51
Peekay
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/12/17 12:21

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


When a new user receives their activation email, they click a link in the email to activate their account. This makes an HTTP 'GET' request of a file on the server which includes the user activation code in the query string. The actual file that is requested varies according to the version of Xoops, but in 2.0.18 and 2.3 it's not 'register.php'.

You're correct in saying that should the user click the activation link in a webmail application, the referer will be the mail host (e.g. mail.yahoo.com). If the link is clicked in a mail client, or cut and pasted into a browser, there may be no referer at all. However, that doesn't matter, because the code only blocks referer-less requests for 'register.php'.

Register.php should always have a referer, because in a genuine registration it would only ever be accessed via the 'Register Now' link from a page on your website.

52
robstockley
Re: Mass user registrations.... bots perhaps? Anyone else getting these?

In that case my statement only applies to 2.4.x which does indeed use register.php for email activation. The following line is from XoopsMailer->send() in /class/xoopsmailer.php
$text str_replace("{X_UACTLINK}"XOOPS_URL "/register.php?op=actv&id=" $user->getVar("uid") . "&actkey=" $user->getVar('actkey'), $text);

Which file manages the activation in earlier versions of xoops? Any idea why it was changed?

53
Peekay
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/12/20 1:16

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Quote:

robstockley wrote:
In that case my statement only applies to 2.4.x which does indeed use register.php for email activation...

Oh, I see. Thx for that info Rob. I have no idea why that was changed. My fix was based on the server log supplied by barryc who appears to be using 2.3, as am I.

Actually, I use a similar fix for Coppermine image gallery which also uses 'register.php' twice. I just added an extra condition to search for a phrase in the query string that is unique to the email activation request. For XOOPS you could use 'actv'.

// pk block access without referer but allow activation

  
$theref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
  
$thequery = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
  
$oursite 'mysite' ;
  
$queryok 'actv' ;
  if((
strstr($thequery$queryok)) === false && ($theref =='' || (strstr($theref$oursite)) === false)) {
  
header("HTTP/1.0 403");
  die(
"Direct access prohibited");
  }

// end pk mod


This should work, but I cannot test it. If you have XOOPS 2.4 and want to try it, please let me know if you can register and activate.

54
barryc
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/12/20 1:34

  • barryc

  • Just can't stay away

  • Posts: 480

  • Since: 2004/3/20


Quote:

Peekay wrote:
Quote:

robstockley wrote:
In that case my statement only applies to 2.4.x which does indeed use register.php for email activation...

Oh, I see. Thx for that info Rob. I have no idea why that was changed. My fix was based on the server log supplied by barryc who appears to be using 2.3, as am I.


At that time I was using 2.3 but have now upgraded both my live site and my test site to 2.4.2. I can test this on the latter, at least that it does not break the registration confirmation. Is there a way to test the no referrer condition?

I'll try to get to this tomorrow.

barryc

55
ghia
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/12/20 1:42

  • ghia

  • Community Support Member

  • Posts: 4953

  • Since: 2008/7/3 1


Quote:
Is there a way to test the no referrer condition?
Copy the link to the URL field of your browser and click go.

56
Peekay
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/12/21 12:59

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Yes, as Ghia says just open a new browser window and assuming that register.php is in the root directory, enter:
http://www.example.com/register.php

This makes a direct request of the file in a similar way to the robot. Using Firefox you should see the 'direct access prohibited' error that is embedded in the code. With IE you normally just get a 'could not display page' error.

If you check your server log for the exact time, you will see the request for the file has no referrer and has been given a '403' status code (denied).

If you check the log entry for a genuine registration, you'll see the request for register.php has the site as the referer and should have a '200' status code (success).

I'm not saying that this will eliminate robot registrations entirely, but it should stop bots that follow the same pattern as the one in barryc's log.

57
barryc
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/12/21 17:01

  • barryc

  • Just can't stay away

  • Posts: 480

  • Since: 2004/3/20


OK. I tested this. After making peekay's hack the registration process works normally if one clicks on register on the site home page and fills in the forms. I used a fake email address for the test user but I did receive the email sent to the admin address advising of the registration.

If I type in mysite/register.php directly I get the error message.

If I type in mysite/modules/profile/register.php I get the normal registration form and the registration process works. I assume this is because accessing that file does generate a referrer.

So, I assume the bot was accessing the mysite/register.php directly and not the profile module register.php? What happens if the bot gets smart enough to look for that file?

I haven't had any registrations with the google url since implementing recaptcha, so recaptcha alone seems to be effective for now.

[Edit] Actually, I decided to try adding peekay's hack to modules/profile/register.php. That works. With the hack in place in both register.php files, you can register normally by clicking on the register link on the home page but if you type in mysite/modules/profile/register.php directly you get the error page.

barryc

58
Peekay
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/12/21 18:06

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Quote:
So, I assume the bot was accessing the mysite/register.php directly and not the profile module register.php? What happens if the bot gets smart enough to look for that file?

Just stick the same code in both files, or delete the one you don't use.

-- edit --

Sorry barry, you beat me to it!

-- edit --

59
barryc
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/12/21 18:09

  • barryc

  • Just can't stay away

  • Posts: 480

  • Since: 2004/3/20


We overlapped! I gather that if one uses the profile module one can delete the register.php at XOOPS root. I'll do that.

barryc

60
barryc
Re: Mass user registrations.... bots perhaps? Anyone else getting these?
  • 2009/12/21 18:26

  • barryc

  • Just can't stay away

  • Posts: 480

  • Since: 2004/3/20


Actually, you can't delete the register.php at the XOOPS root and presumably you can't delete the one in the profile module either. The link to register points to mysite/register.php but clicking on that takes you to modules/profile/register.php. So, both files must be present. If you want to use this hack it seems you will have to make the change in both files.

barryc

Login

Who's Online

187 user(s) are online (95 user(s) are browsing Support Forums)


Members: 0


Guests: 187


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Oct 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits