XF 1.4 My admin account was logged on from a spamer's IP

[DennisSkov]

Hi.

Today we received a report about a spamer on the forum. We took action and used the "report spammer" function in Xenforo, but after I had banned the account, I saw the following:


I was still sleeping at that time. The admin.php page is only accesible from my own IP, and my password consists of 15 characters that has been randomly generated, not stored anywhere. Is this some sort of exploit?

Any information about this would be much appreciated!
Dennis

 

[Paul B]

If you don't have a static IP address, this is possible.

 

[Mike]

This is also very possibly caused by an add-on that causes content to be created in someone's name and recording an IP log against that.

 

[Paul B]

Yes, I was going to add that the possible causes of this are:

• a dynamic IP address
• server configuration
• an add-on
• the same person logging in to both accounts

There are no known exploits with the XenForo software which would cause that.

 

[DennisSkov]

This is also very possibly caused by an add-on that causes content to be created in someone's name and recording an IP log against that.

Does this also apply even if it's the only IP address that is logged for the spammer? Since it's the only IP logged, I figure that it's also the IP that the registration happened from.

 

[Jim Boy]

Some add-ons, like Multiple Account Detection, have functionality that will create a new thread in a particular forum. There has to be a 'thread creator' and the the addon will create that thread using the IP address of the user who originally triggered the action (the spammer) as being the IP address of the thread creator, resulting in the thread creator user (*eg dennis) as having apparently 'logged on' from that ip address. Its an annoyance but nothing to be concerned about.

 

[DennisSkov]

Some add-ons, like Multiple Account Detection, have functionality that will create a new thread in a particular forum. There has to be a 'thread creator' and the the addon will create that thread using the IP address of the user who originally triggered the action (the spammer) as being the IP address of the thread creator, resulting in the thread creator user (*eg dennis) as having apparently 'logged on' from that ip address. Its an annoyance but nothing to be concerned about.

Yeah, but again - this is the only IP that was logged on that account. I'm using an addon that sends a message to all new users - could this be the case? The message is send from my user ID, and that kind of suits the things you described.

 

[Paul B]

I'm using an addon that sends a message to all new users

That's the add-on which is known to cause this problem.

 

[DennisSkov]

That's the add-on which is known to cause this problem.

Ok, thanks for clearing that up! It would explain that other users are sharing my IP as well...

I almost panicked. Thanks for being so fast with the correct information. It's much appreciated

 

[cdub]

That's the add-on which is known to cause this problem.

Which addon exactly is that?

 

[DennisSkov]

It's called New Users Welcome.

 

[cdub]

It's called New Users Welcome.

And is it a security concern or just a glitch?

 

[rainmotorsports]

Which addon exactly is that?

Any add-on that creates threads, conversations or profile posts can do this. You have to set a flag in the data writer to not record an IP. Otherwise a random or the receivers IP will be written. Most addons of this nature have this issue. Its not that hard to fix.

 

[DennisSkov]

It shouldn't be a security issue from what I understand.