
Somehow users are being registered without registering...?

Started by itistoday, February 05, 2023, 11:40:48 PM


itistoday

I'm 99% sure I deleted all users in my forum who had 0 posts using the admin tools.

Yet this user just appeared as active: https://www.taoeffect.com/forum/index.php?action=profile;u=10728

And this is the 2nd time this happened. The first time I noticed this bizarre thing happen a couple days ago, I banned the user and deleted their account, it's there in my ban log, their IP was 194.169.217.114 from a @mail.ru address.

This user is from the same block of IPs: 194.169.217.119, also with a @mail.ru address, and obviously a spammer, but what is *bizarre* is that SMF claims they registered on July 30, 2017, 03:11:11 PM, a few years ago, which should be impossible because I deleted all users who had 0 posts (as this person has).

Another thing of note: my automated ban thingy kicked in because a trigger for Mail.ru got triggered.

So - I think this is a bug but I'm not sure. Is there any way to be sure? (Has anyone heard of this before?)

EDIT: this is the only relevant line I could find in my logs from that IP:

194.169.217.119 - @ www.taoeffect.com [05/Feb/2023:19:51:35 -0800] "POST /forum/index.php?action=login2 HTTP/1.0" 302 0 "https://www.taoeffect.com/forum/index.php?action=login" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "-"

The other IP was similar:

194.169.217.114 - @ www.taoeffect.com [03/Feb/2023:19:22:16 -0800] "POST /forum/index.php?action=login2 HTTP/1.0" 302 0 "https://www.taoeffect.com/forum/index.php?PHPSESSID=3m0l___redacted___psmj&action=login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.86 Safari/537.36" "-"

Kindred

I can pretty much guarantee that this is not a bug in SMF.

I can also guess -- you are using Tapatalk, aren't you?

Either this, or ----   How did you "delete all users who had zero posts"?
Did you use the SMF admin interface or did you try to do it directly in the database?

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

itistoday

I'm using this plugin: Enhancements to purge inactive members (imo should be built-in feature)

I don't know what Tapatalk is.

I'll delete this user, and if they show up again I will be 100% sure they're bypassing the registration system (because I manually checked, there are no other suspicious users with 0 posts).

Aleksi "Lex" Kilpinen

Your latest member, registered a week ago and has 0 posts. How exactly did you check for those 0 post members?

Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas


itistoday

Yeah, sorry I edited my post to add the word "suspicious" to make it clear that there's 1 member with 0 posts who isn't suspicious. They registered after I purged the members with 0 posts.

Aleksi "Lex" Kilpinen

Are they a global moderator on purpose as well?
Just trying to make sure, as I for sure see it a bit suspicious to have a member who has never logged in be a global moderator.

itistoday

Yes, thanks for checking. :)

I'll wait a bit and will leave that IP range unbanned to see if any new bot accounts pop up. Just wanted to see if anyone had reported this before. Maybe I'm hallucinating. Or maybe these IP ranges are just not part of the "Stop Forum Spam" and they registered normally... EDIT: no that can't be the case because as vbgamer45 points out below, the UID on that user is old.

vbgamer45

From what I can see it is an old user.

Your newest member ID has an ID of 13751, while the one that posted/has one of 10728. Big difference; registered years ago.

Aleksi "Lex" Kilpinen

Okay, good then - Just wanted to make sure. I would suggest that the most likely explanations would be that either you missed someone when doing the purge earlier, or someone has lost posts after that and has become a new 0 post member after it. Of course, there's always the option that something really is wrong, but so far there's not much evidence of that.

Kindred

BTW, purging inactive users should NOT be a standard feature.

If you are using it to control "suspicious" users, then you are doing it wrong.  Just prevent spammers from registering in the first place.

I have not looked at that mod, but as long as it uses the internal delete user function, I can not conceive of any way that a user "came back" after being deleted.


itistoday

Quote from: Kindred on February 06, 2023, 03:50:22 PM
> Just prevent spammers from registering in the first place.

It would've been great if SMF had done that, then I wouldn't have had to purge them. Now with the latest version and the Stop Forum Spam mod, hopefully won't need to do it again.

Kindred

SFS is a good add on,  but it's only halfway decent at identifying spammers

SMF HAS HAD the capability to prevent spammers for the last decade.

Questions.
20-30 Questions, asking 2 during registration.
I have not had a successful spambot registration in over 5 years.

itistoday

Quote from: Kindred on February 06, 2023, 05:32:10 PM
> SMF HAS HAD the capability to prevent spammers for the last decade.

That wasn't my experience. 🤷‍♂️

I had SMF's built-in captcha + 3 of the questions during registration, and was so badly overrun with bots that I had to shut down our forums for several years.

Kindred

The captcha has been useless for years.

As I said, you need 20-30 questions in your pool.
You only need to ask 2 at registration.

You need to change your pool every 2-3 years (maybe 1-2 years if you have a popular site)

As I said,  not a single spambot in 5 years...  5 different sites

If you were getting spambots, then you had bad questions and/or not a large enough pool

Steve

Should this be in Support? I was going to move it but didn't know what version SMF the OP is using.
DO NOT pm me for support!

itistoday

Feel free to move it if you want. I'm using the latest version.


Kindred

Fyi, "the latest version" is a useless term...  because it is almost always incorrect

When we ask what version, we need a number.

I see 2.1.3 from the link

itistoday

Guys, I am convinced something is going on.

Here are 3 new 0 post users who allegedly were registered in 2017:

- https://www.taoeffect.com/forum/index.php?action=profile;u=12794
- https://www.taoeffect.com/forum/index.php?action=profile;u=10495
- https://www.taoeffect.com/forum/index.php?action=profile;u=12196

Example log from one of the IPs:

[stdout] 194.169.217.110 - @ forums.okturtles.com [26/Jan/2023:21:37:12 -0800] "GET /index.php HTTP/1.0
" 301 162 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/7
5.0.3770.100 Safari/537.36" "-"
[stdout] 194.169.217.110 - @ www.taoeffect.com [05/Feb/2023:17:23:29 -0800] "POST /forum/index.php?acti
on=login2 HTTP/1.0" 302 0 "https://www.taoeffect.com/forum/index.php?action=login" "Mozilla/5.0 (Window
s NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
[stdout] 194.169.217.110 - @ www.taoeffect.com [05/Feb/2023:19:51:31 -0800] "GET /forum/index.php HTTP/
1.0" 302 0 "http://www.taoeffect.com/forum/index.php" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWe
bKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36" "-"
[stdout] 194.169.217.110 - @ www.taoeffect.com [04/Feb/2023:05:25:44 -0800] "GET /forum/index.php?board
=11.0;sort=replies;desc HTTP/1.0" 200 24461 "https://www.taoeffect.com/forum/index.php?board=11.0;sort=
replies;desc" "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93
 Safari/537.36" "-"

Another IP:

[stderr] 2023/01/28 21:25:28 [error] 173#173: *439069 FastCGI sent in stderr: "PHP message: PHP Depreca
ted:  Function create_function() is deprecated in /var/www/www.taoeffect.com/forum/Sources/Load.php on
line 178PHP message: PHP Deprecated:  Function create_function() is deprecated in /var/www/www.taoeffec
t.com/forum/Sources/Load.php on line 183PHP message: PHP Deprecated:  Function create_function() is dep
recated in /var/www/www.taoeffect.com/forum/Sources/Load.php on line 184PHP message: PHP Deprecated:  F
unction create_function() is deprecated in /var/www/www.taoeffect.com/forum/Sources/Load.php on line 22
0PHP message: PHP Deprecated:  Function create_function() is deprecated in /var/www/www.taoeffect.com/f
orum/Sources/Load.php on line 223PHP message: PHP Deprecated:  Function create_function() is deprecated
 in /var/www/www.taoeffect.com/forum/Sources/Load.php on line 235PHP message: PHP Deprecated:  Function
 create_function() is deprecated in /var/www/www.taoeffect.com/forum/Sources/Load.php on line 250PHP me
ssage: PHP Deprecated:  Function create_function() is deprecated in /var/www/www.taoeffect.com/forum/So
urces/Load.php on line 252PHP message: PHP Deprecated:  Function create_function() is deprecated in /va
r/www/www.taoeffect.com/forum/Sources/Load.php on line 257PHP message: PHP Deprecated:  Function create
_function() is deprecated in /var/www/www.taoeffect.com/forum/Sources/Load.php on line 268PHP message:
PHP Deprecated:  Function create_function() is deprecated in /var/www/www.taoeffect.com/forum/Sources/L
oad.php on line 270PHP message: PHP Deprecated:  Function create_function() is deprecated in /var/www/w
ww.taoeffect.com/forum/Sources/Load.php on line 273" while reading response header from upstream, clien
t: 194.169.217.87, server: www.taoeffect.com, request: "GET /forum/index.php HTTP/1.0", upstream: "fast
cgi://172.19.0.10:9009", host: "www.taoeffect.com", referrer: "http://www.taoeffect.com/forum/index.php
"
[stdout] 194.169.217.87 - @ www.taoeffect.com [28/Jan/2023:21:25:28 -0800] "GET /forum/index.php HTTP/1
.0" 200 20244 "http://www.taoeffect.com/forum/index.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.
36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36" "-"
[stdout] 194.169.217.87 - @ www.taoeffect.com [27/Jan/2023:22:49:26 -0800] "GET /viewforum.php?f=10 HTT
P/1.0" 404 548 "https://www.taoeffect.com/viewforum.php?f=10" "Mozilla/5.0 (Windows NT 10.0; WOW64) App
leWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"

And the 3rd IP:

[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:37 -0800] "GET /forum/ HTTP/1.0" 302 0
 "http://www.taoeffect.com/forum/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
 Chrome/90.0.4430.85 Safari/537.36" "-"                                                               
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:38 -0800] "GET /forum/?sslRedirect HTT
P/1.0" 200 14167 "https://www.taoeffect.com/forum/?sslRedirect" "Mozilla/5.0 (Windows NT 6.1) AppleWebK
it/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"                                   
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:40 -0800] "GET /forum/index.php?action
=login HTTP/1.0" 200 9609 "https://www.taoeffect.com/forum/index.php?action=login" "Mozilla/5.0 (Window
s NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"               
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:42 -0800] "POST /forum/index.php?actio
n=login2 HTTP/1.0" 302 0 "https://www.taoeffect.com/forum/index.php?action=login" "Mozilla/5.0 (Windows
 NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"                 
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:43 -0800] "GET /forum/index.php?action
=login2;sa=check;member=12196 HTTP/1.0" 302 0 "https://www.taoeffect.com/forum/index.php?action=login2;
sa=check;member=12196" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0
.4430.85 Safari/537.36" "-"                                                                           
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:47 -0800] "GET /forum/index.php HTTP/1
.0" 200 17585 "https://www.taoeffect.com/forum/index.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537
.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"                                         
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:48 -0800] "GET /forum/index.php?action
=profile HTTP/1.0" 200 18438 "https://www.taoeffect.com/forum/index.php?action=profile" "Mozilla/5.0 (W
indows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:49 -0800] "GET /forum/index.php?action
=profile;area=forumprofile;u=12196 HTTP/1.0" 200 25948 "https://www.taoeffect.com/forum/index.php?actio
n=profile;area=forumprofile;u=12196" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Geck
o) Chrome/90.0.4430.85 Safari/537.36" "-"
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:51 -0800] "POST /forum/index.php?actio
n=profile;area=forumprofile;u=12196 HTTP/1.0" 302 0 "https://www.taoeffect.com/forum/index.php?action=p
rofile;area=forumprofile;u=12196" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/90.0.4430.85 Safari/537.36" "-"
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:52 -0800] "GET /forum/index.php?action
=profile;area=forumprofile;updated HTTP/1.0" 200 26021 "https://www.taoeffect.com/forum/index.php?actio
n=profile;area=forumprofile;updated" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Geck
o) Chrome/90.0.4430.85 Safari/537.36" "-"
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:53 -0800] "GET /forum/ HTTP/1.0" 200 1
7585 "https://www.taoeffect.com/forum/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like G
ecko) Chrome/90.0.4430.85 Safari/537.36" "-"
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:55 -0800] "GET /forum/index.php?board=
11.0 HTTP/1.0" 200 24626 "https://www.taoeffect.com/forum/index.php?board=11.0" "Mozilla/5.0 (Windows N
T 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:56 -0800] "GET /forum/index.php?action
=post;board=11.0 HTTP/1.0" 200 24138 "https://www.taoeffect.com/forum/index.php?action=post;board=11.0"
 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
" "-"
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:08:58 -0800] "GET /forum/index.php?action
=verificationcode;vid=post;rand=8cf7e53875c3b74f8865000a8a7bb8d6 HTTP/1.0" 200 1486 "https://www.taoeff
ect.com/forum/index.php?action=post;board=11.0" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML
, like Gecko) Chrome/90.0.4430.85 Safari/537.36" "-"
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:09:00 -0800] "POST /forum/index.php?actio
n=post2;start=0;board=11 HTTP/1.0" 200 44803 "https://www.taoeffect.com/forum/index.php?action=post;boa
rd=11.0" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safar
i/537.36" "-"
[stdout] 102.129.143.42 - @ www.taoeffect.com [04/Feb/2023:02:09:01 -0800] "POST /forum/index.php?actio
n=post2;start=0;board=11 HTTP/1.0" 403 9672 "https://www.taoeffect.com/forum/index.php?action=post;boar
d=11.0" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari
/537.36" "-"

These 3 accounts didn't exist.

What should I do? Do you guys see similar logins from 194.169.217.* on any of your forums?
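
An added example, not part of the original posts: a Python sketch for triaging access logs in the layout quoted above, tying each login POST to the member ID named in the `action=login2;sa=check;member=<id>` request that follows it from the same IP (the pattern visible in the 102.129.143.42 excerpt). The function names, sample lines, IPs and member ID are constructed for illustration, and treating a 302 on the login POST plus the follow-up check request as one login is an assumption drawn from that excerpt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout of the access-log lines quoted in the thread:
# [stdout] IP - @ host [time] "METHOD path HTTP/x" status bytes "referer" "UA" "-"
LINE_RE = re.compile(
    r'^(?:\[stdout\] )?(?P<ip>\S+) - \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
CHECK_RE = re.compile(r"action=login2;sa=check;member=(\d+)")

def parse(line):
    """Parse one access-log line; stderr lines and fragments return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def trace_logins(lines):
    """Return (member id -> set of IPs, IPs whose login POST named no member)."""
    # Sort by timestamp first: grep output from several files is rarely in order.
    records = sorted(filter(None, map(parse, lines)), key=lambda r: r["when"])
    pending, members = set(), defaultdict(set)
    for r in records:
        check = CHECK_RE.search(r["path"])
        if check and r["ip"] in pending:
            members[int(check.group(1))].add(r["ip"])
            pending.discard(r["ip"])
        elif (r["method"] == "POST" and "action=login2" in r["path"]
              and r["status"] == "302"):
            pending.add(r["ip"])
    return dict(members), pending

# Constructed sample (documentation IPs, made-up member id), deliberately
# out of time order and including one stderr line that must be skipped.
SAMPLE = [
    '[stdout] 192.0.2.42 - @ forum.example [04/Feb/2023:02:08:43 -0800] "GET /forum/index.php?action=login2;sa=check;member=4242 HTTP/1.0" 302 0 "-" "UA" "-"',
    '[stdout] 192.0.2.42 - @ forum.example [04/Feb/2023:02:08:42 -0800] "POST /forum/index.php?action=login2 HTTP/1.0" 302 0 "-" "UA" "-"',
    '[stdout] 198.51.100.7 - @ forum.example [05/Feb/2023:19:51:35 -0800] "POST /forum/index.php?action=login2 HTTP/1.0" 302 0 "-" "UA" "-"',
    '[stderr] 2023/01/28 21:25:28 [error] 173#173: *1 FastCGI sent in stderr: "PHP message"',
]

if __name__ == "__main__":
    members, unattributed = trace_logins(SAMPLE)
    for member_id, ips in sorted(members.items()):
        print(f"member {member_id}: logged in from {sorted(ips)}")
    print("login POSTs with no member check seen:", sorted(unattributed))
```

Member IDs reported this way can be compared against the member table and the purge plugin's records to see whether the accounts were logged into rather than newly registered.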

itistoday

SMF claims each of these users registered in 2017.

There is *no way* that is true. All 3 users suddenly appeared on my server with 0 posts with recent logins/activity after I wiped and double-checked, triple-checked, and you guys checked, that all 0 post users (except for that 1 moderator I approved) were deleted?

No way. This is a real bug / exploit happening.
