21
ghia
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/11/14 2:00

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Thanks to barryc, who sent me a log, I have seen what the bot does:
Quote:
74.53.160.210 - - [10/Nov/2009:08:28:07 -0700] "GET /register.php HTTP/1.1" 302 518 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)"
74.53.160.210 - - [10/Nov/2009:08:28:07 -0700] "GET /modules/profile/register.php HTTP/1.1" 200 41723 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)"
74.53.160.210 - - [10/Nov/2009:08:28:09 -0700] "GET /class/captcha/image/scripts/image.php HTTP/1.1" 200 2029 "-" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)"
74.53.160.210 - - [10/Nov/2009:08:28:09 -0700] "POST /modules/profile/register.php HTTP/1.1" 200 55190 "/modules/profile/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)"
74.53.160.210 - - [10/Nov/2009:08:28:11 -0700] "POST /modules/profile/register.php HTTP/1.1" 200 43036 "/modules/profile/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; America Online Browser 1.1; rev1.1; Windows NT 5.1;)"

Later on the activation is done:
Quote:
74.53.160.210 - - [10/Nov/2009:13:57:14 -0700] "GET /register.php?op=actv&id=99999&actkey=9999999 HTTP/1.1" 302 550 "-" "-"
74.53.160.210 - - [10/Nov/2009:13:57:15 -0700] "GET /modules/profile/register.php?op=actv&id=99999&actkey=9999999 HTTP/1.1" 302 534 "-" "-"
74.53.160.210 - - [10/Nov/2009:13:57:15 -0700] "GET /modules/profile/activate.php?op=actv&id=99999&actkey=9999999 HTTP/1.1" 200 2824 "-" "-"

(It did repeat some actions and also access some not existing directories, but that doesn't matter here)

Biggest problem is that they found an automated way to (OCR?) read the captcha and thus providing the correct code. Proof of that is the speed where the form is requested and the loading of the image and posting the form is both in the same second (08:28:09).

They have not yet performed other actions. Altough this one, without reading the captcha or doing the activation tries to log in:
Quote:
212.235.107.85 - - [10/Nov/2009:03:36:25 -0700] "GET /modules/newbb/index.php HTTP/1.0" 200 58083 "/modules/newbb/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:36:34 -0700] "GET /modules/newbb/viewforum.php?forum=34 HTTP/1.0" 200 48545 "/modules/newbb/viewforum.php?forum=34" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:36:40 -0700] "GET /register.php HTTP/1.0" 302 473 "/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:36:40 -0700] "GET /modules/profile/register.php HTTP/1.0" 200 41365 "/modules/profile/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:36:44 -0700] "POST /modules/profile/register.php HTTP/1.0" 200 41693 "/modules/profile/register.php" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:36:48 -0700] "GET /modules/newbb/index.php HTTP/1.0" 200 58019 "/modules/newbb/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:36:50 -0700] "POST /user.php?op=login HTTP/1.0" 200 2662 "/modules/newbb/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:36:51 -0700] "GET /user.php?xoops_redirect=%2Fmodules%2Fnewbb%2Findex.php HTTP/1.0" 302 521 "/user.php?xoops_redirect=%2Fmodules%2Fnewbb%2Findex.php" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:36:52 -0700] "GET /modules/profile/user.php?xoops_redirect=%2Fmodules%2Fnewbb%2Findex.php HTTP/1.0" 200 35201 "/modules/profile/user.php?xoops_redirect=%2Fmodules%2Fnewbb%2Findex.php" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:36:57 -0700] "GET /user.php?xoops_redirect=/modules/newbb/newtopic.php?forum=34 HTTP/1.0" 302 525 "/user.php?xoops_redirect=/modules/newbb/newtopic.php?forum=34" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:36:58 -0700] "GET /modules/profile/user.php?xoops_redirect=/modules/newbb/newtopic.php?forum=34 HTTP/1.0" 200 35221 "/modules/profile/user.php?xoops_redirect=/modules/newbb/newtopic.php?forum=34" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:37:01 -0700] "GET /user.php?xoops_redirect=/modules/newbb/newtopic.php?forum=34 HTTP/1.0" 302 525 "/user.php?xoops_redirect=/modules/newbb/newtopic.php?forum=34" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"
212.235.107.85 - - [10/Nov/2009:03:37:02 -0700] "GET /modules/profile/user.php?xoops_redirect=/modules/newbb/newtopic.php?forum=34 HTTP/1.0" 200 35221 "/modules/profile/user.php?xoops_redirect=/modules/newbb/newtopic.php?forum=34" "Mozilla/4.0 (compatible; MSIE 6.0; Update a; AOL 6.0; Windows 98)"



