xoops forums

Marco

Home away from home
Posted on: 2009/12/29 15:22
Marco
Marco (Show more)
Home away from home
Posts: 1256
Since: 2004/3/15
#1

Spam through comments made by registrered users on unknown modules

I've found some recently huge strange comments on my sites : a registrered users (a spammer) was able to post many comments on a unknown module from my XOOPS site (on download module, that was not installed at all). How is it possible ? Anyone ever experienced this too?
i had to delete those through system admin (modules/system/admin.php?fct=comments)

ghia

Community Support Member
Posted on: 2009/12/29 16:17
ghia
ghia (Show more)
Community Support Member
Posts: 4954
Since: 2008/7/3 1
#2

Re: Spam through comments made by registrered users on unknown modules

Use the date and time of the comments to find the actions taken in the Apache logs.

Marco

Home away from home
Posted on: 2009/12/30 19:53
Marco
Marco (Show more)
Home away from home
Posts: 1256
Since: 2004/3/15
#3

Re: Spam through comments made by registrered users on unknown modules

yep, i'll analyse deeply next time, but what was surprising is that i run the protector module.
i wonder if anyone experienced this before...

djynnius

Just popping in
Posted on: 2009/12/30 20:17
djynnius
djynnius (Show more)
Just popping in
Posts: 59
Since: 2006/10/21
#4

Re: Spam through comments made by registrered users on unknown modules

what version of XOOPS was this?

Marco

Home away from home
Posted on: 2009/12/30 20:21
Marco
Marco (Show more)
Home away from home
Posts: 1256
Since: 2004/3/15
#5

Re: Spam through comments made by registrered users on unknown modules

2.4.2, but i experienced this with 2.3 too before

ghia

Community Support Member
Posted on: 2009/12/30 20:44
ghia
ghia (Show more)
Community Support Member
Posts: 4954
Since: 2008/7/3 1
#6

Re: Spam through comments made by registrered users on unknown modules

Protector protects only in some cases when 'regular' users start to post. There is the number of requests, but limiting it too far will harm access to modules with rich content.
And there is the number of links in a post, but limiting it too far will harm regular article posting.

You must seek your Apache logs for repeating patterns, typical originating from several IP addresses when a bot net is used. If you have them still available from the week where the postings were done, I could take a look at them.