Have I been hacked?

[Grover]

I have a low traffic site [http://www.speekeezy.ca/] that has been up for about 6 months, is pretty much complete and will soon debut as a specialized e-commerce site.

I was shocked to find 189 registered users today. There should be one [me], maybe a few other legitimate users but not that many. Most are clearly fake, machine-concocted identities. I have OSOL Captcha implemented. All are registered but none have Super Admin or other higher status. I did not receive notice of these registrations even though I have a valid e-mail in place. I have New User Account Activation set to NO as I ultimately want users to be able to register as part of their virtue-mart check out experience without first going back to their e-mail clients. Maybe this is wrong-headed.

Can anyone give me an indication of where the security hole might be. Is captcha being somehow bypassed? Is Virtuemart the culprit? What is the risk or potential damage?

If useful I'll post a screen capture of the user list.

[mandville]

with this administration issue, by not having users activate their account (industry standard) you are opening yourself up for this.
also try a different captcha system

speak to virtuemart and see if there is another way

[Grover]

Thanks Mandville. I will require user activation, this is just too damn weird, and try a different captcha system as well. Every registered user's e-mail I checked is a known source of SPAM so I'll delete them all as well.

I'm curious, what's the point of registering so many different user IDs? Is this just the benign byproduct of numerous hacking attempts? Or is it the result of someone trying to hijack the contact form? I can't really see why someone would go to the trouble, even though I realize the process is automated. I also can't understand why my mailer didn't inform me when each user was created.

[mandville]

its not a hack as such, if you look at them they are most likely comment spammers.
you may also look at some of the registration extensions eg alpharegistration http://extensions.joomla.org/extensions ... ation/7727 that are a bit different from the normal form layout, have capta and blacklist tie ins

[Grover]

Interestingly, I switched from OSOLCaptcha to Joo Recaptcha as a result of this event and the latter allowed me to register three different users even though I purposefully misspelled the captcha code of BOTH words. On the third registration the variance between what I typed and what Joo Recaptcha was displaying was wildly off and it caught the attempt. But still when I input the correct number of characters with one letter off for both words the user was registered. Now I understand that reCaptcha is actually used for transcribing scanned texts and that one word will always be an unknown. The other should however require a greater degree of precision.

Needless to say I quickly switched back to OSOLCaptcha and tested that out. There is no way it would let me register with any variance whatsoever. That suits me just fine so I doubt whetherthe captcha was the security hole.

I only have one comment on the site and it is legit so Comment SPAM doesn't seem likely either.

So this gets back to the question of what could the bots be up to? I can't see any pay off. The registrations happen somewhat randomly over many months with no more than 2 on any given day. Are they not bots at all? Who would waste the time?

[DK180]

Did you get to the bottom of this one? I am being targeted and have installed Re-capture and have account activation set to Yes

I am still getting bot registrations and cant understand why.