Ravens PHP Scripts: Forums
 

 

Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
dreadedcorpse (New Member; Joined: May 15, 2013; Posts: 3)
Posted: Thu May 16, 2013 5:18 pm

neralex wrote:
kguske is right. Thanks for the reply. But RN does not lack functions; it has more functions than EVO if I look into the code. Sorry, but you are only looking at what you can see or click, not at the code. The code alone creates the 'magic'. This is the biggest problem of EVO, and as long as nobody optimizes the old code, you will live with the massive count of errors. This is the reason why I cried so loud when I saw the code in my RN. In this case I like my clearly written RN; here I have the chance to implement my own stuff based on the current standards and without all these errors that are provided by the EVO core code.

Now back to the topic:

To make the next step I need to know which of the two values you want to have in the configuration and which I should leave out, or should both be left out of the configuration? If I understand it correctly, then you only need the '45' from new_user.php, and the '15' from new_confirm.php should stay hardcoded in the file?


If it said 45 when you modified it, then I have to fix that, because it was only 45 because it's from my test site/demo site. They both don't need to be hard coded, but should be the same time limit. That would be a mistake on my part.

Both should be 15. But again, they don't need to be hard-coded if you followed my post above. You can just remove one of the options and use just one globally. I will fix it in a few hours and send you a PM with the new one to see what I was talking about.

As for RN, I am not talking about the functionality of the backend. Most of your new users don't know anything about the back end of things. But if you take the current RN and put it next to, say, the version I ran in 2006/2007, they look almost the same, and the controls are almost the same.

Visually, not much has changed. I have seen some changes, but not many, but as I tell everyone over at CT, if they are looking for more of a professional site, RN is where you want to go, but for a clan site, they are better off using Xtreme. As for Xtreme not optimizing, I agree with that. But I don't think they are worried about that, because I believe they are moving away from phpbb2/BBtoNuke and going to redo their system off something else.
 
neralex (Site Admin; Joined: Aug 22, 2007; Posts: 1772)
Posted: Thu May 16, 2013 5:40 pm

Now I'm confused! But I hope it would be better if I see your new code.

BTW: I don't mean the backend - I mean the functions in the core code of the CMS. Not everything you see is what you get! For me the important thing is the way to get what you can see, and not the result of it.

_________________
Github: RavenNuke  
dreadedcorpse
Posted: Thu May 16, 2013 6:07 pm

neralex wrote:
Now I'm confused! But I hope it would be better if I see your new code.

BTW: I don't mean the backend - I mean the functions in the core code of the CMS. Not everything you see is what you get! For me the important thing is the way to get what you can see, and not the result of it.


I hear that, but I believe it should be both ways. Think of when you're building a hot-rod. When you design a hot rod, you tweak everything from brakes, tires, suspension, electrical, engine, etc. But if you don't do the body work, it's nothing but a glorified rat-rod. Every nut and bolt on a correct hot-rod is paid close attention to. Sorry for this analogy; I used to build hot-rods for a living.

I sent you a PM with the changed files. I believe I got everything. I hope I did not confuse you too much.
 
wHiTeHaT (Life Cycles Becoming CPU Cycles; Joined: Jul 18, 2004; Posts: 579)
Posted: Sun May 19, 2013 2:09 am

Can a bot simulate indexDB?
 
corpse (Regular; Joined: Oct 15, 2007; Posts: 87)
Posted: Sun May 11, 2014 4:08 am

Today, I have released HoneyPot V2 for RavenNuke. Check the first thread for the download and information about it.

Over the past 2 weeks or so, nuken (owner of [link]) has offered his site as a testing ground for the HoneyPot, to test its effectiveness against bots registering on your site and posting. Over this time, as of now, there have been 2800 bot registration attempts on his site and 0 have gotten through. The way this script works is a series of checks after the person clicks the "Submit" button on the registration. Below is an image that shows the order in which this system works, from the person coming to your site, then registering on your site, and once they click the submit button, the next series of checks are run in the order I show, from the top going down to the bottom. If they get stopped by any one of them, it will stop them and write the information to the DB for your records, so you are able to see it working. If they pass all the checks, it will proceed with allowing the completion of the registration.

[Image: order of the registration checks]


Overall, I am not going to claim that this is a 100% guarantee that it will stop bots, just because there are human bots and bot technology continues to change and improve. But for now, I believe it is the best single system out there. I have looked at a few others out there for Raven, and one thing I have found is that all of them pretty much rely on outside blacklists to stop the registration. My system uses the API from stopforumspam.com, but that is the last check in the system and is pretty much used as a final check. All other actions of this script are actually physical checks designed to trick bots into failing.

I know some of you may have in the back of your mind that you want something that is unobtrusive and does the checks; well, the nice thing about this is that most of the checks are unobtrusive. There are 2 checks, one of which requires them to delete some text, which is not hard. The other is a system where you can put in your own questions and answers. And the nice thing is that you can pick and choose which checks you want to use. You are not forced to use any or all of them.

Overall, this script has been in development for over a year now, and so far, the sites I know that are using this system have been bot free since they installed this script, and with each new release I am looking at improving its function so your site will continue to be bot free.

A thanks has to go out to neralex for optimizing this script and to nuken for beta testing Version 2 of this script.

Enjoy...
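An added example (not the Nuke HoneyPot module's own code) of a registration check pipeline in the order corpse describes: hidden field, wait time, text removal, optional Q&A, and the external blacklist last, with the first failing check recorded for the log. The field names, the configuration array, the HMAC-signed render timestamp and the stub blacklist lookup are assumptions made for this example.

```php
<?php
// Illustrative registration honeypot pipeline (added example, not the
// module's own code). Checks run in a fixed order; the first failure is
// returned as array(check, reason) so it can be written to the DB log.

// Hypothetical configuration: every check can be switched off and the wait
// time is adjustable; the external blacklist lookup always runs last.
$honeypot_config = array(
    'hidden_field' => true,  // bots fill every input; humans never see it
    'min_seconds'  => 15,    // form must have been open at least this long
    'remove_text'  => true,  // visible field pre-filled with text to delete
    'qa_answer'    => null,  // e.g. 'blue'; null disables the Q&A check
    'blacklist'    => true,  // stopforumspam-style lookup, final check
);

// Secret used to sign the form-render timestamp so a submission cannot
// carry a forged "rendered long ago" value. Constructed for this example.
define('HP_SECRET', 'example-secret-change-me');

// Called when the form is rendered: returns the token for a hidden input.
function hp_issue_timestamp($now) {
    return $now . ':' . hash_hmac('sha256', (string)$now, HP_SECRET);
}

// Verifies the token and returns the render time, or false if tampered.
function hp_verify_timestamp($token) {
    $parts = explode(':', (string)$token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $expected = hash_hmac('sha256', $parts[0], HP_SECRET);
    return hash_equals($expected, $parts[1]) ? (int)$parts[0] : false;
}

// Stand-in for the external lookup; a real deployment would call the API
// and cache results so repeat offenders do not cost a remote call.
function hp_blacklisted($email, $ip) {
    $known_bad = array('spammer@example.invalid'); // constructed sample
    return in_array(strtolower($email), $known_bad, true);
}

function hp_field(array $post, $name) {
    return isset($post[$name]) ? trim((string)$post[$name]) : '';
}

// Returns null when all enabled checks pass, otherwise array(check, reason).
function hp_run_checks(array $post, $ip, $now, array $cfg) {
    if ($cfg['hidden_field'] && hp_field($post, 'website') !== '') {
        return array('hidden_field', 'hidden input was filled in');
    }
    if ($cfg['min_seconds'] > 0) {
        $rendered = hp_verify_timestamp(hp_field($post, 'hp_ts'));
        if ($rendered === false) {
            return array('wait', 'missing or tampered timestamp');
        }
        if ($now - $rendered < $cfg['min_seconds']) {
            return array('wait', 'submitted after ' . ($now - $rendered) . 's');
        }
    }
    if ($cfg['remove_text'] && hp_field($post, 'remove_me') !== '') {
        return array('remove_text', 'pre-filled text was not deleted');
    }
    if ($cfg['qa_answer'] !== null
        && strtolower(hp_field($post, 'qa')) !== strtolower($cfg['qa_answer'])) {
        return array('qa', 'wrong answer to the site question');
    }
    if ($cfg['blacklist'] && hp_blacklisted(hp_field($post, 'email'), $ip)) {
        return array('blacklist', 'email or IP address is listed');
    }
    return null;
}

// Constructed sample submissions: a human who waited 20 seconds, a bot
// that filled the hidden field, and a human who submitted after 4 seconds.
$t0 = 1400000000;
$token = hp_issue_timestamp($t0);
$human = array('username' => 'alice', 'email' => 'alice@example.invalid',
               'website' => '', 'remove_me' => '', 'hp_ts' => $token);
$bot = array('username' => 'bot1', 'email' => 'bot@example.invalid',
             'website' => 'http://spam.invalid', 'remove_me' => 'Delete this',
             'hp_ts' => $token);

var_dump(hp_run_checks($human, '203.0.113.5', $t0 + 20, $honeypot_config));
var_dump(hp_run_checks($bot, '203.0.113.9', $t0 + 3, $honeypot_config));
var_dump(hp_run_checks($human, '203.0.113.5', $t0 + 4, $honeypot_config));
```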
 
kguske (Site Admin; Joined: Jun 04, 2004; Posts: 6432)
Posted: Sun May 11, 2014 6:13 am

corpse, it's nice to see the non-bot functionality (stopforumspam ip and email address check) added to Nuke Honeypot in V2. Curious why you didn't integrate the nukeSPAM approach for using multiple IP blacklists and spammer databases. In addition to whitelists, it minimizes "expensive" calls to the spammer databases by checking to see if you've already blocked the user, email and / or IP address.

I'm still not a fan of obtrusive measures that impact legitimate registrations, and even though it might not be very obtrusive (i.e. it won't affect most users), making a legitimate user wait is obtrusive. It also seems like something a bot programmer could handle - along with deleting text and answering questions, just as many have done with captchas. But making these configurable lets the webmaster choose which tools he wants to use. I am a fan of the unobtrusive hidden field - which I suspect is very helpful at stopping bots. If you don't mind, I'll add that to the wishlist for nukeSPAM (with full credit to you, of course!).

Since the spammers focus on the profile (signature / web link) and occasionally the forum post, I think approaches like SpasticDonkey's PROFILE AND SIGNATURE SPAM CONTROL FOR RAVENNUKE, which makes it more painful for the spammer to succeed, or hiding signatures and forum links from non-members (i.e. search engines) are the best ways to address that. Hiding links penalizes your members from a "link juice" perspective, but there are other ways to promote that (supporters, weblinks).

Anyway, congratulations on the new release, and thanks for the video and graphic that explains how it works. Both are very useful.

_________________
I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
nuken (RavenNuke(tm) Development Team; Joined: Mar 11, 2007; Posts: 2024; Location: North Carolina)
Posted: Sun May 11, 2014 8:25 am

As far as the wait, it takes a human longer than 15 seconds to type in their user name and email while bots usually do it in under 12 seconds. A real person won't even notice the wait if it is set to 15 or less. The hidden field also gets a bunch of them. I could see where the remove text could get a few real users. Bots are only going to get more aggressive as time goes on.

_________________
Tricked Out News  
corpse
Posted: Sun May 11, 2014 10:05 am

kguske, I understand what you're talking about with adding in all the various spambot blacklists, but unfortunately, all that is going to do is block what is known, and not what is unknown. The lists don't get updated as fast as you may need them to. As for the whitelist using what I already have in the DB for the email / IP, that may be something for the next release, since the info is already stored in the database. As for the time check, like nuken said, the average human will take over 15 seconds to register on your site, where bots on average can register on your site within a few seconds, talking between 2 - 7 seconds. This is what I have found in my research watching quite a few YouTube videos.

As for the other checks like the text removal and the Q&A check, well, let's start with the text removal. That is the least obtrusive of the two, considering if you know how to hit the delete button, you should be all set. As for the Q&A check, that has been discussed quite a bit, and the guys over at phpbb3 have voiced that it has been one of their most successful bot blocks overall. Granted, it's really up to the site owner to come up with a good Q&A for the check, with something that cannot be easily found on Google or any other search engine. It can also be very obtrusive in the case that the person just does not know the answer/can't spell. That is why, by default, that check is turned off.

Everything else is unobtrusive in my eyes, either hidden completely or completing its check before you finish filling in the registration.

The nice thing about the system is you can pick and choose what you want to have turned on and what you want to have turned off. You can also adjust the time for the wait check to what you feel you want for your site. Overall, you have 6 checks to use, but you are not forced to use all of them.

I know about SpasticDonkey's script, and that is all good and dandy and works well for what it is, but, again, that is like the other systems out there that do not address the problem. The problem is them registering on your site in the first place. Also, his system works on the basis that they will not make more than 5 posts, but some of the sites I have been working on have had the same bots post between 10 and 15 very similar messages, each slightly different. A couple of years ago I was working for WarGaming helping write their news articles for their game (World of Tanks), and I also helped with bot control on their forums, flagging everything that needed to be removed and notifying them right away of spam accounts using Skype. On that site, a single bot was making between 7 - 20 posts within 10 - 15 min, and we were getting hit hard. I ended up talking to the devs and a few guys that were in charge of the site in Skype, and they ended up putting in a system where people could not post until they had played at least 5 matches in the game. That system ended up being the best thing, but not all of us, including me, have a game in development to do that with.

I do know what I have developed is like a captcha and probably will be bypassed eventually, as with everything else out there; it's just a matter of trying to stay ahead of them and keep changing the technique or adding more. I know as long as this system stays somewhat in the dark and does not go mainstream on everything, I doubt that bot programmers will put the effort into putting these checks into their system. If a bot cannot register on your site any more, eventually it seems it just starts to bypass it and go to a less secured place. On my site, the "Text Removal" and the "Wait" check have been the most successful of all. Even on my test site/demo site, I have a ton of bots that have attempted to get through, and all have been caught. The nice thing about this system is if they are caught by the check and it is a false positive, it tells them why it blocked them and they do have the chance to go back and try again. It also has a way for people, if they do get blocked and keep having issues, even with false positives from stopforumspam, to still contact you through the feedback or email system if you decide to use it.

Overall, for my members and my community, I am willing to take that extra step and use something that is pretty much unobtrusive to protect them, rather than rely on something that relies on others to catch and report and get added to the system. I don't know how many people register multiple times on the same site, but on the sites that I run, most people only register once, and if it takes them an extra 3 - 5 seconds to register at most, then for the security it's providing it is well worth it. I recommend people use everything they can to protect their site and their community; you would be a fool not to.

Also, thanks. The video was something that a few asked for, and the image was something that I felt would better explain everything. Thanks again, and this will be an ongoing thing. I am still doing research for future releases, trying to keep it as unobtrusive as possible while providing that much more protection.


Last edited by corpse on Sun May 11, 2014 8:17 pm; edited 1 time in total 
kguske
Posted: Sun May 11, 2014 3:29 pm

Absolutely agree - whatever can be done to stop both bots and human spammers is good. If a site has implemented hurdles to prevent registration and / or visibility to spam links, they'll seek other targets. The more difficult we make it to spam, the less incentive there is to do so.

Keep up the good work!
 
hicuxunicorniobestbuildpc (The Mouse Is Extension Of Arm; Joined: Aug 13, 2009; Posts: 1122)
Posted: Mon May 12, 2014 5:44 am

I tested again on my site and it is working properly as it should be.

I changed a line to follow the standard single quotes.

modules/HoneyPot/includes/ya_new_user.php

Code:
echo "<script type=\"text/javascript\" src=\"modules/HoneyPot/js/flash.js\"></script>";


Replace it with this one:

Code:
echo '<script type="text/javascript" src="modules/HoneyPot/js/flash.js"></script>';


But I think you can make some better changes.

In the same file, you see this above:

Code:
if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {exit('Access Denied');}

// Note: strtoupper() must wrap substr(), not the comparison; the original
// only works because strtoupper(true) is "1" (truthy) and strtoupper(false) is "".
if (!defined('PHP_EOL')) define('PHP_EOL', strtoupper(substr(PHP_OS, 0, 3)) == 'WIN' ? "\r\n" : "\n");
global $currentlang, $db, $prefix;
require_once 'modules/HoneyPot/admin/language/lang-' . $currentlang . '.php';
if (file_exists('modules/HoneyPot/js/flash.js')) {
   echo "<script type=\"text/javascript\" src=\"modules/HoneyPot/js/flash.js\"></script>";
}


You can change it like this:

Code:
if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {exit('Access Denied');}

if (!defined('PHP_EOL')) define('PHP_EOL', strtoupper(substr(PHP_OS, 0, 3)) == 'WIN' ? "\r\n" : "\n");
// Derive the module folder name from this file's own location
// (modules/<module>/includes/ya_new_user.php -> <module>) instead of hardcoding 'HoneyPot'.
$module_name = basename(dirname(dirname(__FILE__)));
global $currentlang, $db, $prefix;
require_once 'modules/' . $module_name . '/admin/language/lang-' . $currentlang . '.php';
if (file_exists('modules/' . $module_name . '/js/flash.js')) {
   // echo accepts a comma-separated list; single quotes avoid escaping the attribute quotes
   echo '<script type="text/javascript" src="modules/' , $module_name , '/js/flash.js"></script>';
}


I hope these changes do not bother other people. It is not a bug, and it will work as well as the old one.
 
neralex
Posted: Mon May 12, 2014 9:05 pm

There are more issues like the one hicuxunicorniobestbuildpc found. I sent corpse an optimized package with many fixes for JS implementations and xHTML validation issues a few days ago, but it seems corpse hasn't used it. There are some really outdated script typos in there (added style tag in the body area, outdated center tag, img, input and br tags with a slash before the closing brace, etc.).

@corpse - my result: remove my name from this script please, completely, and don't ask me to check your outdated code again if you are not using it. It's a pain for me to see this.

For all those using nukeSPAM, the HoneyPot is not really needed, because everything you need is checked by nukeSPAM and you have more options with it. But this is only my point of view.
 
corpse
Posted: Mon May 12, 2014 9:10 pm

neralex wrote:
There are more issues like the one hicuxunicorniobestbuildpc found. I sent corpse an optimized package with many fixes for JS implementations and xHTML validation issues a few days ago, but it seems corpse hasn't used it. There are some really outdated script typos in there (added style tag in the body area, outdated center tag, img, input and br tags with a slash before the closing brace, etc.).

@corpse - my result: remove my name from this script please, completely, and don't ask me to check your outdated code again if you are not using it. It's a pain for me to see this.

For all those using nukeSPAM, the HoneyPot is not really needed, because everything you need is checked by nukeSPAM and you have more options with it. But this is only my point of view.


I believe that is the one that you sent back to me. I only say that because I don't package things in zips, and checking it, it looks like the one sent to me in the PM you sent back. Did you pack the old one and send it back to me accidentally?
 
neralex
Posted: Mon May 12, 2014 9:34 pm

I packed it as a ZIP, and if you would open the archive and check the change date of the module files, then you would see the changes. But anyway... don't ask me again!
 
corpse
Posted: Mon May 12, 2014 10:14 pm

neralex wrote:
I packed it as a ZIP, and if you would open the archive and check the change date of the module files, then you would see the changes. But anyway... don't ask me again!

Don't worry, I won't. But I just compared the one you sent me and the one I have on here for them to download, and they are the same. That is doing a side-by-side comparison of the date and file size, and they were both identical. So I did attach the one YOU sent me, so I don't understand why you're giving an attitude. I just attached the same one from this link you gave me. -LINK REMOVED-

Just a note, I never pack anything in .zip and haven't in years; I only do .rar or .7z, so I know I did not attach any that I packed. I also actually held off releasing it to use the one that you had double checked. I appreciate the help and effort, but not the attitude towards something that you gave back to me, then telling me not to use your name trying to give you credit for what you do because I didn't use the files you sent me, when clearly I did. The mistake is not on my end, but on yours, and you give attitude towards me. If I had added the wrong file, I would take full credit for the mistake, but I just re-downloaded the one from that link and checked it against the one from here, "the one before doing the changes that hicuxunicorniobestbuildpc suggested", which I know you mentioned in the PM, and did my comparison, and they were identical.

@hicuxunicorniobestbuildpc, I updated the one on the first page with the fixes you pointed out. Thanks for pointing those out.


Last edited by corpse on Mon May 12, 2014 11:00 pm; edited 1 time in total 
neralex
Posted: Mon May 12, 2014 10:48 pm

Which format you use is your own business. This archive was only for you. Remove this link here, please. It's not for the public! I thought you would check the files, but it seems not.

I have checked the files and it's definitely not the same, because to check your files I had to unpack them before I could change the files. I think this should make sense, or should we discuss the use of a filesystem?

Do what you want, but remove the link and remove my name from this release; a package of bugs is a pain for me.
 
corpse
Posted: Mon May 12, 2014 11:20 pm

neralex wrote:
Which format you use is your own business. This archive was only for you. Remove this link here, please. It's not for the public! I thought you would check the files, but it seems not.

I have checked the files and it's definitely not the same, because to check your files I had to unpack them before I could change the files. I think this should make sense, or should we discuss the use of a filesystem?

Do what you want, but remove the link and remove my name from this release; a package of bugs is a pain for me.


Link removed, but here is the side by side that I did. On the left is the release I put up here. On the right is the one I just downloaded from the link you sent me. As you can see, the sizes and the dates match perfectly. If you open the one from the archive you sent me in the PM, it does not have the changes that you said were done. Yes, it was my fault for not double checking; maybe I just should not trust anyone, but I was led to believe that the changes were done, or I would think they were if you repacked it.
[Image: side-by-side comparison]

But what ever. What is done is done.
 
hicuxunicorniobestbuildpc
Posted: Tue May 13, 2014 5:40 pm

Hi corpse:

I think you need to zip it again. I just downloaded it again and I found this line in modules/HoneyPot/includes/ya_new_user.php

Code:
require_once 'file:///C|/Users/DREADE~1/AppData/Local/Temp/Rar$DIa0.353/modules' . $module_name . '/admin/language/lang-' . $currentlang . '.php';


P.S. I don't know what you were doing, but just to let you know.
 
corpse
Posted: Tue May 13, 2014 7:58 pm

hicuxunicorniobestbuildpc wrote:
Hi corpse:

I think you need to zip it again. I just downloaded it again and I found this line in modules/HoneyPot/includes/ya_new_user.php

Code:
require_once 'file:///C|/Users/DREADE~1/AppData/Local/Temp/Rar$DIa0.353/modules' . $module_name . '/admin/language/lang-' . $currentlang . '.php';


P.S. I don't know what you were doing, but just to let you know.


Fixed, thanks for that catch.
 
hicuxunicorniobestbuildpc
Posted: Wed May 14, 2014 4:17 am

Hi Corpse

I wonder if you have turned ON the SHOW WHITE SPACE option in your editor. Take a look at this photo.

[Attachment: whitespace.png - "always turn "show white space" ON"]
 
neralex
Posted: Wed May 14, 2014 8:57 am

I have PMed with kguske about the current package, and I have checked everything again and also checked the issues described here in this thread. Along the way I have also found and fixed more validation issues. The unneeded whitespace is gone.

I have also changed the JS file loading method to the RN-based function addJSToBody in both included files, ya_new_user.php and ya_confirm.php! In both included files the full path to the module folder of the HoneyPot module must be set, because both files are included in Your_Account, and if you used the variable $module_name here, then the paths would point to the module folder of Your_Account and not to the HoneyPot module.

Before we get a new mix of changes in the download package, kguske will check and compare the files. Two more eyes on it should be good for everyone.
 
hicuxunicorniobestbuildpc
Posted: Wed May 14, 2014 9:23 am

Quote:
In both included files the full path to the module folder of the HoneyPot module must be set, because both files are included in Your_Account, and if you used the variable $module_name here, then the paths would point to the module folder of Your_Account and not to the HoneyPot module.


I didn't think about that. Thanks for clarifying.
 
corpse
Posted: Wed May 14, 2014 1:33 pm

hicuxunicorniobestbuildpc, I did not have that turned on, it is now.
 
kguske
Posted: Wed May 14, 2014 8:26 pm

Multiple sets of eyes often help make better products - and with corpse's research and development, neralex's HTML / CSS optimization and a dash of code style from hicux, this will definitely help make Nuke Honeypot even stronger. I added a few more code style "enhancements" based on hicux's post.

This is the kind of collaboration that makes great open source software. It isn't always pretty, but in the end, we all want better software. The optimized code is back with corpse for review...
 
corpse
Posted: Sat May 17, 2014 7:52 pm

Just updated it with the one that was looked at by everyone and triple checked.
 
hicuxunicorniobestbuildpc
Posted: Sun May 18, 2014 5:12 am

I just took some time to check file by file. It couldn't be more beautiful. I only found some white space, but it is not a big issue.

Path + pictures

modules/HoneyPot/admin/config.php
modules/HoneyPot/includes/ya_new_user.php

Line 276 in config.php I forgot to mention as well.

[Attachment: somedeadwhitespace2.png - ya_new_user.php]

[Attachment: somedeadwhitespace.png - config]


 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 