Phantom buddy adds

[cookdandbombd]

Hello and happy Easter.  My forum is running SMF 2.1.4.

My users have been reporting buddy adds recently, yet when they contact the people who added them, they said that they had done no such thing. 

This has plagued one person in particular who I urged to change her password.  Yet she is still getting buddy adds from people who know nothing about it.  We don't even use the buddy system tbh, I just have it turned on as it's coupled with ignore lists.

Not sure what to do or even if I should be concerned, I do find it a bit weird though.  Any ideas?

[Doug Heffernan]

You are running a very old and outdated version that contains numerous security issues. That goes for the php/mysql versions that can used with Smf 1.1. My advice, if I may is to upgrade to the latest version a.s.a.p.

[Kindred]

Ummmmmm... Doug?  The OP said they are using 2.1.4 -- the most current version.

Cook... to answer your question,  I have never heard of that occurring.
 What mods?
What theme?

Url?

[Doug Heffernan]

Ummmmmm... Doug?  The OP said they are using 2.1.4 -- the most current version.

It was posted in the 1.1. support section originally. I saw that you moved it to the 2.1x section now. I missed the forum version in the op though.

[Kindred]

Lol, no, it WAS there. I moved it... but they said 2.1.4 in the text

[cookdandbombd]

Lol, no, it WAS there. I moved it... but they said 2.1.4 in the text

OOPS, my apologies, much brain fog today :-)

Cook... you answer your question,  I have never heard of that occurring.
 What mods?
What theme?

Url?

I did search the forum to no avail, it's an odd one for sure.  I forgot to include mods though, apologies:

https://www.cookdandbombd.co.uk/forums/index.php?action=forum

I'm just using the default theme, I also made a copy of it recently and am making it into a dark mode one. 

Mods are SMF Gallery Lite; Custom Greeting; Curve2 Colour Changer; Remixed Breadcrumbs; Quick Spoiler; TinyPortal; Avatars Display Integration; Tagging System; Contact Page; SMF Center Banner; Forum Width Setting; Stop Forum Spam; FA Board Icons.

Thanks.

[Doug Heffernan]

Lol, no, it WAS there. I moved it... but they said 2.1.4 in the text

I missed the forum version in the op though.

Mods are SMF Gallery Lite; Custom Greeting; Curve2 Colour Changer; Remixed Breadcrumbs; Quick Spoiler; TinyPortal; Avatars Display Integration; Tagging System; Contact Page; SMF Center Banner; Forum Width Setting; Stop Forum Spam; FA Board Icons.

None of those mods have known security issues a.f.a.i.k. Was there any change done to the forum prior to this happening?

When you say buddy adds, what does that mean exactly? Can you please give a few more details on this?

[cookdandbombd]

None of those mods have known security issues a.f.a.i.k. Was there any change done to the forum prior to this happening?

Not that I can think of, although I've been very very busy with the place over the past year or more, but that activity has revolved around making the forum more stable and getting rid of bots, for the most part.

It's also kind of hard to tell how long this has been going on for, as most of us simply don't use the buddy system or even really understand it.  (I did look up the intended purpose of it today for more clarity.)

When you say buddy adds, what does that mean exactly? Can you please give a few more details on this?

Sure, it might be better to show you some examples.

[REPORT] Re: Buddy
Blue Jam has reported the below personal message, sent by bgmnts, for the following reason:
Hi Neil, got a "bgmnts has added you as their buddy" notification last week and now he appears to have had one from me, even though neither of us seem to have sent them! Think you may have a bug here. No offence to bgmnts of course

Below are the original contents of the personal message which was reported:

I wasn't expecting a friend add from you to be fair. Hmmm

I also had a notification saying "The Mollusk has added you as their buddy" the week before. Thought that was a bit odd- got nothing against him but we don't interact much and I'm not too popular with the vegans haha Just don't want to accidentally buddy up with the people I try to avoid on here and have them think I'm trolling them!

[REPORT] Re: Buddy
Blue Jam has reported the below personal message, sent by Tiggles, for the following reason:
Hiya, changed my password after your last message, but had another phantom buddy add, this time from Tiggles! Weird... xxx

Below are the original contents of the personal message which was reported:

Nope, a phantom add! Will take you off. Thanks for the heads up.

[Doug Heffernan]

Sure, it might be better to show you some examples.

Thank you. Now I see what you mean. That's not the normal behavior of the buddy system. If the users didn't send the buddy requests themselves then the only thing that I can think of is a hijack of their accounts. 

[cookdandbombd]

Sure, it might be better to show you some examples.

Thank you. Now I see what you mean. That's not the normal behavior of the buddy system. If the users didn't send the buddy requests themselves then the only thing that I can think of is a hijack of their accounts. 

Is there any way I can look into this more deeply, either through SMF or my nginx logs?  I'm not too sure how to progress further currently. I'm looking at the tracking section of one of the users, and it doesn't seem to have the info I would require - it just shows posts made from IPs etc.

Just checked the login field and it's all one consistent IP address that's logged into the account. And he's an active poster who hasn't changed in any kind of suspicious way.

[Doug Heffernan]

Is there any way I can look into this more deeply, either through SMF or my nginx logs?  I'm not too sure how to progress further currently

Can you check the access logs at your cPanel? There might be useful in there that might help you to figure this out.

[cookdandbombd]

Can you check the access logs at your cPanel? There might be useful in there that might help you to figure this out.

I have full access to all the logs from a shell, but am a bit rusty lol, just not sure what to even look for, but I'll keep thinking. 

[Illori]

i am not familiar with all the mods you have installed, do any of them add a button that makes it easier to add someone as a buddy? i am pretty sure the text string "has added you as their buddy" is not found in the default install.

[cookdandbombd]

i am not familiar with all the mods you have installed, do any of them add a button that makes it easier to add someone as a buddy?

Not that I know of no, definitely not intentionally anyway. The only reason I have buddy lists at all is that it's packaged with the ignore list.  Other than that, we don't use the buddy lists and don't really want or need them. 

i am pretty sure the text string "has added you as their buddy" is not found in the default install.

I just did it with a test account and it came up as a notification for me, here's how it looks:

[Sir Osis of Liver]

$txt['alert_member_buddy_request'] = '{member_link} added you as their buddy';

[Illori]

the string above was "bgmnts has added you as their buddy" this is not found as a default string. the word "has" is not in the english language strings. are you using english-british or something else?

[Kindred]

Actually,  here's a question:   are they Actually added as buddies?
If those users go to their buddy section,  does it list the other user?

[cookdandbombd]

the string above was "bgmnts has added you as their buddy" this is not found as a default string. the word "has" is not in the english language strings. are you using english-british or something else?

Perhaps they transcribed it from memory and added the "has" themselves?

Actually,  here's a question:   are they Actually added as buddies?
If those users go to their buddy section,  does it list the other user?

Yes, when they've been contacted by the other party who has been surprised by the add, they've then stated they've removed them from the feature.

Edit: I shall PM some of the individuals now to make doubly sure.