Bots / Scripts Can Register on 2.3.5


Guest Katsuma


I guess that I might as well explain the one-line change. Basically, the xmlout.php file is used for AJAX instead of good old index.php. The issue is with the renewal of the captcha image: it creates a new image, saves the secret text in it and gives the image a random id so that it can be loaded later. The bug was that the secret id and the random text were related; more specifically, the random text was the first 6 characters of the random id.

Btw, here is the bug report. Strange how it could sit there for weeks with nothing happening, and then it got patched and every spam bot started exploiting the bug.

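The defect the first post describes, as an added example that is not IPB's code: a Python model of the captcha generation, with the pre-patch derivation (secret text = first six characters of the image id that the browser receives) beside the patched one (secret text from a separate md5( mt_rand() ) draw, as in the `$reg_code = strtoupper( substr( md5( mt_rand() ), 0, 6 ) );` line quoted in this thread). The function names, the in-memory captcha store and the bot's guessing routine are assumptions for illustration.

```python
import hashlib
import secrets
from typing import Callable, Dict

# Assumed stand-in for the server-side table of captcha image id -> secret text.
# Constructed for this example; it is not IPB's schema.
CaptchaStore = Dict[str, str]


def _random_md5() -> str:
    """Model of the PHP expression md5( mt_rand() ): a lower-case hex digest."""
    return hashlib.md5(str(secrets.randbelow(2**31)).encode()).hexdigest()


def new_captcha_vulnerable(store: CaptchaStore) -> str:
    """Pre-patch behaviour as the thread describes it: the secret text is the
    first six characters of the random image id, so the id leaks the answer."""
    captcha_id = _random_md5()
    reg_code = captcha_id[:6].upper()
    store[captcha_id] = reg_code
    return captcha_id          # this id is what the browser gets in the image URL


def new_captcha_fixed(store: CaptchaStore) -> str:
    """Post-patch behaviour: the secret text comes from an independent random
    value, i.e. strtoupper( substr( md5( mt_rand() ), 0, 6 ) ) in the PHP."""
    captcha_id = _random_md5()
    reg_code = _random_md5()[:6].upper()
    store[captcha_id] = reg_code
    return captcha_id


def bot_guess(captcha_id: str) -> str:
    """What a spam bot had to do: no image decoding, just upper-case the first
    six characters of the id it was handed."""
    return captcha_id[:6].upper()


def verify(store: CaptchaStore, captcha_id: str, answer: str) -> bool:
    """Server-side check of a submitted captcha answer."""
    return store.get(captcha_id) == answer


def bot_success_rate(factory: Callable[[CaptchaStore], str], trials: int = 200) -> float:
    """Fraction of freshly issued captchas the id-based guess solves."""
    store: CaptchaStore = {}
    hits = 0
    for _ in range(trials):
        captcha_id = factory(store)
        if verify(store, captcha_id, bot_guess(captcha_id)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("vulnerable:", bot_success_rate(new_captcha_vulnerable))   # 1.0
    print("fixed:     ", bot_success_rate(new_captcha_fixed))        # ~0.0
```

Running `bot_success_rate` against each generator gives 1.0 for the pre-patch scheme (the bot never has to read the image) and effectively 0 for the patched one. The same check applies to every code path that issues a captcha: if any path, such as the AJAX reload the thread discusses, still derives the text from the id, the rate for that path is back to 1.0.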

bfarber,

The patch in xmlout.php doesn't work.

The xmlout function is called only when the captcha image is reloaded by mouse click.

You can check it:

change

$reg_code = strtoupper( substr( md5( mt_rand() ), 0, 6 ) );

to

$reg_code = "123456";

and go to the "register" page. You can see "123456" only after reloading the picture. Bots don't reload the image.

IPB 2.3.5


I updated all my sites, so hopefully this will deter the persistent critters :P

But I also use FSY23's Anti-Spam Module and a bot deterrent on the registration similar to the one posted... but mine requires an edit to a PHP file to work... which reminds me I have to re-install it on a board I just upgraded to 2.3.5. :o

Nevertheless, I don't have many problems with bots or spammers registering or posting spam as a result of these modifications. The captcha patch will just be an added improvement for me. :cool: ;)


We have updated it with that information. :)



Hi Keith,
Forgive my numptiness, but the downloaded files contain a sub-folder called __MACOSX which appears to also have images in its own captcha sub-folder.
I didn't upload those as they were part of my IPB installation on my server and I don't have a Mac.

Should we be uploading those too and what are they for? Can you confirm the proper folder/file structure we should have to complete this update properly?

At the moment, I have:

forum/style_captcha/captcha_backgrounds/the new backgrounds and index.php file but No __MACOSX folder and hence nothing inside it.
forum/style_captcha/captcha_fonts/the new fonts only and the index.php file

Many thanks!

Not sure if these were bots, but I had 23 members register in the last 24 hours with a known spam IP address, and I have 4 custom profile fields which were all set to the same values for all 23 members.

None of these validated their email address and therefore have not posted. They have now been removed and I updated the ipaddress ban filters.

I use the IPS Captcha.


    bfarber,

    The patch in xmlout.php doesn't work.

    The xmlout function is called only when the captcha image is reloaded by mouse click.

    You can check it: change

    $reg_code = strtoupper( substr( md5( mt_rand() ), 0, 6 ) );

    to

    $reg_code = "123456";

    and go to the "register" page. You can see "123456" only after reloading the picture. Bots don't reload the image.

    IPB 2.3.5



Exactly! The register.php code already used the new method of generating the numbers in the image but xmlout.php didn't. This meant all spammers had to do was load the page and then re-load the image to get the easier-to-crack image.

I have had the same attack from this bot.

I think it traces back to Russia; MarinaWonders was the first member when this started. It went quiet for a while, but now I am getting 5 - 10 registrations per hour, nearly 100 yesterday.

How do we resolve this folks? Arrgghhh!!


It is very irritating, as it uses a different Gmail address, IP, username, and values in the custom profile fields I have set as follows, which makes it near impossible to add it to a ban filter. I have now set registration to email validation (which it completes) and then admin validation, which gives me and other staff a chance to remove them manually.

xbox live gamertag (required) adds registered username.

Skype (google)

twitter ( adds a random country)

PS3 gamertag, (adds a random country)

Wii code (adds random country)


I had a crap-load of "odd" names (and suspect email accounts) register on my boards yesterday and as far as I am aware, none passed the email validation stage.

Literally since the very moment I applied the patch from IPS, the registrations dropped back to normal.


If it's completing email validation, then there's every chance it's a human that is being paid to register.



I don't think so, Matt. I've done some further searching and I have 35 validated accounts all registered by this bot with the exact same details people are reporting here.

I've also got an equal number of unvalidated accounts. We've never had bot sign-ups like this before, ever. Sure, we get the odd account now and then, but not more than 70 in the same day :-s

If anyone is interested there is a list of forum spammers located at http://www.stopforumspam.com

I created a script that loads these IP addresses into ibf_banfilters, and if anyone is interested, here is the code.

<?php

   define( 'IPB_THIS_SCRIPT', 'public' );
   define( 'IPB_LOAD_SQL'   , 'queries' );

   require_once( './init.php' );

   //===========================================================================
   // MAIN PROGRAM
   //===========================================================================

   $INFO = array();

   //--------------------------------
   // Load our classes
   //--------------------------------

   require_once ROOT_PATH   . "./sources/ipsclass.php";
   require_once ROOT_PATH   . "./conf_global.php";

   # Initiate super-class
   $ipsclass       = new ipsclass();
   $ipsclass->vars = $INFO;
   $ipsclass->init_db_connection();

   // Fetch the banned-IP list; stop before touching the table if the download failed,
   // otherwise the delete below would empty the filters and nothing would be re-inserted
   $ips = file_get_contents("http://www.stopforumspam.com/downloads/bannedips.csv");
   if ( $ips === false )
   {
       die("Could not download bannedips.csv");
   }

   $date   = time();
   $banips = explode(",", $ips);

   // Drop the existing 'ip' ban filters before loading the fresh list
   $ipsclass->DB->Query("delete from ibf_banfilters where ban_type='ip'");

   foreach ($banips as $ip)
   {
       $ip = trim($ip);

       // Only insert well-formed dotted-quad addresses. The list comes from a remote
       // host, so an entry must never be interpolated into the query unchecked.
       if ( ! preg_match('/^\d{1,3}(\.\d{1,3}){3}$/', $ip) )
       {
           continue;
       }

       $ipsclass->DB->Query("INSERT into ibf_banfilters (ban_type,ban_content,ban_date) VALUES ('ip','$ip',$date)");
   }




You will note that this deletes all existing 'ip' ban filters, so comment out that line if not required.
You should then rebuild the ban filters cache, and note there is a problem in the ACP, as I indicate in this tracker bug.

If you do not want so many ban filters, then take a look at the API that is available at http://www.stopforumspam.com/apis


I know this is going to sound strange, but we have recently changed to an IP board, and I was wondering if anyone could tell me where I can ban email addresses and IP addresses, please.
I'm having the same problem, but I have put in the question; we will see where this will take us :)


    Hi Keith,

    Forgive my numptiness, but the downloaded files contain a sub-folder called __MACOSX which appears to also have images in its own captcha sub-folder.
    I didn't upload those as they were part of my IPB installation on my server and I don't have a Mac.

    Should we be uploading those too and what are they for? Can you confirm the proper folder/file structure we should have to complete this update properly?

    At the moment, I have:

    forum/style_captcha/captcha_backgrounds/the new backgrounds and index.php file but No __MACOSX folder and hence nothing inside it.
    forum/style_captcha/captcha_fonts/the new fonts only and the index.php file

    Many thanks!



Blame Rikki and his Mac :P

That is typically some invisible folder when using a Mac (similar to a thumbs.db file on windows, which is usually hidden for Windows users).

So in short, you can ignore the MACOSX folder.

I'm getting these on my forum now as well--had about 10 such registrations overnight, and they are passing the email validation, the new Captcha patch/graphics, and a custom profile field. None have gotten by Admin validation yet, at least that I know (haven't had any spam posts yet). I've been using the stopforumspam.com site as a reference, but it doesn't catch them all. Most are pretty obvious, even if they are not listed on stopforumspam.com.

..Al
