
vulnerabilities in 2.7.1? spam users/blogs despite disabled public signup (7 posts)

  1. vanillaxtrakt
    Member
    Posted 15 years ago #

    We just upgraded to Mu 2.7.1 from <cough, cough> 1.3.3. All of a sudden spam blogs and users are being added to our site. This shouldn't even be possible, because we disabled public signup. We're using wpmu-ldap to create users.

    Are there any known vulnerabilities in 2.7.1? If not, does anyone have any ideas as to how this might be happening?

    I found this, but I haven't even been able to exploit this vulnerability on our site:
    http://www.securiteam.com/securitynews/5QP0E0KRQM.html

    We aren't using a ton of plugins, but I know that is one way WordPress can be compromised, and I'm looking into that now. We're using these plugins (in case any of these pop out to anyone with known security issues):

    addthis sidebar widget
    akismet
    blubrry powerpress
    disable core update
    google analytics for wordpress
    more privacy options
    move comments
    mycss
    page links to
    peters custom anti spam
    sidebar login
    wp super cache
    wpmu-ldap
    youtube

    As well as a few we've written ourselves, which could very well be the culprit.

    The site code itself is repository maintained and hasn't been compromised, and at least on the filesystem end everything seems to be locked down pretty well. In addition, the spam users aren't doing anything; there are no posts or anything. Simply a spam user and blog are created in the format of a random name followed by 7 numbers, with obvious spam e-mail registration addresses. For example:

    paula7229546 paula7229546@nosiliconebreasts.com
    dexter5255004 dexter5255004@medicalclaimsadvocate.com

    The users and blogs are created at random intervals. We've had maybe 10 of them added in the last couple of days.

    Any ideas? Anyone seen this before? Any ideas on what action to take next? I'm going to spend time going through our logs, so I may have some information to add later...

  2. AndrewGerssen
    Member
    Posted 15 years ago #

    I would re-check whether the public signup option is still disabled; it could be that it has changed since your upgrade.

    And try recreating the process of how the bots would access your blog signup page; maybe that will help you in your quest. Also try upgrading on your test server to 2.8; there are a lot of security fixes.

  3. vanillaxtrakt
    Member
    Posted 15 years ago #

    Yeah, public signup's still disabled, at least within the LDAP plugin options:

    "Disable Public Signup?
    This overrides all actions that take place within wp-signup.php, effectively disabling public signup."

    It's crazy, cause I'm a site admin and I can't even add a local user myself. Enabling the above setting completely removes the form for adding new users...

    I went ahead and set "Allow new registrations" to Disabled in the Site Admin --> Options page for now since apparently admins can't add new users anyway.

    We'll definitely be testing the upgrade to 2.8 soon, but I'm not sure when we'll get the go ahead to do the upgrade. The powers that be don't feel it safe to be on the bleeding edge...

    Is there a way to see only security fixes from 2.7.1 to 2.8? I went to the trac to see the changelog, but I don't see a "security" type, only bugs, enhancements, feature requests, and task (blessed):

    http://core.trac.wordpress.org/query?status=closed&group=type&order=priority&col=id&col=summary&col=type&col=component&milestone=2.8&resolution=fixed

  4. AndrewGerssen
    Member
    Posted 15 years ago #

    You can block known spam IP addresses with your Apache server, and before you change to 2.8 you could look at which file the bots are hitting. Maybe just renaming (or deleting) the signup PHP file should fix it (for now), since you only use LDAP for user login.

    Maybe one of the developers can help you further with this.

  5. andrea_r
    Moderator
    Posted 15 years ago #

    From the current readme.txt:

    SPAM
    ====
    On WordPress MU sites spam signups can be a major problem. Akismet (http://akismet.com/)
    protects against spam comments but the following will help defeat
    spammers using automated scripts to create blogs:
    http://ocaoimh.ie/cookies-for-comments/
    http://wordpress-plugins.feifei.us/hashcash/
    http://www.darcynorman.net/2009/05/20/stopping-spamblog-registration-in-wordpress-multiuser/

    Also, if you've hooked up a forum, they may be getting in that way.

  6. vanillaxtrakt
    Member
    Posted 15 years ago #

    I've been monitoring blog creation since the upgrade, but went ahead and turned registration notification on in the site admin options to keep an eye on things.

    I had created a local admin user because I disabled LDAP authentication during the upgrade process. I suspected the spambot might have gotten in through that user somehow, so I first changed the password and then deleted the account to no avail. Today I removed that user from the list of "site admins" in the site admin options page, as well as the "admin" user which we don't use anyway.

    I haven't had any since then, which is the longest we've gone without getting any.

    As I was digging through the database I found about 50 records in the wp_signups table, all spam. I'm not quite sure what that table's for, cause only 10 spam users/blogs or so were actually created. I went ahead and deleted everything in there after reading this post and seeing it worked for this person:

    http://mu.wordpress.org/forums/topic/13245?replies=13

    We left the wp-signup file but wiped all the content and replaced it with some stuff that will give us some nice information in our logs when anything tries to access the file.

    How do they get in? Is it the wp-signup.php file? It just baffles me that someone could create a user/blog when I can't even create one through the WordPress interface unless it's tied into LDAP, and when our code itself hasn't been messed with, nor have they actually done anything to the site like deface it or fill it with comment or post spam.
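
    Two checks that follow from the first post and this one, as an added example that is not the poster's code and not part of WordPress MU or wpmu-ldap: scan the web server access log for any request to wp-signup.php (with public signup disabled that file should see no traffic at all, and POSTing IPs are candidates for the Apache block list mentioned above), and screen rows pulled from the wp_signups table for the name-plus-seven-digits login pattern reported in the first post. The log lines and table rows below are constructed samples.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines (sample data, not from the thread).
ACCESS_LOG = """\
203.0.113.7 - - [12/Sep/2009:03:14:02 +0000] "POST /wp-signup.php HTTP/1.1" 200 1843 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Sep/2009:03:14:05 +0000] "GET /blog/2009/09/hello/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2009:09:41:17 +0000] "POST /wp-signup.php HTTP/1.1" 200 1843 "-" "Mozilla/4.0"
192.0.2.44 - - [13/Sep/2009:11:02:51 +0000] "GET /wp-signup.php?new=x HTTP/1.1" 200 5520 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The pattern described in the first post: a lower-case name followed by exactly seven digits.
SPAM_LOGIN_RE = re.compile(r'^[a-z]+\d{7}$')


def signup_hits(log_text):
    """Return (ip, method, status) for every request whose path is wp-signup.php.

    Once public signup is disabled this file should receive no traffic, so every
    hit is something to look at; the query string is ignored when matching."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group('path').split('?', 1)[0].endswith('/wp-signup.php'):
            hits.append((m.group('ip'), m.group('method'), int(m.group('status'))))
    return hits


def posting_ips(log_text):
    """Count POSTs to wp-signup.php per source IP (a signup attempt is a POST)."""
    return Counter(ip for ip, method, _ in signup_hits(log_text) if method == 'POST')


def suspicious_signups(rows):
    """Given (user_login, user_email) pairs as pulled from wp_signups, return the
    logins that match the name+7-digit pattern or whose e-mail local part is just
    the login repeated (both traits the thread's spam samples show)."""
    flagged = []
    for login, email in rows:
        local_part = email.split('@', 1)[0]
        if SPAM_LOGIN_RE.match(login) or (local_part == login and login[-1].isdigit()):
            flagged.append(login)
    return flagged
```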

  7. kgraeme
    Member
    Posted 15 years ago #

    We're using LDAP with 2.7.1 in one of our instances and haven't seen this problem (yet).

    I'm assuming they're being created as local users? (As in, stored in the wordpress db and not referenced via ldap.)

    We set "Allow new registrations" to "Only logged in users can create new blogs" and "Add New Users" is set to "No". The LDAP plugin treats any LDAP user as pre-configured.

    We also set the "Limited Email Registrations" to our domain (since for us it's blog hosting just for our staff).

    (We're testing 2.8.4 for this server too, but we're waiting pending resolution of ticket 1090.)
