  • Security help

    Before I am told to upgrade (which I am strongly considering), please visit my site to understand the level of customization that I have. I am using 3.0.12 with the upgrade patches to 3.0.17.

    I am seeing numerous amounts of bogus signups that are exploiting my register.php (at least, this is my guess). I have been forced to moderate all user signups and it's just getting overly cumbersome. After talking with my coder he suggests we place a page logger to log the location of the registration, but he does not have time to pursue this effort.

    What's occurring, the best I can tell (and I believe this is a bot), is the signup occurs. I receive a notification of the signup. Upon going to the admin panel, there is a long delay, like a script is being run or something, bypassing authentication. These bogus users cannot post until I approve them, or at least they haven't as of yet. Once I get into the admin panel, the moderated user might read 0. If I search for their account by username or email, I find them. Here are the consistent details: I have a required userfield (previous attempt to remediate this), this form requires the users to identify the software they use. They fill this in with '1'. Second, the bot always claims different locations as their location, yet the default drop down location always reads Eniwetok, Kwajalein. These items plus the notification of the bounced activation email is when I delete the accounts.

    I have tried the htaccess, I have tried blocking ips, tried banning. I am not having any luck.

    Does anyone have an idea to pursue, perhaps a code example of the page logging function that I can drop into my register functions?

    I am looking for some help/guidance and would sincerely appreciate some assistance. If I need to renew my account to seek the staff help, I will.

    Thanks!

    Sincerely,

    Steven D. Papke, AIA
    President and Owner, Vizdepot.com
    Visualization Community Resource
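
Added example (not part of the original post and not vBulletin code): a PHP 7.2+ logging function for a registration handler that records where each signup request came from and flags the indicators described in the post above. The field names `software`, `timezoneoffset` and `username`, the `-12` default value and the log path are assumptions to replace with what the form really posts.

```php
<?php
// Added example, not vBulletin code. Field names and values below are
// assumptions; replace them with what your registration form actually posts.
const SOFTWARE_FIELD = 'software';        // hypothetical required profile field
const TIMEZONE_FIELD = 'timezoneoffset';  // hypothetical time zone drop-down
const DEFAULT_TZ     = '-12';             // assumed value of the first option

function clip($value, int $max = 200): string
{
    // Bound the size of anything the client controls before it is logged.
    return substr(is_scalar($value) ? (string) $value : '', 0, $max);
}

function log_signup_attempt(array $server, array $post, string $logFile): array
{
    $referer = clip($server['HTTP_REFERER'] ?? '');
    $host    = preg_replace('/:\d+$/', '', clip($server['HTTP_HOST'] ?? ''));
    $refHost = (string) parse_url($referer, PHP_URL_HOST);

    $flags = [];
    if ($refHost === '' || strcasecmp($refHost, $host) !== 0) {
        $flags[] = 'no_onsite_referer';        // form was not loaded from this site
    }
    if (trim(clip($post[SOFTWARE_FIELD] ?? '')) === '1') {
        $flags[] = 'software_field_is_1';      // filler value seen on bogus accounts
    }
    if (clip($post[TIMEZONE_FIELD] ?? '') === DEFAULT_TZ) {
        $flags[] = 'timezone_left_at_default'; // drop-down never changed
    }

    // Log only named fields; never write the whole POST body (passwords).
    $record = [
        'time'       => gmdate('c'),
        'ip'         => clip($server['REMOTE_ADDR'] ?? ''),
        'method'     => clip($server['REQUEST_METHOD'] ?? ''),
        'referer'    => $referer,
        'user_agent' => clip($server['HTTP_USER_AGENT'] ?? ''),
        'username'   => clip($post['username'] ?? ''),
        'flags'      => $flags,
    ];
    $line = json_encode($record, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
    file_put_contents($logFile, $line . "\n", FILE_APPEND | LOCK_EX);
    return $record;
}

// In the registration handler, before the account is created:
// $r = log_signup_attempt($_SERVER, $_POST, '/var/log/forum/signup.log');
```

Keep the log file outside the web root. A legitimate user can trip any single flag, so entries carrying several flags together are the ones to review first.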

  • #2
    If I bypass the admin control panel home page and just search by user. If I delete their account, it creates the same long delay. I have recently added an admin link in the new user notification email which seems to allow me to bypass whatever is happening. It's just frustrating.

    I am really looking for some insight.
    Sincerely,

    Steven D. Papke, AIA
    President and Owner, Vizdepot.com
    Visualization Community Resource


    • #3
      I *strongly* recommend upgrading to 3.6.8. Also please see this thread on how to make your vBulletin more secure:

      http://www.vbulletin.com/forum/showthread.php?t=172234
      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
      Change CKEditor Colors to Match Style (for 4.1.4 and above)

      Steve Machol Photography


      Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




      • #4
        Steve, thanks for responding. I was beginning to wonder if the support was going to live up to its standard. I am not sure that I haven't read that post 20 times already. #2 is a classic. I am smart enough to spend time searching this site for answers before I waste people's time.

        As for upgrading, if you spent a moment to look at my site, you would understand the time involved with the upgrade. Is it something I need to do? Certainly. However, I am not pursuing that at the moment as I mentioned at the onset of the post.

        Since you didn't offer an answer to my question, I am left to hope someone can relate to my ongoing level of frustration.

        Sincerely,

        Steven D. Papke, AIA
        President and Owner, Vizdepot.com
        Visualization Community Resource


        • #5
          If you are concerned about security, then you should upgrade. It is as simple as that. You cannot patch 3.0.12 to make it completely secure. Each patch is only designed to work for the previous version of vB.

          In addition, 3.6.8 has many more tools available to stop spammers and hackers.

          It's your choice of course, but criticizing me for trying to help you have the most security possible seems rather odd. Good luck.
          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


          • #6
            Steve, I wasn't criticizing you. I was simply acknowledging that code wise, patching a hole is completely possible, unfortunately it takes some considerable effort. I am more after trying to resolve the problem I have.

            I was hoping for (and I have to jog your mind to remember the 3.0.12 methods) perhaps some templates to target my search. Perhaps a code example of how to log a page a user is on when they sign up...etc. Some ideas. Perhaps some additional strategies from the experts. You all know this better than all.

            I was not criticizing you. That I can promise. I am simply looking for some help with my current problem. My site is so customized and interwoven between photopost, vbportal and vbulletin, an upgrade would take the site down for a significant time period.

            If my only true option was to upgrade, dude, I would in a heart beat. And to tell you the honest truth, I am trying to hold onto what I have, and research the options available before doing the inevitable, which will be to upgrade.

            One thing about the product you all support and make incredibly useful, no matter what, like email, there is no tone in printed words. I am sincerely appreciative, you, the head honcho, responded. I know perhaps I am getting an answer I don't want to hear, but perhaps it's best to realize.

            Sincerely,

            Steven D. Papke, AIA
            President and Owner, Vizdepot.com
            Visualization Community Resource
            Last edited by sdp777; Sun 21 Oct '07, 10:56am. Reason: Steve, just cause...I have renewed my vbulletin license. :)


            • #7
              No problem.
              Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)