henke37 (October 2, 2008): I guess that I might as well explain the one line change. Basically, the xmlout.php file is used for AJAX, instead of good old index.php. The issue is about the renewal of the captcha image. It creates a new image, saves the secret text in it and gives the image a random id so that it can be loaded later. The bug was that the secret id and random text were related; more specifically, the random text was the first 6 characters of the random id. Btw, here is the bug report. Strange how it could sit there for weeks with nothing happening, and then it got patched and every spam bot started exploiting the bug.
desti (October 2, 2008): bfarber, the patch in xmlout.php doesn't work. The xmlout function is called only when the captcha image is reloaded by mouse click. You can check it: change $reg_code = strtoupper( substr( md5( mt_rand() ), 0, 6 ) ); to $reg_code = "123456"; and go to the "register" page. You can see "123456" only after reloading the picture. Bots don't reload the image. IPB 2.3.5
kafloo (October 2, 2008): Has anyone tried using this http://invisionmodding.com/index.php?showtopic=26878 recaptcha?
Black Prowler (October 2, 2008): I updated all my sites so hopefully this will deter the persistent critters :P But I also use FSY23's Anti-Spam Module and a bot deterrent on the registration similar to the one posted... but mine requires an edit to a PHP file to work... which reminds me I have to re-install it to a board I just upgraded to 2.3.5. :o Nevertheless I don't have many problems with bots or spammers registering or posting spam as a result of these modifications. The captcha patch will just be an added improvement for me. :cool: ;)
tsutton (October 2, 2008): The deleting of the old files appears to have done the trick... no spambot registration overnight! :D
The Old Man (October 2, 2008): We have updated it with that information. :)

Hi Keith, forgive my numptiness, but the downloaded files contain a sub-folder called __MACOSX which appears to also have images in its own captcha sub-folder. I didn't upload those as they were part of my IPB installation on my server and I don't have a Mac. Should we be uploading those too and what are they for? Can you confirm the proper folder/file structure we should have to complete this update properly? At the moment, I have:

forum/style_captcha/captcha_backgrounds/ - the new backgrounds and index.php file, but no __MACOSX folder and hence nothing inside it.
forum/style_captcha/captcha_fonts/ - the new fonts only and the index.php file

Many thanks!
Cool Surfer (October 2, 2008): I was surprised to see bots register on my forum and even post in the download section as guest, when actually guests can even login into my forum.
RobertMidd (October 2, 2008): Not sure if these were bots, but I had 23 members register in the last 24 hours with a known spam IP address, and I have 4 custom profile fields which were all set to the same values for all 23 members. None of these validated their email address and therefore have not posted. They have now been removed and I updated the IP address ban filters. I use the IPS Captcha.
John__ (October 2, 2008): We've had about 10 or so bots register in the last few hours, after we applied the IPS patch. Half of them validated their email address and posted, while the other half didn't validate yet.
Matt (Management) (October 2, 2008):

> bfarber, the patch in xmlout.php doesn't work. The xmlout function is called only when the captcha image is reloaded by mouse click. You can check it: change $reg_code = strtoupper( substr( md5( mt_rand() ), 0, 6 ) ); to $reg_code = "123456"; and go to the "register" page. You can see "123456" only after reloading the picture. Bots don't reload the image. IPB 2.3.5

Exactly! The register.php code already used the new method of generating the numbers in the image, but xmlout.php didn't. This meant all spammers had to do was load the page and then re-load the image to get the easier-to-crack image.
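The two posts above (henke37's description of the secret being the first 6 characters of the image id, and Matt's point that register.php and xmlout.php used different generators) can be made concrete in a few lines. The following PHP is an added example written for this page; it is not IPB's code, and the function names (captcha_vulnerable, captcha_fixed, captcha_store, captcha_verify, code_derivable_from_id) are assumptions chosen for illustration. It also substitutes random_int/random_bytes for the md5(mt_rand()) the 2008 patch used, as the modern CSPRNG choice.

```php
<?php
// Added example, not IPB code: models the weak and the fixed captcha generator
// the thread contrasts, plus the check a maintainer would keep as a regression test.
// All helper names below are assumptions for illustration.

/**
 * Weak pattern described by henke37: the image id is random, but the
 * 6-character secret is simply the first 6 characters of that id. The id is
 * sent to the browser in the image URL, so the secret travels with it.
 */
function captcha_vulnerable(): array
{
    $id = md5(uniqid((string) mt_rand(), true));
    return ['id' => $id, 'code' => strtoupper(substr($id, 0, 6))];
}

/**
 * Fixed pattern: id and secret are drawn independently. Output alphabet is
 * upper-case hex, matching the strtoupper(substr(md5(...), 0, 6)) format quoted
 * in the thread; random_int replaces mt_rand as the source of randomness.
 */
function captcha_fixed(): array
{
    $id       = bin2hex(random_bytes(16));
    $alphabet = '0123456789ABCDEF';
    $code     = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return ['id' => $id, 'code' => $code];
}

/** Server-side store keyed by id: the browser only ever receives the id. */
function captcha_store(array &$store, array $captcha): string
{
    $store[$captcha['id']] = $captcha['code'];
    return $captcha['id'];
}

/** Single-use verification: constant-time compare, then discard the entry. */
function captcha_verify(array &$store, string $id, string $answer): bool
{
    if (!isset($store[$id])) {
        return false;
    }
    $ok = hash_equals($store[$id], strtoupper($answer));
    unset($store[$id]);   // a code is valid for exactly one attempt
    return $ok;
}

/** Regression check: can the secret be reconstructed from the public id alone? */
function code_derivable_from_id(array $captcha): bool
{
    return strtoupper(substr($captcha['id'], 0, 6)) === $captcha['code'];
}

// Every entry point that issues a captcha (the registration page and the AJAX
// image reload, per Matt's post) must call the same generator; otherwise the
// reload path quietly reintroduces the weak variant.
$store = [];
$weak  = captcha_vulnerable();
$good  = captcha_fixed();
printf("vulnerable generator: secret derivable from id = %s\n", code_derivable_from_id($weak) ? 'yes' : 'no');
printf("fixed generator:      secret derivable from id = %s\n", code_derivable_from_id($good) ? 'yes' : 'no');

$id = captcha_store($store, $good);
var_dump(captcha_verify($store, $id, strtolower($good['code'])));   // first attempt, correct answer
var_dump(captcha_verify($store, $id, $good['code']));               // same id again: entry already consumed
```

The useful habit here is the last function: a one-line test that fails on the weak generator and passes on the fixed one, run against every code path that hands out a captcha id, catches exactly the register.php/xmlout.php divergence the thread describes.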
Phil Bowen (October 2, 2008): I have had the same attack from this bot. I think it traces back to Russia; MarinaWonders was the first member when this started. It went quiet for a while, now I am getting 5 - 10 registrations per hour, nearly 100 yesterday. How do we resolve this folks? Arrgghhh!!
Cool Surfer (October 2, 2008): Anyone else tried Jason's idea > http://forums.invisionpower.com/index.php?showtopic=277065 :) If this is a forum security related suggestion then all members should have access to this suggestion. It tells me that I am not a customer, when I have the paid forum.
Phil Bowen (October 2, 2008): It is very irritating as it uses a different Gmail, IP, username, and in the custom profile fields I have set as follows, which makes it near impossible to add it to a ban filter. I have now set it to email validation (which it completes) then admin validation; this gives me and other staff a chance to remove them manually.

Xbox Live gamertag (required) - adds the registered username.
Skype (Google)
Twitter - adds a random country
PS3 gamertag - adds a random country
Wii code - adds a random country
Matt (Management) (October 2, 2008): If it's completing email validation, then there's every chance it's a human that is being paid to register.
Rοb (October 2, 2008): I had a crap-load of "odd" names (and suspect email accounts) register on my boards yesterday and as far as I am aware, none passed the email validation stage. Literally since the very moment I applied the patch from IPS, the registrations dropped back to normal.
Adriano Faria (October 2, 2008):

> If it's completing email validation, then there's every chance it's a human that is being paid to register.

I think so... I have several registrations but they stop on email validation.
John__ (October 2, 2008):

> If it's completing email validation, then there's every chance it's a human that is being paid to register.

I don't think so Matt. I've done some further searching and I have 35 validated accounts all registered by this bot with the exact same details people are reporting here. I've also got an equal number of unvalidated accounts. We've never had bot sign ups like this before, ever. Sure we get the odd account now and then but not more than 70 in the same day :-s
Stuart 4 (October 2, 2008): had a few spam bots 2day :(
Midnightmadness (October 2, 2008): After I applied the patch yesterday and the new images I still got a few spam bots registering. Decided to turn off new registrations for the time being.
RobertMidd (October 2, 2008): If anyone is interested there is a list of forum spammers located at http://www.stopforumspam.com. I created a script that loads these IP addresses into ibf_banfilters, and again if anyone is interested then here is the code.

```php
<?php
define( 'IPB_THIS_SCRIPT', 'public' );
define( 'IPB_LOAD_SQL' , 'queries' );
require_once( './init.php' );

//===========================================================================
// MAIN PROGRAM
//===========================================================================
$INFO = array();

//--------------------------------
// Load our classes
//--------------------------------
require_once ROOT_PATH . "./sources/ipsclass.php";
require_once ROOT_PATH . "./conf_global.php";

# Initiate super-class
$ipsclass = new ipsclass();
$ipsclass->vars = $INFO;
$ipsclass->init_db_connection();

// Fetch the comma-separated IP list; stop if the download failed
$ips = file_get_contents("http://www.stopforumspam.com/downloads/bannedips.csv");
if ( $ips === false )
{
	die( "Could not download bannedips.csv" );
}

$date   = time();
$banips = explode( ",", $ips );

// Deletes ALL existing 'ip' ban filters; comment out if not required
$ipsclass->DB->Query("delete from ibf_banfilters where ban_type='ip'");

foreach ( $banips as $ip )
{
	$ip = trim( $ip );

	// Only insert well-formed addresses: the list is remote, untrusted input
	// and is interpolated straight into the SQL below
	if ( filter_var( $ip, FILTER_VALIDATE_IP ) === false )
	{
		continue;
	}

	$ipsclass->DB->Query("INSERT into ibf_banfilters (ban_type,ban_content,ban_date) VALUES ('ip','$ip',$date)");
}
```

You will note that this deletes all existing 'ip' ban filters, so comment out that line if not required. You should then rebuild the ban filters cache, and note there is a problem in the ACP as I indicate in this tracker bug. If you do not want so many ban filters then take a look at the API that is available at http://www.stopforumspam.com/apis
lauram340 (October 2, 2008): I know this is going to sound strange, but we have recently changed to an IP board; I was wondering if anyone could tell me where I could ban email addresses and IP addresses please. I'm having the same problem but I have put in the question, we will see where this will take us :)
Keith J. Kacin (October 2, 2008):

> Hi Keith, forgive my numptiness, but the downloaded files contain a sub-folder called __MACOSX which appears to also have images in its own captcha sub-folder. I didn't upload those as they were part of my IPB installation on my server and I don't have a Mac. Should we be uploading those too and what are they for? Can you confirm the proper folder/file structure we should have to complete this update properly? At the moment, I have: forum/style_captcha/captcha_backgrounds/ - the new backgrounds and index.php file, but no __MACOSX folder and hence nothing inside it. forum/style_captcha/captcha_fonts/ - the new fonts only and the index.php file. Many thanks!

Blame Rikki and his Mac :P That is typically some invisible folder when using a Mac (similar to a thumbs.db file on Windows, which is usually hidden for Windows users). So in short, you can ignore the MACOSX folder.
XNova (October 2, 2008): Use this to solve :) http://resources.invisionpower.com/index.p...mp;article=6104
AtariAge (October 2, 2008): I'm getting these on my forum now as well; had about 10 such registrations overnight, and they are passing the email validation, the new captcha patch/graphics, and a custom profile field. None have gotten by admin validation yet, at least that I know of (haven't had any spam posts yet). I've been using the stopforumspam.com site as a reference, but it doesn't catch them all. Most are pretty obvious, even if they are not listed on stopforumspam.com. ..Al
The Old Man (October 2, 2008):

> Blame Rikki and his Mac :P That is typically some invisible folder when using a Mac (similar to a thumbs.db file on Windows, which is usually hidden for Windows users). So in short, you can ignore the MACOSX folder.

Thanks Keith!
This topic is now archived and is closed to further replies.