It seems the Captcha is worthless for the moment.
We are in trouble!!!!

I think best thing to do is to edit the captcha config and try to vary some things, adapt the background image etc.

Furthermore I can encourage everyone to set the registration procedure with activation by the administrator.
This way they can't login and making havoc on the site.

22
Peekay
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/11/14 2:01

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


@barryc

You can copy me too if you want. I have sent you a PM.

OK. No need. Just overlapped Ghias post (again)

@Ghia. Getting late here. Will take a look at the log tomorrow and see if I can spot a block option, but I doubt it.

@barryc

The trouble with IP addresses is that unless you have paid for a static IP, your IP address may periodically change. A quick review of my broadband provider's forum suggests perhaps twice a year. So if I register on your site today, the IP address in your server log (and any address you might capture) is not that reliable in the long term.

A bigger problem is that a lot of people surf the net via free proxy servers that only reveal the address of the proxy service provider, not the IP provided to the user by their broadband provider. The reasons for doing this vary, but of course one reason is to bypass IP address bans. People who use these services could visit your site from a different IP address every day. They are not neccessarily doing anything wrong, but if they did it would be pointless blocking their IP address.

My understanding is that spammers use networks of 'elite' proxy servers where blocking the IP address is completely futile because the next attack will probably come from a different server on the network.

If you brush up on your server log basics and then examine your own access log you will be amazed how many robots are making requests for forbidden files, are trying to crack your login page or are attempting to spam mail forms. Add to this the websites that are leeching your images and the search engine robots that completely ignore robots.txt and it makes for an interesting read!

23
dbman
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/11/14 2:53

  • dbman

  • Friend of XOOPS

  • Posts: 172

  • Since: 2005/4/28


yes,
same IP over a period of about 3 days on some older version installs of Xoops. Server returns mostly 404 as the request paths are for non existing or malformed addresses. There are a few 200 returns which have no followup on the real path for register.php, just seems to resume requests on a specific path pattern. It seems to target specific module directories as well.





24
wishcraft
Re: Mass user registrations.... bots perhaps? Anyone else getting these?

Reminds me of wintermute from bladerunner. Some of the bots are getting really smart, I would say this one is reading the captcha and working it out with Optical Recognition.

Personally on production sites I normally replace the captcha (As I know and have seen many of the OCR Routines for breaching captcha).. And know the one by DJ was not sufficient to be a proper captcha.

I would suggest like when we where first talking about captchas for XOOPS to use either recaptcha.net or also use different fonts.

This is the problem with distrubuting fonts they are very easy to manipulate and use Optical Character Recognition (OCR) in the sort of distorition (minimal) provided with the XOOPS Captcha.

25
Mamba
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/11/14 3:42

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23


How can we use reCaptcha? How could we replace the current Captcha with reCaptcha?

Could we have a reCaptcha module that would hook into XOOPS using Preloads?

26
wishcraft
Re: Mass user registrations.... bots perhaps? Anyone else getting these?

I have a couple of models for using recaptcha, personally i think it should be a standardised mode for XOOPS, the only thing is people will have to aquire the Public and Private key for there site or network of sites.

