One more follow-up: the script definitely goes looking through profiles -- my online.php file is filled with attempts to send PMs and also guests viewing user profiles. The spams also happened in alphabetical order, for whatever that's worth.
Thousands of Spammer PMs
arn
-
I hope the vBulletin team adds a check for not allowing the username and password to be the same in version 3.7.3.
-
In all honesty, we lucked out in that these spammers could have used certain methods (which I suppose I ought not fully lay out here) to make their deeds harder for admins to detect and hunt down.
-
My forum got hit by this last Thursday, as well. 16,000 spams, all from various users who hadn't logged in in a while and had username == password.
Thanks for the script, macrumors.
-
Has anyone posted a suggestion yet to have vB check to make sure the username and password are not the same when someone registers or changes their password? If not, then please make this suggestion:
Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
-
So, you would reduce it, but I had some long-standing members with hundreds of posts who had their password = username.
Has anyone posted a suggestion yet to have vB check to make sure the username and password are not the same when someone registers or changes their password? If not, then please make this suggestion:
arn
-
What an ugly problem. Where's the setting in vBulletin to disallow the password chosen to be the same as the username? And if there's not one... yikes! That's bad.
-
Thank you macrumors for reporting this and providing your script for a quick lookup of these accounts
I wrote a very quick hack to block logins for such users (they still try to register with the username as password even though I added bold warning text to the register form): a product file with a plugin that, upon recognizing such a user logging in, immediately logs him off again and resets his password to a random one (septimus' method), offering him the link to reset his password.
The error page looks ugly and I should've used a phrase instead of hard-coded text, but since I noticed users still signing up that way and boldly ignoring the bold warning text, some quick code was necessary; there's still time to update it to look nicer in case Jelsoft doesn't issue an update dealing with it themselves.
-
For anyone searching for a way to get all users that use their username as their password, use the following SQL:
-- vBulletin 3 stores password = MD5(CONCAT(MD5(plaintext), salt)),
-- so a user whose password equals their username matches this:
SELECT userid, username
FROM user
WHERE password = MD5(CONCAT(MD5(username), salt));
Reset passwords
In case you want to invalidate all passwords, you could use something like this:
-- Overwrite the stored hash with a value no known plaintext produces;
-- the user has to go through the "lost password" flow afterwards.
UPDATE user
SET password = MD5(RAND())
WHERE password = MD5(CONCAT(MD5(username), salt));
This will not log out users that are already logged in!
Solution: before running the query above (the password reset), first run this:
-- Kill the live sessions of the affected users first.
DELETE FROM session
WHERE userid IN (SELECT userid FROM user WHERE password = MD5(CONCAT(MD5(username), salt)));
Please note:
I don't know how server-intensive this is!
Also: create a back-up of your forum before running any of these queries.
It also might be a good idea to disable the forum while you do this.
Edit:
Whoops, somebody already posted something like this.
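The three queries in the post above, run end to end against constructed data, as an added example that is not code from the thread or from vBulletin. It rebuilds vBulletin 3's stored password format (MD5 of the MD5 of the plaintext, concatenated with the salt) for a handful of made-up accounts in an in-memory SQLite database, registers MD5(), CONCAT() and RAND() so the poster's MySQL runs as written (only an ORDER BY is added for stable output), then runs the lookup, the session purge and the reset in the order the post recommends. Table and column names (user, session, userid, username, password, salt) follow the post; the accounts, sessions and salt length are assumptions for the demo, and an installation with a table prefix would need it on both table names.

```python
"""Added example, not code from the thread: vBulletin 3 stores
password = MD5(CONCAT(MD5(plaintext), salt)), so username == password means
password = MD5(CONCAT(MD5(username), salt)). Accounts and sessions below are
constructed; table/column names follow the thread."""
import hashlib
import random
import secrets
import sqlite3


def md5_hex(value) -> str:
    """MySQL-style MD5(): hex digest of the argument's string form."""
    return hashlib.md5(str(value).encode("utf-8")).hexdigest()


def vb3_hash(plaintext: str, salt: str) -> str:
    """vBulletin 3 stored hash: MD5(MD5(plaintext) + salt)."""
    return md5_hex(md5_hex(plaintext) + salt)


# Constructed accounts: (username, plaintext password). bob and Carol are the
# pattern the spammers abused; dave's password differs from his username only
# by case, which the check (correctly) does not flag.
SAMPLE_ACCOUNTS = [
    ("alice", "correct horse battery staple"),
    ("bob", "bob"),
    ("Carol", "Carol"),
    ("dave", "Dave"),
]

WEAK = "password = MD5(CONCAT(MD5(username), salt))"  # the thread's WHERE clause


def connect() -> sqlite3.Connection:
    """In-memory DB with MD5(), CONCAT() and RAND() registered so the MySQL from
    the thread runs unchanged (RAND() is re-evaluated per row, as in MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, md5_hex)
    conn.create_function("CONCAT", 2, lambda a, b: a + b)
    conn.create_function("RAND", 0, random.random)
    conn.executescript(
        "CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT,"
        " password TEXT, salt TEXT);"
        "CREATE TABLE session (sessionhash TEXT, userid INTEGER);"
    )
    for userid, (name, pw) in enumerate(SAMPLE_ACCOUNTS, start=1):
        salt = secrets.token_hex(2)[:3]  # short random salt; length is irrelevant to the check
        conn.execute("INSERT INTO user VALUES (?, ?, ?, ?)",
                     (userid, name, vb3_hash(pw, salt), salt))
    # alice (1) and bob (2) are currently logged in (constructed sessions)
    conn.executemany("INSERT INTO session VALUES (?, ?)",
                     [("s-alice", 1), ("s-bob", 2)])
    return conn


def find_weak(conn) -> list:
    """The thread's lookup: accounts whose password equals their username."""
    return conn.execute(
        f"SELECT userid, username FROM user WHERE {WEAK} ORDER BY userid"
    ).fetchall()


def purge_weak_sessions(conn) -> int:
    """The thread's DELETE: log the affected users out before their hash changes."""
    return conn.execute(
        f"DELETE FROM session WHERE userid IN (SELECT userid FROM user WHERE {WEAK})"
    ).rowcount


def reset_weak(conn) -> int:
    """The thread's UPDATE: replace the hash with MD5(RAND()); no plaintext is
    known to produce it, so the account must go through password reset."""
    return conn.execute(f"UPDATE user SET password = MD5(RAND()) WHERE {WEAK}").rowcount


def login_ok(conn, username: str, plaintext: str) -> bool:
    """Emulate vB3's login check: recompute MD5(MD5(plain) + salt) and compare."""
    row = conn.execute("SELECT password, salt FROM user WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and vb3_hash(plaintext, row[1]) == row[0]


def cleanup() -> dict:
    """Run the procedure in the order the post recommends and report what happened."""
    conn = connect()
    weak_before = [name for _, name in find_weak(conn)]
    sessions = purge_weak_sessions(conn)   # first: kill live sessions
    resets = reset_weak(conn)              # then: invalidate the hashes
    return {
        "weak_before": weak_before,
        "sessions_killed": sessions,
        "passwords_reset": resets,
        "weak_after": [name for _, name in find_weak(conn)],
        "bob_can_login": login_ok(conn, "bob", "bob"),
        "alice_can_login": login_ok(conn, "alice", "correct horse battery staple"),
        "alice_sessions": conn.execute(
            "SELECT COUNT(*) FROM session WHERE userid = 1").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in cleanup().items():
        print(f"{key}: {value}")
```

Running it flags bob and Carol, kills bob's session only, resets two passwords, and afterwards bob can no longer log in with "bob" while alice's password and session are untouched. Note that the comparison is on hashes of the exact-case strings, so "dave"/"Dave" is not flagged; if your users' passwords were hashed from a differently-cased form of the username, this query will miss them.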
-
Has anyone posted a suggestion yet to have vB check to make sure the username and password are not the same when someone registers or changes their password? If not, then please make this suggestion:
http://www.vbulletin.com/forum/forumdisplay.php?f=55
Damn, I missed being post 1.6m by 5.
-- hugh
-
Here's the basic code to find the users in your db with usernames == passwords. I stripped out the destructive part of my code where I actually changed their password to something invalid. This will scan 5,000 users and print the results. A "more" button lets you test the next 5,000.
Any ideas?