
Fake Accounts on your site

Asked Modified Viewed 13,380 times
HobbyMan
Just some Guy
  • Veteran Member, joined since
  • Contributed 1,486 posts on the community forums.
  • Started 91 threads in the forums
  • Started this discussions
asked
Veteran Member

There seems to be an increase in the number of fake accounts being set up on PF sites. They can be easily identified by gibberish usernames and web addresses as well as being very close together with the join dates.

  • Are you having similar problems?
  • Which captcha are you using?
  • Are you using any other security measures?
  • Have you noticed any increase at all?

21 posts

Masy
  • Newbie, joined since
  • Contributed 4 posts on the community forums.
  • Started 1 thread in the forums
answered
Newbie

Put/check out within system-controls the option:

New members activated by the SuperUser (Yes)

Now you have to manually accept every new member.

But you've got the control over your site and their visitors...

Greetings,
icb
  • Member, joined since
  • Contributed 54 posts on the community forums.
  • Started 16 threads in the forums
answered
Member

Happening to me as well.... those accounts were spamming **** in forums, so banned them. I use e-mail and admin activation, but still it's annoying to delete a bunch of them every day.

Anything else to be done to prevent it?
Vyper69
Unprecedented Times call for Unprecedented Measures
  • Senior Member, joined since
  • Contributed 551 posts on the community forums.
  • Started 146 threads in the forums
answered
Senior Member

I am trying to figure out something with this as well. I have 4 sites, and all of them use the secure question. All set up the same way in registration, but for some reason 1 site keeps letting them in. I don't get it.
icb
  • Member, joined since
  • Contributed 54 posts on the community forums.
  • Started 16 threads in the forums
answered
Member

Quote

Vyper69 wrote:

I am trying to figure out something with this as well. I have 4 sites, and all of them use the secure question. All set up the same way in registration, but for some reason 1 site keeps letting them in. I don't get it.


Are you using ReCaptcha?
Ken
No Support by PM. Please use the forum.
  • Senior Member, joined since
  • Contributed 713 posts on the community forums.
  • Started 43 threads in the forums
answered
Senior Member

This has been a problem for a long time. Why not just ask a "serious" hacker how they trick the system? Other CMS systems take hacking very seriously, but in here it looks like they don't care much. Imho the register system is way too weak. With the register-by-email-verification it should be easy to keep the bots out, but somehow they have found a security hole. If the email-verification system worked, it should not be possible for anyone who uses a gibberish email to register.
Edited by Ken on 17-12-2012 13:48
PolarFox
  • Veteran Member, joined since
  • Contributed 1,633 posts on the community forums.
  • Started 29 threads in the forums
answered
Veteran Member

There are no security holes in registration system, I have no bots at all.

Just use mods for this.
Ken
  • Senior Member, joined since
  • Contributed 713 posts on the community forums.
  • Started 43 threads in the forums
answered
Senior Member

Quote

PolarFox wrote:

There are no security holes in registration system, I have no bots at all.

Just use mods for this.

Maybe your site is not as interesting as others seem to be then. Why the heck do others say they have problems with bots then?
smokeman
  • Veteran Member, joined since
  • Contributed 920 posts on the community forums.
  • Started 79 threads in the forums
answered
Veteran Member

Hmm it's not easy to discuss (IMO) at least.

As I see it: Hacked sites/hacking in general often comes from security holes in code(s) - when it's not the FTP they've hacked into or the host firm itself.

When we talk spam it comes from hackers that write script(s) that can bypass e.g. the /register.php, the Captcha, Security Questions and so on. Imo it's not caused by security holes. Let's say I write a script that can "see" e.g. the Captcha and then register - or that can lay 2+15 together (some anti spam bots security script) I don't think it's hacking nor caused by security holes. But maybe I'm wrong - I'm not a hacker..

There is a difference..
Ken
  • Senior Member, joined since
  • Contributed 713 posts on the community forums.
  • Started 43 threads in the forums
answered
Senior Member

Quote

smokeman wrote:

Hmm it's not easy to discuss (IMO) at least.

As I see it: Hacked sites/hacking in general often comes from security holes in code(s) - when it's not the FTP they've hacked into or the host firm itself.

When we talk spam it comes from hackers that write script(s) that can bypass e.g. the /register.php, the Captcha, Security Questions and so on. Imo it's not caused by security holes. Let's say I write a script that can "see" e.g. the Captcha and then register - or that can lay 2+15 together (some anti spam bots security script) I don't think it's hacking nor caused by security holes. But maybe I'm wrong - I'm not a hacker..

There is a difference..

If you make a program to see something you are not supposed to see, it is hacking. If you make software to see someone's 4 digit code for his credit card it's hacking! There is no excuse for what they do and there is not a difference.
PolarFox
  • Veteran Member, joined since
  • Contributed 1,633 posts on the community forums.
  • Started 29 threads in the forums
answered
Veteran Member

No, they are just stupid bots.
No exceptions, and no spam-holes nowadays.
Craig
  • Fusioneer, joined since
  • Contributed 4,462 posts on the community forums.
  • Started 212 threads in the forums
answered
Fusioneer

Just programmes and dummy emails like yopmail etc, etc. No holes in fusion email activation. lol
Samuel
  • Member, joined since
  • Contributed 55 posts on the community forums.
  • Started 13 threads in the forums
answered
Member

In my opinion, there are no security holes at PF. Fake accounts cannot be blocked if we activate registration at our website.
Gillette
  • Senior Member, joined since
  • Contributed 335 posts on the community forums.
  • Started 4 threads in the forums
answered
Senior Member

I just deleted 14 fake unactivated accounts today, not a big deal, something to do in the morning time. Yes I approve accounts manually.
halo_fourteen
  • Newbie, joined since
  • Contributed 3 posts on the community forums.
answered
Newbie

Hi,

I am a member at a small community using php-fusion. Lately we have been troubled with spam bots. New members have to be activated by an admin, so no spam bot makes it to our site. But atm we have 3000 unactivated members...

So even if legit people register, we will probably delete them by accident because we can't really check 3000 accounts.

What can be done? I activated email verification today, but at least one new bot registered during the last hours.

http://warhammerers-online.co.uk/news.php
PolarFox
  • Veteran Member, joined since
  • Contributed 1,633 posts on the community forums.
  • Started 29 threads in the forums
answered
Veteran Member

There are A LOT of mods. Choose wisely.
KasteR
  • Senior Member, joined since
  • Contributed 290 posts on the community forums.
  • Started 1 thread in the forums
answered
Senior Member

I wouldn't even use a pre-created MOD IMO. The more popular a MOD becomes, the higher likelihood of a programmer, programming against it.

The reason why you would use a MOD in the first place, is to separate yourself from common code.

The best way is to write something yourself. You can lead a horse to water, but ultimately it's up to him to drink it.
halo_fourteen
  • Newbie, joined since
  • Contributed 3 posts on the community forums.
answered
Newbie

Hi,

thank you for your replies.

Writing something ourselves is not an option I think, as none of us has writing skills.
I would try the addon/infusion method. Maybe it helps to have a security question for registration. e.g. this http://www.phpfusion-mods.net/infusio...mod_id=518

It says it's for version 7.00, our site says it's PHP Version 5.2.17 in the php info... I guess that might be a problem :(

Is it possible to upgrade?
PolarFox
  • Veteran Member, joined since
  • Contributed 1,633 posts on the community forums.
  • Started 29 threads in the forums
answered
Veteran Member

You have 2 separate versions: PHP Version 5.2.17 AND PHPFusion version ??.??.?? (check out your admin panel).

And you are able to upgrade your PHPFusion if needed.
halo_fourteen
  • Newbie, joined since
  • Contributed 3 posts on the community forums.
answered
Newbie

Hi,

after looking for a while in various settings I found it...
right on top of the admin panel :D

Warhammerers Online Admin Panel - v7.00.05

I'll have a talk with the other admins.
MM
  • Junior Member, joined since
  • Contributed 21 posts on the community forums.
answered
Junior Member

Quote

Ken wrote:
... but somehow they have found a security hole. If the email-verification system worked, it should not be possible for anyone who uses a gibberish email to register.

Verification codes can be predicted/calculated.

\includes\classes\UserFieldInput.class.php lines 411-414 deal with generating email verification code on account registration:
```php
mt_srand((double)microtime()*1000000); $salt = "";
for ($i = 0; $i <= 10; $i++) { $salt .= chr(rand(97, 122)); }
$user_code = md5($this->_userEmail.$salt);
$email_verify_link = $settings['siteurl']."edit_profile.php?code=".$user_code;
```

Function rand() (line 412) is used to randomly return an int; this function however, produces "equally divided" results.

Beneath is a comparison of a 400 x 400px image generated by output from rand() (left part of image, which illustrates what is meant by "equally divided") and mt_rand() (right part of image):

oi43.tinypic.com/vwtppl.jpg


Also, mt_srand() is used on line 411 (in an attempt) to seed the function used to return random integers. mt_srand() however, seeds the mt_rand() function (though regular rand() is used (which can be seeded using mt_rand())).

I suggest to:
  • replace rand() (line 412) by mt_rand().
  • include mt_srand() (line 411) in the for-loop.
P.S.: though mt_rand() greatly decreases predictability for returned results (see image for comparison), it's not deemed cryptographically secure.
0 replies
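Following the P.S. above that mt_rand() is not cryptographically secure, here is one way to issue the e-mail verification code from the operating system's CSPRNG instead, with expiry and single use. This is an added example, not PHP-Fusion code and not part of MM's post; the function names, the in-memory `$pending` store, the 24-hour lifetime and the example.test addresses are assumptions, and it needs PHP 7.1 or later.

```php
<?php
// Added example (not PHP-Fusion code). Function names and the in-memory
// $pending array are hypothetical stand-ins for the project's pending-user table.

const TOKEN_TTL = 86400; // seconds a verification link stays valid (assumed policy)

/** Create a verification token; only its SHA-256 hash is kept server-side. */
function issue_verification_token(array &$pending, string $email, int $now): string
{
    // 256 bits from the OS CSPRNG: no seeding, no dependence on time or e-mail.
    $token = bin2hex(random_bytes(32));
    $pending[hash('sha256', $token)] = [
        'email'   => $email,
        'expires' => $now + TOKEN_TTL,
    ];
    return $token; // appears only in the e-mailed link
}

/** Return the verified e-mail address, or null if the token is unknown or expired. */
function redeem_verification_token(array &$pending, string $token, int $now): ?string
{
    // Reject anything that is not exactly 64 lowercase hex characters.
    if (preg_match('/\A[0-9a-f]{64}\z/', $token) !== 1) {
        return null;
    }
    $key = hash('sha256', $token); // look up by hash, never compare raw tokens
    if (!isset($pending[$key])) {
        return null;
    }
    $row = $pending[$key];
    unset($pending[$key]); // single use, also when the token has expired
    return $row['expires'] >= $now ? $row['email'] : null;
}

// Constructed demonstration data.
$pending = [];
$now     = 1355750000;
$token   = issue_verification_token($pending, 'alice@example.test', $now);
echo 'https://forum.example.test/edit_profile.php?code=' . $token . PHP_EOL;

var_dump(redeem_verification_token($pending, $token, $now + 60));         // first use
var_dump(redeem_verification_token($pending, $token, $now + 120));        // reuse of the same token
var_dump(redeem_verification_token($pending, str_repeat('a', 64), $now)); // well-formed but never issued
```

Storing only the hash means a leaked database table does not hand out working verification links.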
