Ravens PHP Scripts: Forums
 

 

freespirit
New Member



Joined: Mar 27, 2005
Posts: 18

Posted: Tue May 30, 2006 6:23 pm

Hello,
I need some help. I am using 6.9 with all the patches. I use Sentinel 2.0.0 (still haven't updated it. Was wondering whether the newer versions would be backward compatible or not).
Recently, I had been getting a lot of random new user registrations on my site. Earlier, I had disabled the graphics security check and also allowed new users to register immediately without going through email validation etc. Ever since this incident, I had enabled both. These random registrations stopped for a while and started off again. Most probably it's a robot or my security has been compromised - I honestly don't know. So far there's been no hanky-panky going on by those new "users" but daily new user registration numbers are getting ridiculous now, since mine is a small community site.
Has anybody had the same problem? Can you help?
 
kguske
Site Admin



Joined: Jun 04, 2004
Posts: 6432

Posted: Tue May 30, 2006 7:44 pm

We've seen increases in registrations, but it wasn't random. You could use CNB-YA or the approve membership addon and require administrative approval for membership.

_________________
I search, therefore I exist...
nukeSEO - nukeFEED - nukePIE - nukeSPAM - nukeWYSIWYG
 
freespirit







Posted: Tue May 30, 2006 9:09 pm

Thanks for the quick reply.
But what is CNB-YA?
Where can I download it and also the Approve Membership add-on? My ISP is very slow and it'll take ages for me to search for both. Do you know if it'll work in PHP Nuke ver. 6.9?
Also, I already downloaded NukeSentinel_242pl6_70-79, but didn't upgrade it because there were changes to core files like mainfile etc. from only ver 7.0 up. Any suggestions?
 
kguske







Posted: Tue May 30, 2006 9:18 pm

I use CNB-YA (YA=Your Account), which is a replacement for the standard Your Account module.

You can get version 4.4.2 here. That site appears to be down now.

You can get version 4.4.1 here.
 
kguske







Posted: Tue May 30, 2006 9:22 pm

Not sure what to recommend for NukeSentinel, other than you should try to get it to work since it's very effective at blocking many types of attacks. There are some guidelines here on how to make it work without having the latest patch, which is really what you mean by only version 7.0 and up, correct?
 
freespirit







Posted: Tue May 30, 2006 10:52 pm

Thanks. I'll give it a try.
Yes, in the edits for core files, there are changes to the mainfile but they only start from ver. 7.0 till 7.9.
Are those guidelines you mentioned here in the forums? FYI, the NukeSentinel I'm using now (2.0.0) has been working very effectively against all attacks - thanks to Raven and the team for doing so much for the Nuke community. I didn't want to upgrade my ver 6.9 to 7.x because I made quite a few changes to files and I don't even remember them now.
 
kguske







Posted: Wed May 31, 2006 4:06 am

Yes, the guidelines should be here in the forums. In fact, Raven uses 6.9 here, so you're in good company.
 
dkrager
New Member



Joined: Jun 16, 2005
Posts: 22
Location: San Diego CA

Posted: Wed May 31, 2006 4:08 pm

freespirit wrote:
Hello,
I need some help. I am using 6.9 with all the patches. I use Sentinel 2.0.0 (still haven't updated it. Was wondering whether the newer versions would be backward compatible or not).
Recently, I had been getting a lot of random new user registrations on my site. Earlier, I had disabled the graphics security check and also allowed new users to register immediately without going through email validation etc. Ever since this incident, I had enabled both. These random registrations stopped for a while and started off again. Most probably it's a robot or my security has been compromised - I honestly don't know. So far there's been no hanky-panky going on by those new "users" but daily new user registration numbers are getting ridiculous now, since mine is a small community site.
Has anybody had the same problem? Can you help?


Yes my site and a few others got hit by the same thing. It started on Monday morning. I was able to get it under control using string filters. I also threw in a healthy dose of ip2c but that was more for blanket protection in the future rather than targeting this individual exploit. Like the last exploit I reported here this one is doing something strange with the login. Try putting the domain name from the email addresses of the bogus users into your string filters.

There is an active thread on this over at nukeforums right now about this. Although one of the guys sort of goes off on a rant about Sentinel and has some pretty radical ideas about bouncing traffic he seems to have the best grip on what’s going on with the logins. Here is a link to the thread and the strings I added to my filter.
[ Only registered users can see links on this board! Get registered or login! ]

blogspot.com
lipster.net
mespacha.com
noparara.com
src21.net
wisral.com
xmlrpc.php
zeppele.com


Cheers,

Dave
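
The filter approach described in this post, as an added example that is not part of the original post or of NukeSentinel: it checks registration e-mail domains against the posted strings and compares that with a plain substring test, which is only an assumed model of how a string filter sees a request. The sample rows and the comment request are constructed.

```python
from collections import Counter

# Domain strings posted in this thread (xmlrpc.php is a path, so it is left out here).
FILTER_STRINGS = ["blogspot.com", "lipster.net", "mespacha.com", "noparara.com",
                  "src21.net", "wisral.com", "zeppele.com"]

def email_domain(address):
    """Return the lower-cased domain of an e-mail address, or '' if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    return domain.lower().rstrip(".") if sep and local else ""

def domain_listed(address, listed=FILTER_STRINGS):
    """Match the e-mail domain exactly, or as a sub-domain of a listed entry."""
    dom = email_domain(address)
    return any(dom == d or dom.endswith("." + d) for d in listed)

def substring_listed(request_text, listed=FILTER_STRINGS):
    """Assumed model of a string filter: case-insensitive substring over the whole request."""
    text = request_text.lower()
    return any(d in text for d in listed)

def triage(registrations):
    """Split (username, email) rows into listed-domain hits and a tally of all other domains."""
    hits = [(u, e) for u, e in registrations if domain_listed(e)]
    others = Counter(email_domain(e) for _, e in registrations if not domain_listed(e))
    return hits, others

# Constructed sample registrations (not real accounts).
SAMPLE = [
    ("qwe123", "a1@lipster.net"),
    ("zxc456", "B2@mail.WISRAL.com"),
    ("alice", "alice@example.org"),
    ("bob", "bob@notlipster.net"),   # look-alike domain: substring hit, not a domain hit
    ("broken", "no-at-sign"),        # malformed address is tallied under ''
]
# Constructed request from a legitimate member linking to a blog.
SAMPLE_COMMENT = "op=postcomment&text=my photos are at http://alice.blogspot.com/"

if __name__ == "__main__":
    hits, others = triage(SAMPLE)
    print("listed-domain registrations:", hits)
    print("other domains seen:", dict(others))
    print("comment would trip a substring filter:", substring_listed(SAMPLE_COMMENT))
```

The tally of unlisted domains is where a new throwaway domain shows up first; the last line shows why a broad string such as blogspot.com can also catch ordinary member traffic.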
 
Susann
Moderator



Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Wed May 31, 2006 6:19 pm

You need the patch 3.1 for the newest NukeSentinel version, but you should upgrade your NS version. I'm sure you can use 2.2.1a without any problems. You'll find older versions of NukeSentinel in the download section archive at:

[ Only registered users can see links on this board! Get registered or login! ]

I agree with Kguske: for better control over new member registrations, use CNB-YA or a similar tool.
There is also a helpful admin tool; it's called Resend_Email. I like it and I use it daily.
[ Only registered users can see links on this board! Get registered or login! ]
 
freespirit







Posted: Wed May 31, 2006 7:00 pm

Whew !! Thanks a lot everybody. I thought I was the only one with the problem !!

dkrager... those are the same domain names I got on the email addresses of those 'users'.

Susann... Thanks for the links. I'll take a look now.
 
dkrager







Posted: Wed May 31, 2006 8:16 pm

No prob. The issue is real. Unfortunately people don't take these reports seriously and just chalk it up to newbies having a PEBKAC.

Cheers,

Dave
 
Gremmie
Former Moderator in Good Standing



Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

Posted: Sat Jun 03, 2006 8:55 am

Why would someone want to add a bunch of users to some random PHP-Nuke site?

And do we know how they are doing it?

_________________
GCalendar - An Event Calendar for PHP-Nuke
Member_Map - A Google Maps Nuke Module 
gregexp
The Mouse Is Extension Of Arm



Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol

Posted: Sat Jun 03, 2006 9:11 am

People would want to do such things...just because....there is not always...I say always because some have a reason...but not always....I hate to say this

most of the time people have no REAL reason to do it...and if they do..they hide behind bots and it aggravates me so,

not always do we know exactly how but we have some of the best out there looking into how they do it...but more importantly looking into how to stop them...the people on these forums really put an effort into security, just look at Raven's Nuke..security was the key issue on developing that script, and secure it is...to the best of their ability...remember...for all to see and understand

HACKERS, will continue to try to exploit anything they can possibly find...I've seen hackers use their bots and get them banned by 20 sites in an effort to test one exploit, they are not without their limits...the best tool I have ever seen in stopping hackers is not Sentinel...but the site owner...making every effort to watch and diligently see all that is going on in a site...Sentinel is an excellent TOOL, but like all tools...it depends on the owner to make it REALLY functional and the owner cannot depend on a tool to stop what the owner has not told it to.

Bob, Raven and all the members of these teams make an effort to secure a site as best as they can...and believe me ...that will stop most...but EVERY security trick requires the owner to be diligent on keeping up to date on Chatserv's patches (which secures a lot) and on the latest version of Sentinel...I just want everyone to know that security is 20% tools...80% owner diligence

My opinion is all.

_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!! 
dkrager







Posted: Sat Jun 03, 2006 12:12 pm

I couldn't agree more. While Bob, Raven, Chatserv and many others do an absolutely stellar job, it's really up to the site owners to be diligent in implementing the tools and fixes that they provide. Communications on sites such as this is also a powerful tool because there will always be new exploits coming out and it gives us a way to report them as we find them as well as share ideas on how we can better protect our sites.

With regards to the current problem at hand, I think it was just malicious activity but I have had 2 other incidences in the last couple of weeks where the same trick was used to try and plant comment spam.

Since I don’t think the problem is going to go away on its own I decided to take a more proactive approach and made a few changes on my site that will hopefully attack the root of the problem.

I decided to rename the functions new_user and Login in the your_account module to something else and adjusted the links around the site accordingly. Then I added the strings Your_Account&op=New_User and Your_Account&op=Login to my sentinel string filters.

Hopefully that will provide a bit more blanket protection against these forms of automated attacks on the site.

Cheers,

Dave
 
Gremmie







Posted: Sat Jun 03, 2006 4:32 pm

So let me get this straight...did you or did you not have email validation on?

I have not had this problem (knock on wood), but I do get about 30 new users a month who never visit the site; i.e. user_lastvisit is 0 in the users table. I give them 30 days to visit the site, and delete them if they don't. Again, I can see maybe a few people just forget, but why so many?

I just don't get why someone would unleash a bot to add 50 new users to some random site. What's the point? Just vandalism? But then again, there are a lot of unexplainable things people do in this world. Sigh.
 
Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Sat Jun 03, 2006 4:37 pm

The reason for creating the account is so that later on, when they have built up the number of sites they have accounts on, they can do a mass spamming to get an instant rank boost.
 
gregexp







Posted: Sat Jun 03, 2006 4:55 pm

Actually..Gremmie gives me an idea...one that I would have never thought of till now...what about coding a script to delete users automatically?
one that if turned on...i.e. the table variable is set to one..then this script automatically checks it...mainfile would allow this...curious...I'll need to look at the tables to make sure there is an input on that table to allow such a function.

I want to make it so that after 30 days of activity...it deletes the account automatically.
 
Gremmie







Posted: Sat Jun 03, 2006 5:03 pm

I just got done modifying my users admin panel. I do a query where I find all users who are active and lastvisit = 0. I then look at their user_regdates (which aggravatingly enough is not actually a date, but a varchar(20) - that's okay, PHP has strtotime()) and see if they are older than 1 month. I display all these in a select w/multiple box. I look them over, selecting the ones I want to delete (some of them are people I know). I hit a submit button and they all get deleted.

I moved the existing code that deleted a user into its own function, and my new code just calls that function in a loop.
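
The selection step described in this post, as an added example that is not Gremmie's code: it works on rows exported from the users table rather than inside the admin panel, and it only builds the review list, leaving deletion to the admin. The column names user_regdate and user_lastvisit, the date formats and the sample rows are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Assumed shapes of the varchar registration date; extend to match the real data.
REGDATE_FORMATS = ("%b %d, %Y", "%B %d, %Y", "%Y-%m-%d")

def parse_regdate(text):
    """Parse the free-text registration date; return None when no format fits."""
    for fmt in REGDATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    return None

def stale_candidates(users, now, max_age_days=30, keep=()):
    """Return (to_review, unparsable) lists of usernames.

    to_review:  never visited, registered more than max_age_days ago, not in keep.
    unparsable: never visited, but the date could not be read; left for a human.
    """
    cutoff = now - timedelta(days=max_age_days)
    to_review, unparsable = [], []
    for u in users:
        if int(u["user_lastvisit"]) != 0 or u["username"] in keep:
            continue
        registered = parse_regdate(u["user_regdate"])
        if registered is None:
            unparsable.append(u["username"])
        elif registered < cutoff:
            to_review.append(u["username"])
    return to_review, unparsable

# Constructed rows standing in for an export of the users table.
SAMPLE_USERS = [
    {"username": "oldbot",  "user_regdate": "Apr 20, 2006", "user_lastvisit": 0},
    {"username": "newbie",  "user_regdate": "May 28, 2006", "user_lastvisit": 0},
    {"username": "regular", "user_regdate": "Jan 02, 2005", "user_lastvisit": 1149300000},
    {"username": "friend",  "user_regdate": "Mar 01, 2006", "user_lastvisit": 0},
    {"username": "garbled", "user_regdate": "??",           "user_lastvisit": 0},
]
NOW = datetime(2006, 6, 3)  # fixed date so the result is reproducible

if __name__ == "__main__":
    print(stale_candidates(SAMPLE_USERS, NOW, keep={"friend"}))
```

Rows whose date cannot be parsed are reported separately instead of being treated as old, so a format change in the varchar column never turns into a mass deletion.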
 
gregexp







Posted: Sat Jun 03, 2006 5:30 pm

that's another concern that needs to be addressed...we need to move the users into a temporary table that can be monitored and deleted by choice.

I think I'm bored...and need something to do.
 
Susann







Posted: Sat Jun 03, 2006 5:45 pm

There are two phpBB mods to delete inactive users:
[ Only registered users can see links on this board! Get registered or login! ]
 
viper155
Regular



Joined: Feb 18, 2006
Posts: 99

Posted: Sat Jun 03, 2006 9:45 pm

Quote:
blogspot.com
lipster.net
mespacha.com
noparara.com
src21.net
wisral.com
xmlrpc.php
zeppele.com


I got crushed today, 102 new user bots signed up while I was out.

Adding that list above seems to have stopped them in their tracks. It's banning the IPs like crazy now.

*MAKE EM GO AWAY MOMMY!*
 
sqzdog
Involved



Joined: Sep 22, 2003
Posts: 252

Posted: Sat Jun 03, 2006 10:10 pm

Where do I add this list?
 
viper155







Posted: Sat Jun 03, 2006 10:15 pm

Blocker Configuration>String blocker settings>

Enter in box

blogspot.com
lipster.net
mespacha.com
noparara.com
src21.net
wisral.com
zeppele.com
 
sqzdog







Posted: Sun Jun 04, 2006 8:02 am

I did this and they are still coming. Are there any configuration changes I should make to the string blocker settings, besides adding the domains? How did you set yours up?
 
gregexp







Posted: Sun Jun 04, 2006 8:05 am

make sure it's on first...and make it block it and e-mail
 
All times are GMT - 6 Hours