Spammer signed up even though wp-signup deleted (22 posts)

  1. redbox
    Member
    Posted 13 years ago #

    I went out of town for the weekend, and decided to delete the wp-signup.php file to prevent any spammers from signing up while I was gone. I deleted it Thursday night.

    Someone managed to sign up yesterday anyway. I checked the registration time; it was around 5am yesterday morning. And it was a spammer, the type that posts the title spam.

    How can someone sign up without a signup page? Is there a way to prevent this, possibly by requiring referrers from a certain page?

  2. lunabyte
    Member
    Posted 13 years ago #

    I see you checked the registration time, but does anything correlate against your server logs for that point in time, +/- 10 minutes or so?

  3. redbox
    Member
    Posted 13 years ago #

    Unfortunately, our logs are on 24 hour rotation and the logs from the 15th were deleted when I returned home.

    At this point, the only thing I know is that a spammer registered without a signup page. I don't know much about it, but I think that some forms can be processed from other locations if they do not require a specific referrer.

  4. lunabyte
    Member
    Posted 13 years ago #

    This may seem silly, but you're 1000% sure you removed wp-signup.php?

    The registration forms all post to that file (i.e., itself), and I haven't seen any other way (yet) that that page could be bypassed.

    Your log files don't have backups somewhere? Without access logs, there isn't much that can be determined at this point.

  5. alexz
    Member
    Posted 13 years ago #

    I installed the country protection plugin so that only Internet users from Sweden could sign up. Strangely, they have bypassed it in some way.

    My theory is that they write the URL directly to sign up.

  6. redbox
    Member
    Posted 13 years ago #

    Luna, I'm certain I removed it. Actually, I created a new wp-signup.php file from blank Notepad and wrote a message on it, "New blog sign-ups are disabled until Sunday night", and uploaded that to overwrite the original. There was zero WordPress code on it. I also clicked it to verify it was in place because I didn't want to take any chances since I wouldn't have access to the net. I was really concerned about preventing signups.

    Could they have used the cached copy in Google? Though I tend to agree with alexz that they may have written in the URL.

    It would be nice to have an option in the config file to disable signups, or check the referrers.

  7. lunabyte
    Member
    Posted 13 years ago #

    If the file was blank, then directly writing the URL is going to produce the same results.

    wp-signup.php is wp-signup.php no matter how you slice it.

    A cached copy wouldn't work either. It's caching the output of that file, not what makes the output.

    So, if it were a cached copy, it would post to the actual site, which then would be null and void.

    The only other way I can think of off the top of my head would be an xmlrpc hack or something, but I can't vouch for that. It's merely an idea thrown out there off the top of my head.

  8. boonika
    Member
    Posted 13 years ago #

    Same problem. Someone created about 50 blogs inside my MU. How to fight it? I renamed wp-signup.php and even chmoded it to 333.

  9. boonika
    Member
    Posted 13 years ago #

    Maybe this can help. Not really a solution but...
    http://mu.wordpress.org/forums/topic.php?id=5913&page&replies=2

  10. redbox
    Member
    Posted 13 years ago #

    Somehow they are definitely getting around the wp-signup.php page. I edited my form to limit the number of characters in the blog title, and also did the same on the edit page so they could not edit it later. This has virtually eliminated the blog title spam problem. However, today someone managed to create a new blog with an extremely long title which included the usual prescription drug names. While it did not convert to HTML links, they still managed to bypass my forms and create a blog, which I'm certain they are doing from outside of my website. I ran to my logs, but unfortunately my logs had rotated about 20 minutes after the spammer created the blog :( While I don't expect anyone to provide a solution based on this info, I am replying to this thread to keep a record of the occurrence, in case anyone else has the same problem and searches, like boonika.

  11. lunabyte
    Member
    Posted 13 years ago #

    Could it be possible that they are posting to your form, but from an outside source, and therefore bypassing the form you set up but not bypassing that file?

  12. redbox
    Member
    Posted 13 years ago #

    I caught another, and this time I was able to get my logs.

    This is all that appeared for the IP that signed up the splog today, which bypassed the title length restrictions:

    194.54.90.62 - - [16/Oct/2007:06:46:59 -0400] "POST /blogs/wp-signup.php HTTP/1.1" 200 20424 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    
    194.54.90.62 - - [16/Oct/2007:07:52:18 -0400] "GET /blogs/wp-activate.php?key=4e19439974aa2f22 HTTP/1.0" 200 20207 "-" "-"

    He didn't access any other pages of the site, including the index page. Unfortunately, I don't know if this helps. Does the reference to POST without a GET for the signup page indicate it could be posting from another location?

  13. thierryyyyyyy
    Member
    Posted 13 years ago #

    That's exactly what Lunabyte said to you: they directly post through wp-signup without reading the form.
    So they can post a longer title length... They didn't use a browser, but a script.

  14. SteveAtty
    Member
    Posted 13 years ago #

    You need to change the form handler as well as the form, so do your sanity checks in the back end as well as basic checks in the front end.

  15. boonika
    Member
    Posted 13 years ago #

    I deleted wp-signup.php and I'm happy with it. Now visitors can only send a request for a blog via e-mail. Works fine.

  16. WBNiko
    Member
    Posted 13 years ago #

    I used the signup question, made up a totally unique answer that nobody would guess and they still got through. There's a breach of security going on with the signup process.

  17. lunabyte
    Member
    Posted 13 years ago #

    Um, how is there a breach of security? The only way that would be the case would be if the signup process could be completed without that file.

    Thus far, I've seen no indication of that nor have I found a way around that file.

    Just because a spammer "gets through" doesn't mean it was through a hack. They could be sitting right there signing up.

    If the right information is posted to that file, the "sign-up question" could be completely bypassed.

    That being the case, it is through the fault of the plugin, not the fault of the sign-up form.

  18. LaSet
    Member
    Posted 13 years ago #

    Delete registration on the bbPress forum.

  19. lunabyte
    Member
    Posted 13 years ago #

    If one is running a bridge, yep.

  20. Richard Palace
    Member
    Posted 12 years ago #

    Check the IP from the registrations log in the DB.

    Ban the IP if necessary.

  21. trcwest
    Member
    Posted 12 years ago #

    I too am having the same problem...

    The bot must be generating the URL, as I have a human captcha form on the wp-signup page and it works...

    I have had a look at my logs and this is what I have:

    82.3.131.172 - - [19/Jan/2009:04:18:55 -0800] "GET /wp-content/themes/keep-it-simple/images/content-bg.gif HTTP/1.1" 200 73 "http://spotskenya.com/wp-signup.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; en-gb) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1"
    38.99.13.122 - - [19/Jan/2009:04:25:05 -0800] "GET /members/emmalee2960212/ HTTP/1.0" 302 9308 "-" "Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)"
    24.225.20.4 - - [19/Jan/2009:04:26:03 -0800] "POST /wp-signup.php HTTP/1.1" 500 4970 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
    24.225.20.4 - - [19/Jan/2009:04:26:03 -0800] "GET /wp-signup.php HTTP/1.1" 200 11230 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    24.225.20.4 - - [19/Jan/2009:04:26:04 -0800] "POST /wp-signup.php HTTP/1.1" 200 6351 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
    24.225.20.4 - - [19/Jan/2009:04:29:53 -0800] "GET /wp-activate.php?key=0247d8c2ee887b5b HTTP/1.1" 200 7685 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    74.63.11.92 - - [19/Jan/2009:04:33:58 -0800] "HEAD /wp-cron.php?check=182e82b492695cacbdcc95e84a0701d7 HTTP/1.0" 200 - "-" "WordPress/2.7"
    24.225.20.4 - - [19/Jan/2009:04:33:58 -0800] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    24.225.20.4 - - [19/Jan/2009:04:34:00 -0800] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 2 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    24.225.20.4 - - [19/Jan/2009:04:34:00 -0800] "GET /wp-admin/themes.php HTTP/1.1" 200 24191 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    How do I stop it doing this and going straight to the form?
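Added example, not part of any post in this thread: the log pattern discussed above (a POST to wp-signup.php with no earlier GET of the form, an empty referer, and a curl or changing user-agent) turned into a small detector for Apache combined-format logs. The function name, reason strings and the last two sample lines are assumptions made for illustration; the first four sample lines are the ones quoted in the posts.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the lines quoted in this thread.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
SIGNUP = "wp-signup.php"

def find_direct_posts(lines):
    """Flag POSTs to the signup handler that did not come from the rendered form."""
    fetched_form = set()       # IPs that have requested the form with GET so far
    agents = defaultdict(set)  # User-Agent strings seen per IP
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ip, path = m["ip"], m["path"].split("?")[0]
        agents[ip].add(m["ua"])
        if not path.endswith(SIGNUP):
            continue
        if m["method"] == "GET":
            fetched_form.add(ip)
        elif m["method"] == "POST":
            reasons = []
            if ip not in fetched_form:
                reasons.append("no prior GET of the form")
            # Referer is client-supplied: useful as a signal, not as a control.
            if SIGNUP not in m["referer"]:
                reasons.append("referer is not the form")
            if m["ua"].startswith("curl/") or len(agents[ip]) > 1:
                reasons.append("scripted or changing user-agent")
            if reasons:
                findings.append((ip, m["ts"], int(m["status"]), reasons))
    return findings

SAMPLE = [  # first four lines are from the posts above; the last two are constructed
    '194.54.90.62 - - [16/Oct/2007:06:46:59 -0400] "POST /blogs/wp-signup.php HTTP/1.1" 200 20424 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '24.225.20.4 - - [19/Jan/2009:04:26:03 -0800] "POST /wp-signup.php HTTP/1.1" 500 4970 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"',
    '24.225.20.4 - - [19/Jan/2009:04:26:03 -0800] "GET /wp-signup.php HTTP/1.1" 200 11230 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '24.225.20.4 - - [19/Jan/2009:04:26:04 -0800] "POST /wp-signup.php HTTP/1.1" 200 6351 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"',
    '203.0.113.7 - - [19/Jan/2009:05:00:00 -0800] "GET /wp-signup.php HTTP/1.1" 200 11230 "-" "Mozilla/5.0 (constructed browser)"',
    '203.0.113.7 - - [19/Jan/2009:05:00:40 -0800] "POST /wp-signup.php HTTP/1.1" 200 6351 "http://example.org/wp-signup.php" "Mozilla/5.0 (constructed browser)"',
]

if __name__ == "__main__":
    for ip, ts, status, reasons in find_direct_posts(SAMPLE):
        print(f"{ip} [{ts}] status={status}: {', '.join(reasons)}")
```

The constructed browser session is not flagged, while all three scripted POSTs are; because every signal here can be imitated by the client, this supports review and rate-limiting decisions rather than replacing validation in the form handler.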

  22. redsoxmaniac
    Member
    Posted 12 years ago #

    I know this doesn't help anyone, but this is riveting. Hopefully this doesn't happen to my blog.

About this Topic

  • Started 13 years ago by redbox
  • Latest reply from redsoxmaniac