MyBB Community Forums

Full Version: [F] Post doesn't check referrer
I'm not sure if this is a bug or a suggestion. But my site, WiiLoaded.com, faced a severe spam attack this morning. It was due to the attacker's ability to make posts from another domain.

He wrote a script that sequentially went through each thread ID and then somehow managed to create a post in that thread.

Every time an account was banned a new one was made. The only way I could resolve it was an IP-Ban and then using phpMyAdmin to delete all posts made from that IP. (I'm still regenerating Last Post Columns).

I'm sorry I don't have more details but surely just checking the referrer before actions would prevent this type of attack.

Thanks in advance. Your software has been a great tool.
At least you are not reporting a flood because you know MyBB controls flood using the X amount of time between each post and another.

Banning IPs, I believe, was made for such cases. I don't know how you can control a user from posting all over the forum with/while he is respecting the rules and settings.

However, if you can prove that he has posted those posts remotely, moreover by abusing the flood control system, then I, at least, see this as something not related to a vulnerability in MyBB.
Heh, he stated that he was doing it remotely, but unfortunately I deleted every post from that IP (approximately 7000 posts in about 30 mins). I don't think someone can make that many posts by hand.
Aha so now this tells something.. 7000 posts in 30 mins, indeed this is an abuse of the flood control system.

I didn't mean doing it by hand. I meant it can be a script or a human, but one that only posts every X time, which is the amount of seconds set by the flood control system. But indeed 7000 posts in 30 mins is really something big and shows that there was no control for this, so let me ask you: have you disabled the flood control? And do you doubt that this user has access to any admin account?

regards
Our flood control is set at about 10 seconds between posts.

But that would only amount to 180 posts :/
There was no admin access at all. The admin log shows only people that are supposed to have the abilities (and yes, I trust them) and they did nothing suspicious.
Can you PM me a link to Server logs for your forum so I can identify when, where, and how?

Also, see this: http://community.mybboard.net/showthread.php?tid=16578
PM Sent
I read the link and it's a similar problem, but the fact was that the posts were appearing on many different threads and it was usually one post to a thread.

And they were all identical.
Does anyone have anything I can use as a fix? He has resurfaced (through an anonymizer). I get the feeling another attack is imminent.
You could temporarily disable registrations and let other people who want to register PM you.
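
Added example, not part of any post in this thread and not MyBB code: a server-log check of the kind requested above, flagging IPs whose reply POSTs arrive faster than the 10-second flood control or carry no on-site Referer. The log lines are constructed, `forum.example` and the `/newreply.php` path are assumptions, and entries are assumed to be in chronological order.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

FORUM_HOST = "forum.example"  # assumption: placeholder for the board's own host
FLOOD_SECONDS = 10            # flood-control interval quoted in the thread (max 180 posts / 30 min)
POST_PATH = "/newreply.php"   # assumption: path of the reply handler on this board
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
# Constructed sample lines in Apache combined log format (not from the real incident).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2007:09:00:01 +0000] "POST /newreply.php?tid=1 HTTP/1.1" 200 512 "http://other.example/form.html" "-"
198.51.100.7 - - [12/Mar/2007:09:00:01 +0000] "POST /newreply.php?tid=2 HTTP/1.1" 200 512 "http://other.example/form.html" "-"
198.51.100.7 - - [12/Mar/2007:09:00:02 +0000] "POST /newreply.php?tid=3 HTTP/1.1" 200 512 "-" "-"
203.0.113.9 - - [12/Mar/2007:09:00:05 +0000] "POST /newreply.php?tid=9 HTTP/1.1" 200 512 "http://forum.example/newreply.php?tid=9" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2007:09:00:40 +0000] "POST /newreply.php?tid=9 HTTP/1.1" 200 512 "http://forum.example/showthread.php?tid=9" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2007:09:00:41 +0000] "GET /showthread.php?tid=9 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def analyse(log_text):
    """Per IP: reply POSTs, POSTs inside the flood window, off-site Referers, threads hit."""
    stats = defaultdict(lambda: {"posts": 0, "too_fast": 0, "offsite": 0, "threads": set(), "last": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlparse(m["path"])
        if url.path != POST_PATH:
            continue
        s = stats[m["ip"]]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if s["last"] and (ts - s["last"]).total_seconds() < FLOOD_SECONDS:
            s["too_fast"] += 1  # two POSTs closer together than flood control allows
        s["last"] = ts
        s["posts"] += 1
        s["threads"].add(url.query)
        # The Referer header is client-supplied, so a mismatch is a signal, not proof.
        if urlparse(m["referer"]).hostname != FORUM_HOST:
            s["offsite"] += 1
    return stats

def suspects(stats):
    """IPs with at least one flood-window violation or off-site Referer."""
    return sorted(ip for ip, s in stats.items() if s["too_fast"] or s["offsite"])
```
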