The Joomla! Forum ™



PostPosted: Fri Mar 12, 2010 4:25 pm 
Joomla! Enthusiast

Joined: Sun Sep 25, 2005 3:57 pm
Posts: 118
Location: Atlanta, GA
Thanks for this thread. For whatever reason my spam signups have jumped to 10 to 20 per day times 10 websites, and that turns out to be quite a few emails.

I have been working with some of the different reCaptcha plugins and have them working but I am not sure it is slowing down the bots. Have some more testing to do.

1. If you have reCaptcha on the user sign-up form, is it possible for a bot to get past this without entering the text correctly? Perhaps a way the bot could go straight to the database?

2. I use sh404SEF, if I turn on project honeypot will site performance suffer?

After a little more testing I hope to write up my results to hopefully help others.

Thanks!

_________________
http://www.intownwebdesign.com


 
PostPosted: Fri Mar 12, 2010 4:54 pm 
Joomla! Guru

Joined: Thu Sep 13, 2007 11:39 am
Posts: 839
Location: UK
I use sh404SEF with Project Honeypot; I have not found a big difference in performance. And it is effective in stopping a lot of spam. I have found it stops most, and where a small amount slips through the net it is usually possible to ban the rest by IP address.

I would certainly recommend trying it, if it does not work for you then you can always stop using it again. Project Honeypot is a great service in my opinion.

It is my understanding that some bots can now read some captchas, that might be how they are getting through.

_________________
http://www.spiralscripts.co.uk for Joomla! extensions


 
PostPosted: Wed Apr 21, 2010 3:32 pm 
Joomla! Explorer

Joined: Tue Oct 28, 2008 11:06 pm
Posts: 320
Location: NE Florida
I have the same problem, except that they are registering from India to try to post classified ads. In my case I turned OFF registrations in the global configuration, yet they are still able to register.

My login forms and registration forms (when active) use captcha as well.

I removed the links to register from the site as well. It still has not prevented them from creating a user account.


(They cannot post ads without my approving them, however. Using AdsManager.)

I am not certain that the extension AdsManager is not creating a back door, but since they have locked their forums and have removed their contact-us form I assume no one is minding that extension any longer.


 
PostPosted: Thu Apr 22, 2010 1:24 pm 
Joomla! Guru

Joined: Thu Sep 13, 2007 11:39 am
Posts: 839
Location: UK
I think you are right, this might be something to do with AdsManager.

Certainly it should be the case that disallowing user registration in your site configuration should effectively block any registration; the Joomla user component definitely checks for this before allowing any registration, and I have found that to be effective in the past in blocking spammy registrations.



 
PostPosted: Thu Apr 22, 2010 2:16 pm 
Joomla! Explorer

Joined: Tue Oct 28, 2008 11:06 pm
Posts: 320
Location: NE Florida
fcoulter wrote:
I think you are right, this might be something to do with AdsManager.

Certainly it should be the case that disallowing user registration in your site configuration should effectively block any registration; the Joomla user component definitely checks for this before allowing any registration, and I have found that to be effective in the past in blocking spammy registrations.


I tend to agree, but am confounded by how AdsManager is able to circumvent the Joomla setting to not allow registrations, since those are registering as Joomla members. Also there are no links to any registration forms any longer. In fact I even deleted the /component/com_user/register files.

There must be some hack they are using. Problem is there is no longer any help available from AdsManager site as the forum is locked closed. I like this program better than others I have tried.


 
PostPosted: Thu Apr 22, 2010 8:49 pm 
Joomla! Guru

Joined: Thu Sep 13, 2007 11:39 am
Posts: 839
Location: UK
I just took a look at AdsManager; it contains the following function (in adsmanager.php at line 2184):

Code:
function saveRegistration($comprofiler) {
   global $database, $acl,$mosConfig_absolute_path;

   // simple spoof check security
   //josSpoofCheck();   
   
   // note: no check of the site's "allow user registration" setting
   // happens anywhere in this function
   $row = new mosUser( $database );

   if (!$row->bind( $_POST, 'usertype' )) {
      mosErrorAlert( addslashes(end($row -> getErrors())) );
   }

   mosMakeHtmlSafe($row);

   $row->id       = 0;
   $row->usertype    = '';
   $row->gid       = $acl->get_group_id( 'Registered', 'ARO' );

   if (!$row->check()) {
      echo "<script> alert('".addslashes(end($row -> getErrors()))."'); window.history.go(-1); </script>\n";
      exit();
   }

   $row->password       = md5( $row->password );
   $row->registerDate    = date( 'Y-m-d H:i:s' );

   if (!$row->store()) {
      echo "<script> alert('".addslashes(end($row -> getErrors()))."'); window.history.go(-1); </script>\n";
      exit();
   }
   $row->checkin();
   
   // $row->username is concatenated straight into the query
   $database->setQuery( "SELECT u.id "
            . "\nFROM #__users u "
            . "\nWHERE u.username='".$row->username."'"
            );
   $userid  = $database->loadResult();
   
   if ($comprofiler > 0)
   {
      $lastname = mosGetParam( $_POST, 'name', "" );
      $firstname = mosGetParam( $_POST, 'firstname', "" );
      $middlename = mosGetParam( $_POST, 'middlename', ""  );
      
      // the three POST values are interpolated into the INSERT unescaped
      $query = "INSERT INTO #__comprofiler (id,user_id,firstname,middlename,lastname) VALUES ('$userid' ,'$userid' ,'$firstname','$middlename','$lastname')";
      $database->setQuery($query);
      $database->query();
   }
   
   return $userid;
}

This is clearly a user registration function which bypasses com_user and ignores the site configuration - it is surely the source of your problem. If you really want to use this extension, I suggest deleting the function code so that it is just a stub, e.g.

Code:
function saveRegistration($comprofiler) {
 return 0;
}


Another reason for doing that is that the query

Code:
$database->setQuery( "SELECT u.id "
            . "\nFROM #__users u "
            . "\nWHERE u.username='".$row->username."'"
            );



seems to be vulnerable to SQL injection, since $row->username does not appear to be escaped, unless I am missing something. I am not particularly familiar with Joomla 1.0, so can't say for sure.



 
PostPosted: Thu Apr 22, 2010 9:32 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12437
Location: The Girly Side of Joomla in Sussex
Can I have the developer's site for AdsManager to check it out? Thanks.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


 
PostPosted: Thu Apr 22, 2010 9:54 pm 
Joomla! Guru

Joined: Thu Sep 13, 2007 11:39 am
Posts: 839
Location: UK
It seems to be http://www.joomprod.com/ - that's all I know. According to the comments in the JED it is no longer supported.



 
PostPosted: Fri Apr 23, 2010 2:27 pm 
Joomla! Explorer

Joined: Tue Oct 28, 2008 11:06 pm
Posts: 320
Location: NE Florida
Yes... I went there first for help but the lights are out! I am not a programmer but will take a stab at modding that file, keeping a copy of the original, to see what happens when legally registered users try to log in to post an ad.

Thanks... I will post results.

_________________
--- http://www.Stuffdone.com ---
/ Xeon 8 cores / CentOS / cPanel / 8GB /
/ PHP 5.3.23 / MySQL 5.1.68 / NOC in Chicago /


 
PostPosted: Thu Apr 29, 2010 10:00 am 
Joomla! Guru

Joined: Thu Sep 13, 2007 11:39 am
Posts: 839
Location: UK
Good luck with that. Personally I would recommend not using this extension. Even if I am wrong about the previous query, the following one

Code:
$query = "INSERT INTO #__comprofiler (id,user_id,firstname,middlename,lastname) VALUES ('$userid' ,'$userid' ,'$firstname','$middlename','$lastname')";

surely is vulnerable to SQL injection, since the '$firstname','$middlename','$lastname' parameters come directly from POST values.

The fact that there seem to be so many problems in one function is not exactly encouraging about the rest of the extension. It looks insecure to me, and you are risking the security of your site by using it.

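The two points fcoulter raises in his posts of Apr 22 (the registration function ignores the site's registration setting, and splices $row->username into the SELECT) and Apr 29 (the comprofiler INSERT interpolates raw POST values) can both be addressed in one handler. The following is an added example, not AdsManager's or Joomla's own code: it uses PDO with an in-memory SQLite database in place of Joomla 1.0's mosDatabase, and the table and column names, the allowUserRegistration config key and the sample $_POST array are all constructed for the demonstration.

```php
<?php
// Added example (not from AdsManager or Joomla). Shows a registration handler that
//  1. refuses to create anything while the site's "allow user registration" setting is off;
//  2. binds every request value as a parameter instead of concatenating it into SQL.
// Schema, config array and the request array below are constructed for the demo, and
// plain PDO/SQLite is used so the script runs offline without a Joomla install.

function registrationAllowed(array $config): bool
{
    // Mirrors the check the thread says com_user performs; the key name is an assumption.
    return !empty($config['allowUserRegistration']);
}

function saveRegistrationSafe(PDO $db, array $config, array $post, bool $withProfile): int
{
    if (!registrationAllowed($config)) {
        // Registration disabled site-wide: fail loudly rather than silently creating a user.
        throw new RuntimeException('User registration is disabled');
    }

    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');
    if ($username === '' || $password === '') {
        throw new InvalidArgumentException('username and password are required');
    }

    // Bound parameter: a quote character in the username is stored as data, never parsed as SQL.
    $exists = $db->prepare('SELECT id FROM users WHERE username = :u');
    $exists->execute([':u' => $username]);
    if ($exists->fetchColumn() !== false) {
        throw new RuntimeException('username already taken');
    }

    $ins = $db->prepare('INSERT INTO users (username, password, register_date)
                         VALUES (:u, :p, :d)');
    $ins->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT), // salted hash instead of bare md5()
        ':d' => date('Y-m-d H:i:s'),
    ]);
    $userId = (int)$db->lastInsertId();

    if ($withProfile) {
        // The profile insert from the thread, with every POST value bound.
        $prof = $db->prepare('INSERT INTO profiles (id, user_id, firstname, middlename, lastname)
                              VALUES (:id, :uid, :f, :m, :l)');
        $prof->execute([
            ':id'  => $userId,
            ':uid' => $userId,
            ':f'   => (string)($post['firstname'] ?? ''),
            ':m'   => (string)($post['middlename'] ?? ''),
            ':l'   => (string)($post['name'] ?? ''),
        ]);
    }
    return $userId;
}

// --- constructed demo -------------------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, register_date TEXT)');
$db->exec('CREATE TABLE profiles (id INTEGER, user_id INTEGER, firstname TEXT, middlename TEXT, lastname TEXT)');

// Constructed request: a username and surname containing a quote, which a
// string-concatenated query would have spliced straight into the SQL text.
$post = ['username' => "o'brien", 'password' => 'hunter2',
         'firstname' => 'Sean', 'middlename' => '', 'name' => "O'Brien"];

try {
    saveRegistrationSafe($db, ['allowUserRegistration' => 0], $post, true);
} catch (RuntimeException $e) {
    echo "blocked: ", $e->getMessage(), "\n";           // registration disabled
}

$id  = saveRegistrationSafe($db, ['allowUserRegistration' => 1], $post, true);
$row = $db->query('SELECT username FROM users WHERE id = ' . (int)$id)->fetch(PDO::FETCH_ASSOC);
echo "stored user #$id as ", $row['username'], "\n";   // the quote is stored literally
```

Run with `php example.php`: the first call is refused because the constructed config disables registration, and the second stores `o'brien` intact because the value travels as a bound parameter. Whether the original SELECT is actually exploitable depends on what mosUser::bind() and check() do to the username, which fcoulter says he is not sure of; binding the value sidesteps that question entirely, and the same holds for the firstname/middlename/lastname fields in the profile INSERT.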


 
PostPosted: Mon May 10, 2010 9:06 pm 
Joomla! Apprentice

Joined: Thu Aug 31, 2006 12:48 pm
Posts: 9
Hello,

I am the author of this quite old component.
The code that you mentioned here is only activated when a specific option is activated in AdsManager (option: allow AdsManager for automatic registration).

I don't have the time right now to check if there is a real issue, but if you think this could be a real issue, just don't use this option and that is all.

Thomas


 
PostPosted: Tue May 11, 2010 2:06 pm 
Joomla! Explorer

Joined: Tue Oct 28, 2008 11:06 pm
Posts: 320
Location: NE Florida
Thanks. I have that feature turned off, but it is still allowing people to create Joomla users (which is also turned off) and create ads. Of course they are not appearing inline because I don't approve them. Bottom line, there is a problem. I have tried some of the other classifieds extensions and liked this the best until this problem became apparent. Hope you fix it sometime.



 
PostPosted: Thu Jun 03, 2010 2:01 pm 
Joomla! Guru

Joined: Mon Nov 07, 2005 3:45 am
Posts: 600
I have my setting set to "membership needed to post an ad" and the page indeed takes people to the registration page. This should be removed from the extension list. It was a good extension while it lasted - thanks.


 
PostPosted: Thu Jun 03, 2010 4:42 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12437
Location: The Girly Side of Joomla in Sussex
All 1.0.x were removed from the JED, so wherever you're getting it from - don't bother.



 
PostPosted: Thu Jun 03, 2010 8:07 pm 
Joomla! Guru

Joined: Mon Nov 07, 2005 3:45 am
Posts: 600
So, the 1.5.x version is safe?


 
PostPosted: Thu Jun 03, 2010 10:00 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12437
Location: The Girly Side of Joomla in Sussex
http://docs.joomla.org/Vulnerable_Extensions_List

Quote:
Please check with the extension publisher in case of any questions over the security of their product.



 
PostPosted: Sun Sep 26, 2010 12:08 am 
Joomla! Apprentice

Joined: Thu Oct 19, 2006 11:19 am
Posts: 38
Is there a plugin that can require the real name and username to be different? Seems that all of the spam regs I get have the same real name and username.

I tried a recaptcha for a while and was having some folks on Safari filling it out correctly, but they couldn't get registered. Don't want to throw out the baby with the bathwater...


 
PostPosted: Sun Sep 26, 2010 9:00 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12437
Location: The Girly Side of Joomla in Sussex
Plugins for J1.0.x are no longer listed on the JED; have a look in the Joomla 1.0.x extension forum for some ideas.



 
PostPosted: Mon Sep 27, 2010 2:24 am 
Joomla! Apprentice

Joined: Thu Oct 19, 2006 11:19 am
Posts: 38
Ugh - didn't notice this was a 1.0 extension forum...


 
PostPosted: Mon Sep 27, 2010 4:46 pm 
Joomla! Apprentice

Joined: Wed Apr 22, 2009 6:28 pm
Posts: 25
EDIT: Likewise, I didn't realize this was a 1.0 forum. My problem is based on 1.5. Hope this can be moved to the appropriate forum.

I have disabled registration forms in CB, Joomla, and Kunena on my Joomla website. Still, bots are forcing registration by using their own forms (or seem to be) using the URL of my website.

I have never made a Joomla plugin before so maybe one of the good Samaritans on this forum could build one based on the suggestions for auto-blocking spam using the information provided below.

http://www.rubyrobot.org/article/protec ... m-spambots

If YOU do generate the plugin (or component as this is very capable of becoming) I'm sure we'd all be more than grateful and would return the favor by a generous link back to the website of the creator or maybe sporting a nice "Website Protected By" flag. ...I would anyway.

Hope this is possible and taken advantage of.


 
PostPosted: Tue Sep 28, 2010 2:45 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12437
Location: The Girly Side of Joomla in Sussex
As it would be hard to split the appropriate posts, perhaps a new post in the 1.5 forums, probably Administration, as spam isn't really a security issue.



 
PostPosted: Tue Oct 19, 2010 9:32 pm 
Joomla! Guru

Joined: Thu Nov 03, 2005 12:10 am
Posts: 584
Location: Hesperia, California, USA
This may be worth giving a try.

http://extensions.joomla.org/extensions ... ation/7319

So far, it seems to have made a formidable improvement without causing issues.

_________________
http://www.MediaArmory.com - WEB | PHOTO | WRITE | MARKETING | DESIGN
http://www.DirtArmory.com - Off Road Sports Lifestyle


 
PostPosted: Wed Nov 03, 2010 9:45 am 
Joomla! Fledgling

Joined: Wed Nov 03, 2010 8:53 am
Posts: 1
I use version 1.5.21, regularly updated to the latest version, and I have the same problem with too much spam user registration. I use captcha image, new user activation -> NO.
I believe the problem is in the Joomla core and this spam user registration is caused by a "SQL injection". Therefore installing add-on components is not the best solution. Instead, in order to stop these "spam registrations", I believe it would be better to work on the Joomla core.


 
PostPosted: Sat Dec 25, 2010 6:13 pm 
Joomla! Fledgling

Joined: Sat Dec 25, 2010 6:04 pm
Posts: 4
Is there any free version of sh404SEF?

PS. Does Honeypot work on its own, or do you have to block the IP addresses?


Last edited by mandville on Tue Dec 28, 2010 6:31 pm, edited 1 time in total.
Bump posts deleted. Please see forum rules


 
PostPosted: Fri Jul 29, 2011 6:03 pm 
Joomla! Fledgling

Joined: Fri Jul 29, 2011 5:56 pm
Posts: 4
We also have the same problem of SPAM users on our website... users are from Russia. We have the facility of registration from the front end and the form doesn't contain a captcha.

However, I feel that the user is not using our registration form to create these SPAM users, since the SPAM users have not been registered in the "Other Component" published on our website.

Is it possible that SPAM users are directly hitting com_user to create these SPAM users, or is that not possible at all?

If they are using our registration form only, then why are those not appearing in the other Component?

I am fed up... please help...


 
PostPosted: Sun Oct 09, 2011 8:05 am 
Joomla! Apprentice

Joined: Sun Sep 26, 2010 9:06 am
Posts: 7
Location: Hanoi
Please Install this plugin: http://extensions.joomla.org/extensions ... tcha/13876

_________________
http://www.dieutridau.com
Dieutridau.com (pain treatment) - Drive away the pain!


 
PostPosted: Sun Oct 09, 2011 8:58 am 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12437
Location: The Girly Side of Joomla in Sussex
dieutridau wrote:

This is a J1.0 topic, not a J1.5 topic.



 
PostPosted: Tue May 07, 2013 5:37 pm 
Joomla! Fledgling

Joined: Thu Apr 25, 2013 3:55 pm
Posts: 4
I was having this same problem after our web developer transferred our website to a new server. (We're using Joomla 2.5) We were getting dozens of spam registrants a day. After reading here and getting advice from other folks, I learned how to fix the problem. (so far)

1. I changed all the passwords for each administrator. (Just a cautionary step)
2. ReCaptcha was turned off for some reason. I re-enabled it. (Spammers still coming through)
3. Under "Users Manager" changed setting to the following - Allow User Registration = No.
4. Under "Global Configuration" select the "Permissions" tab. Go to the Public selection, under Site Login, select Denied.
(Make sure to Save.)

Note: As soon as I changed the settings under step 4, the spam registrants stopped immediately. So in changing that, I'm guessing it stops the public from logging into the front/back end of the site.

I tried installing extensions, which didn't apply to my problem, and was about to insert a hidden text field but found some negatives in doing that. So I spent hours trying to find another solution and this seems to work the best. *Relief*


 
PostPosted: Tue May 07, 2013 6:12 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 12437
Location: The Girly Side of Joomla in Sussex
poruca wrote:
I was having this same problem after our web developer transferred our website to a new server. (We're using Joomla 2.5)

These options do not apply to Joomla 1.0.x.
As there seems to be a trend in necroposting irrelevant information to this topic, it will be locked.



 