
XF 1.1 Help Bot/Spam attack!

#1
Hello, my forum is www.turkcraft.net and it is not in English, but I will try to explain the situation as well as I can.

Today when I woke up I saw that the forum now has 24.000 users (it usually had like 3.000) and that all of them have strange names like 3493859sdfsd. They were all bots and spamming stuff. The forum was in ruins. It had been spammed and the forum couldn't even handle the connections anymore.

So I quickly put the forum into maintenance mode. Now nobody can sign up or log in.

These spammers claim to spam the forum because we erased their post that was in ENGLISH in a Turkish forum and was solved anyway. These guys didn't get money from one of our users or something, but our forum must pay for this with bots spamming us? These guys are just keeping us responsible for trying to keep our forum clean instead of solving their issue with their client.

Anyways, I would like some support please. What can I do against these bots? I mean there are 20.000 of them?

One reason they could get so many accounts is because we can't use the mail activation system and don't know how to. It has never worked for us so we closed it and set some questions for signing up instead. So with the absence of the mail activation system they have created many accounts, but I do not know how they passed the question protection.

Please does anyone have any suggestions? I am able to cooperate in any kind of solution. Thank you.
 

Brogan

XenForo moderator
Staff member
#2
As you don't have email verification/activation configured and do use Q&A, it is more than likely a group of individuals, probably from a rival site.
It wouldn't take long for a decent sized group to create that many accounts, quite possibly they also created a script; depending on how many different questions you have, it would work for a small percentage of attempts.

Your options are to restore from a backup or delete the accounts.

You should investigate the problem with activation emails and implement email verification.

If the IP addresses of the accounts are all the same/similar, you can also ban those.
 

borbole

Well-known member
#3
The email validation in registration should work OK and it can be set up at your ACP -> Options -> User Registration -> Enable Email Confirmation. If that is not working OK for you, then open a ticket at your help desk here so one of the XenForo staff can investigate this for you.

You can also set it to Enable Manual Approval for the time being until the wave of the spamming attack cools down.
 
#5
Thanks everyone. What I did was to activate administrator approval for new users for the time being. Luckily the spamming person created new subjects inside only one of the forums. So I did a little cleaning and then erased that whole forum. Anyways, does anyone know how I can delete like 20.000 members? Their names seem to begin like: 3fef71d43ab412, 3fbd25119411db etc. So they begin with 3f. Also their mail addresses go like this: 3fef71d43ab412@3fef71d43ab412.com.

All of their IPs seemed to be the same so I have banned one IP. I do not know if there are more IPs but I have checked some of them and they had the same IPs. Any help please?
 
#11
Hello, sorry for bringing this back up but I am still suffering. I have contacted the spammers and they are nice people it seems. They have given me the script that they have used to spam and create many users. They also said that their usernames = passwords.

http://pastebin.com/2tUPfKmC

Doesn't really want to be part of this forum attack (however, I'm against Lynax too) but the easiest way to filter those spam registers is to delete those users where the username = password.
It'll work with a 99% success rate, or 100% if your system doesn't let users use the same username and password. MySQL query:
DELETE FROM `your_users_table` WHERE `username_row` = `password_row`;
This good man suggested this solution, then:


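Oops, forgot about password hashing. You need to hash the usernames and check if they = the password.
If you're using MD5 then you can do it in the MySQL query.
If your hashing is more complicated than this then you'll have to recreate that in PHP and then check. So if you're first hashing the password to sha256 then to md5 you'll need something like this:
PHP:
<?php
// Placeholder connection details; replace with your own.
$db = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');

// Hash each username the same way passwords are hashed, then delete the
// account only if its stored password hash equals that value.
$result = $db->query("SELECT `username_row` FROM `users_table`");
$delete = $db->prepare("DELETE FROM `users_table` WHERE `username_row` = ? AND `password_row` = ?");
while ($hit = $result->fetch_assoc()) {
    $password = md5(hash('sha256', $hit['username_row']));
    $delete->bind_param('ss', $hit['username_row'], $password);
    $delete->execute();
}
?>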
However I am not a coder and don't know how to make use of their passwords being the same as their usernames. Any help?
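
The cleanup asked about in posts #5 and #11, as an added example that is not part of the original thread and is not XenForo code: it flags accounts for review using the indicators reported above (hex-style usernames, e-mail addresses that mirror the username, password equal to username) and counts their registration IPs. The field names, the sample rows and the use of the md5(sha256()) scheme from the quoted PHP are assumptions; a real forum stores salted hashes, so that check has to be rebuilt with the forum's own hashing.

```python
import hashlib
import re
from collections import Counter

HEX_NAME = re.compile(r"[0-9a-f]{8,}")  # names like 3fef71d43ab412

def page_scheme(text):
    """md5(sha256(text)), the illustrative hashing from post #11 (an assumption)."""
    inner = hashlib.sha256(text.encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()

def signals(row):
    """Return the names of the bot indicators this account matches."""
    name = row["username"].lower()
    found = []
    if HEX_NAME.fullmatch(name):
        found.append("hex_username")
    if row["email"].lower() == f"{name}@{name}.com":
        found.append("email_mirrors_username")
    if row["password_hash"] == page_scheme(row["username"]):
        found.append("password_equals_username")
    return found

def find_bot_accounts(rows, minimum=2):
    """Flag accounts matching at least `minimum` indicators, for review before deletion."""
    return [(r["user_id"], signals(r)) for r in rows if len(signals(r)) >= minimum]

def shared_ips(rows, flagged):
    """Count registration IPs among flagged accounts to find ban candidates."""
    ids = {user_id for user_id, _ in flagged}
    return Counter(r["ip"] for r in rows if r["user_id"] in ids)

def make_row(user_id, username, email, ip, password):
    return {"user_id": user_id, "username": username, "email": email,
            "ip": ip, "password_hash": page_scheme(password)}

# Constructed sample data; field names are hypothetical, not XenForo's schema.
SAMPLE = [
    make_row(101, "ayse_k", "ayse@example.org", "198.51.100.7", "correct horse"),
    make_row(24001, "3fef71d43ab412", "3fef71d43ab412@3fef71d43ab412.com", "203.0.113.9", "3fef71d43ab412"),
    make_row(24002, "3fbd25119411db", "3fbd25119411db@3fbd25119411db.com", "203.0.113.9", "3fbd25119411db"),
    # Real member whose name happens to be hex: one indicator only, so not flagged.
    make_row(102, "deadbeef2012", "deniz@example.org", "198.51.100.8", "another secret"),
]

if __name__ == "__main__":
    flagged = find_bot_accounts(SAMPLE)
    for user_id, why in flagged:
        print(user_id, ", ".join(why))
    print(shared_ips(SAMPLE, flagged).most_common())
```

Requiring two indicators keeps a genuine member with a hex-looking name out of the deletion list; review the flagged IDs against a backup before removing anything.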