Security issue? Bots logs in as an existing forum account and opens a topic

[Pablo BJB]

Hi guys,

I run a self-hosted instance at https://forum.bjbikers.com. For a couple of days now we are seeing that bots are able to log in as existing forum members and then post their spam as new topics. My forum was on the previous v4.7.14, but today I've upgraded it to the latest v4.7.15. This has happened 4-5 times with different accounts.

Here's the activity log for such an account:

 

Does this happen to anyone else? Do you have any advices on what should I do to prevent this from happening in the future?

Thanks!

 

 

 

Edited February 10 by Pablo BJB

[Pablo BJB]

Here's some more information. 

The IP used for logging into an existing member account has been used to register an spam account which wasn't automatically recognized as spam (editors flagged him afterwards because it posted spam). 

 

 

 

[Safety1st]

How did you determined it is a bot? It didn't pass Turing test?

[Randy Calvert]

This is not a “security” issue. The software code is not being exploited etc. 

Spam bots can and do register accounts.  Those spam bots can be programmed to register on Monday and make a post 2 weeks later and then a week later, etc as a way to evade detection. They might be using different IP addresses but the botnet itself obviously would know a password if it registered the account. It’s not hard to script doing email validation using a free throw away Gmail account. 

[Pablo BJB]

I understand what you are saying, but this is not the case here. Those accounts are legit, they have posted normal messages over years until a couple of days ago when they were abused. One account used is registered in 2014. by a person known in my community. 

 

[Jim M]

10 minutes ago, Pablo BJB said:

I understand what you are saying, but this is not the case here. Those accounts are legit, they have posted normal messages over years until a couple of days ago when they were abused. One account used is registered in 2014. by a person known in my community. 

 

IP addresses recycle so it is completely possible it could have been used by a regular user at one point and a spammer. Simply because the IP address is the same, does not indicate a security issue.

It also is completely possible that the user's credentials were leaked in another site's attack, and that user uses the same credentials on many sites, so the botnet was able to log in as them. 

Both of which are not security concerns in our software. We would recommend enabling Two Factor Authentication if you're concerned about this.

[Pablo BJB]

Huh, you are very quick to determine that this is not a security concern for your software, by providing one possible explanation. :) I was hoping for a more caring attitude for your customer from 2010. and at least some questions/hints on what should we investigate, which would help in the end to explain what actually happened.

By looking at the IP addresses used in that account its obvious that when a person was using the account, his IP addresses are geolocated in Serbia, Europe (as my forum community is mostly located in ex-Yugoslavia region) and only when a spammer used his account, IP address location is in USA. That kind of proves that a spammer was using this account and not the person who regularly uses that account. 

It is possible that this persons password is leaked somewhere else and used, but is rather unlikely since this problem I am facing is happening on several legit accounts. 

I will look into this issue with my sys admin, since it seems that I won't get any help from you guys.

 

[Jim M]

2 minutes ago, Pablo BJB said:

It is possible that this persons password is leaked somewhere else and used, but is rather unlikely since this problem I am facing is happening on several legit accounts. 

This is actually something which has been circling the web recently as there have been pretty big sites in the last few months to a year which have been exposed recently with full credentials being populated on the dark web and individuals using the same credentials frequently, has caused lots of problems with spammers getting into otherwise dormant or trustworthy users. As mentioned, we recommend enabling 2FA if you're concerned about your users.

2 minutes ago, Pablo BJB said:

Huh, you are very quick to determine that this is not a security concern for your software, by providing one possible explanation.

I am sorry you feel we do not care, it is actually the opposite which we are providing you this information about how to better secure user accounts. With the limited information of the same IP address we were provided, we are providing the results of what we have seen previously. This is nothing new and ultimately, not seeing this come from an exploit of our software. If there is new information which is showing that the account has been compromised through the software, we will certainly investigate that but at this time, there is no evidence of that.

8 minutes ago, Pablo BJB said:

By looking at the IP addresses used in that account its obvious that when a person was using the account, his IP addresses are geolocated in Serbia, Europe (as my forum community is mostly located in ex-Yugoslavia region) and only when a spammer used his account, IP address location is in USA. That kind of proves that a spammer was using this account and not the person who regularly uses that account. 

This would point further to exploited credentials, I'm afraid. 

[TwinTurbo]

Hello @Pablo BJB,

1. Kindly take a look at this link:

https://www.conquer-your-risk.com/2022/11/30/4-websites-to-check-if-your-password-is-in-the-darkweb/

https://haveibeenpwned.com/

The above website (have i been pwned) should be helpful in exploring the possibility that your user's accounts were breached as part of various data breaches at various companies and compounded by potential password sharing. 

The above website (have i been pwned) allows you to enter the email address and it will show all the breaches for that particular email address (you might have to scroll down a bit to see the detailed breach history). 

As part of troubleshooting and diagnosis, kindly consider checking various email addresses of the users you suspect are posting spam (perhaps involuntarily due to things going wrong somewhere and them being a trusted user) in the above website (have i been pwned). If their credentials were breached, you will probably see their email addresses as part of multiple breaches. 

 

2. As part of further troubleshooting and diagnosis effort, you could perhaps contact the user (assuming you have their phone number - sms / call as you deem appropriate, or send a personal email to their registered email - different from the usual forum notification which they might not read) and perhaps convince them to change their password and add in a 2FA and see if the problem goes away. This way you might be able to mitigate the issue. Part of the problem in handling data breaches is that people don't know that their credentials have been breached. And as a friendly suggestion, you might want to word it in a way that doesn't set off panic in the contacted user : (hey, I need your help in troubleshooting an issue with the forum, something along the lines of that, describe the issue and long term trusted users should be more than willing to help you out). And (assuming) that if indeed the user's creds have been breached, your user would need to change the passwords on all affected services. 

 

Good luck with your troubleshooting and do keep us posted. 

 

Regards,

TwinTurbo. 

 

 

[TwinTurbo]

@Pablo BJB Also as part of your troubleshooting, it might be helpful to take a look at some bot control mechanisms.

CloudFlare Turnstile : 

https://www.cloudflare.com/products/turnstile/

And also the CloudFlare free plan: https://www.cloudflare.com/plans/

CloudFlare free plan should help with some website performance issues (DDOS / others). The $20 / month (paid yearly) or $25 per month (paid monthly) might be worth it based on your use case [Your sysadmin will probably have more technical info on this]

While CloudFlare Turnstile doesn't require the user to do anything (like other captcha's make the user select images), I haven't had first hand experience with it. Some reddit reviews say some good things about Turnstile. Since it's free, might be worth trying to see if the bot problem is mitigated. Alternatively you can also consider other popular captcha services. [Again you sysadmin will have latest on the ground reliability and usefulness of these captcha services. If and when you choose to deploy any bot mitigation service, do consider monitoring the end result (website usability, forum users feedback and whether they like it or not, or if the captcha becomes a major friction point / pain for your users) and then re-evaluate.]

Good luck with your troubleshooting. 

 

 

[Safety1st]

⚠ Also be aware that if you use services like CloudFlare, you should protect your community from exposing its real IP. So you at least should forget about attaching preview of remote images/links, installing plugins/apps (this can be tweaked to allow access to GitHub, etc btw).