ExpressionEngine CMS
Open, Free, Amazing


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Mysterious, unfindable members

October 16, 2010 7:05pm

  • #1 / Oct 16, 2010 7:05pm

    Rick Lecoat

    128 posts

    A couple of days back I posted about a problem and found that my site’s membership system was still open to all-comers even though I wasn’t using it. I thought I’d closed that loophole but I think I messed up and maybe didn’t commit the preference changes in the CP because it was still open this evening.

    THIS time around I really HAVE turned off Allow Memberships, but I now have a weird problem. I appear to have 62 members that do not show up in any of the membership groups (but they are listed in the ‘Total Members’ count when I go to ‘View members’).

    If I can’t find them in the system, how can I delete them?

  • #2 / Oct 17, 2010 3:49pm

    Greg Salt

    3988 posts

    Hi Rick,

    Are these members actually in the exp_members table? Please go to Admin > Utilities > SQL Manager > Manage Database Tables and click browse next to the exp_members table. Are these members displayed? If so, which number is shown as the ‘group_id’ for them?

    Cheers

    Greg

  • #3 / Oct 17, 2010 6:38pm

    Rick Lecoat

    128 posts

    Hi Greg, thanks for your reply.

    Yes, they are listed in the table, and all have a group ID of 5.
    Means nothing to me really, but maybe it does to you?

    Cheers;
    Rick

  • #4 / Oct 18, 2010 3:03am

    John Henry Donovan

    12339 posts

    Rick,

    To confirm, you deleted your ‘Members’ group and replaced it with another one?
    By default after a fresh install that Members group would have an ID of 5.

    Just to confirm, you can’t see these members via the View Members screen?
    If you can see them there, is their Join date after the date you deleted that member group?

  • #5 / Oct 18, 2010 7:45am

    Rick Lecoat

    128 posts

    John;

    Thanks for the reply. I deleted the Members group but didn’t actually replace it with anything — I don’t use membership on my site (deleting the group was done at Ingmar’s suggestion, see thread referenced in OP, although with hindsight I could have simply used the Prune Data technique to delete the contents of the group without deleting the group itself. But I only found that out after the event).

    Re. seeing the members in View Members: well, that’s not entirely black and white. The only member actually listed in that screen is me (the superadmin) but the View Members screen is, oddly, paginated into 2 pages. Page one is empty, page two shows me. The ‘Total Members’ count in the corner shows 62 members.

    So, after I deleted the Members group but (accidentally) failed to close the ‘Allow new member registrations’ loophole, some spammy hackscript from The OutSide registered a load of new memberships — which somehow went into a group that no longer exists.

    The ‘Allow new members’ permission is now set to No, but…Ouch!
    Help!

  • #6 / Oct 18, 2010 7:59am

    Rick Lecoat

    128 posts

    Okay, think I’ve solved it — breaking it down to answer John’s questions kind of clarified where the problem lay, so I tried recreating a Members group. I wasn’t sure whether it would be given a group ID of 5 (I hoped it would since John states that to be the default ID for the Members group), or, if it was given ID5, whether the mystery members would be assigned to the new group. But it was, and they were, and so suddenly they showed up in the View Members screen again. All now deleted and I am the only member again. Hopefully it will stay that way.

    The fact that having ‘Allow new member registrations’ set to ‘Yes’ permitted this to happen does, however, make me wary about using memberships in the future. I know that my current installation is a bit behind the curve (1.6.7)… is this a vulnerability that has been addressed in 1.6.8/1.6.9/2.0? Or is it simply down to my not having certain preferences set? (my membership prefs were those straight out of the box as per default installation).

  • #7 / Oct 18, 2010 8:49am

    Sue Crocker

    26054 posts

    The fact that having ‘Allow new member registrations’ set to ‘Yes’ permitted this to happen does, however, make me wary about using memberships in the future. I know that my current installation is a bit behind the curve (1.6.7)… is this a vulnerability that has been addressed in 1.6.8/1.6.9/2.0? Or is it simply down to my not having certain preferences set? (my membership prefs were those straight out of the box as per default installation).

    The vulnerability comes down to hacker/spammers knowing how to identify when a site is based on ExpressionEngine. Using reCAPTCHA, tightening down to use moderation for registrations, changing the trigger word, etc. will all help.
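
The check asked for in #2 and the fix reported in #6, as an added example that is not part of the original thread or ExpressionEngine's own code: an anti-join that lists members whose group_id has no matching group row, run with Python's sqlite3 on constructed tables. The exp_member_groups table, the reduced column set and every sample row are assumptions for illustration.

```python
import sqlite3

# Constructed, simplified stand-ins for exp_members and its groups table.
SCHEMA = """
CREATE TABLE exp_member_groups (group_id INTEGER, group_title TEXT);
CREATE TABLE exp_members (member_id INTEGER PRIMARY KEY, group_id INTEGER,
                          username TEXT, join_date INTEGER);
"""

# Anti-join: members whose group_id points at a group that does not exist.
ORPHANS_SQL = """
SELECT m.member_id, m.username, m.group_id, m.join_date
FROM exp_members AS m
LEFT JOIN exp_member_groups AS g ON g.group_id = m.group_id
WHERE g.group_id IS NULL
ORDER BY m.join_date
"""

def build_sample_db():
    """In-memory database mirroring the thread: group 5 has been deleted."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO exp_member_groups VALUES (?, ?)",
                   [(1, "Super Admins"), (4, "Pending")])  # constructed rows
    db.executemany("INSERT INTO exp_members VALUES (?, ?, ?, ?)", [
        (1, 1, "siteowner", 1262304000),           # constructed rows
        (2, 5, "constructed_spam_a", 1287273600),  # registered after deletion
        (3, 5, "constructed_spam_b", 1287273660),
        (4, 5, "constructed_spam_c", 1287273720),
    ])
    return db

def find_orphans(db):
    """Rows the member listing cannot show because their group is gone."""
    return db.execute(ORPHANS_SQL).fetchall()

def orphan_summary(db):
    """Count orphaned members per missing group_id."""
    counts = {}
    for _member_id, _username, group_id, _joined in find_orphans(db):
        counts[group_id] = counts.get(group_id, 0) + 1
    return counts

def recreate_group(db, group_id, title):
    """The fix from #6: give the dangling group_id a group row again."""
    db.execute("INSERT INTO exp_member_groups VALUES (?, ?)", (group_id, title))

if __name__ == "__main__":
    db = build_sample_db()
    print("orphans per missing group:", orphan_summary(db))
    recreate_group(db, 5, "Members")
    print("orphans after recreating group 5:", find_orphans(db))
```

A non-empty result for a group_id nobody created on purpose is worth comparing against join_date to see whether the accounts arrived after the group was deleted.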
