Spam User Registration ??

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

eskwire
Joomla! Enthusiast
Posts: 118
Joined: Sun Sep 25, 2005 3:57 pm
Location: Atlanta, GA

Re: Spam User Registration ??

Post by eskwire » Fri Mar 12, 2010 4:25 pm

Thanks for this thread. For whatever reason my spam signups have jumped to 10 to 20 per day, times 10 websites, and that turns out to be quite a few emails.

I have been working with some of the different reCaptcha plugins and have them working but I am not sure it is slowing down the bots. Have some more testing to do.

1. If you have reCaptcha on the user sign-up form, is it possible for a bot to get past this without entering the text correctly? Perhaps a way the bot could go straight to the database?

2. I use sh404SEF, if I turn on project honeypot will site performance suffer?

After a little more testing I hope to write up my results to hopefully help others.

Thanks!

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Spam User Registration ??

Post by fcoulter » Fri Mar 12, 2010 4:54 pm

I use sh404sef with Project Honeypot, and I have not found a big difference in performance. It is effective in stopping a lot of spam; I have found it stops most, and where a small amount slips through the net it is usually possible to ban the rest by IP address.

I would certainly recommend trying it, if it does not work for you then you can always stop using it again. Project Honeypot is a great service in my opinion.

It is my understanding that some bots can now read some captchas, that might be how they are getting through.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

stuffdone
Joomla! Guru
Posts: 726
Joined: Tue Oct 28, 2008 11:06 pm
Location: NE Florida

Re: Spam User Registration ??

Post by stuffdone » Wed Apr 21, 2010 3:32 pm

I have the same problem, except that they are registering from India to try to post classified ads. In my case I turned OFF registrations in the global configuration, yet they are still able to register.

My login forms and registration forms ( when active ) use captcha as well.

I removed the links to register from the site as well. It still has not prevented them from creating a user account.

(They cannot post ads without my approving them, however. Using AdsManager.)

I am not certain that the extension AdsManager is not creating a back door, but since they have locked their forums and have removed their contact-us form, I assume no one is minding that extension any longer.

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Spam User Registration ??

Post by fcoulter » Thu Apr 22, 2010 1:24 pm

I think you are right; this might be something to do with AdsManager.

Certainly it should be the case that disallowing user registration in your site configuration effectively blocks any registration; the Joomla user component definitely checks for this before allowing any registration, and I have found that to be effective in the past in blocking spammy registrations.

stuffdone
Joomla! Guru
Posts: 726
Joined: Tue Oct 28, 2008 11:06 pm
Location: NE Florida

Re: Spam User Registration ??

Post by stuffdone » Thu Apr 22, 2010 2:16 pm

fcoulter wrote: I think you are right; this might be something to do with AdsManager.

Certainly it should be the case that disallowing user registration in your site configuration effectively blocks any registration; the Joomla user component definitely checks for this before allowing any registration, and I have found that to be effective in the past in blocking spammy registrations.

I tend to agree, but am confounded by how AdsManager is able to circumvent the Joomla setting to not allow registrations, since those are registering as Joomla members. Also, there are no links to any registration forms any longer. In fact, I even deleted the /component/com_user/register files.

There must be some hack they are using. The problem is there is no longer any help available from the AdsManager site, as the forum is locked closed. I like this program better than others I have tried.

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Spam User Registration ??

Post by fcoulter » Thu Apr 22, 2010 8:49 pm

I just took a look at AdsManager; it contains the following function (in adsmanager.php at line 2184):

Code:

function saveRegistration($comprofiler) {
	global $database, $acl,$mosConfig_absolute_path;

	// simple spoof check security
	//josSpoofCheck();	
	
	$row = new mosUser( $database );

	if (!$row->bind( $_POST, 'usertype' )) {
		mosErrorAlert( addslashes(end($row -> getErrors())) );
	}

	mosMakeHtmlSafe($row);

	$row->id 		= 0;
	$row->usertype 	= '';
	$row->gid 		= $acl->get_group_id( 'Registered', 'ARO' );

	if (!$row->check()) {
		echo "<script> alert('".addslashes(end($row -> getErrors()))."'); window.history.go(-1); </script>\n";
		exit();
	}

	$row->password 		= md5( $row->password );
	$row->registerDate 	= date( 'Y-m-d H:i:s' );

	if (!$row->store()) {
		echo "<script> alert('".addslashes(end($row -> getErrors()))."'); window.history.go(-1); </script>\n";
		exit();
	}
	$row->checkin();
	
	$database->setQuery( "SELECT u.id "
				. "\nFROM #__users u "
				. "\nWHERE u.username='".$row->username."'"
				);
	$userid  = $database->loadResult();
	
	if ($comprofiler > 0)
	{
		$lastname = mosGetParam( $_POST, 'name', "" );
		$firstname = mosGetParam( $_POST, 'firstname', "" );
		$middlename = mosGetParam( $_POST, 'middlename', ""  );
		
		$query = "INSERT INTO #__comprofiler (id,user_id,firstname,middlename,lastname) VALUES ('$userid' ,'$userid' ,'$firstname','$middlename','$lastname')";
		$database->setQuery($query);
		$database->query();
	}
	
	return $userid;
}  

This is clearly a user registration function which bypasses com_user and ignores the site configuration - it is surely the source of your problem. If you really want to use this extension, I suggest deleting the function code so that it is just a stub, e.g.

Code:

function saveRegistration($comprofiler) {
 return 0;
}

Another reason for doing that is that the query

Code:

$database->setQuery( "SELECT u.id "
            . "\nFROM #__users u "
            . "\nWHERE u.username='".$row->username."'"
            );

seems to be vulnerable to SQL injection, since $row->username does not appear to be escaped, unless I am missing something. I am not particularly familiar with Joomla 1.0, so can't say for sure.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Spam User Registration ??

Post by mandville » Thu Apr 22, 2010 9:32 pm

Can I have the developer's site for AdsManager to check it out? Thanks.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Spam User Registration ??

Post by fcoulter » Thu Apr 22, 2010 9:54 pm

It seems to be http://www.joomprod.com/ - that's all I know. According to the comments in the JED it is no longer supported.

stuffdone
Joomla! Guru
Posts: 726
Joined: Tue Oct 28, 2008 11:06 pm
Location: NE Florida

Re: Spam User Registration ??

Post by stuffdone » Fri Apr 23, 2010 2:27 pm

Yes... I went there first for help, but the lights are out! I am not a programmer, but will take a stab at modding that file, keeping a copy of the original, to see what happens when legally registered users try to log in to post an ad.

Thanks... I will post results.
--- http://www.Stuffdone.com ---
Wow. Doing web sites for over 28+ years now. Still learn new tricks...not bad for an old dog

fcoulter
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK

Re: Spam User Registration ??

Post by fcoulter » Thu Apr 29, 2010 10:00 am

Good luck with that. Personally, I would recommend not using this extension. Even if I am wrong about the previous query, the following one

Code:

$query = "INSERT INTO #__comprofiler (id,user_id,firstname,middlename,lastname) VALUES ('$userid' ,'$userid' ,'$firstname','$middlename','$lastname')";

surely is vulnerable to SQL injection, since the '$firstname','$middlename','$lastname' parameters come directly from POST values.

The fact that there seem to be so many problems in one function is not exactly encouraging about the rest of the extension. It looks insecure to me and you are risking the security of your site by using it.
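
The two queries fcoulter flags, the SELECT by username in the earlier post and the INSERT built from POST values in this one, share one fix: bind the values instead of concatenating them. The script below is an added example written for this thread, not code from AdsManager or Joomla. It rewrites the quoted saveRegistration() so that it refuses when the site's registration switch is off and sends every value through a PDO prepared statement. The table layout, the $allowRegistration flag and the use of an in-memory SQLite database in place of MySQL are assumptions made so the script runs stand-alone.

```php
<?php
// Added example, not AdsManager's or Joomla's code. Assumed: the table layout,
// the $allowRegistration flag, and SQLite in memory standing in for MySQL.
declare(strict_types=1);

function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed tables, loosely modelled on #__users and #__comprofiler.
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE, name TEXT NOT NULL,
        password TEXT NOT NULL, registerDate TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE comprofiler (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL,
        firstname TEXT, middlename TEXT, lastname TEXT)');
    return $pdo;
}

// Safe counterpart of the quoted "SELECT u.id ... WHERE u.username='...'":
// the username is bound, so a quote inside it remains data.
function findUserId(PDO $pdo, string $username): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int)$id;
}

// Returns the new user id, or null when the registration is refused.
function saveRegistration(PDO $pdo, bool $allowRegistration, bool $comprofiler, array $post): ?int
{
    // The quoted function bypassed com_user and so never saw this switch.
    if (!$allowRegistration) {
        return null;
    }
    $username = trim((string)($post['username'] ?? ''));
    $name     = trim((string)($post['name'] ?? ''));
    $password = (string)($post['password'] ?? '');
    if ($username === '' || $name === '' || strlen($password) < 8) {
        return null; // validate server-side instead of echoing a JS alert()
    }
    if (findUserId($pdo, $username) !== null) {
        return null; // duplicate username
    }

    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare('INSERT INTO users (username, name, password, registerDate)
                               VALUES (:u, :n, :p, :d)');
        $stmt->execute([
            ':u' => $username,
            ':n' => $name,
            ':p' => password_hash($password, PASSWORD_DEFAULT), // salted, not bare md5()
            ':d' => date('Y-m-d H:i:s'),
        ]);
        $userId = (int)$pdo->lastInsertId(); // replaces the SELECT-by-username round trip

        if ($comprofiler) {
            // firstname/middlename/lastname came straight from $_POST into the
            // quoted INSERT string; here they are bound like everything else.
            $stmt = $pdo->prepare('INSERT INTO comprofiler (id, user_id, firstname, middlename, lastname)
                                   VALUES (:id, :uid, :f, :m, :l)');
            $stmt->execute([
                ':id'  => $userId,
                ':uid' => $userId,
                ':f'   => (string)($post['firstname'] ?? ''),
                ':m'   => (string)($post['middlename'] ?? ''),
                ':l'   => $name,
            ]);
        }
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();
        return null;
    }
    return $userId;
}

// Constructed input: the apostrophe is the character that would have broken the
// concatenated query; with bound parameters it is simply stored.
$pdo  = openDatabase();
$post = ['username' => "o'brien", 'name' => "Pat O'Brien", 'firstname' => 'Pat',
         'middlename' => '', 'password' => 'correct horse battery staple'];

$checks = [
    'closed site refuses registration' => saveRegistration($pdo, false, true, $post) === null,
    'open site creates user id 1'      => saveRegistration($pdo, true, true, $post) === 1,
    'username with quote stored as-is' => findUserId($pdo, "o'brien") === 1,
    'duplicate username refused'       => saveRegistration($pdo, true, true, $post) === null,
];
foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . "\n";
}
```

Run it from the command line with php; the checks at the bottom exercise the closed-site refusal, the stored apostrophe and the duplicate rejection. Stubbing the function out as suggested above remains the simpler option when the automatic-registration feature is not needed at all.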

tompap
Joomla! Apprentice
Posts: 9
Joined: Thu Aug 31, 2006 12:48 pm

Re: Spam User Registration ??

Post by tompap » Mon May 10, 2010 9:06 pm

Hello,

I am the author of this quite old component.
The code that you mentioned here is only activated when a specific option is activated in AdsManager (option: allow AdsManager for automatic registration).

I don't have the time right now to check if there is a real issue, but if you think this could be a real issue, just don't use this option and that is all.

Thomas

stuffdone
Joomla! Guru
Posts: 726
Joined: Tue Oct 28, 2008 11:06 pm
Location: NE Florida

Re: Spam User Registration ??

Post by stuffdone » Tue May 11, 2010 2:06 pm

Thanks. I have that feature turned off, but it is still allowing people to create Joomla users (which is also turned off) and create ads. Of course they are not appearing inline because I don't approve them. Bottom line: there is a problem. I have tried some of the other classifieds extensions and liked this the best until this problem became apparent. Hope you fix it sometime.

ThePiston
Joomla! Guru
Posts: 643
Joined: Mon Nov 07, 2005 3:45 am

Re: Spam User Registration ??

Post by ThePiston » Thu Jun 03, 2010 2:01 pm

I have my setting set to "membership needed to post an ad" and the page indeed takes people to the registration page. This should be removed from the extension list. It was a good extension while it lasted - thanks.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Spam User Registration ??

Post by mandville » Thu Jun 03, 2010 4:42 pm

All 1.0.x were removed from the JED, so wherever you're getting it from - don't bother.

ThePiston
Joomla! Guru
Posts: 643
Joined: Mon Nov 07, 2005 3:45 am

Re: Spam User Registration ??

Post by ThePiston » Thu Jun 03, 2010 8:07 pm

So, the 1.5.x version is safe?

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Spam User Registration ??

Post by mandville » Thu Jun 03, 2010 10:00 pm

http://docs.joomla.org/Vulnerable_Extensions_List
Please check with the extension publisher in case of any questions over the security of their product.

Cebby
Joomla! Apprentice
Posts: 38
Joined: Thu Oct 19, 2006 11:19 am

Re: Spam User Registration ??

Post by Cebby » Sun Sep 26, 2010 12:08 am

Is there a plug in that can require the real name and username be different? Seems that all of the spam regs I get have the same real name and username.

I tried a recaptcha for a while and was having some folks on Safari filling it out correctly, but they couldn't get registered. Don't want to throw out the baby with the bathwater...

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Spam User Registration ??

Post by mandville » Sun Sep 26, 2010 9:00 pm

Plugins for J1.0.x are no longer listed on the JED; have a look in the Joomla 1.0.x extension forum for some ideas.

Cebby
Joomla! Apprentice
Posts: 38
Joined: Thu Oct 19, 2006 11:19 am

Re: Spam User Registration ??

Post by Cebby » Mon Sep 27, 2010 2:24 am

Ugh - didn't notice this was a 1.0 extension forum...

tymlls05
Joomla! Apprentice
Posts: 25
Joined: Wed Apr 22, 2009 6:28 pm

Bringing up an old topic.

Post by tymlls05 » Mon Sep 27, 2010 4:46 pm

EDIT: Likewise, I didn't realize this was a 1.0 forum. My problem is based on 1.5. Hope this can be moved to the appropriate forum.

I have disabled registration forms in CB, Joomla, and Kunena on my Joomla website. Still, bots are forcing registration by using their own forms (or seem to be) using the URL to my website.

I have never made a Joomla plugin before, so maybe one of the good Samaritans on this forum could build one based on the suggestions for auto-blocking spam using the information provided below.

http://www.rubyrobot.org/article/protec ... m-spambots

If YOU do generate the plugin (or component as this is very capable of becoming) I'm sure we'd all be more than grateful and would return the favor by a generous link back to the website of the creator or maybe sporting a nice "Website Protected By" flag. ...I would anyway.

Hope this is possible and taken advantage of.

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Spam User Registration ??

Post by mandville » Tue Sep 28, 2010 2:45 pm

As it would be hard to split the appropriate posts, perhaps a new post in the 1.5 forums, probably Administration, as spam isn't really a security issue.

FidelGonzales
Joomla! Guru
Posts: 584
Joined: Thu Nov 03, 2005 12:10 am
Location: Hesperia, California, USA

Re: Spam User Registration ??

Post by FidelGonzales » Tue Oct 19, 2010 9:32 pm

This may be worth giving a try.

http://extensions.joomla.org/extensions ... ation/7319

So far, it seems to have made a formidable improvement without causing issues.
http://www.MediaArmory.com - WEB | PHOTO | WRITE | MARKETING | DESIGN
http://www.DirtArmory.com - Off Road Sports Lifestyle

keyascii
Joomla! Fledgling
Posts: 1
Joined: Wed Nov 03, 2010 8:53 am

Re: Spam User Registration ??

Post by keyascii » Wed Nov 03, 2010 9:45 am

I use version 1.5.21, regularly updated to the latest version, and I have the same problem with too much spam user registration. I use captcha image, new user activation -> NO.
I believe the problem is in the Joomla core and this spam user registration is caused by a "SQL injection". Therefore installing add-on components is not the best solution. Instead, in order to stop these "spam registrations", I believe it would be better to work on the Joomla core.

kamyarghofrani
Joomla! Fledgling
Posts: 4
Joined: Sat Dec 25, 2010 6:04 pm

Re: Spam User Registration ??

Post by kamyarghofrani » Sat Dec 25, 2010 6:13 pm

Is there any free version of 404SEF?

PS. Does Honeypot work on its own, or do you have to block the IP addresses?
Last edited by mandville on Tue Dec 28, 2010 6:31 pm, edited 1 time in total.
Reason: Bump posts deleted. Please see forum rules

topcafirms
Joomla! Fledgling
Posts: 4
Joined: Fri Jul 29, 2011 5:56 pm

Re: Spam User Registration ??

Post by topcafirms » Fri Jul 29, 2011 6:03 pm

We also have the same problem of SPAM users on our website... users are from Russia. We have the facility of registration from the front end, and the form doesn't contain a captcha.

However, I feel that the user is not using our registration form to create these SPAM users, since the SPAM users have not been registered in the "Other Component" published on our website.

Is it possible that SPAM users are directly hitting com_user to create these SPAM users, or is that not possible at all?

If they are using our registration form only, then why are those not appearing in the other Component?

I am fed up... please help...

dieutridau
Joomla! Apprentice
Posts: 7
Joined: Sun Sep 26, 2010 9:06 am
Location: Hanoi

Re: Spam User Registration ??

Post by dieutridau » Sun Oct 09, 2011 8:05 am

http://www.dieutridau.com
Pain treatment .com - Banish your pain!

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Spam User Registration ??

Post by mandville » Sun Oct 09, 2011 8:58 am

dieutridau wrote: Please install this plugin: http://extensions.joomla.org/extensions ... tcha/13876

This is a J1.0 topic, not a J1.5 topic.

poruca
Joomla! Fledgling
Posts: 4
Joined: Thu Apr 25, 2013 3:55 pm

Re: Spam User Registration ??

Post by poruca » Tue May 07, 2013 5:37 pm

I was having this same problem after our web developer transferred our website to a new server. (We're using Joomla 2.5) We were getting dozens of spam registrants a day. After reading here and getting advice from other folks, I learned how to fix the problem. (so far)

1. I changed all the passwords for each administrator. (Just a cautionary step)
2. ReCaptcha was turned off for some reason. I re-enabled it. (Spammers still coming through)
3. Under "Users Manager" changed setting to the following - Allow User Registration = No.
4. Under "Global Configuration" select the "Permissions" tab. Go to the Public selection, under Site Login, select Denied.
(Make sure to Save.)

Note: As soon as I changed the settings under step 4, the spam registrants stopped immediately. So in changing that, I'm guessing it stops the public from logging into the front/back end of the site.

I tried installing extensions, which didn't apply to my problem, and was about to insert a hidden text field but found some negatives in doing that. So I spent hours trying to find another solution and this seems to work the best. *Relief*

mandville
Joomla! Master
Posts: 15150
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Spam User Registration ??

Post by mandville » Tue May 07, 2013 6:12 pm

poruca wrote: I was having this same problem after our web developer transferred our website to a new server. (We're using Joomla 2.5)

These options do not apply to Joomla 1.0.x.
As there seems to be a trend in necroposting irrelevant information to this topic, it will be locked.

