
Unknown Spammer

TamaTama United Kingdom ✭✭✭
edited July 2013 in Vanilla 2.0 - 2.8

I have a forum running 2.1b,

I have installed the StopForumSpam and Akismet plugins from the Vanilla Addons Repo on GitHub. This seemed to prevent spam for a while, but within the past few days we have had large amounts of spam by "Unknown" users, the click redirecting to profile id 0. But each one has a unique IP address.

Following this I have had to enable Approval and Botstop, but I would like to know if you guys have any idea how they got through and how as "Unknown", as this makes cleaning up their spam difficult (I have now coded a simple spam cleaner which bans them and removes their content, but this leaves gaps in the forum).

Many Thanks :D

(View log over 2GB so can't attach xd)


Comments

  • TamaTama United Kingdom ✭✭✭
    edited July 2013
  • This is a serious security hole. Have you got request logs? They could reveal some information.

    grep is your friend.

    UnderDog
  • x00x00 MVP
    edited July 2013

    check your server request logs of those ips, this will reveal the method of injection.

    edit otherwise known as access logs.

    grep is your friend.

    UnderDog
  • TamaTama United Kingdom ✭✭✭
    edited July 2013

    121.205.243.221 - - [30/Jul/2013:05:15:55 -0700] "POST /forum/vanilla/post/comment/ HTTP/1.1" 302 -
    121.205.243.221 - - [30/Jul/2013:05:15:23 -0700] "GET /forum/discussion/2292/some-special-items-ideas HTTP/1.1" 200 56337
    121.205.243.221 - - [30/Jul/2013:05:15:21 -0700] "GET /forum/discussion/2292/some-special-items-ideas HTTP/1.1" 200 56921

    Plugins Used
    Akismet 1.0.1b
    Botstop 1.0.1
    ButtonBar 1.6
    Category based "New Discussion" button text 0.1.1
    Emocss 1.0
    FileUpload 1.7.1
    Flagging 1.1.1
    In This Discussion 1
    LastEdited 1.0.2
    Max Comment 1.0.1
    Minecraft Avatar (custom) 2.0.18
    OEmbed 1.3.1
    Peregrine Badges 4.1
    Peregrine Reactions 2.3
    Profile Extender 3.0
    Quotes 1.6.1
    RoleBadges 0.2
    Signatures 1.5
    Sock Puppet Detector 1.0b
    Split/Merge 1.1
    SFS 1.0.1
    Vanilla stats 2.0.4

    WhosOnline 1.3.1

  • is there anything before that point?

    grep is your friend.

    UnderDog
  • TamaTama United Kingdom ✭✭✭
    edited July 2013

    @x00 said:
    is there anything before that point?

    No but records for Spammer " 216.244.86.130"

    216.244.86.130 - - [30/Jul/2013:05:24:20 -0700] "POST /forum/vanilla/post/comment/ HTTP/1.1" 302 -
    216.244.86.130 - - [30/Jul/2013:05:24:20 -0700] "GET /forum/discussion/2343/different-weapons HTTP/1.1" 200 51623

    SQL Query used to find spammers

    SELECT * FROM `GDN_Comment` WHERE `InsertUserID` IS NULL
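The "is there anything before that point?" check from the replies above, as an added example (not code from the thread or from Vanilla): it parses Apache common-log lines of the shape quoted in this post, and for every POST to the comment endpoint reports how long before it the same IP last fetched a discussion page and whether that IP ever submitted the sign-in form. The log lines, addresses and the sign-in path `/forum/entry/signin` are constructed for the example; the comment endpoint is the one shown in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the Apache common-log entries quoted in
# the thread; addresses, paths and times are illustrative, not real data.
SAMPLE_LOG = """\
121.205.243.221 - - [30/Jul/2013:05:15:21 -0700] "GET /forum/discussion/2292/some-special-items-ideas HTTP/1.1" 200 56921
121.205.243.221 - - [30/Jul/2013:05:15:23 -0700] "GET /forum/discussion/2292/some-special-items-ideas HTTP/1.1" 200 56337
121.205.243.221 - - [30/Jul/2013:05:15:55 -0700] "POST /forum/vanilla/post/comment/ HTTP/1.1" 302 -
216.244.86.130 - - [30/Jul/2013:05:24:20 -0700] "GET /forum/discussion/2343/different-weapons HTTP/1.1" 200 51623
216.244.86.130 - - [30/Jul/2013:05:24:20 -0700] "POST /forum/vanilla/post/comment/ HTTP/1.1" 302 -
10.0.0.5 - - [30/Jul/2013:05:30:00 -0700] "GET /forum/entry/signin HTTP/1.1" 200 4000
10.0.0.5 - - [30/Jul/2013:05:30:10 -0700] "POST /forum/entry/signin HTTP/1.1" 302 -
10.0.0.5 - - [30/Jul/2013:05:31:00 -0700] "GET /forum/discussion/2292/some-special-items-ideas HTTP/1.1" 200 56921
10.0.0.5 - - [30/Jul/2013:05:33:40 -0700] "POST /forum/vanilla/post/comment/ HTTP/1.1" 302 -
"""

# Apache common log format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
COMMENT_ENDPOINT = "/forum/vanilla/post/comment/"   # endpoint seen in the thread
SIGNIN_PATH = "/forum/entry/signin"                 # assumed sign-in form path


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def comment_posts_with_context(log_text):
    """For every POST to the comment endpoint, report the source IP, the seconds
    since that IP last fetched a discussion page (None if it never did) and
    whether the IP had submitted the sign-in form earlier in the log."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    records.sort(key=lambda r: r["time"])          # the thread's log is newest-first
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    findings = []
    for ip, recs in by_ip.items():
        signed_in = False
        last_discussion_get = None
        for r in recs:
            if r["method"] == "POST" and r["path"] == SIGNIN_PATH:
                signed_in = True
            elif r["method"] == "GET" and r["path"].startswith("/forum/discussion/"):
                last_discussion_get = r["time"]
            elif r["method"] == "POST" and r["path"] == COMMENT_ENDPOINT:
                delay = (None if last_discussion_get is None
                         else (r["time"] - last_discussion_get).total_seconds())
                findings.append({"ip": ip, "time": r["ts"],
                                 "seconds_since_view": delay, "signed_in": signed_in})
    return findings


def suspicious(findings, max_seconds=60):
    """Posts by IPs that never signed in, never viewed a discussion, or posted
    within max_seconds of viewing one: candidates for the NULL InsertUserID rows."""
    return [f for f in findings
            if not f["signed_in"]
            or f["seconds_since_view"] is None
            or f["seconds_since_view"] <= max_seconds]


if __name__ == "__main__":
    for f in suspicious(comment_posts_with_context(SAMPLE_LOG)):
        print(f)
```

On a real access log the "signed in" heuristic is only as good as the sign-in path you configure, and legitimate members who stay logged in across days will never show a sign-in POST in a short log window; the "never signed in and posted seconds after first viewing the page" combination is the useful signal, and it lines up with the 302 responses to the comment POST seen above.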
    
  • when logged out can you see a comment box?

    are you able to go to /post/comment/123 where 123 is a valid discussion ID?

    grep is your friend.

    UnderDog
  • TamaTama United Kingdom ✭✭✭
    edited July 2013

    @x00 said:
    when logged out can you see a comment box?

    are you able to go to /post/comment/123 where 123 is a valid discussion ID?

    Yes, checked on localhost running the same version, does not occur

  • well your permission and roles are clearly not right.

    What permission do you have for guest role (screen grab would be better).

    grep is your friend.

    UnderDog
  • TamaTama United Kingdom ✭✭✭
    edited July 2013

    @x00 said:
    well your permission and roles are clearly not right.

    What permission do you have for guest role (screen grab would be better).

    Figured it out, this has to do with Vanilla's Embed forum functionality, it seems if you have this enabled but not the commenting system enabled, users can comment anyway

  • for a category they posted in show me the permissions.

    grep is your friend.

    UnderDog
  • TamaTama United Kingdom ✭✭✭

    @x00 said:
    for a category they posted in show me the permissions.

    They have posted in the categories which all have the default permission settings

    also check my comment above

    UnderDog
  • x00x00 MVP
    edited July 2013

    please show the whole list, and also the full list of roles. Meanwhile try to post a comment whilst logged out.

    grep is your friend.

    UnderDog
  • TamaTama United Kingdom ✭✭✭

    @x00 said:
    please show the whole list, and also the full list of roles. Meanwhile try to post a comment whilst logged out.

    However I've tracked down the issue, this occurs when using the EmbedForum functionality; it enables the embed commenting system as well, allowing for the use of the commenting system whilst logged out.

    UnderDog
  • @Tama said:
    However I've tracked down the issue, this occurs when using the EmbedForum functionality; it enables the embed commenting system as well, allowing for the use of the commenting system whilst logged out.

    please check that outside of the embed format, you can't comment (you might have to turn off redirection).

    grep is your friend.

    UnderDog
  • TamaTama United Kingdom ✭✭✭

    @x00 said:
    please check that outside of the embed format, you can't comment (you might have to turn off redirection).

    I am unable to, but it seems bots can as the form still shows

  • PM me the site

    grep is your friend.

    TamaUnderDog
  • Yes I'm able to post without being logged in; your permission table is probably corrupt.

    grep is your friend.

    TamaUnderDog
  • ToddTodd Chief Product Officer Vanilla Staff

    What I'd do is this:

    1. You'll need to update your database directly in phpMyAdmin or something like that.
    2. Go into GDN_Role and find the Guest row.
    3. Set CanSession = 1.
    4. Now go into Roles & Permissions and edit the Guest role.
    5. Make sure the guest doesn't have any posting permissions.
    UnderDog
  • x00x00 MVP
    edited July 2013

    I wonder if there are NULL values or something else in

    JunctionTable
    JunctionColumn
    JunctionID

    Sometimes the effect of bad data dumps, means that the schema is not adhered to.

    You can DESCRIBE GDN_Permission and SELECT * FROM GDN_Permission LIMIT 30

    grep is your friend.

    UnderDog
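The database checks suggested in the last two replies (Todd's Guest-role steps and x00's NULL-junction check), together with the earlier `InsertUserID IS NULL` query, as one added example that is not code from the thread or from Vanilla. It runs against a constructed in-memory SQLite copy of cut-down `GDN_Comment`, `GDN_Role` and `GDN_Permission` tables; the column names come from the thread, while the two permission columns `Vanilla.Discussions.Add` and `Vanilla.Comments.Add`, the role IDs and all row data are assumptions made for the example. Against the live MySQL database the same statements apply with backtick quoting.

```python
import sqlite3

# Hypothetical cut-down versions of the tables named in the thread. Column
# names follow the thread; the two posting-permission columns are assumed.
SCHEMA = """
CREATE TABLE GDN_Role (RoleID INTEGER PRIMARY KEY, Name TEXT, CanSession INTEGER);
CREATE TABLE GDN_Permission (
    PermissionID INTEGER PRIMARY KEY, RoleID INTEGER,
    JunctionTable TEXT, JunctionColumn TEXT, JunctionID INTEGER,
    "Vanilla.Discussions.Add" INTEGER, "Vanilla.Comments.Add" INTEGER);
CREATE TABLE GDN_Comment (CommentID INTEGER PRIMARY KEY, DiscussionID INTEGER,
    InsertUserID INTEGER, InsertIPAddress TEXT, Body TEXT);
"""
# Constructed rows: a Guest and a Member role, a per-category row that wrongly
# grants Guest commenting, a row with half-filled junction columns, and two
# comments with no inserting user (the pattern the thread's query finds).
SAMPLE_ROWS = """
INSERT INTO GDN_Role VALUES (2, 'Guest', 0), (8, 'Member', 1);
INSERT INTO GDN_Permission VALUES
  (1, 2, NULL, NULL, NULL, 0, 0),
  (2, 8, NULL, NULL, NULL, 1, 1),
  (3, 2, 'Category', 'PermissionCategoryID', 5, 0, 1),
  (4, 8, 'Category', NULL, NULL, 1, 1);
INSERT INTO GDN_Comment VALUES
  (100, 2292, NULL, '121.205.243.221', 'spam'),
  (101, 2343, NULL, '216.244.86.130', 'spam'),
  (102, 2292, 8, '10.0.0.5', 'a real reply');
"""


def open_sample_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def orphan_comments(conn):
    """The thread's query: comments whose inserting user is NULL."""
    sql = ("SELECT CommentID, DiscussionID, InsertIPAddress "
           "FROM GDN_Comment WHERE InsertUserID IS NULL")
    return [dict(r) for r in conn.execute(sql)]


def guest_role(conn):
    """The Guest row of GDN_Role, to compare CanSession against Todd's step 3."""
    return dict(conn.execute(
        "SELECT RoleID, Name, CanSession FROM GDN_Role WHERE Name = 'Guest'").fetchone())


def guest_posting_grants(conn):
    """Global or per-category permission rows that let the Guest role post
    (Todd's step 5: there should be none)."""
    sql = """SELECT p.PermissionID, p.JunctionTable, p.JunctionID,
                    p."Vanilla.Discussions.Add" AS DiscussionsAdd,
                    p."Vanilla.Comments.Add" AS CommentsAdd
             FROM GDN_Permission p JOIN GDN_Role r ON r.RoleID = p.RoleID
             WHERE r.Name = 'Guest'
               AND (p."Vanilla.Discussions.Add" = 1 OR p."Vanilla.Comments.Add" = 1)"""
    return [dict(r) for r in conn.execute(sql)]


def half_filled_junctions(conn):
    """x00's check: rows where only some junction columns are NULL. A global
    row has all three NULL, a category row has all three set; anything else
    points at a bad data import."""
    sql = """SELECT PermissionID, RoleID, JunctionTable, JunctionColumn, JunctionID
             FROM GDN_Permission
             WHERE (JunctionTable IS NULL) != (JunctionColumn IS NULL)
                OR (JunctionTable IS NULL) != (JunctionID IS NULL)"""
    return [dict(r) for r in conn.execute(sql)]


def revoke_guest_posting(conn):
    """Todd's step 5 applied directly: clear posting permissions on every
    Guest-role row. Returns the number of rows changed."""
    cur = conn.execute("""UPDATE GDN_Permission
                          SET "Vanilla.Discussions.Add" = 0, "Vanilla.Comments.Add" = 0
                          WHERE RoleID = (SELECT RoleID FROM GDN_Role WHERE Name = 'Guest')""")
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_sample_db()
    print("orphan comments:", orphan_comments(db))
    print("guest role:", guest_role(db))
    print("guest posting grants:", guest_posting_grants(db))
    print("half-filled junction rows:", half_filled_junctions(db))
```

Run the read-only checks first and keep their output; `revoke_guest_posting` is the one statement that changes data, and it only clears the two posting columns on Guest rows, leaving the rest of the permission table for the role editor in the dashboard.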