Some guy created an account on my system: joe-the-web using this e-mail address: joe-the-web@mail.nnov.ru. He then managed to log in and run some sort of program that created a blank comment reply to every node in my system.

I am sending this out as a warning to other site administrators. I am also wondering how this was done, and how to prevent it in the future?

Thanks!

-ron

Comments

styro’s picture

developing a Drupal site spamming bot and testing out the initial functionality.

--
Anton
New to Drupal? | Forum posting tips | Troubleshooting FAQ

styro’s picture

There he is on my site. I blocked him before he actually logged in, though. I figured blocking was better than deleting; that way the bot couldn't recreate that account.

--
Anton
New to Drupal? | Forum posting tips | Troubleshooting FAQ

jap1968’s picture

This is the only thing you can see on the httpd logs:

# grep '81.95.146.186' access_log
81.95.146.186 - - [01/Dec/2006:07:58:20 -0500] "POST /user/register/ HTTP/1.1" 302 - "-" "-"

Nothing on error_log

At least on my system it seems to be an automated bot (not even a previous visit to confirm that it is a Drupal site) which has created the account.

Does any of you know if some kind of 'captcha' can be added to the registration form in order to avoid automated user registrations?
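The check jap1968 did by hand above (one POST to /user/register with no Referer and no User-Agent, from a client that never fetched a page first) can be run over a whole access log. The script below is an added example, not code from the thread or from Drupal; the log lines in it are constructed for the example, and only the first is the line quoted in the post.

```python
"""Flag scripted registrations in an Apache combined-format access log (added example)."""
import re

# Apache "combined" format:
# host ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: the first line is the one quoted in the post, the rest are
# made up (192.0.2.10 is a normal visitor, 198.51.100.7 another blind register).
SAMPLE_LOG = """\
81.95.146.186 - - [01/Dec/2006:07:58:20 -0500] "POST /user/register/ HTTP/1.1" 302 - "-" "-"
192.0.2.10 - - [01/Dec/2006:08:01:02 -0500] "GET /node/12 HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Dec/2006:08:01:30 -0500] "GET /user/register HTTP/1.1" 200 2210 "http://example.org/node/12" "Mozilla/5.0"
192.0.2.10 - - [01/Dec/2006:08:03:11 -0500] "POST /user/register HTTP/1.1" 302 - "http://example.org/user/register" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2006:09:15:44 -0500] "POST /user/register HTTP/1.1" 302 - "-" "-"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_blind_registrations(text):
    """Return {host: [reasons]} for registration POSTs that look scripted.

    A POST is suspicious when it carries no Referer, no User-Agent, or comes
    from a host that made no earlier request in the log (no page view, no GET
    of the form). A browser-driven signup normally fails none of these.
    """
    seen_before = set()
    suspects = {}
    for e in parse_log(text):
        path = e["path"].split("?", 1)[0].rstrip("/")
        if e["method"] == "POST" and path.endswith("/user/register"):
            reasons = []
            if e["referer"] in ("", "-"):
                reasons.append("no referer")
            if e["agent"] in ("", "-"):
                reasons.append("no user agent")
            if e["host"] not in seen_before:
                reasons.append("no prior request from host")
            if reasons:
                suspects.setdefault(e["host"], []).extend(reasons)
        seen_before.add(e["host"])
    return suspects


if __name__ == "__main__":
    for host, reasons in find_blind_registrations(SAMPLE_LOG).items():
        print(host, "->", ", ".join(reasons))
```

Run it against a real log with `find_blind_registrations(open("access_log").read())`; the "no prior request" test only works on a log that begins before the signup, so on a rotated log treat that reason as weaker than the missing headers.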

sepeck’s picture

The default is a math captcha; it comes with an add-on for image captcha. :)

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

pwolanin’s picture

I think that anyone who gets a valid login could then use it to do automated spamming (of any system, not just Drupal).

One way I could think of to slow this down is to limit the number of comments per hour through a custom module.

---
Work: BioRAFT

SomebodySysop’s picture

Anything available to do this now, other than moderating all comments?

pwolanin’s picture

But it ought not to be too hard. I'd look at the code from the contact module that prevents users from "flooding" messages. Perhaps newer users could be limited to X comments per day?

One real question is whether the comment module has all the hooks that one would want.

---
Work: BioRAFT
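The throttle pwolanin sketches in the two posts above (a per-account limit on comments per hour, tighter for newer accounts) written out as a stand-alone sliding window so the policy can be seen on its own. This is an added example, not a Drupal module and not code from the thread; the window length, the two limits and the 7-day "new account" cutoff are assumed values chosen for illustration, and a real module would keep the timestamps in a database table rather than in memory.

```python
"""Sliding-window comment throttle with a stricter tier for new accounts (added example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600            # sliding window: one hour (assumed)
NEW_ACCOUNT_AGE = 7 * 86400      # accounts younger than a week get the stricter limit (assumed)
LIMIT_NEW = 5                    # comments per window for new accounts (assumed)
LIMIT_ESTABLISHED = 60           # comments per window for established accounts (assumed)


class CommentThrottle:
    def __init__(self, window=WINDOW_SECONDS, limit_new=LIMIT_NEW,
                 limit_established=LIMIT_ESTABLISHED, new_age=NEW_ACCOUNT_AGE):
        self.window = window
        self.limit_new = limit_new
        self.limit_established = limit_established
        self.new_age = new_age
        self.events = defaultdict(deque)   # uid -> timestamps of accepted comments

    def limit_for(self, account_age):
        """New accounts get the low limit; established ones the normal limit."""
        return self.limit_new if account_age < self.new_age else self.limit_established

    def allow(self, uid, account_created, now):
        """Return True and record the comment if uid is under its limit at time now.

        Timestamps are Unix seconds. Events older than the window are dropped
        from the front of the deque before counting, so the window slides.
        """
        q = self.events[uid]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit_for(now - account_created):
            return False
        q.append(now)
        return True


def simulate_burst(throttle, uid, account_created, start, count):
    """Submit count comments one second apart; return how many were accepted."""
    return sum(throttle.allow(uid, account_created, start + i) for i in range(count))


if __name__ == "__main__":
    t = CommentThrottle()
    # A bot on a brand-new account hammering every node: only LIMIT_NEW get through.
    print("new account, 200 attempts:", simulate_burst(t, 1, 0, 1, 200))
    # An established member replying to 20 threads in a row is not affected.
    print("old account, 20 attempts:", simulate_burst(t, 2, -365 * 86400, 1, 20))
```

Keying on the account rather than the IP matters here because the bot has already logged in; the IP-keyed flood check in the contact module would be defeated by proxies, which TheWhippinpost raises further down the thread.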

SomebodySysop’s picture

I did a google for this name, and apparently he has signed on to dozens (perhaps hundreds) of Drupal sites, all within the past 2 days.

If you see this account, block or delete it!

oadaeh’s picture

There is also a user (maybe the same person or bot) called john_smith_666 with the e-mail address of john_smith_666@mail.nnov.ru (same domain as joe-the-web) that is doing the same thing. Both of them have hit groups.drupal.org.

SomebodySysop’s picture

Here is the IP used by the spammer on our system today around 14:00 PST: 81.95.146.186

styro’s picture

And there are approx. 63,000 Google results for "joe-the-web". He's been busy.

--
Anton
New to Drupal? | Forum posting tips | Troubleshooting FAQ

adam gallash’s picture

Found his way onto a Western Australian fishing website as well, signed up using joe-the-web@mail.nnov.ru and also used john-smith666@mail.nnov.ru, doing the same damage as you guys have mentioned. Eventually caused CPU overload on the hosting server, exceeding 20%.

:(

pwolanin’s picture

Sounds like a good use for an access rule blocking all registrants from the nnov.ru domain.

---
Work: BioRAFT

TheWhippinpost’s picture

Blocking IPs will likely prove fruitless as they are probably using proxies, but it's a first line of defence nevertheless.

It's worth spending the time changing certain footprints that will identify your site as a Drupal site, and as having comments enabled.

Error messages are one footprint (search Google for any error messages spat out by Drupal to see what I mean). Paths are another, as are the obvious words like "comment", "post", "reply" et al.

Mike
------------------------------------------------------------------------------------------
A simple thanks to those that help, a price worth paying for future wealth.

Boletus’s picture

I spend more and more time trying to counter the attacks from these spammers.

What is the security level of Drupal? I am kind of new here, so I really want to know. When choosing a CMS or other open source system, it now comes down to trying to find out how susceptible the system is to spammers and bots.

sepeck’s picture

Does your system allow user registration and comments? If so, then people automating this for spam is not exploiting a security issue, it is exploiting the logon system. There are a couple of spam solutions floating around: the Bad Behavior module, the Spam module, the Captcha module, the Logintoboggan module. It depends on what level you are going to try. I use the Captcha module configured for math captcha, but my site doesn't get a lot of comments.

As to Drupal's security in general? Read the best practices and sign up for the security newsletter in your user profile or drupal.org/security

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

oadaeh’s picture

The Source Mage web site doesn't allow anonymous posting, so comments weren't the problem, but creating user accounts with bogus information (URLs and the like) was. It was getting 2 or 3 bogus users created every day, and because the 4.6 captcha module wasn't working correctly, it couldn't be stopped. There was finally an opportunity to upgrade to 4.7 and use the captcha math question, and those bogus accounts have almost totally stopped being created. I think there have been two in 2 or 3 months. It is a simple solution that does work.

moggy’s picture

Has anyone tried the Bad Behavior module against this guy?

Edit: I can answer my own question. Just found his IP in my logs. 1 occurrence, Bad Behavior told his bot to get lost :D

vitich’s picture

My sites seem to be OK (captcha & textimage)

/vitich

vitich’s picture

*********************************************************************
The Postfix program

: host
/home/chroot_bandit/lmtp/lmtp[/home/chroot_bandit/lmtp/lmtp] said: 552
5.2.2 Over quota (in reply to RCPT TO command)

: host
/home/chroot_bandit/lmtp/lmtp[/home/chroot_bandit/lmtp/lmtp] said: 552
5.2.2 Over quota (in reply to RCPT TO command)
**********************************************************************
So much abuse, I guess...

--
VITICH from Dolyna Djerel
My projects: Dolyna Drupal, OpenCatalog.Info

rszrama’s picture

Googling joe-the-web turns up 280,000 entries right now... unfortunate, but it is an interesting way for us to get a look at all the different uses of Drupal out there. Maybe he can become the new benchmark for measuring Drupal's growth. ; )

jjkd’s picture

Seems to be back, using mynameis@mail.nnov.ru instead of joe-the-web.
--
Joe Kyle
--jjkd--

jokes-1’s picture

According to this 5-page write-up from DevShed, there is a Russian hacker organization (as if there are not enough everywhere else...) that in the last couple of months has done quite a job of spamming e-mails, of which I'm sure a lot of us have probably gotten a lot... and even though this brief article does not say much about website spambots, I'm sure it must mix into the blender of this sticky mess somehow. It is an interesting read. Here's the link:
http://webhosting.devshed.com/c/a/Web-Hosting-News/Are-Botnets-Beating-U...

On a side note... I came here looking for something to prevent anonymous posting of garbage in my comments... I know, I know... I could just turn off anonymous posting of comments, but our site does not require membership, because it is closed to just family members, so I basically need it to be allowed to let my anonymous friends post :)
It does not take long to delete the 200 or so that have been posted each day as of late, but it was only about 100 last week, so it seems it is escalating on our family website.
One other thought... perhaps these are not bots on the comments... could be something as easy as macros :P Just my 2 cents. Happy New Year, everyone!

rszrama’s picture

Interesting article. Thanks for the link. I know there's a CAPTCHA module for Drupal and a Spam module. I think there's one or two other solutions, too...

If you just need help deleting comments and are running 5.0, I made a Check All module that I use on my sites to get rid of long lists of unwanted comments. A lot easier than checking each one... (It can be ported to 4.7 but relies on jQuery right now.)

----------------------
Current Drupal project: http://www.ubercart.org

pcs305’s picture

And he is using joe-the-web's IP address! 81.95.146.186

Will it be an option to ban the IP?

rszrama’s picture

You can already ban IPs by setting up the appropriate Access Rules (admin/access/rules in Drupal 4.7, admin/user/rules in Drupal 5.0).

----------------------
Current Drupal project: http://www.ubercart.org

ajwwong’s picture

Approximately 4 random new users, who apparently have bogus accounts, within the last 24 hours:

All new bogus users have the form:

"birdnameXX@yandex.ru"

Where birdname is a random birdname, e.g., cuckoo, bullfinch, woodpecker, etc. and XX is a 2-digit number.

Usernames are generally male usernames followed by a single digit, e.g., "Benjamin4"

The admin / access control / rules suggestion should work. Might be overkill, but I'm blocking all "yandex" signups. Possibly Captcha is a better solution, but we'll see.

Thanks for the heads up.

Albert
Esalen Alumni Group
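The access rules rszrama points to (admin/access/rules in 4.7, admin/user/rules in 5.0) are what ajwwong uses above to block the yandex.ru signups. The block below is an added example, not Drupal's own code and not code from the thread: a stand-alone model of how such a rule set decides a registration. It assumes what I understand the 4.7/5 implementation to do: a rule is a (type, mask, allow|deny) triple, the mask is matched with SQL LIKE semantics (case-insensitive; `%` matches any run of characters, `_` exactly one), and a matching allow rule overrides any matching deny rule. The rule set is constructed for the example from the senders and the IP quoted in this thread, plus one allow exception for a hypothetical known member.

```python
"""Model of Drupal-style access rules (LIKE masks, allow overrides deny) (added example)."""
import re


def like_to_regex(mask):
    """Translate a SQL LIKE mask (% = any run, _ = one char) to an anchored, case-insensitive regex."""
    parts = []
    for ch in mask:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


# Constructed rule set: (type, mask, status). Types mirror Drupal's host / mail / user.
# Two masks cover the nnov.ru domain: the bare domain and any subdomain. A single
# "%nnov.ru" would also match unrelated domains that merely end in those letters.
RULES = [
    ("mail", "%@nnov.ru", "deny"),
    ("mail", "%@%.nnov.ru", "deny"),
    ("mail", "%@yandex.ru", "deny"),
    ("host", "81.95.146.186", "deny"),
    ("mail", "alice@yandex.ru", "allow"),   # hypothetical known member; allow wins over deny
]


def is_denied(rules, rule_type, value):
    """True if some deny rule of this type matches value and no allow rule does."""
    deny = False
    for rtype, mask, status in rules:
        if rtype != rule_type or not like_to_regex(mask).fullmatch(value):
            continue
        if status == "allow":
            return False
        deny = True
    return deny


def registration_denied(rules, username, email, host):
    """Apply the rule set the way a registration is checked: username, e-mail and client IP."""
    return (is_denied(rules, "user", username)
            or is_denied(rules, "mail", email)
            or is_denied(rules, "host", host))


if __name__ == "__main__":
    # Sample registrations: the two accounts from this thread, a yandex.ru bird-name
    # signup like ajwwong describes, the allowed member, and a clean one.
    for user, mail, ip in [
        ("joe-the-web", "joe-the-web@mail.nnov.ru", "203.0.113.5"),
        ("mynameis", "MYNAMEIS@MAIL.NNOV.RU", "203.0.113.5"),
        ("Benjamin4", "cuckoo42@yandex.ru", "203.0.113.5"),
        ("alice", "alice@yandex.ru", "203.0.113.5"),
        ("carol", "carol@example.org", "81.95.146.186"),
        ("dave", "dave@example.org", "203.0.113.5"),
    ]:
        print(user, mail, ip, "->", "DENIED" if registration_denied(RULES, user, mail, ip) else "ok")
```

Two things the model makes visible: masks are matched case-insensitively, so an upper-cased address does not slip past, and a deny on a whole mail provider is blunt, which is exactly why the allow rule exists for the legitimate member. The host rule will, as TheWhippinpost notes above, only hold until the bot moves to another proxy.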

david anderson-1’s picture

I got 5 from yandex.ru yesterday as well, before I could slam the lid on them. Their spam was in Russian, so spam.module didn't catch it either.

I do have filtered HTML set up so that the links are rel=nofollow, so at least I shouldn't get dinged by the search engines if they happen across them.

Now I suppose I should go add those access rules to all my other drupal sites. Sigh.

One other thing I noticed. The spambots are opening several sessions simultaneously from several different IPs. This might be a case for a session-restricting module.

SSHGuy’s picture

I guess it is not too hard to build a Drupal spam bot, since most Drupal sites I have seen so far do not have image verification activated and some do not even require an activated user account, so I do not allow posting without verification on my site.

_____________________
SEO Blog