Spammer getting through - bypassing our registration system

Discussion in 'aMember Pro v.4' started by seanadl, May 17, 2013.

  1. seanadl

    seanadl Member

    Joined:
    Dec 16, 2005
    Messages:
    59
    Hi there,

This is a known issue that I've told Alex about. aMember think it's to do with our "caching" system - however our engineers have told me that aMember is not cached and the usernames being chosen look very suspicious.

    Since upgrading to version 4 almost all new registrations are not being assigned to any product and none of them have invoices.

    They all have usernames which look like spammers. Usernames such as "GlRcykuvxb GlRcykuvxb" (there are loads of these types of registrations which we never had before).

    Alex , this is a security problem with Amember that needs looking at ASAP.

    Has anybody else had this problem?
  2. seanadl

    seanadl Member

    Joined:
    Dec 16, 2005
    Messages:
    59
    Just to give you an idea of how serious this problem is - we had around 304 registrations yesterday and most of them are spammers who bypassed the registration system. They exist on the system as members without any products or invoices.

    We didn't have this problem on Amember3 - and we haven't changed any of our caching system settings.

    All of these members have random characters as their usernames.

    This is a BIG security problem.
  3. alexander

    alexander Administrator Staff Member

    Joined:
    Jan 8, 2003
    Messages:
    6,279
    Sean,
First, this is not a security issue: these automatically created users don't have access to anything and can't harm the system in any way.
Your signup form doesn't have a captcha, so it can be freely submitted by any bot, and of course aMember will create an account for the user because there is literally no way to know whether that was a real user or an automated one. In order to prevent such signups, add reCaptcha to the signup page; I explained how to do this in a message which I sent in the helpdesk a few minutes ago.
  4. seanadl

    seanadl Member

    Joined:
    Dec 16, 2005
    Messages:
    59
    Hi Alex,

But the security flaw is that they are bypassing having to choose a product from our list. We have 2 options - a free product or a paid one - and they are getting through the registration system by not selecting either of them. This is a security hole. It might not be a serious one - but it's still a hole.
  5. alexander

    alexander Administrator Staff Member

    Joined:
    Jan 8, 2003
    Messages:
    6,279
No. You can even remove the product brick from the signup form and the user will still be able to sign up, and this is correct. For example, this is useful to handle affiliate signups, when the user doesn't need to purchase any product.
  6. seanadl

    seanadl Member

    Joined:
    Dec 16, 2005
    Messages:
    59
    hmmm.. is there a way of disabling it at all by doing any customisations to the sign up form?
  7. alexander

    alexander Administrator Staff Member

    Joined:
    Jan 8, 2003
    Messages:
    6,279
    Sean,
There is nothing to disable. The signup form works as it should. Please check my message about this issue in the helpdesk: invoices are not being created because the spam bot which submits the signup form sends the paysys_id parameter twice and the last value is "free". So from aMember's side it looks like someone is trying to sign up for a paid product using the free payment system; of course aMember does not allow this and does not create such an invoice.
The only way you can use in order to prevent such signups is a captcha.
  8. seanadl

    seanadl Member

    Joined:
    Dec 16, 2005
    Messages:
    59
    With captcha enabled we've still had 3 spammers get through in the last hour.
  9. seanadl

    seanadl Member

    Joined:
    Dec 16, 2005
    Messages:
    59
So Alex has done something to stop the bots coming through (I don't know what he did)... But since doing that yesterday lots of people are reporting script errors when trying to sign up.

Here is one example of a user who emailed in, and upon checking the logs I can indeed see an error. Does anyone know what this means?

    "SERVER=Array ( [REDIRECT_SCRIPT_URL] => /amember/signup [REDIRECT_SCRIPT_URI] => http://www.********.com/amember/signup [REDIRECT_STATUS] => 200 [SCRIPT_URL] => /amember/signup [SCRIPT_URI] => http://www.********.com/amember/signup [HTTP_HOST] => www.davidicke.com [HTTP_CF_CONNECTING_IP] => 99.247.240.226 [HTTP_CF_IPCOUNTRY] => CA [HTTP_CF_RAY] => 7088b57a5ba0528 [CONTENT_LENGTH] => 458 [HTTP_X_FORWARDED_PROTO] => http [HTTP_CF_CIP_TAG] => 0 [HTTP_CF_VISITOR] => {"scheme":"http"} [HTTP_CF_WAN_ID] => 0 [HTTP_CF_WAN_ENCODING] => 0 [HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0 [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5 [HTTP_DNT] => 1 [HTTP_REFERER] => http://www.********.com/amember/signup [HTTP_COOKIE] => __cfduid=dfd80a05f92c77c9ea1e7b8867decc29c1365821229; __utma=56171838.1711689540.1365821226.1366805980.1368879026.5; __utmz=56171838.1368879026.5.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __gads=ID=375568698b2c645d:T=1365821231:S=ALNI_MY6TcMdGTNcyASC1sLautcYilrKRw; bblastvisit=1365822228; bblastactivity=0; __atuvc=0%7C16%2C2%7C17%2C0%7C18%2C0%7C19%2C3%7C20; __utmb=56171838.8.10.1368879026; __utmc=56171838; 7f6698be1f23a30456849a3cdee5b6c6=870a4bc224ab6a6e829827a64e6434dc; bbsessionhash=bb09b70d5f1e9df305081785b48152b2; PHPSESSID=e0c64a24e04eb81165c14e639e1fefda [CONTENT_TYPE] => application/x-www-form-urlencoded [HTTP_X_FORWARDED_FOR] => 99.247.240.226 [HTTP_ACCEPT_ENCODING] => gzip [HTTP_X_VARNISH] => 477041326 [PATH] => /usr/local/bin:/usr/bin:/bin [SERVER_SIGNATURE] => [SERVER_SOFTWARE] => Apache [SERVER_NAME] => www.davidicke.com [SERVER_ADDR] => 127.0.0.1 [SERVER_PORT] => 80 [REMOTE_ADDR] => 99.247.240.226 [DOCUMENT_ROOT] => /home/david2009/public_html [SERVER_ADMIN] => webmaster@********.com [SCRIPT_FILENAME] => /home/david2009/public_html/amember/index.php [REMOTE_PORT] => 15560 [REDIRECT_URL] => 
/amember/signup [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_PROTOCOL] => HTTP/1.1 [REQUEST_METHOD] => POST [QUERY_STRING] => [REQUEST_URI] => /amember/signup [SCRIPT_NAME] => /amember/index.php [PHP_SELF] => /amember/index.php [REQUEST_TIME] => 1368880075 [argv] => Array ( ) [argc] => 0 ) REQUEST=Array ( [product_id_page-0] => Array ( [0] => 2-2 ) [paysys_id] => worldpay [name_f] => Renate [name_l] => Parker => ********@gmail.com [login] => Hotrodda [pass] => ren0774 [_pass] => ren0774 [recaptcha_challenge_field] => 03AHJ_VuucIDNPVjk0u0KJAEX0NgFkJ2Q_zPoG1TwNJRQkrfD75fNK3nkwohF9Fl1KpAR6_i7R5mdA2j6_0XvFZFFSxYSmAsLp0v6VvyTE7piNDfKSBDwX1jxlPz0aJiZt4rkjV6TiXIV_UxLHASxSHOZ2Dv7e2KCqyGyrFlSgYcP21qs2ckxcGqU [recaptcha_response_field] => The Welckc [_qf_page-0_next] => Next [_save_] => page-0 [__cfduid] => dfd80a05f92c77c9ea1e7b8867decc29c1365821229 [__utma] => 56171838.1711689540.1365821226.1366805980.1368879026.5 [__utmz] => 56171838.1368879026.5.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not provided) [__gads] => ID=375568698b2c645d:T=1365821231:S=ALNI_MY6TcMdGTNcyASC1sLautcYilrKRw [bblastvisit] => 1365822228 [bblastactivity] => 0 [__atuvc] => 0|16,2|17,0|18,0|19,3|20 [__utmb] => 56171838.8.10.1368879026 [__utmc] => 56171838 [7f6698be1f23a30456849a3cdee5b6c6] => 870a4bc224ab6a6e829827a64e6434dc [bbsessionhash] => bb09b70d5f1e9df305081785b48152b2 [PHPSESSID] => e0c64a24e04eb81165c14e639e1fefda ) SESSION=Array ( [__ZF] => Array ( [amember_auth] => Array ( [ENT] => 1368887275 ) ) [amember_auth] => Array ( [user] => ) [amember] => Array ( [_signup_container] => Array ( [datasources] => Array ( ) [values] => Array ( [page-0] => Array ( [_save_] => page-0 [product_id_page-0] => Array ( [0] => 2-2-1 ) [paysys_id] => worldpay [name_f] => Renate [name_l] => Parker [email] => ********@gmail.com [login] => hotrodda [pass] => ren0774 [_pass] => ren0774 [_qf_page-0_next] => Next ) ) [valid] => Array ( [page-0] => 1 ) [opaque] => Array ( [hideBricks] => Array ( ) ) ) 
[signup_member_id] => ) ) POST DATAproduct_id_page-0%5B%5D=2-2&paysys_id=free&paysys_id=free&name_f=Renate&name_l=Parker&email=********%40gmail.com&login=Hotrodda&pass=ren0774&_pass=********&recaptcha_challenge_field=03AHJ_VuucIDNPVjk0u0KJAEX0NgFkJ2Q_zPoG1TwNJRQkrfD75fNK3nkwohF9Fl1KpAR6_i7R5mdA2j6_0XvFZFFSxYSmAsLp0v6VvyTE7piNDfKSBDwX1jxlPz0aJiZt4rkjV6TiXIV_UxLHASxSHOZ2Dv7e2KCqyGyrFlSgYcP21qs2ckxcGqU&recaptcha_response_field=The+Welckc&_qf_page-0_next=Next&_save_=page-0&paysys_id=worldpay"
  10. seanadl

    seanadl Member

    Joined:
    Dec 16, 2005
    Messages:
    59
And this is definitely a result of whatever fix/hack Alex applied to stop the bots. So now we have no bots coming through - but we also have few legitimate users coming through (as they are getting errors).

    We'll get there..... eventually (i hope)
  11. seanadl

    seanadl Member

    Joined:
    Dec 16, 2005
    Messages:
    59
I just tried to sign up for a subscription on the website myself with a test username and I got an error. So for the last 24 hours most users haven't been able to access our registration system.

It's one problem after another. Alex, I hope you are online today to help fix this.
  12. seanadl

    seanadl Member

    Joined:
    Dec 16, 2005
    Messages:
    59
    Alex - when you are online could you help with the following:

    1/ let me or others know what the fix was to stop the bots coming through. You have said that you did nothing on this thread but on the ticket to me you have said you "found a solution" and to monitor the sign ups over the next 3 days to see if whatever the solution was has fixed the error. Bots have stopped coming through so whatever you did worked. This implies there is a problem with the Amember code if you applied a fix and it worked.

    2/ the fix you have done has caused real legitimate registrations (including a test one i did just now) to receive an internal server error. This needs to be fixed asap - because very few registrations are coming through as a result of this.
  13. seanadl

    seanadl Member

    Joined:
    Dec 16, 2005
    Messages:
    59
Still nothing. New members signing up for our free product are getting internal server error messages since Alex made changes, and aMember staff will not tell me what the changes they made were (as doing so would suggest there is a problem with their script letting bots through, which they don't want to admit?)

    Somebody please sort this out. I would rather bots came through than no registrations!

    Just at least tell me the files which were changed so I can change them back myself.
  14. seanadl

    seanadl Member

    Joined:
    Dec 16, 2005
    Messages:
    59
Just in case anybody is following this, I have found out which files were changed to stop spam bots from coming through. It is the following 2 files which aMember edited:

Line 100 on /amember/application/default/controllers/SignupController.php

    The following new code has been inserted:

{
    // Alexander@cgi-central.net
    // Read the raw request body and reject the request when "paysys_id" occurs in it more than once
    $post = file_get_contents("php://input");
    if ((strpos($post, 'paysys_id') !== false) && (strpos($post, 'paysys_id') != strrpos($post, 'paysys_id'))) {
        // Dump the whole request ($_SERVER, $_REQUEST, $_SESSION and the raw POST body) to aMember's error log
        $debug = "SERVER=" . print_r($_SERVER, true) . " REQUEST=" . print_r($_REQUEST, true) . " SESSION=" . print_r($_SESSION, true) . " POST DATA" . file_get_contents("php://input");
        $this->getDi()->errorLogTable->log($debug);

        throw new Am_Exception_InternalError('Bot detected');
    }


    Line 426 on /amember/application/default/models/Invoice.php

    The following new code has been inserted:

// $debug = "SERVER=" . print_r($_SERVER, true) . " REQUEST=" . print_r($_REQUEST, true) . " SESSION=" . print_r($_SESSION, true) . " POST DATA" . file_get_contents("php://input");
// $this->getDi()->errorLogTable->log($debug);

Note: This new code insertion from Alex seems to have stopped spam bots getting through BUT it has prevented nearly all new registrations! We usually get a couple of hundred every day - yesterday we got 2.

I am now going to try deleting this new code from these 2 files to see if that helps, as I know aMember staff do not work during weekends.
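The two posts above (Alex's explanation that the bot sends paysys_id twice with "free" as the last value, and the strpos/strrpos check that was then inserted into SignupController.php) both turn on how PHP treats a repeated form parameter: parse_str and $_POST keep only the last value. The logged legitimate request in this thread also repeats paysys_id (free, free, worldpay), which is why a check that fires on any repetition rejects real users. The following is an added example written for this page, not aMember's code and not what Alex installed. It parses the raw body into a multimap so repeats stay visible, flags keys whose repeated values conflict, decides on the effective (last) paysys_id against a hypothetical product-to-payment-system table, and produces a log line with the password and captcha fields redacted rather than dumping the whole request as the posted debug code does. The product key "2-2", the payment system names and the field names come from the log in this thread; PRODUCT_PAYSYS, REDACT, the function names and the two sample bodies are constructed for the example.

```php
<?php
// Added example, not part of aMember. Hypothetical table of which payment
// systems each product accepts; "2-2" mirrors the product value in the
// thread's log, "free_product" is constructed.
const PRODUCT_PAYSYS = [
    '2-2'          => ['worldpay'],   // paid product: "free" must not be accepted
    'free_product' => ['free'],       // constructed free product
];

// Fields that must never reach a log verbatim (the posted debug dump wrote
// pass, _pass and the captcha answer in clear).
const REDACT = ['pass', '_pass', 'recaptcha_challenge_field', 'recaptcha_response_field'];

/** Parse an application/x-www-form-urlencoded body, keeping every value per key. */
function parseMultimap(string $body): array
{
    $map = [];
    foreach (explode('&', $body) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $map[urldecode($k)][] = urldecode($v);   // urldecode also turns '+' into a space
    }
    return $map;
}

/** Keys sent more than once with more than one distinct value. */
function conflictingKeys(array $map): array
{
    $out = [];
    foreach ($map as $k => $vals) {
        if (count($vals) > 1 && count(array_unique($vals)) > 1) {
            $out[$k] = $vals;
        }
    }
    return $out;
}

/** Decide on the effective paysys_id (last value wins, as parse_str/$_POST do). */
function checkSignup(string $body): array
{
    $map        = parseMultimap($body);
    $products   = $map['product_id_page-0[]'] ?? [];
    $paysysVals = $map['paysys_id'] ?? [];
    $paysys     = $paysysVals === [] ? '' : $paysysVals[count($paysysVals) - 1];

    $problems = [];
    foreach ($products as $p) {
        $allowed = PRODUCT_PAYSYS[$p] ?? [];
        if (!in_array($paysys, $allowed, true)) {
            $problems[] = "product $p does not accept payment system '$paysys'";
        }
    }
    return [
        'accept'           => $problems === [],
        'effective_paysys' => $paysys,
        'conflicts'        => conflictingKeys($map),
        'problems'         => $problems,
    ];
}

/** Log-safe view of the body: secrets redacted, duplicate-key report kept. */
function logLine(string $body): string
{
    $map = parseMultimap($body);
    foreach (REDACT as $k) {
        if (isset($map[$k])) {
            $map[$k] = array_fill(0, count($map[$k]), '[redacted]');
        }
    }
    return json_encode(['params' => $map, 'conflicts' => array_keys(conflictingKeys($map))]);
}

// Constructed sample bodies. $legit mirrors the legitimate submission logged in
// the thread (paysys_id repeated, last value worldpay); $bot is a constructed
// bot-style body whose last paysys_id is "free" for the paid product.
$bot   = 'product_id_page-0%5B%5D=2-2&paysys_id=worldpay&paysys_id=free&login=botuser&pass=x&_pass=x';
$legit = 'product_id_page-0%5B%5D=2-2&paysys_id=free&paysys_id=free&name_f=Renate&login=Hotrodda&pass=x&_pass=x&paysys_id=worldpay';

foreach (['bot' => $bot, 'legit' => $legit] as $label => $body) {
    $r = checkSignup($body);
    printf("%s: accept=%s effective=%s conflicting keys=%s\n",
        $label, $r['accept'] ? 'yes' : 'no', $r['effective_paysys'],
        implode(',', array_keys($r['conflicts'])));
    echo "  log: ", logLine($body), "\n";
}
```

Both sample bodies repeat paysys_id with conflicting values, so a check that rejects on repetition alone treats them the same; deciding on the effective value accepts the legitimate body (worldpay for product 2-2) and rejects the bot-style one (free for a paid product), which is the outcome Alex describes aMember's invoice logic already producing. Keeping the conflict report in the log preserves the evidence the strpos/strrpos check was looking for without writing passwords or session data to disk.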
  15. rick_wil

    rick_wil New Member

    Joined:
    Aug 29, 2006
    Messages:
    5
    reCaptcha does NOT stop these spambots from creating Pending customers. I ran with captcha on for a week and had many hundreds of Pending people all with the same pattern, identical garbage first and last names. However, I did have the same problem with aMember 3.x as well (just upgraded to 4.x, and had hoped this would disappear). For now, I removed captcha because I personally HATE them, and if it doesn't stop these, why annoy REAL customers.

    For now, I do a saved advanced search for status Pending and delete them all. Would love it if Alex could figure out what they are actually doing that gets them into the system without navigating through the actual sign-up form. -Rick

    Mikezvn Mikezvn (mikezvn)
    1u2d9v6p8d9h9d4w@multi.fotogizycko.pl 05/24/13, 02:19 PM
    Mikewed Mikewed (mikewed)
    1t5y5z2o2n9d1x6t@multi.fotogizycko.pl 05/24/13, 02:03 PM
    Erellesonse Erellesonse (erellesonse)
    plasteoganthee@hotmail.com 05/24/13, 01:48 PM
    FafCydAydar FafCydAydar (fafcydaydar)
    eee.eee23@o2.pl
    05/24/13, 01:34 PM
  16. skippybosco

    skippybosco CGI-Central Partner Staff Member

    Joined:
    Aug 22, 2006
    Messages:
    2,526
seanadl, if the changes are affecting real users as well as bots then you can rename the file Alex modified and restore the original from your aMember installation .zip file (downloadable from your members section of amember.com)
  17. miso

    miso aMember Pro Customer

    Joined:
    Aug 22, 2006
    Messages:
    543
    dude, get back to Alex in helpdesk, not here - the help here is sporadic, and that's what helpdesk is for.

    as far as your problem with bots registering and bypassing the signup validation, just search for Pending users every few days and delete those off the system - it takes 2 minutes, if that, to clean up the userbase.

    and no wonder you're getting all the spam - davidicke.com, huh? you'll need some advanced anti-spam solution regardless how you look at it...
  18. jackgordon

    jackgordon aMember Pro Customer

    Joined:
    Mar 23, 2009
    Messages:
    269
    I got rid of 99% of those spambot registrations by banning .pl and .ru email addresses. Occasionally a gmail or hotmail one will come through, but they are easy to ignore until I have a real registration to go in and approve.
  19. robw

    robw CGI-Central Partner

    Joined:
    Dec 18, 2007
    Messages:
    287