Somehow users are being registered without registering...?

Started by itistoday, February 05, 2023, 11:40:48 PM


vbgamer45

Do you have older backups you can check?

This is a common issue lately with old users having weak passwords which were guessed.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

itistoday

I do have backups but it would take me at least a day to boot up a new machine and restore from them and test this, and I don't have that kind of time right now. Maybe in a few days or weeks I might have time. If there are any other suggestions that are less laborious that I can try, please let me know.

itistoday

Also, I find it difficult to believe that a hacker would hack into these accounts by guessing weak passwords for 2 reasons:

1. The logs do not show any brute force attempts, and it is extremely unlikely, basically impossible, that they would guess the password on the first try.
2. Even if they managed to guess the passwords to 3 accounts (that I'm 99.999999999999% sure did not exist until maybe yesterday) on the first try, why would they update the profiles to say that they are from Nepal? No, these were originally registered as spam accounts.

shawnb61

The above logs show a logon, followed by a profile update (signature change?), followed by more activity.  Pretty normal.

It's not likely a brute force attempt.  However, it's extremely common for folks to re-use IDs and passwords.  And those are all pretty easily found out there.

I saw the same thing on my site a few months ago.  3 or 4 good users, non-spammers, who suddenly started spamming from the same IPs.

As for why they didn't show up on your searches, they likely didn't meet the search criteria.  E.g., it could be that they had been active recently.  Or maybe they even had a post that was recently subsequently deleted (possibly even by the spammer).  The only way to know for sure would be to look at a backup.

There is a chance you find the emails/ids/passwords in question (or your own site) here, might be worth exploring this or similar sites:
https://haveibeenpwned.com

If I were in your shoes, I'd have all admins & global moderators change their passwords.  I'd also change the cpanel password.  And make the admins all use 2FA.  It's simply good practice. 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

itistoday

Quote from: shawnb61 on February 08, 2023, 11:43:34 PM
As for why they didn't show up on your searches, they likely didn't meet the search criteria.

I looked through the members list: https://www.taoeffect.com/forum/index.php?action=mlist

Surely they would have shown up there, as that list shows all users.

Quote from: shawnb61 on February 08, 2023, 11:43:34 PM
might be worth exploring this or similar sites:
https://haveibeenpwned.com

2 of the 3 users' emails showed up there. But again, 99.999% sure these users didn't exist, because they weren't in the members list before.

If you guys have no other suggestions, at some point I will eventually look at the backups, and I'll probably find that I'm right (these users were never there). What then?

vbgamer45

If it doesn't appear in the backups I would be shocked. I would say that someone hacked your control panel at that point or your hosting account.

shawnb61

Quote from: itistoday on February 09, 2023, 12:17:22 AM
I looked through the members list: https://www.taoeffect.com/forum/index.php?action=mlist

Surely they would have shown up there, as that list shows all users.
Actually, no, it doesn't necessarily...  When doing admin-oriented tasks, you should really use the much more powerful admin member search:
https://www.taoeffect.com/forum/index.php?action=admin;area=viewmembers;sa=search

Quote from: itistoday on February 09, 2023, 12:17:22 AM
2 of the 3 users' emails showed up there.
Yep.  And that's low hanging fruit...

itistoday

I figured out a way to quickly check the backups without having to set up a new machine... and you guys were right.

I don't know how I missed them multiple times, but those users exist in the backups.

Quote from: shawnb61 on February 09, 2023, 12:39:58 AM
When doing admin-oriented tasks, you should really use the much more powerful admin member search:
https://www.taoeffect.com/forum/index.php?action=admin;area=viewmembers;sa=search

Thanks for that tip, I'll try that next time. And I did just use it to search for users with 0 posts and deleted the spammers.

So, sorry for the false alarm, and thank you for your help! I'm relieved to know that this isn't a vulnerability in SMF. At least, it doesn't seem that way. I'll keep an eye on the forums and will update if something weird happens again (and hopefully it won't be me hallucinating).


Aleksi "Lex" Kilpinen

Quote from: itistoday on February 08, 2023, 08:07:51 PM
SMF claims each of these users registered in 2017.
They also ALL have user IDs below the current latest user, and SMF does not recycle user IDs.
This is a very good indication that you have simply missed them - Perhaps because they weren't actually active when you went through your members.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas
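The check that settled this thread (do the accounts already exist in an older backup, and do their member IDs sit below the newest account, since SMF hands out IDs sequentially and never reuses them) can be scripted instead of eyeballed. The following is an added example, not code from the thread or from SMF itself; it parses a constructed, deliberately stripped-down SQL dump (the real smf_members table has far more columns, and the four used here are an assumption about the dump's layout), reports for each suspect name whether the backup already held it and when it registered, and reproduces the "0 posts" filter that was used in the admin member search to find the spam accounts.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a cut-down SQL dump of a forum backup. Only four
# columns are kept (id_member, member_name, date_registered, posts);
# date_registered is assumed to be a Unix timestamp, as in SMF.
SAMPLE_DUMP = """
INSERT INTO smf_members (id_member, member_name, date_registered, posts) VALUES (1, 'admin', 1262304000, 5120);
INSERT INTO smf_members (id_member, member_name, date_registered, posts) VALUES (2041, 'regular_user', 1420070400, 87);
INSERT INTO smf_members (id_member, member_name, date_registered, posts) VALUES (3307, 'suspect_one', 1497000000, 0);
INSERT INTO smf_members (id_member, member_name, date_registered, posts) VALUES (3310, 'suspect_two', 1497100000, 0);
INSERT INTO smf_members (id_member, member_name, date_registered, posts) VALUES (4502, 'newest_member', 1675000000, 1);
"""

# Matches one INSERT row of the constructed dump format above.
ROW_RE = re.compile(
    r"INSERT INTO smf_members \(id_member, member_name, date_registered, posts\) "
    r"VALUES \((\d+), '([^']*)', (\d+), (\d+)\);"
)


def parse_members(dump_text):
    """Return {member_name: {id_member, date_registered, posts}} from the dump."""
    members = {}
    for match in ROW_RE.finditer(dump_text):
        id_member, name, registered, posts = match.groups()
        members[name] = {
            "id_member": int(id_member),
            "date_registered": datetime.fromtimestamp(int(registered), tz=timezone.utc),
            "posts": int(posts),
        }
    return members


def triage(dump_text, suspects, live_max_id):
    """
    For each suspect account name, say whether the backup already held it.
    An account present in the backup was not freshly registered after the
    backup was taken; if its id is also below the live forum's highest id,
    it predates newer accounts (SMF assigns ids sequentially, no reuse),
    which points at a takeover of an existing account rather than a new
    spam registration.
    """
    members = parse_members(dump_text)
    report = {}
    for name in suspects:
        row = members.get(name)
        if row is None:
            report[name] = {
                "in_backup": False,
                "verdict": "absent from backup: created after it; check registration logs",
            }
            continue
        report[name] = {
            "in_backup": True,
            "id_member": row["id_member"],
            "predates_newest": row["id_member"] < live_max_id,
            "registered": row["date_registered"].strftime("%Y-%m-%d"),
            "posts": row["posts"],
            "verdict": "already in backup: pre-existing account, likely credential reuse",
        }
    return report


def zero_post_members(dump_text):
    """Names of accounts with 0 posts, the same filter the admin member search applied."""
    return sorted(name for name, row in parse_members(dump_text).items() if row["posts"] == 0)


if __name__ == "__main__":
    for name, result in triage(SAMPLE_DUMP, ["suspect_one", "suspect_two", "ghost"], 4502).items():
        print(name, result)
    print("zero-post accounts:", zero_post_members(SAMPLE_DUMP))
```

Running this against a real dump would need the regex adjusted to the actual column list of the backup (a `mysqldump` of smf_members emits many more columns per row), but the decision logic is the same: present in the backup with an older id means "missed, not newly injected", and absent means the registration path itself needs a closer look.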
