2025-03-01, 02:28 AM
That title does sound pretty bad, doesn't it. However, there is a steady stream of bots coming in.
A month ago, I posted a plugin request for an Anti-Bot / Anti 4-Digit Username Plugin; however, it appears that said plug-in would be useless.
On examination of the accounts being created, the accounts do not have any birthdays applied despite the opening Coppa page that requests such. And the application of the birthday into the user's data when registration begins is built into the member.php itself.
Not only that, all security questions of old had been removed and replaced with new questions. However, of the myriad hundred accounts that have been created this month, none of the security questions received a correct answer.
And automated Bots will obviously not spend any time, so for good measure I set the required time spent on a registration page UP to 20 seconds (the default being 5). But a fat lot of good that did.
Captchas? Worthless. The whole origin was their images were to 'train' OCR systems to recognize characters despite the condition of the material. And Recaptcha has been broken for years.
On the question of IPs, StopForumSpam appears to be working. However, these accounts have often signed in with an IP that is clean and unreported, but will then switch to their 'usual suspect' IP after entry, as their "Registration IP" and "Last Known" IP appear different within the 2-5 seconds of time online... if they have even spent any time online, that is.
Do I have a list of IPs banned? Yes. The list is extensive. But sadly, it is worth very little other than as a history of bots. Because whilst the system is set to only allow one account per IP, the bots are creating new accounts with IPs already banned. Indeed, the bots can create new accounts despite the IP ban system. I cannot say they are avoiding invalid eMails, and it appears banned usernames MAY be working, but the bots care not for IP bans at all.
But it gets much worse.
Last night, I turned Registration OFF. And despite that, six more spambots entered when it should be completely impossible.
In short, the bots attacking can clearly bypass the Registration Page and create accounts (at least in UserID sequence) regardless of any MyBB built in requirements or security features.
But can it get worse?
YES.
Because post-banned accounts, those bots who were already banned, are able to return and make new posts within existing threads. Indeed, the permissions deny banned accounts from viewing, creating or posting any content. And for good measure, I personally "Suspend this user's posting privileges"... Permanently.
NOW... that sounds pretty bad.
Of course the Admin and even original SuperAdmin passwords have been changed. There are no new Admin accounts suddenly created.
Plugins? Hah. PluginLibrary isn't even active, let alone GoogleSEO.
Yes... this is indeed scary to me. The site has been running on MyBB since 2010.
We have a fresh new server to cope with the forum size having grown.
Currently using:
MyBB 1.8.38
Nginx 1.24.0
PHP 8.3.6
Ubuntu 24.04.1
MariaDB 10.11.8
Oh, and I know about htaccess being a viable area to place IP denials. And were it to work, I would not know, as I would not have a log, and I would not wish it to have so many IPs to ban (near infinite thanks to spammers) that it would cause the forum to lag.
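Triage queries against the MyBB database for the three symptoms the post describes (accounts created after registration was turned off, registration IP differing from last-known IP with near-zero time online, and posts by banned users). These are added here as an example and are not part of the original post or of MyBB itself; they assume MyBB 1.8's default `mybb_` table prefix, its binary `regip`/`lastip` columns, and two placeholder timestamps (`@reg_off`, `@since`) that you substitute yourself.

```sql
-- PLACEHOLDERS: set @reg_off to the unix time registration was switched off,
-- and @since to the start of the period under review (values below are made up).
SET @reg_off = UNIX_TIMESTAMP('2025-02-28 22:00:00');
SET @since   = UNIX_TIMESTAMP('2025-02-01 00:00:00');

-- 1. Accounts created after registration was disabled: none should exist,
--    so every row here is evidence that member.php was bypassed.
SELECT uid, username, FROM_UNIXTIME(regdate) AS registered,
       INET6_NTOA(regip) AS reg_ip, INET6_NTOA(lastip) AS last_ip,
       birthday, timeonline
FROM mybb_users
WHERE regdate > @reg_off
ORDER BY uid;

-- 2. Registration fingerprint of the suspect accounts: empty birthday
--    despite the COPPA prompt, registration IP different from the
--    last-known IP, and almost no time online.  (regip/lastip are stored
--    as packed binary in 1.8, hence INET6_NTOA for display.)
SELECT uid, username, FROM_UNIXTIME(regdate) AS registered,
       INET6_NTOA(regip) AS reg_ip, INET6_NTOA(lastip) AS last_ip,
       timeonline, (lastactive - regdate) AS secs_active_after_reg
FROM mybb_users
WHERE regdate > @since
  AND (birthday = '' OR birthday IS NULL)
  AND regip <> lastip
  AND timeonline < 10
ORDER BY regdate DESC;

-- 3. Posts written by banned users after their ban began. mybb_banned.lifted
--    is the expiry timestamp, 0 for permanent bans, so a post is in scope
--    when the ban was still in force at posting time.
SELECT p.pid, p.tid, p.uid, u.username,
       FROM_UNIXTIME(p.dateline) AS posted,
       FROM_UNIXTIME(b.dateline) AS banned_at, b.bantime
FROM mybb_posts  p
JOIN mybb_banned b ON b.uid = p.uid
JOIN mybb_users  u ON u.uid = p.uid
WHERE p.dateline > b.dateline
  AND (b.lifted = 0 OR b.lifted > p.dateline)
ORDER BY p.dateline DESC;
```

Run each query read-only from the MariaDB client and keep the output alongside the nginx access log for the same timestamps; a query 1 hit with no matching `POST /member.php` request is the strongest sign the accounts are being written to the database by something other than the forum's registration code.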