Spammers posting through existing accounts with no need to login?

I just did this on a test user and nothing happened. They were able to continue using the site, log out and log in again. No requirement to reset the password.
My test account got the following and could do nothing.

I just found out that batch update is not working. Hence my issue. This is a known unresolved bug:


Security lock works fine if done user by user but that is not much use in this case with thousands of users !!
 

I found a workaround to the non-functioning batch update. Warning! This seemed to work but I can't guarantee it won't mess anything up, as I'm always wary of editing the database; however, it seems fairly straightforward.

Promote the users who you want to reset passwords for to a usergroup
Run the query UPDATE xf_user SET security_lock = 'reset' WHERE FIND_IN_SET(123, secondary_group_ids) (where the secondary group is 123)
 
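The two-step workaround above (move the affected accounts into a usergroup, then set security_lock on that group) is the kind of direct database edit the poster warns about, so here is the same procedure with the checks a practitioner would run around it. This is an added example, not code from the thread or from XenForo; it assumes MySQL (FIND_IN_SET is MySQL-specific), the xf_user columns the thread names (security_lock, secondary_group_ids) plus user_id, username and last_activity, and a hypothetical usergroup id 123 holding the accounts to reset.

```sql
-- Added example, not from the thread. Assumed: MySQL, XenForo table xf_user with
-- user_id, username, last_activity, security_lock, secondary_group_ids; group id 123
-- is the hypothetical usergroup the affected accounts were promoted into.

-- 1. Dry run: list exactly which accounts the update would touch. secondary_group_ids
--    is a comma-separated list, so FIND_IN_SET matches the whole item '123' and does
--    not accidentally match a group such as 1234.
SELECT user_id,
       username,
       FROM_UNIXTIME(last_activity) AS last_active,
       security_lock
FROM xf_user
WHERE FIND_IN_SET('123', secondary_group_ids)
  AND security_lock <> 'reset'
ORDER BY last_activity;

-- 2. Record the count; it should match the member count of group 123 in the admin panel.
SELECT COUNT(*) AS to_lock
FROM xf_user
WHERE FIND_IN_SET('123', secondary_group_ids)
  AND security_lock <> 'reset';

-- 3. Apply inside a transaction so a wrong group id can be rolled back instead of
--    locking the whole user base.
START TRANSACTION;

UPDATE xf_user
SET security_lock = 'reset'
WHERE FIND_IN_SET('123', secondary_group_ids)
  AND security_lock <> 'reset';

-- ROW_COUNT() must equal the dry-run count from step 2.
SELECT ROW_COUNT() AS rows_locked;

-- Commit only if rows_locked matched; otherwise run ROLLBACK; instead.
COMMIT;

-- 4. Verify: nothing in the group should remain unlocked.
SELECT COUNT(*) AS still_unlocked
FROM xf_user
WHERE FIND_IN_SET('123', secondary_group_ids)
  AND security_lock <> 'reset';
```

The dry-run listing doubles as a triage view: sorting by last_activity shows whether the flagged accounts are really the long-dormant ones this thread is about before any of them are forced through a password reset.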
I have three very large forums and have had hundreds of these in the past week or so... Most from dormant accounts.

Are there any plugins available that force user accounts that haven't logged in in the past 6 months to change their passwords?
 
It might indeed. Thank you.
Is this officially released yet? I can't seem to find this here on Xenforo nor on the TH website under the addons. Only in this post.
It's not one we release like the others, just something we have that may be useful to others here.
Didn't work with my test user.
It runs on a cron, so you'd probably need to run it manually to see immediate changes.
 
It just creates an option group "[TH] Reverify Inactive Users" where you can set the action to take (default is just email confirmation) and the cut off days.
 
One of my forums has over 11k members, and goes back 26 years.

So far, we haven't had any of these, but we're on alert! It sounds like this has been a large problem in the past 48 hours, for a lot of forums.

Thanks for making that, Matt!
 
May I release it so people wishing to discuss it can do so in the addon support thread?
I'd rather it just stayed here for anyone that comes across the thread, not really looking to have it rebranded or turning into an actively maintained addon listed anywhere. It is what it is and is there if people come across it and find it useful to protect accounts against this spam attack.
 
You can use the addon "Dragonbyte Security" by @DragonByte Tech in 2 ways to avoid this issue:

  1. Turn on Captcha on Login. This will avoid any kind of brute-force login attacks.
  2. Monitor failed logins. If there are a lot of failed logins, probably someone is trying to hack accounts.
Good luck!
 
we see the same posts here but something is odd. They all show up in User Change Log with these settings changed:
[Screenshot: User Change Log entries showing the changed settings]

but "last login" is still from long ago. Server logs show a normal login.
Some have the Moldovan IP posted above but others show up as "No IP logs were found for the requested user."
 
Maybe trying to hide their tracks, so the account owner isn't notified.

Really odd if the login date isn't being moved, though.

Added 109.107.166.230 to the ban list.
 
we see the same posts here but something is odd. They all show up in User Change Log with these settings changed:
[Screenshot: User Change Log entries showing the changed settings]

but "last login" is still from long ago. Server logs show a normal login.
Some have the Moldovan IP posted above but others show up as "No IP logs were found for the requested user."
The last activity column is updated on a delay in the hourly rebuild cron, which may explain the last login date there (depending on where the date is pulled from).
 
we see the same posts here but something is odd. They all show up in User Change Log with these settings changed
I'd say this is not odd at all:

Let's assume those accounts are compromised because the attacker got an email address and a password that works to log into that email account (and other websites like forums where the same password was used) and that the user was not actively using those forum accounts (for a long time).

If that is the case, the attacker would not want the victim to become aware that the email account is compromised (due to forum notification emails) - so all email notifications are being turned off.
 
the last login issue is not a general one but seems to affect some of these accounts. The hourly cron runs fine manually; I see other (active) accounts are updated with today's date. Same for IP.

Maybe a local issue, not sure.

I'd say this is not odd at all:
sure, I meant the last login and IP problem, sorry
 