ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Membership Spam Attack

May 03, 2012 3:46am

  • #1 / May 03, 2012 3:46am

    Beebs

    207 posts

    EE V1.7.2

    So the website received a membership spam attack that ate up the bandwidth. A hundred thousand members automatically appeared as administrators. I managed to combat the attack by reading some advice in the forum. The bogus members appear as administrators because, in the setup by default, new members are assigned as administrators.

    To the best of my knowledge, I have explained this to the client as well as to the web host manager. However, the web host manager, who is not a big fan of EE, started badmouthing EE and claimed that somebody has hacked into the admin panel, and that EE is not a good CMS in terms of security (I am not being devil’s advocate here; I am just pouring my heart out). So I need some help from you guys.

    1. The website does not have a membership system, so no one is actually invited to become a member. Can you please explain (and I will pass this explanation on to them): if there is no membership system, how can there be spam accounts that appear as administrators? Is it true that someone hacked into the back-end of the website?

    2. Now the client wants to have a CAPTCHA on the CP login. Can you help me with how to do so?

    3. The client also wants to have a script installed so that when the password is entered wrong 3 times, they will be rejected from getting into the CPanel. Can you help me with how to do so?

    Kind Regards

  • #2 / May 03, 2012 7:16am

    silenz

    1651 posts

    The bogus members appear as administrators because, in the setup by default, new members are assigned as administrators.

    That sounds fishy.
    Admin ›  Members and Groups ›  Membership Preferences
    What does it say under Default Member Group Assigned to New Members?

    1. The website does not have a membership system, so no one is actually invited to become a member. Can you please explain (and I will pass this explanation on to them): if there is no membership system, how can there be spam accounts that appear as administrators? Is it true that someone hacked into the back-end of the website?

    Admin ›  Members and Groups ›  Membership Preferences
    Is Allow New Member Registrations? set to No?

    No one can say if your backend has been hacked without looking at your server.

    2. Now the client wants to have a CAPTCHA on the CP login. Can you help me with how to do so?

    That’s not an option without additional programming.

    3. The client also wants to have a script installed so that when the password is entered wrong 3 times, they will be rejected from getting into the CPanel. Can you help me with how to do so?

    Admin ›  System Preferences ›  Security and Session Preferences
    Enable Password Lockout?  set it to Yes
    Also set Time Interval for Lockout to something appropriate.

  • #3 / May 03, 2012 1:44pm

    Shane Eckert

    7174 posts

    Hello Beebs,

    I am really sorry that this has happened.

    The response from silenz is excellent. The questions he has asked are very important and a great place to start.

    Also, I would back up the database and then proceed to delete these accounts. If you are able to use something like phpMyAdmin or some SQL, doing a mass remove would not be a bad idea.

    Can you respond with the answers to those and we can go from there.

    Cheers,
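    The mass removal Shane suggests above, written out as an added example for phpMyAdmin or the mysql command line. This is not code from the thread or from ExpressionEngine itself. It assumes the EE 1.x default table prefix `exp_`, a members table `exp_members` with the columns `member_id`, `group_id`, `username`, `email` and `join_date` (a Unix timestamp), and a groups table `exp_member_groups` with `group_id` and `group_title`; `group_id = 1`, `member_id = 1` and the attack-window date are constructed placeholders to replace with what your own database shows.

```sql
-- Added example (not from the thread or from EllisLab): a cautious mass removal
-- of bogus administrator accounts created through open registration.
-- ASSUMPTIONS: EE 1.x "exp_" prefix; exp_members(member_id, group_id, username,
-- email, join_date) and exp_member_groups(group_id, group_title). The group id,
-- the legitimate admin id and the attack window are placeholders.

-- 0. Back up first. From a shell, not from the SQL console:
--    mysqldump -u USER -p DBNAME exp_members exp_member_groups > members-backup.sql

-- 1. Confirm which group_id is the administrator group that new members were
--    being defaulted into.
SELECT group_id, group_title
FROM exp_member_groups;

-- 2. Size the problem: accounts per day in that group. Real admins cluster
--    around install time; the spam wave shows up as a burst of recent days.
SELECT FROM_UNIXTIME(join_date, '%Y-%m-%d') AS day, COUNT(*) AS accounts
FROM exp_members
WHERE group_id = 1                      -- placeholder: the id found in step 1
GROUP BY day
ORDER BY day;

-- 3. Review the candidates before deleting anything: members of the admin
--    group who joined inside the attack window and are not your real staff.
SELECT member_id, username, email, FROM_UNIXTIME(join_date) AS joined
FROM exp_members
WHERE group_id = 1
  AND join_date >= UNIX_TIMESTAMP('2012-04-20 00:00:00')  -- placeholder window
  AND member_id NOT IN (1)                                 -- placeholder: real admin id(s)
ORDER BY join_date
LIMIT 50;

-- 4. Delete with the same WHERE clause, inside a transaction, and compare the
--    affected-row count with step 3 before committing.
START TRANSACTION;
DELETE FROM exp_members
WHERE group_id = 1
  AND join_date >= UNIX_TIMESTAMP('2012-04-20 00:00:00')
  AND member_id NOT IN (1);
SELECT ROW_COUNT() AS deleted_rows;
COMMIT;   -- or ROLLBACK if deleted_rows is not the number you expected

-- 5. Verify that only the accounts you intended remain in the admin group.
SELECT member_id, username, email
FROM exp_members
WHERE group_id = 1;
```

Two caveats worth knowing before running it: `ROLLBACK` only undoes the delete on InnoDB tables, so on MyISAM tables (common for older EE installs) the step 0 dump is your only way back; and EE 1.x keeps per-member rows in other tables as well (for example `exp_member_data` and `exp_member_homepage`, assumed here), so the same `member_id` set should be removed from those too, or they are left as orphans.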

  • #4 / May 03, 2012 6:42pm

    Beebs

    207 posts

    The bogus members appear as administrators because, in the setup by default, new members are assigned as administrators.

    That sounds fishy.
    Admin ›  Members and Groups ›  Membership Preferences
    What does it say under Default Member Group Assigned to New Members?

    Answer:
    As I said above:
    The bogus members appear as administrators because, in the setup by default, new members are assigned as administrators.

    But before I posted this message, I had already changed it to Pending. And I also chose “Member activation by administrator”.

    1. The website does not have a membership system, so no one is actually invited to become a member. Can you please explain (and I will pass this explanation on to them): if there is no membership system, how can there be spam accounts that appear as administrators? Is it true that someone hacked into the back-end of the website?

    Admin ›  Members and Groups ›  Membership Preferences
    Is Allow New Member Registrations? set to No?

    Answer: Yes, I chose No.

    No one can say if your backend has been hacked without looking at your server.

    Answer: Do you mean the EE Control Panel or the web host server? I will negotiate with the web host; if they provide FTP details, would you like to have a look at it?

    2. Now the client wants to have a CAPTCHA on the CP login. Can you help me with how to do so?

    That’s not an option without additional programming.

    Answer: Okay, understood. How much time and labour cost would it be? I just need an estimate. Frankly, I want to give this project up. But giving them an estimate is important.

    3. The client also wants to have a script installed so that when the password is entered wrong 3 times, they will be rejected from getting into the CPanel. Can you help me with how to do so?

    Admin ›  System Preferences ›  Security and Session Preferences
    Enable Password Lockout?  set it to Yes
    Also set Time Interval for Lockout to something appropriate.

    Answer: Cool. This is a feature that I overlooked. I appreciate this.

  • #5 / May 03, 2012 6:50pm

    Beebs

    207 posts

    Hello Beebs,

    I am really sorry that this has happened.

    The response from silenz is excellent. The questions he has asked are very important and a great place to start.

    Also, I would back up the database and then proceed to delete these accounts. If you are able to use something like phpMyAdmin or some SQL, doing a mass remove would not be a bad idea.

    Can you respond with the answers to those and we can go from there.

    Cheers,

    Thanks for the reply, Shane. I just want to clarify that I have done everything you said above, so the crisis is over. The thing is, these matters came up in the meeting conversation again. I just ran out of explanations to assure the client on their question: if no membership system is allowed, how can there be hundreds of members cast as administrators appearing in the back-end?

    I have given the answer: this is a spam attack. But they keep asking me the annoying question “how”?

  • #6 / May 04, 2012 3:27pm

    Shane Eckert

    7174 posts

    Hey Beebs,

    Did you turn Registration on? If registration is turned on, then anyone can register unless you disable it.

    Thank you,

  • #7 / May 04, 2012 6:46pm

    Beebs

    207 posts

    Hey Shane,
    To be honest, I forgot whether I turned registration on or off during the first installation, because this project does not have a membership system. But of course, I have now turned registration off.

  • #8 / May 07, 2012 3:18pm

    Shane Eckert

    7174 posts

    Hi Beebs,

    That sounds like the reason!

    Is there anything else I can help you with?

    Cheers,

  • #9 / May 07, 2012 9:30pm

    Beebs

    207 posts

    Hi Shane, I need your opinion on how these spammers work, such that they can spam into the back-end of EE although there are no membership facilities. I just need a couple of simple explanations that I can pass on. Thanks

  • #10 / May 08, 2012 1:01pm

    Shane Eckert

    7174 posts

    Hello Beebs,

    Sure!

    Just to clarify, these spammers are not doing anything on the backend. Access to the backend would be a hack. This is all through the front end and registration. If you had registration open and the default group set to Administrator, then ExpressionEngine was doing exactly what you told it to do.

    The thing to remember with ExpressionEngine is that it is very, very flexible and it will do exactly what you tell it. If the conditions above were as described, then changing them to the opposite will stop this issue, and keeping this in mind will keep you safe the next time around.

    Does that help?

    Thank you,

  • #11 / May 08, 2012 5:51pm

    Beebs

    207 posts

    Cool. That is helpful. Thanks

  • #12 / May 09, 2012 3:11pm

    Shane Eckert

    7174 posts

    Hey Beebs,

    I am glad to help!

    If you need anything else, please just let me know by opening a new thread.

    Cheers,