Botnets injecting direct to register.php. HELP!

  • XXP (Member, joined Jan 2007, 82 posts)

    #1
    Botnets injecting direct to register.php. HELP!

    We have an ongoing problem where botnets are doing direct GETs to vBulletin's "register.php". It appears that they are somehow using it to send out email.

    We are at the current vB 3.x level: 3.8.6 PL1.

    The only way that we've found to stop it is to rename or remove "register.php". When we do that, the hits start getting 404s and the bounced mail messages start to disappear. As soon as we put register.php back, within minutes, it starts up again.

    We need a vBulletin supported variable for the name of that file, please. We do not want to vary the code base from vB standard.

    Thanks very much.
  • Steve Machol (Former Customer Support Manager, joined Jul 2000, 154488 posts)

    #2
    Honestly I don't see how that is possible. How are they sending emails exactly? Also do you have any add-ons installed?
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



    • XXP (Member, joined Jan 2007, 82 posts)

      #3
      Originally posted by Steve Machol:
          How are they sending emails exactly? Also do you have any add-ons installed?

      Thanks for your reply and questions.

      1. Haven't figured out how they are doing it. Only know four symptoms:
      A. Bots have been hitting register.php directly to monstrous level -- e.g., our server has buckled under the load, twice.
      B. Coincident with A. above we start getting a flood of bounced email notices.
      C. A & B show in our [larger than normal] logs.
      D. When we rename register.php, the bots will continue to try for hours but gradually both symptoms will subside.

      Tried to include a quote from our httpd access log here, but key strings seem to get filtered by this board's message entry cleaning. Maybe it's a clue? Will send it by mail, if you like.

      2. Yes; we have a few add-ons. One is "EZ Bounce Management" that may be related to this. Is it a known problem? I'll try disabling it to see if the matter changes.

      Thanks again.
      Last edited by XXP; Mon 27 Dec '10, 1:47pm. Reason: Removed log entry; added EZ Bounce item.


      • Steve Machol (Former Customer Support Manager, joined Jul 2000, 154488 posts)

        #4
        It sounds like they are using dummy email addresses, which is exactly what email verification is supposed to catch and stop. In other words, the system is working fine. It's just that you have a lot of bots trying your forums for some reason.

        Are you using any of the Human Verification options? Please see this thread for recommendations on reducing spam and registrations from spam bots:

        How to Reduce Spam and Registration Bots

        • XXP (Member, joined Jan 2007, 82 posts)

          #5
          Hi Steve,

          Yes; human verification is turned on. Have reCAPTCHA + security questions (who's buried in Grant's tomb, etc.)


          • XXP (Member, joined Jan 2007, 82 posts)

            #6
            These are sending GET messages directly to register.php.


            • Alfa1 (Senior Member, joined Dec 2005, 4165 posts, running 3.8.x)

              #7
              Ban all fake email domains. Install vmail. That should get rid of it.
              I buy 420 forums


              • XXP (Member, joined Jan 2007, 82 posts)

                #8
                Originally posted by Steve Machol:
                    ... It's just that you have a lot of bots trying your forums for some reason.

                This isn't about bots trying the forums. This is about bots calling register.php directly and packing the argument stream with stuff that apparently gets register.php to do things [send out emails] for them.

                I've tried to quote one of the stuffed argument strings here, but the form cleaners clean it out. (Yay for that.)

                Write me directly and I'll email a copy of one to you. Or I can maybe redirect some of the bad traffic to the register.php on the vB support forum so that you can see it in action.


                • Zachery (Former vBulletin Support, joined Jul 2002, 59097 posts)

                  #9
                  Enabling human verification with reCAPTCHA or very specific customized Question & Answer should prevent bots from registering.

                  You can use [noparse] or [code] or both to make sure the specific text doesn't get removed from the post. You could also post a bug report if you think it's a bug in the software.


                  • XXP (Member, joined Jan 2007, 82 posts)

                    #10
                    Originally posted by Alfa1:
                        Ban all fake email domains. Install vmail. That should get rid of it.

                    Thanks but that's not what this is about. These guys are going directly to register.php. Got nothing to do with the actual registration process on our boards. Registration is turned off on our boards now and register.php itself has been removed but the bots are still hammering the server trying to get to register.php with all kinds of weird argument strings.


                    • Zachery (Former vBulletin Support, joined Jul 2002, 59097 posts)

                      #11
                      How do you propose we stop the bots?


                      • XXP (Member, joined Jan 2007, 82 posts)

                        #12
                        Originally posted by Zachery:
                            Enabling human verification with reCAPTCHA or very specific customized Question & Answer should prevent bots from registering.

                        I've already said, twice, that we DO use reCaptcha and custom security questions.

                        These bots are sending GET requests directly to register.php. (Note: "GET", not "POST" as is used in the vB code.)

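As an added example that is not from the thread, from vBulletin or from any of the posters, here is the kind of interim measure XXP's point about GET versus POST suggests, without renaming register.php. It assumes the site runs Apache with mod_rewrite, and it assumes (as XXP reports) that the abusive requests are GETs to register.php carrying registration form fields in the query string, whereas vBulletin's own registration form submits those fields by POST. The parameter names (email, emailconfirm, username, password) and the claim that no legitimate vBulletin 3.8 link puts them in a register.php query string are assumptions to confirm against your own access log before deploying; a mistake here locks real users out of registration.

```apache
# Added example, not vBulletin code. Goes in the forum's .htaccess or vhost.
# Refuse GET requests to register.php whose query string carries form fields
# that the real registration form only ever sends by POST. Assumption: the
# field names below match what the bots are stuffing into the URL.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} =GET
RewriteCond %{QUERY_STRING} (^|&)(email|emailconfirm|username|password)= [NC]
RewriteRule ^register\.php$ - [F,L]
```

Because the rule answers with 403 before PHP runs, the bots' requests stop costing a vBulletin page build and stop reaching whatever code path is producing the bounced mail, while the normal flow (a bare GET for the form, then a POST to submit it) is untouched.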

                        • Alfa1 (Senior Member, joined Dec 2005, 4165 posts, running 3.8.x)

                          #13
                          Why is that special?

                          I see hundreds of GET requests in my usage log today.

                          • XXP (Member, joined Jan 2007, 82 posts)

                            #14
                            Originally posted by Alfa1:
                                Why is that special?

                            Wow. I'd really like to thank you all for your attention to this. Unfortunately the message has been broken up by the process.

                            This is different because these bots seem to be actually getting register.php to do something bad. Not sure what, but am sure that it involves sending out emails from our server.

                            To answer the question about what I propose to do about it; I'll refer back to my original post. I don't know what an ultimate solution is or should be, but an interim one would be to allow us to modify the name of register.php so that we can hide it on our servers. That is, give it a name that the bots don't know so that they won't know what script to call.

                            Thanks again to all.


                            • Alfa1 (Senior Member, joined Dec 2005, 4165 posts, running 3.8.x)

                              #15
                              To view the register page, a user needs to GET the page first.
                              If bots are using your register.php to send out email then:
                              - there needs to be an open relay. You can test for this. I can't imagine how there would be, but I could be wrong about it.
                              - your bounced messages will absolutely reveal what messages are sent and to whom. So please provide that information.

                              What IP addresses do the bots have?

                              And to answer your question about cloaking register.php, I answered that one above. Try vmail. It will replace register.php as the first step in the registration process. If any of your suspicions are true, then this will solve it.

                              My guess is that the bots are just hitting register.php to bring your site down or they are SE bots trying to crawl the file. Have you excluded register.php in robots.txt?
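Alfa1 asks which IP addresses the bots are coming from, and XXP says the pattern (GETs to register.php with stuffed argument strings) shows up in the httpd access log. The following Python script is an added example, not code from the thread, from vBulletin or from any poster: it parses Apache combined-format log lines, profiles every request to register.php per source IP, and flags sources that only ever GET the script with a query string and cycle through different email= values, which is the opposite of a real visitor's bare GET followed by a POST. Every log line, IP address and hostname in it is constructed for the example, and the query parameter names (do, email, username) are assumptions about what such bots send, not taken from the thread; adjust them to what your own log actually shows.

```python
"""Triage Apache access-log lines for scripted traffic against register.php.

Added example, not code from the thread or from vBulletin. Assumes the Apache
"combined" log format. All log lines, IP addresses and hostnames below are
constructed for the example; the query parameter names (do, email, username)
are assumptions about what the bots send, not taken from the thread.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache combined: host ident user [time] "METHOD target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: two sources spray GET /register.php with form fields in
# the query string and a fresh email each time; one real visitor does the
# normal GET (blank form) followed by POST (submitted form).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Dec/2010:13:40:01 -0500] "GET /register.php?do=register&email=bot1%40mail.example&username=qwe1 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Dec/2010:13:40:01 -0500] "GET /register.php?do=register&email=bot2%40mail.example&username=qwe2 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Dec/2010:13:40:02 -0500] "GET /register.php?do=register&email=bot3%40mail.example&username=qwe3 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
203.0.113.7 - - [27/Dec/2010:13:40:02 -0500] "GET /register.php?do=register&email=bot4%40mail.example&username=qwe4 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
198.51.100.23 - - [27/Dec/2010:13:40:05 -0500] "GET /register.php?do=register&email=spam9%40mail.example HTTP/1.1" 200 8123 "-" "-"
198.51.100.23 - - [27/Dec/2010:13:40:05 -0500] "GET /register.php?do=register&email=spam10%40mail.example HTTP/1.1" 200 8123 "-" "-"
198.51.100.23 - - [27/Dec/2010:13:40:06 -0500] "GET /register.php?do=register&email=spam11%40mail.example HTTP/1.1" 200 8123 "-" "-"
192.0.2.44 - - [27/Dec/2010:13:41:10 -0500] "GET /register.php HTTP/1.1" 200 8123 "http://forum.example/index.php" "Mozilla/5.0"
192.0.2.44 - - [27/Dec/2010:13:43:52 -0500] "POST /register.php?do=addmember HTTP/1.1" 302 0 "http://forum.example/register.php" "Mozilla/5.0"
192.0.2.44 - - [27/Dec/2010:13:43:53 -0500] "GET /index.php HTTP/1.1" 200 20411 "http://forum.example/register.php" "Mozilla/5.0"
203.0.113.7 - - [27/Dec/2010:13:44:00 -0500] "GET /register.php?do=register&email=bot5%40mail.example&username=qwe5 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)   # {} when there is no query string
    return rec


def profile_register_hits(log_text, path="/register.php"):
    """Build a per-source-IP profile of every request to `path`."""
    def new():
        return {"get": 0, "post": 0, "get_with_query": 0, "emails": set(), "params": set()}
    prof = defaultdict(new)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        p = prof[rec["ip"]]
        if rec["method"] == "GET":
            p["get"] += 1
            if rec["query"]:
                p["get_with_query"] += 1
        elif rec["method"] == "POST":
            p["post"] += 1
        p["params"].update(rec["query"])                  # parameter names seen
        p["emails"].update(rec["query"].get("email", []))  # distinct email= values
    return dict(prof)


def flag_bots(prof, min_hits=3, min_emails=2):
    """Return {ip: reason} for sources whose register.php traffic looks scripted.

    Rule: at least `min_hits` requests, every one a GET with a query string,
    never a POST, and at least `min_emails` distinct email= values. A human
    produces a bare GET (the form) and then a POST (the submission).
    """
    flagged = {}
    for ip, p in prof.items():
        total = p["get"] + p["post"]
        if total < min_hits or p["post"] or p["get_with_query"] != p["get"]:
            continue
        if len(p["emails"]) >= min_emails:
            flagged[ip] = (f"{total} GETs to register.php, all with query strings, "
                           f"{len(p['emails'])} distinct email= values, no POST")
    return flagged


def flagged_ips(log_text):
    """Sorted list of source IPs to hand to a firewall or Apache deny list."""
    return sorted(flag_bots(profile_register_hits(log_text)))


if __name__ == "__main__":
    for ip, why in flag_bots(profile_register_hits(SAMPLE_LOG)).items():
        print(ip, "-", why)
```

Run it against a real log with `profile_register_hits(open("access_log").read())`; the thresholds are deliberately low for the eleven-line sample and should be raised for a busy forum. Because the profile also records which parameter names each source sends, the same output tells you what the "stuffed argument strings" actually contain, which is what the thread never manages to post.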