to world or group (unless required from outdated server config) and neither are your folders. If PHP is running as CGI you shouldn't need either of them to be readable or writable to anyone but owner.
Yes, I did try registering a new user. My test user did not get admin rights.
Thanks DavidCT for the verbose suggestion. (I needed that.) I will try this right away.
-Brian
This is Gadgetgeek, I am also an Admin on Brian's board. We have had 2 Admin logons in the last 10 hours.. No IP address, but logged on as Administrator. It scares me to death..
.
Quote from: bvsweeney on January 07, 2011, 03:22:17 PM
We are seeing more and more new users registering for the board as ADMINISTRATORS. Any ideas?
As a precautionary measure, I updated the STOP Spammer mod and added the reCAPTCHA mod.
Thanks,
Brian
------
SMF 1.1.12
Stop Spammer 2.3.8 (reports 2.3.7)
reCAPTCHA mod (just added)
Guys, we are still having the newbies logging on as Administrator problem. 4 or 5 in two days. I hate to sit this close to the computer every day just to catch them, I'm afraid when bass season comes around I'll be on the lake and some spammer has come in and XXXX up the board. I'd hate that ...
.
if you don't mind please read http://www.simplemachines.org/community/index.php?topic=87130.0 and send me an admin account along with url to your forum and I will take a look tomorrow.
Does 'saved names' not work?
Just a thought.
what do you mean 'saved names'? this is not an issue of reserved names being used and those getting admin powers by default because of that.
I said 'just a thought', meaning is this an option or not.
It's not, then ok. I realise your frustration but say thanks for trying or something...never mind.
I hope some KNOWLEDGEABLE person gives you much satisfaction to your problem.
i was just trying to understand what you were saying and clear it up for the op as to what effect that has on this issue.
File a security report (http://www.simplemachines.org/about/security.php).
Curious, when you go into admin panel, does it show them as being admins in the admin list on the front page? When you view their profile and view their permissions, it shows them having admin access? They aren't just using the username "Administrator", right? (don't be offended, I had to ask :) )
Any chance I can have the URL to your forum? PM me if you prefer.
i would not file a security report at this time, we don't know what the settings are for each group, someone, and i have volunteered already, should double check the permissions before making this a big issue. also most of the time security reports are for issues when someone has been hacked and wishes to provide details to the smf staff and not let it become public.
Quote from: DavidCT on January 21, 2011, 08:12:35 AM
File a security report (http://www.simplemachines.org/about/security.php).
Curious, when you go into admin panel, does it show them as being admins in the admin list on the front page? When you view their profile and view their permissions, it shows them having admin access? They aren't just using the username "Administrator", right? (don't be offended, I had to ask :) )
Any chance I can have the URL to your forum? PM me if you prefer.
http://285foodies.com/forum/index.php
They are listed as an Administrator in the panel.
I got a new one this morning .. :-(
But, maybe I did have a permission setting wrong?
In Regular Members Permissions, I had "yes" toggled in Members Profiles- Edit account settings, perhaps they are able to change their Membergroup there ? I will switch this to "no" and give it a day or two ?
Thanks for making me look the hundredth time and perhaps uncovering MY error..
.
.
are you willing to allow someone, myself or otherwise, access to your site to double check the permissions?
Quote from: GadgetGeek on January 21, 2011, 10:35:06 AM
http://285foodies.com/forum/index.php
They are listed as an Administrator in the panel.
I got a new one this morning .. :-(
But, maybe I did have a permission setting wrong?
In Regular Members Permissions, I had "yes" toggled in Members Profiles- Edit account settings, perhaps they are able to change their Membergroup there ? I will switch this to "no" and give it a day or two ?
Thanks for making me look the hundredth time and perhaps uncovering MY error..
.
.
Having the ability to edit account settings under Profile should not give them the ability to change their permissions. They would have to have manage permissions option checked under Member Administration. Maybe you could screenshot the permissions section?
Quote from: Illori on January 21, 2011, 10:47:32 AM
are you willing to allow someone, myself or otherwise, access to your site to double check the permissions?
Yes. I have to go out for a few hours, and thank you all. I'll be back this afternoon.
.
Quote from: Illori on January 21, 2011, 10:47:32 AM
are you willing to allow someone, myself or otherwise, access to your site to double check the permissions?
GG>- With the small change I made, I'm going to sit back for a day or two and see if that one toggle FIXED the problem. I'm not sure it has ?
GG>--I do want to thank all of you for help, and thank you Illori for your availability to help fix my perceived problem.
....
i am going to mark this solved, please mark it unsolved if in a few days you still find the issue.
Quote from: Illori on January 21, 2011, 06:03:55 PM
i am going to mark this solved, please mark it unsolved if in a few days you still find the issue.
I don't know if it is solved.. but again, thank you, and thank you personally Illori for taking the time to help a newbie find the correct path.
.
Well, what I changed did not fix it. I had a guest log on as Administrator yesterday, fortunately they were already banned from their email address so they could not do any damage or at least none that I could see. Here is a screen shot of the logon.
..
can you please pm me an admin account to your forum and i am sure i can fix this issue for you and post what the solution is for everyone.
[edit] also check admin -> registration primary group, it should be set to no primary member group
3 New Administrator logons in the last 4 hours..
How do I file a security report ?
.
i would recommend as said before to let someone check your permissions, which i volunteered 2 times already to do. filing a security report would not do any good without allowing someone to see your settings, as in the years that 1.1.* branch has been released this has not been an issue.
I registered on his forum and did not get admin rights. He disabled the ability for users to reach the profile page where membergroup is changed, so they aren't even able to do anything there. There is no way I can see for this to be happening based on permissions. There has to be a security problem. He said he overwrote his sources and themes files with fresh ones, and removed all mods, so it's not that.
What I find odd is he says these people don't have an IP address. I wonder if they are breaking in using the poorly written / broken remote_ip vs x_forwarded_for routine, though I don't know how. And saying SMF is secure... please, I've heard that since 1.1.3 and since we had .4, .5, all secure now, .6, .7... :) It's complicated software, I'm sure it's still possible to have flaws. The avatar/kb thing wasn't an issue until v1.1.8 I believe, so no telling what else is in there left to exploit. And just because nobody else noticed it doesn't mean it isn't happening elsewhere.
GG, I posted the link to file a security report in one of my posts in this thread.
If you do not mind GadgetGeek I would like to forward the login information you gave me to K@ who is an smf support team member and see if he can see anything wrong with your permissions which I do not at this time. K@ would then get back to you and possibly also request access to your cpanel to take a better look at things.
Gosh it's good to know I'm not crazy or cannot follow directions.. And thanks Illori for peeking in and seeing what you could see.
Of course anyone is/would be reluctant to hand over the keys to their baby, I hope you understand that Illori and not be offended.
Did you make any changes I should know about ?
And yes, you do have my permission to send the logon info to a support team member, actually that was what I had intended to take place all along.
.
While I'm not on the team any more, I'd be happy to take a look for you to see what's going on. If you'd like to send me logon details to your forum (email is best ([email protected]), but PM works too). FTP and/or Cpanel access would be nice too as I could actually look at the registration code and see what is going on and also look at the HTTP access logs (which will show the registration and login attempts at a lower level than SMF's logs)
I have looked at the permissions and nothing looked wrong, there must be some reason for this to be happening but I don't think it is a hacking issue.
Quote from: Illori on January 28, 2011, 11:56:41 AM
If you do not mind GadgetGeek I would like to forward the login information you gave me to K@ who is an smf support team member and see if he can see anything wrong with your permissions which I do not at this time. K@ would then get back to you and possibly also request access to your cpanel to take a better look at things.
Happy Tuesday Illori, Did someone "make" a ticket for that problem we are still having ? I don't have a ticket number so there is no way for me to see what they are saying about it in the Helpdesk ?
I deleted an admin logon a few minutes ago, I am surely puzzled ..
.
I never got your approval to share the login details with K@ so they were not shared nor looked into further. there is no ticket system here unless you are a charter member. no bug was opened either as we don't have details on how to reproduce this issue.
Quote from: GadgetGeek on February 01, 2011, 12:05:47 PM
Quote from: Illori on January 28, 2011, 11:56:41 AM
If you do not mind GadgetGeek I would like to forward the login information you gave me to K@ who is an smf support team member and see if he can see anything wrong with your permissions which I do not at this time. K@ would then get back to you and possibly also request access to your cpanel to take a better look at things.
Happy Tuesday Illori, Did someone "make" a ticket for that problem we are still having ? I don't have a ticket number so there is no way for me to see what they are saying about it in the Helpdesk ?
I deleted an admin logon a few minutes ago, I am surely puzzled ..
I said "YES" in my next-to-the-last post. Again, you MAY pass the logon info to K@
.
sorry i missed that message, I will ask K@ to take a look when he has time.
Quote from: GadgetGeek on February 01, 2011, 12:41:55 PM
Quote from: GadgetGeek on February 01, 2011, 12:05:47 PM
Quote from: Illori on January 28, 2011, 11:56:41 AM
If you do not mind GadgetGeek I would like to forward the login information you gave me to K@ who is an smf support team member and see if he can see anything wrong with your permissions which I do not at this time. K@ would then get back to you and possibly also request access to your cpanel to take a better look at things.
Happy Tuesday Illori, Did someone "make" a ticket for that problem we are still having ? I don't have a ticket number so there is no way for me to see what they are saying about it in the Helpdesk ?
I deleted an admin logon a few minutes ago, I am surely puzzled ..
I said "YES" in my next-to-the-last post. Again, you MAY pass the logon info to K@
.
btw.. I am a Charter Member, it says so on my profile to the left...
.
i am not a charter member so i would have no part in that business ;)
Well...
I can see nothing wrong, really.
In "Reserved names", "Match case. If unchecked, search will be case insensitive." was checked, so people COULD register as "ADMIN", "administrator", "ADMINISTRATOR", etc. if they wanted to. (I've changed that).
But, I see that you have eight members awaiting approval (All Spammers) and none of their names are "Administrator".
I also registered, using another browser as "TEST".
TEST didn't have the name changed.
So.......
All seems fine, to me.
Just had a thought, though....
If this keeps happening, try disabling Pretty URLs and see if that cures it.
Quote from: K@ on February 01, 2011, 01:56:29 PM
Well...
I can see nothing wrong, really.
In "Reserved names", "Match case. If unchecked, search will be case insensitive." was checked, so people COULD register as "ADMIN", "administrator", "ADMINISTRATOR", etc. if they wanted to. (I've changed that).
You are saying with the NAME admin, ADMIN--- etc.. right ?
I am saying that they are logging in with a MEMBERGROUP as ADMIN.... not their name...
I'll leave the next one up as admin and alert you, how's that ?
Quote from: K@ on February 01, 2011, 01:56:29 PM
But, I see that you have eight members awaiting approval (All Spammers) and none of their names are "Administrator".
I also registered, using another browser as "TEST".
TEST didn't have the name changed.
So.......
All seems fine, to me.
Thanks K@, can I email you a screen shot of the last two Admin logons as .bmp ?
.
No, it's OK. I'll take another look.
BRB.
There's obviously some problem with one of the mods that you've got.
There're some incomplete tabs, in Admin, which should be labelled with the stuff that a mod should be showing.
Soooo....
Did you install any of those mods, just prior to this Admin thing happening?
Quote from: K@ on February 01, 2011, 03:19:48 PM
There's obviously some problem with one of the mods that you've got.
There're some incomplete tabs, in Admin, which should be labelled with the stuff that a mod should be showing.
Soooo....
Did you install any of those mods, just prior to this Admin thing happening?
You guys are lucky.. You understand the back end of this software. I have a partner that does installs and mods and things for me. I just chimed in on him, he is at work but he may have a second to answer your good question K@.
.
If I had FTP access, I could probably tell.
But, I ain't and I can't, properly.
Although, it looks like the last one added could well have been PrettyURLs, funnily enough.
I'm beginning to hate that mod...
I've just disabled it.
See if that cures it.
Quote from: K@ on February 01, 2011, 03:28:12 PM
I'm beginning to hate that mod...
I thought you did already ;)
I hate it even more... ;)
Quote from: K@ on February 01, 2011, 03:28:12 PM
If I had FTP access, I could probably tell.
But, I ain't and I can't, properly.
Although, it looks like the last one added could well have been PrettyURLs, funnily enough.
I'm beginning to hate that mod...
I've just disabled it.
See if that cures it.
Thanks again K@, and Illori.. I saw that bvsweeney was online on my board, he musta got the message ?
.
Not from me...
Hang on a minute....
Quote from: GadgetGeek on January 21, 2011, 10:35:06 AM
They are listed as an Administrator in the panel.
Do you mean in the "Users Online" panel?
If not, which panel?
Quote from: K@ on February 01, 2011, 03:19:48 PM
There's obviously some problem with one of the mods that you've got.
There're some incomplete tabs, in Admin, which should be labelled with the stuff that a mod should be showing.
Soooo....
Did you install any of those mods, just prior to this Admin thing happening?
The layout/configuration of the board has not changed much. I did update two mods (Stop Spammer/ReCAPTCHA) as a result of the issue that we are experiencing.
What about my last question?
Tum-ti-tum-ti-tum...
What would you like me to clarify?
which panel are the users showing up as admin.
Exactly.
...in the Members panel, sorted by position.
You mean here?
http://285foodies.com/forum/index.php?action=viewmembers
here: http://285foodies.com/forum/index.php?action=mlist;sort=ID_GROUP;start=0
And also in the admin panel where it lists the forum admins.
Here - http://285foodies.com/forum/index.php?action=mlist;sort=ID_GROUP;start=0
Administrator, FlyinBrian, APPATTEERAPLY, franksxxxlinks
Are they admins?
Just click on Members and sort by position.
Quote from: K@ on February 01, 2011, 04:08:17 PM
Administrator, FlyinBrian, APPATTEERAPLY, franksxxxlinks
Are they admins?
The first two are valid. The last two are not.
Somehow, it looks like the membergroups are screwed.
Bryan is showing in that list as a Full Member. But, in his profile, he has no membergroup.
franksxxxlinks isn't showing in that list, at all.
FlyinBrian is fine (that's me).
These are the bad ones: APPATTEERAPLY, franksxxxlinks
Neither of those is appearing in that list.
So, it's just at the top of the Admin homepage that's wrong, yes?
There are several ways to look at members. What's important is that "APPATTEERAPLY and franksxxxlinks" are Administrators when they shouldn't be.
There's also the fact that neither of them appear in the memberlist.
Neither are admins, now, coz I changed their membergroup.
Just Administrator, FlyinBrian and me.
I'm just going to register as a new member and see what group I get put in.
I'm a noob. :)
I deleted Forum Helper and made myself admin.
Helper's gone from the admin credit thingy and I'm there.
So, I think we're sorted, aren't we?
Feel free to delete me, obviously.
Did you determine how new users were becoming Admins?
K@ - I think you're missing the point here - not all members are becoming admins when they register, but somehow, some bots, spammers or a real person is managing to make themselves an admin either upon registration or somewhere else... that is what they are trying to figure out, *how* it is happening.
Previously in the thread we stated that we were unable to recreate the problem ourselves but we continue to find new users in the Admin group.
Well, this is where I think we're having problems.
If you look at this list:
http://285foodies.com/forum/index.php?action=viewmembers
You're seeing members in red, yes?
They're not red because they're admins.
They're red because they're not approved.
In the list you linked to, there are no admins listed, at all, apart from the two (Three including me) that ARE admins.
Same with the Admin homepage.
Quote from: K@ on February 01, 2011, 04:46:33 PM
Well, this is where I think we're having problems.
If you look at this list:
http://285foodies.com/forum/index.php?action=viewmembers
You're seeing members in red, yes?
They're not red because they're admins.
They're red because they're not approved.
In the list you linked to, there are no admins listed, at all, apart from the two (Three including me) that ARE admins.
Same with the Admin homepage.
They are RED because of the STOPSpam Mod, K@...
bvsweeney is off line and on the road..
.
Nope.
The Spam mod stops them being approved, too.
I don't have any antiSpam mods and mine show red, until they're approved.
Maybe it's a bit of both.
You don't have any dubious admins, now, though.
Quote from: K@ on February 01, 2011, 04:54:32 PM
Nope.
The Spam mod stops them being approved, too.
I don't have any antiSpam mods and mine show red, until they're approved.
Maybe it's a bit of both.
You don't have any dubious admins, now, though.
Not at this moment..
See this from early today. I quickly changed the membergroup but snapped a screen shot of it.. Any help ?
(https://www.simplemachines.org/community/proxy.php?request=http%3A%2F%2Faroundhere.net%2FMike2%2F285Fpics%2Fadminlogon15.jpg&hash=c750136bbe141fe31333218aa1a54659d6eda45e)
..
Yeah. I suspect PrettyURLs, with that.
As I said, I've disabled it, for now.
See how it goes, for a couple of days.
If it doesn't happen, again, we'll know what the culprit was.
I had a good look around your forum and everything looks OK, apart from the weird tabs I told you about.
Only thing that I can't check is the files, themselves.
I'd need FTP access, to do that.
I don't recall pretty urls being installed/enabled the other day when I was taking a look at this just browsing around on his board... I would find it pretty difficult to believe that pretty urls was allowing this to happen too.
Quote from: K@ on February 01, 2011, 05:03:46 PM
Yeah. I suspect PrettyURLs, with that.
As I said, I've disabled it, for now.
See how it goes, for a couple of days.
If it doesn't happen, again, we'll know what the culprit was.
I had a good look around your forum and everything looks OK, apart from the weird tabs I told you about.
Only thing that I can't check is the files, themselves.
I'd need FTP access, to do that.
Thanks for your help K@, and bvsweeney & DaveCT & Illori & SlammedDime.. I'll wait right here and see what happens.
.
Wilco.
I'm off to bed.
Good luck!
Can you list all of the mods you currently have installed, and their version? (a simple copy/paste from the admin panel should suffice). I want to recreate your install locally to test with.
New Packages:
(package)
* Nice Anime Avatars 1.0
* Info Center 1.0
* Customizable Home Page 1.0
Package of the Moment:
Personal Message Auto Responder 0.1
Browse Packages
Modification Packages
Mod Name Version
1. SMF 1.0.20 / 1.1.12 Update 1.0
2. SMF Links 2.1
3. Stop Spammer 2.3.8
4. cURL fetch_web_data 1.1.1
5. reCAPTCHA for SMF 0.9.8
6. Pretty URLs 1.0RC5
7. Share This Topic 1.3
....
How's it going so far?
Just to note, I installed those mods locally, looked at all of the code after it was modified and even tried manually modifying forms to inject the admin group and couldn't do it. If it's not resolved, I think the only/best way to figure out how it's happening is to review the Apache access logs (available in cpanel) and to see what the requests are that are being made from those IP's.
I *thought* he removed ALL mods and uploaded FRESH SMF files like I suggested, I asked him to do that on page 1 of this thread. I guess he didn't. :)
I asked him to dig out the log for any date a person gained admin access, I guess he didn't. :)
Even if it's a mod that's doing it I'm sure everyone would like to know which one so it can be fixed, but it seems to me it's more important to stop the situation as quickly as possible, and my first step would be to have a clean SMF install with no mods and hope that fixed it :)
Oh well, what do I know ;D
GG, if you need help - let me know. I'd be happy to redo your forum for you, removing all mods, uploading fresh SMF files.
You do have a backup, right? CPANEL > BACKUPS > Download SQL database. You should do this daily, especially with a big forum like yours, especially since you are under attack, and date them and keep every one of them for a while, just in case.
ETA: This post was not meant to sound rude - sorry if I sounded that way, I was simply stating the obvious that I thought he removed the mods and updated the files as I asked him to. Sorry to GG if he was offended. This post has been going round and round but nothing seemed to be getting resolved and honestly it's a little frustrating :)
Oh yeah, I'd remove cURL fetch_web_data - without looking at it, I'd suspect that one to be the problem. SMF Links would be second. Maybe neither is the issue, but something has to be done. I don't know why he's waiting :)
I'm wondering if it'd be worth checking some of the files for a hack.
Quote from: K@ on February 02, 2011, 04:05:53 PM
I'm wondering if it'd be worth checking some of the files for a hack.
No Admin logons yet. I will let bvsweeney decide if we need to look at files after I see it happening again. Thanks though...
.
One way to check, although it won't check for EVERY hack.
Load index.php from the root into a text editor.
The first line should simply be:
<?php
and the last line should be:
?>
Nothing else, at all.
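The two file checks suggested in this thread (no PHP files or folders writable by group or world, and a PHP file that starts with a bare `<?php` line and ends with a bare `?>` line) can be scripted as below. This is an added example, not code from the thread or from SMF; the sample tree and its file names are constructed so the script runs on its own.

```python
import os
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_permissions(root):
    """Return {relative_path: problem} for folders and .php files under root
    that group or world can write to."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.stat(dirpath).st_mode & WRITABLE_BY_OTHERS:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings[rel] = "folder writable by group or world"
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & WRITABLE_BY_OTHERS:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = "file writable by group or world"
    return findings


def check_php_wrapper(path):
    """Return a list of problems; an empty list means the file begins with a
    bare '<?php' line and ends with a bare '?>' line, with nothing else."""
    with open(path, "rb") as fh:
        raw = fh.read()
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark before <?php")
        raw = raw[3:]
    # Trailing whitespace at the end of the file is ignored; anything else is not.
    lines = raw.decode("utf-8", errors="replace").rstrip().splitlines()
    if not lines or lines[0].rstrip() != "<?php":
        problems.append("first line is not a bare <?php")
    if not lines or lines[-1] != "?>":
        problems.append("last line is not a bare ?>")
    return problems


def build_sample_tree():
    """Create a constructed forum-like tree in a temp folder and return its path."""
    root = tempfile.mkdtemp(prefix="smf_audit_")
    clean = "<?php\n// constructed stand-in for forum code\necho 'ok';\n?>\n"
    tampered = (
        "<?php /* constructed stand-in for prepended code */ ?><?php\n"
        "echo 'ok';\n?>\n<!-- constructed appended content -->\n"
    )
    os.mkdir(os.path.join(root, "Sources"))
    os.mkdir(os.path.join(root, "attachments"))
    files = {"index.php": (clean, 0o644), "Sources/Load.php": (tampered, 0o666)}
    for rel, (body, mode) in files.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    # Set folder modes explicitly so the result does not depend on the umask.
    os.chmod(os.path.join(root, "Sources"), 0o755)
    os.chmod(os.path.join(root, "attachments"), 0o777)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, problem in sorted(audit_permissions(tree).items()):
        print(f"{rel}: {problem}")
    for rel in ("index.php", "Sources/Load.php"):
        for problem in check_php_wrapper(os.path.join(tree, rel)):
            print(f"{rel}: {problem}")
```

As noted in the thread, the first/last line check will not catch every modification; it only catches content added before the opening tag or after the closing tag.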
Two full days without an ADMIN logon, that is the world record on my board for the last 10 months.
I hope I'm not jinxing anything by being pleased.
.
(https://www.simplemachines.org/community/proxy.php?request=http%3A%2F%2Fwww.katzy.dsl.pipex.com%2FSmileys%2Fc016.gif&hash=d0a9bf2c1a124604522e74c020e059ff2a7aea88)
Quote from: K@ on February 03, 2011, 11:25:36 AM
(https://www.simplemachines.org/community/proxy.php?request=http%3A%2F%2Fwww.katzy.dsl.pipex.com%2FSmileys%2Fc016.gif&hash=d0a9bf2c1a124604522e74c020e059ff2a7aea88)
I spoke too soon. I just had one.. :-(
I honestly think it is happening by accident to these folks logging on or one of them would have caused some chaos on the board.
.
have you checked to see if these users all have the same/similar ip address? do they have similar email addresses?
Can I clarify something real quick...
You keep using the phrase 'logging on'... do you mean they are registering a new account which becomes an admin and then this person attempts to actually log on? Or are they already established as a user and somehow gets switched to an admin and tries to log on?
Quote from: Illori on February 03, 2011, 01:43:49 PM
have you checked to see if these users all have the same/similar ip address? do they have similar email addresses?
Nothing similar at all.. I have screen shots of the last 20... Most of them have no IP address, that alone is similar.
Today is the wife's birthday, I have to go out and get a card and a pony for a present or something. I hate that this is bogging me down.
.
Quote from: SlammedDime on February 03, 2011, 01:50:33 PM
Can I clarify something real quick...
You keep using the phrase 'logging on'... do you mean they are registering a new account which becomes an admin and then this person attempts to actually log on? Or are they already established as a user and somehow gets switched to an admin and tries to log on?
It happens as they are registering a new account, I have NEVER had someone come back after they had registered and changed their Membergroup.
.
Your partner in crime might have to help out then (bvsweeney)...
Quote
If it's not resolved, I think the only/best way to figure out how it's happening is to review the Apache access logs (available in cpanel) and to see what the requests are that are being made
Here's the log data from the last guy that made himself an admin...
GET /index.php?option=com_user&task=register HTTP/1.0
POST /index.php?option=com_user HTTP/1.0
GET /index.php HTTP/1.0
GET /index.php?option=com_jfusion&Itemid=6&jfile=index.php&topic=959.0 HTTP/1.0
GET /forum/cooking-at-home-or-with-friends/sous-vide-cooker-at-home/ HTTP/1.0
POST /forum/cooking-at-home-or-with-friends/sous-vide-cooker-at-home/?action=quickmod2 HTTP/1.0
GET /forum/cooking-at-home-or-with-friends/sous-vide-cooker-at-home/ HTTP/1.0
GET /forum/index.php?action=post;board=1.0 HTTP/1.0
GET /forum/register/?PHPSESSID=a845819ca316127ccf2a8a7960430f9a HTTP/1.0
POST /forum/register2/ HTTP/1.0
GET /forum/register/forum/index.php?action=post;board=1.0 HTTP/1.0
GET /register/forum/index.php?action=post;board=1.0 HTTP/1.0
GET /forum/index.php?PHPSESSID=a845819ca316127ccf2a8a7960430f9a HTTP/1.0
GET /forum/index.php?action=post;board=1.0 HTTP/1.0
The pattern definitely looks to be that of a bot... is that all of the log data from that IP or is there anymore?
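The log excerpt above shows the same client submitting a form outside `/forum/` (`option=com_user`) as well as the forum's own `/forum/register2/`. The following added example, which is not from the thread, groups access-log lines by client and reports which registration path each one used. The IP addresses, timestamps and status codes are constructed, and treating a `com_user` register-form GET followed by a `com_user` POST as a registration is an assumption, because POST bodies are not in the access log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def _params(target):
    """Query parameters as a dict; SMF separates parameters with ';' as well as '&'."""
    query = urlsplit(target).query.replace(";", "&")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def registration_paths(lines, forum_prefix="/forum/"):
    """Map each client IP to the set of registration paths it used:
    'forum' = POST to the forum's register2 action,
    'cms'   = com_user register form fetched, then a com_user POST, outside the forum."""
    paths = {}
    saw_cms_form = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target = m["ip"], m["method"], m["target"]
        labels = paths.setdefault(ip, set())
        path = urlsplit(target).path
        params = _params(target)
        in_forum = path.startswith(forum_prefix)
        if not in_forum and params.get("option") == "com_user":
            if method == "GET" and params.get("task") == "register":
                saw_cms_form.add(ip)
            elif method == "POST" and ip in saw_cms_form:
                labels.add("cms")  # assumption: this POST is the registration submit
        elif in_forum and method == "POST":
            if path.rstrip("/").endswith("/register2") or params.get("action") == "register2":
                labels.add("forum")
    return paths


def outside_forum_registrants(lines, forum_prefix="/forum/"):
    """Clients that registered through a path the forum's own settings do not govern."""
    paths = registration_paths(lines, forum_prefix)
    return sorted(ip for ip, labels in paths.items() if "cms" in labels)


def _entry(ip, second, request, status=200):
    # Constructed wrapper: only the request line itself comes from the thread.
    return f'{ip} - - [03/Feb/2011:10:00:{second:02d} -0500] "{request}" {status} 512'


# Request lines taken from the post above (subset).
PAGE_REQUESTS = [
    "GET /index.php?option=com_user&task=register HTTP/1.0",
    "POST /index.php?option=com_user HTTP/1.0",
    "GET /index.php?option=com_jfusion&Itemid=6&jfile=index.php&topic=959.0 HTTP/1.0",
    "GET /forum/register/?PHPSESSID=a845819ca316127ccf2a8a7960430f9a HTTP/1.0",
    "POST /forum/register2/ HTTP/1.0",
    "GET /forum/index.php?action=post;board=1.0 HTTP/1.0",
]

SAMPLE_LOG = (
    [_entry("192.0.2.10", i, req) for i, req in enumerate(PAGE_REQUESTS)]
    + [
        # Constructed: a client that only uses the forum's own registration form.
        _entry("192.0.2.20", 20, "GET /forum/register/ HTTP/1.1"),
        _entry("192.0.2.20", 21, "POST /forum/index.php?action=register2 HTTP/1.1"),
        # Constructed: a client that only browses.
        _entry("192.0.2.30", 30, "GET /forum/index.php?action=mlist;sort=ID_GROUP;start=0 HTTP/1.1"),
    ]
)

if __name__ == "__main__":
    for ip, labels in sorted(registration_paths(SAMPLE_LOG).items()):
        print(ip, sorted(labels) or "no registration")
    print("registered outside the forum:", outside_forum_registrants(SAMPLE_LOG))
```

Comparing the clients this reports against the accounts that appeared in the Administrator group shows whether the unexpected admins share a registration path.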
It is still happening. 3 in the last 24 hours..
I hope I catch them all before they run riot..
.
My offer still stands to help... I'd like to create a small mod for you guys to install to trap registration data and log it to a file to see exactly what these 'users' are passing in for registration data to become admins. It will trap all posted data except for passwords. That way we can review it and see how it's happening. Let me know if you want to proceed with it and I'll create the mod and email to you to install.
Quote from: SlammedDime on February 07, 2011, 03:37:29 PM
My offer still stands to help... I'd like to create a small mod for you guys to install to trap registration data and log it to a file to see exactly what these 'users' are passing in for registration data to become admins. It will trap all posted data except for passwords. That way we can review it and see how it's happening. Let me know if you want to proceed with it and I'll create the mod and email to you to install.
Ok, let's do it. Send me a link and I will install it.
-B
Ok, I don't think I'll have time at work today to make it, but I'll do it when I get home tonight and PM you the link once it's done. Feel free to review the code if you like before installing it to verify what is and isn't trapped.
PM sent to bvsweeney and gadgetgeek
Quote from: SlammedDime on February 07, 2011, 05:35:39 PM
PM sent to bvsweeney and gadgetgeek
Thanks bud. Fishing season is coming up.. I do NOT want to be here on this computer when the spotted bass are hitting topwater lures on Lake Sidney Lanier. I'll raise a glass to you tonight and send you flowers if we drill down to the bottom of how they are registering as Administrators (see, I'm using the right verbiage). Again, thanks for your help.
...
The RegTrapper mod has been applied.
we have one in the snare...
Sure coming on to my food board with a name like "mature sex" would give me a signal...?
...
lol... cool, let's get at least one more just to make sure we have the data needed. Keep track of the usernames so I can easily locate them in the log file. :)
Just checkin in... how are we doing?
I've figured out the issue without any further investigation... the problem is your JFusion bridge. Anyone who registers using it automatically becomes an admin on your forum. You'll have to take up this issue with the creator of that bridge.
That must've taken some working-out!
Nice one, SD! :)
Well done. I totally forgot that was in-place. I configured JFusion over a year ago when I thought SMF 2.0 was drawing near.
-Brian
Quote from: SlammedDime on February 09, 2011, 02:43:19 PM
I've figured out the issue without any further investigation... the problem is your JFusion bridge. Anyone who registers using it automatically becomes an admin on your forum. You'll have to take up this issue with the creator of that bridge.
Thanks SD. The first nice day while I'm cleaning up my boat to go fishing I'll be praising your name. Thanks again.
.
For what it's worth, I reconfigured JFusion. It is working properly now. In other words, I plugged the hole.
Thanks Again!!!
-B
Hey, I was able to wash my car rather than keep an eye out for Admin registrations. Whooopeeeee...
Thanks again guys.
....