By Avalanche on
The account registration is set to administrators only, yet new accounts are being registered on my site all the time. I'm the only person with administrator access.
How is this happening and how can I stop it?
Comments
=-=
Exact version of Drupal 7 in use?
Are you sure no one has your login information?
Drupal 7.26.
Absolutely no one else should have administrative access; I even changed the password the moment Heartbleed went public, so it was recently updated.
The user registrations are all spambots, though they can't actually post anything since permissions are disabled for un-authenticated accounts.
It looks like one of them logged in, though I can't think of anything that they could possibly do since permissions are all highly restricted.
Screen shots:
http://i.imgur.com/hxt85RY.png
http://i.imgur.com/frZQSMz.png
http://i.imgur.com/CV3olTK.png
=-=
what occurs when you are logged out and visit yoursite.com/user/register ?
I see that you have logintoboggan installed. Is that where the unauthenticated user role is coming from? Have you inspected its settings?
The page reads, "You are not authorized to access this page".
I took a look at logintoboggan but don't see anything unusual. Here's a screenshot of the settings:
http://i.imgur.com/3DMShmk.jpg
=-=
If the form isn't being served to anonymous users, I can't see how the site is registering users without doing so through a hack.
So that's my major concern right now.
I keep all of the security patches updated, the OS is updated, the environment is chrooted, and security audits all come back okay...
I'm not sure where to go from here.
=-=
I'd be disabling modules one at a time and watching the logs. I'd also make sure the UID 1 account password is changed as well as any other user accounts with a role that has any admin permissions.
Permissions Settings
If you're curious, here are the permission settings I'm using:
http://imgur.com/a/0amUh
You can install Mollom and configure it with a CAPTCHA.
And you will have something like this:
http://i.imgur.com/Qi9gbNl.png
- Darryl Norris
=-=
That'd be a good immediate stopgap, though I'm hoping to avoid any user registration whatsoever.
=-=
The interesting part of this is that the form isn't being displayed to anon users.
=-=
Yeah, so clearly somewhere there is an opening. I'll need to find a way to track user behavior and see if it reveals anything about an open URL somewhere with a registration form.
I'm in the process of disabling and culling any disabled or unused modules from the website.
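As an added example (not from the thread or from Drupal itself) of how to track where those registrations are coming from before disabling modules one by one: SQL run directly against a Drupal 7 database, assuming MySQL and the core Database logging (dblog) module enabled. The table and column names are Drupal 7 core schema; the 30-day window is an arbitrary choice.

```sql
-- Added example, not code from the thread. Assumes Drupal 7 on MySQL with
-- the core dblog module enabled (the watchdog table).

-- 1. What the database actually stores for account registration.
--    user_register is a serialized PHP integer:
--    i:0; = administrators only, i:1; = visitors, i:2; = visitors, admin approval.
--    A $conf['user_register'] line in settings.php silently overrides this.
SELECT name, value FROM variable WHERE name = 'user_register';

-- 2. Accounts created in the last 30 days, with the mail they registered
--    with and whether the account has ever logged in.
SELECT uid, name, mail, status,
       FROM_UNIXTIME(created) AS created_at,
       IF(login = 0, 'never', FROM_UNIXTIME(login)) AS last_login
FROM users
WHERE uid > 0 AND created > UNIX_TIMESTAMP() - 30 * 86400
ORDER BY created;

-- 3. Which URL handled each registration. The user module logs
--    'New user: %name %email.' from the registration form; watchdog.location
--    is the request URL and watchdog.hostname the client address, so this
--    shows whether accounts came in via /user/register or some other path.
--    An account with no matching row was created without that form,
--    e.g. programmatically by a module calling user_save().
SELECT FROM_UNIXTIME(w.timestamp) AS logged_at,
       w.location, w.referer, w.hostname, w.variables
FROM watchdog w
WHERE w.type = 'user' AND w.message LIKE 'New user:%'
  AND w.timestamp > UNIX_TIMESTAMP() - 30 * 86400
ORDER BY w.timestamp;

-- 4. Every account other than uid 1 holding a role that can create users.
--    (The anonymous and authenticated roles, rid 1 and 2, are not listed in
--    users_roles; the second query checks those directly.)
SELECT u.uid, u.name, r.name AS role
FROM users u
JOIN users_roles ur ON ur.uid = u.uid
JOIN role r ON r.rid = ur.rid
JOIN role_permission rp ON rp.rid = r.rid
WHERE rp.permission = 'administer users' AND u.uid <> 1;

SELECT rid, permission FROM role_permission
WHERE rid IN (1, 2) AND permission = 'administer users';
```

If query 3 returns rows whose location is not /user/register, that URL is the opening; if it returns nothing while query 2 lists new accounts, a module is creating them outside the form and disabling modules one at a time is the right next step.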