It will involve 2 configs being put into XOOPS standard preferences -- I would say under User would be the best place, with a XOOPS default load of the public and private key.

Then it would mean modifying the captcha class so there is an option that allows for Recaptcha (Set to default) or the XOOPS captcha (set to secondary).

I like recaptcha as it has disability support and is publically/privately signed. I can make some modifications on the trunk if you like. To allow for this to be encompassed.

Just let me know..

27
ghia
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/11/14 9:19

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


I would like it gets a separate preferences group. And for the current captcha the configuration parameters that are now in two config files should be moved into them. This way users can adapt the settings and come up with more variations than that is now the case, because nobody knows there are even configuration possibilities for the captcha.
1) config.image.php
return $config = array(
"num_chars"             => 4,                                               // Nombre maximum de caractères
"rule_text"             => _CAPTCHA_RULE_IMAGE,
"rootpath"              => XOOPS_ROOT_PATH "/class/captcha/image",        // Chemin absolu vers le dossier contenant les images de fond
"imageurl"              => "class/captcha/image/scripts/image.php",         // Chrmin relatif vers le script de génération du captcha
"casesensitive"         => false,                                           // false : insensible à la casse / true : sensible à la casse (majuscule / minuscule)
"fontsize_min"          => 15,                                              // Taille minimale pour la taille des caractères
"fontsize_max"          => 15,                                              // Taille maximale pour la taille des caratères
"background_type"       => 2,                                               // Type d'image de fond : 0 - barres; 1 - ronds; 2 - lignes; 3 - rectangles; 4 - ellipses; 5 - polygones; 100 - utilisation d'une image
"background_num"        => 40,                                              // Nombre d'images à générer pour créer le fond
"polygon_point"         => 3,
"skip_characters"       => array('o''0''i''l''1'),                  // caractères à ne jamais utiliser
);
?>




2) config.php
return $config = array(
"disabled"              => false,                   // Désactiver la sécurité captcha
"mode"                  => 'image',                 // Mode par défaut (image ou text ?)
"name"                  => 'xoopscaptcha',          // Nom du captcha
"skipmember"            => true,                    // Ne pas afficher d'images captcha pour les membres identifiés
"maxattempt"            => 10,                      // Nombre maximum d'essais pour une session
"num_chars"             => 4,                       // Nombre maximum de caractères (doit correspondre à l'information indiquée dans config.image.php)
"rule_text"             => _CAPTCHA_RULE_TEXT,
"maxattempt_text"       => _CAPTCHA_MAXATTEMPTS,
);
?>
I don't see it, but there should be a font choice as well. AFAIK, there was one with the DuGris security image. This would allow to use some hand writing or posterised fonts, more difficult to read, or even mixed.

Why should the Recaptcha not at all OCR readable?
And can we not improve our Captcha system alike?
Maybe also gradfients would help like in the one of EurId
The curved baseline of the characters, is that comming from SVG?

28
ghia
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/11/14 11:24

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Another Idea (from shine) could be this spoofable form from Simple Machines applied to registration.

It seems easy to do.

If it would help or how long is another question.

29
Peekay
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/11/14 13:37

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Awake now... hangover!

Many thx for the log barryc and nice detective work Ghia.

The log does reveal some differences between genuine and robot requests.

All the robot POST requests are in order, however, genuine GET requests for register.php should have a referer and the robot ones dont. Likewise, genuine GET requests for img.php should have a referer and the robot ones dont.

So, there is a possibility to temporarily block access to both these files in htaccess if a referer is missing and/or add the same condition to the PHP code.

Might work. Might not. Gonna do some tests

30
Mamba
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/11/14 13:57

  • Mamba

  • Moderator

  • Posts: 11409

  • Since: 2004/4/23



Login

Who's Online

340 user(s) are online (228 user(s) are browsing Support Forums)


Members: 0


Guests: 340


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits