Should also note: you should move all the current users out of the affected quota (#1), remove all signup links to that quota, and finally remove the quota from the system completely. That will lock the attack to a non-existent quota; after that, you should be able to safely run the script above and block any requests still going to that quota.
Be careful: you could easily block real users if you don't remove the quota and all links to it... If one real user hits that link, Apache will reject them forever.
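The post above warns that blocking every request to the retired quota can lock out a real user who follows a stale link. As an added example (not part of the original thread, and not the script the poster refers to), the code below counts signup requests per IP for the retired quota in an Apache access log and separates repeat offenders from single hits. The `quota_id` query parameter, the combined log format and the threshold are assumptions; the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format (not real traffic).
# The "quota_id" parameter name is hypothetical; use whatever your signup links carry.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2011:05:40:01 +0000] "GET /signup.php?quota_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Nov/2011:05:40:03 +0000] "POST /signup.php?quota_id=1 HTTP/1.1" 200 811 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Nov/2011:05:40:09 +0000] "POST /signup.php?quota_id=1 HTTP/1.1" 200 811 "-" "Mozilla/4.0"
198.51.100.22 - - [20/Nov/2011:05:41:10 +0000] "GET /signup.php?quota_id=1 HTTP/1.1" 200 5120 "http://example.org/old-link" "Mozilla/5.0"
198.51.100.23 - - [20/Nov/2011:05:41:30 +0000] "GET /signup.php?quota_id=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.50 - - [20/Nov/2011:05:42:00 +0000] "POST /signup.php?quota_id=1 HTTP/1.1" 200 811 "-" "-"
192.0.2.50 - - [20/Nov/2011:05:42:02 +0000] "POST /signup.php?quota_id=1 HTTP/1.1" 200 811 "-" "-"
"""

# client IP, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def retired_quota_hits(log_text, retired_quota="1",
                       script="/signup.php", param="quota_id"):
    """Count requests per client IP to the signup script for the retired quota."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, _status = m.groups()
        url = urlsplit(target)
        if url.path != script:
            continue
        if retired_quota in parse_qs(url.query).get(param, []):
            hits[ip] += 1
    return hits


def block_candidates(hits, min_hits=2):
    """IPs that kept requesting the retired quota: candidates for a firewall block."""
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def needs_review(hits, min_hits=2):
    """Single hits may be a real user on a stale signup link: review, don't block."""
    return sorted(ip for ip, n in hits.items() if n < min_hits)


if __name__ == "__main__":
    counts = retired_quota_hits(SAMPLE_LOG)
    print("block:", block_candidates(counts))
    print("review:", needs_review(counts))
```
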
Joined: 20 Aug 2003
Posts: 5341
Location: Nottingham, UK
Posted: 11/20/11 05:46
I look after a site that is being seriously hit. It's in maintenance mode at the moment - the only sure way to stop them.
Are the bots getting past recaptcha? What hope for us if they are?
The site owner is desperate. Years of work building up the site are being ruined, and I'm not sure what to do for him.
We do not have root/command line access so can't do what you suggest, risky as it sounds. I'm going to create a new signup quota and move existing real users to that, then disable the existing one for now.
Is IP blocking a real answer? Won't the bots just move on to other IPs?
Pa
Joined: 14 Jan 2004
Posts: 224
Location: Exeter, UK
Posted: 11/20/11 12:23
Wow, I leave my site for a month or so. Imagine my delight when I last logged in to see that I had nearly 9000 new account sign-ups recently. I've never known it so bad on Jamroom.
I need to know the following:
How to delete multiple accounts.
How to delete multiple suspended users/artist accounts
How to stop these bots/people from signing up
If Jamroom intends to release a patch to solve this issue.
This problem has recently caused my site to go over my host's threshold and I expect it will stop my account soon.
Is IP blocking a real answer? Won't the bots just move on to other IPs?
Sure, banning IPs at the firewall isn't going to stop them completely, but it stops them from hitting Apache/SQL (it was a ditch effort for us to hold them temporarily, not long term). We contacted our host, but we are on a dedicated server, so ultimately it is our responsibility to handle this; 'IF' we violate TOS they will just shut us off, if it's our fault or not. Short of changing the domain name, JR licenses and the IP it points to, unfortunately the requests aren't going to stop; you have to patch it and wait it out. If you turn off your site, it'll be right there waiting for you when you turn it back on. I guess you could try turning it off for a week or two; our attack is going on close to a week now ...
henryjimdix:
How to delete multiple accounts.
How to delete multiple suspended users/artist accounts
How to stop these bots/people from signing up
If Jamroom intends to release a patch to solve this issue.
Please reread what has been posted here in detail.
There is a clear outline of what the attack looks like, ways to ward off the issue, patches that JR has provided and sysadmin tools that can be used 'at your own risk'. We have determined the point of entry, JR patched it very quickly because their support ROCKS!, and we are now just warding off what seems like a persistent botnet (5k+ IPs).
The Bottom Line, I think is this.
If your site has already been exposed then all you can do is hold them out and WAIT! There is no real way to stop the attack (we are still getting hit), but you can patch your site, clean up the db, hold them back as best you can, notify your host of the issue and wait until the attack stops; that really is the only course of action.
Lots of great solutions in the post to help you out on all the above! Keep you guys posted when/if it stops for us.
-g'luck
Last edited by jcable on 11/20/11 13:58; edited 2 times in total
Joined: 14 Jan 2004
Posts: 224
Location: Exeter, UK
Posted: 11/20/11 13:57
I have read the thread and started my war against these morons by changing the recaptcha code. Will work on the others later. Is there a way to mass delete artists? I've moved the spammers to a 'spam' quota but the auto prune to delete didn't do anything.
Joined: 18 Dec 2003
Posts: 13497
Location: Behind You
Posted: 11/20/11 15:23
I think it's about time for a form letter of some type to users. I'm about to hit everyone in my network today. I see a few people have already exceeded the 32k folder limit from the spam. A shame for a site with 100 artists to have to clean up 31,898 profiles. I see a lot of site owners are blissfully unaware; might be a good idea to make an attempt to let them know?
Others are just straight up closed and in maintenance mode for lack of a better solution as the one here is apparently insignificant or not significant enough to maintain business continuity. Is there anything else that can be done other than breaking the progress meter for security as I mentioned in another post? I think dropping the progress meter for a secured spam free site is looking like a better and better compromise the more I see the damage sites have taken. What are we looking at for solutions from here out?
Joined: 18 Dec 2003
Posts: 13497
Location: Behind You
Posted: 11/20/11 15:35
The least logical thing I can think of is to attempt to block IPs. If they're already beating the captcha form, I'm sure any other challenge setup will be just as easy.
The only solution I have that I know works, is to proxy the requests. The downside is that it breaks the progress meter. I can't find any other solutions that will improve the situation right now.
The least logical thing I can think of is to attempt to block IPs. If they're already beating the captcha form, I'm sure any other challenge setup will be just as easy.
The only solution I have that I know works, is to proxy the requests. The downside is that it breaks the progress meter. I can't find any other solutions that will improve the situation right now.
Are they beating captcha or recaptcha? It could be they just figured out a hack for that. I can't imagine they have someone physically doing all this so that is why I suggested the challenge question.
Banning IPs is virtually pointless, I agree. They are obviously using a proxy so they have IPs from all over. I just worry about my site getting hammered by hundreds/thousands of bots.
Joined: 09 Jul 2003
Posts: 37583
Location: Seattle, WA
Posted: 11/20/11 17:01
henryjimdix:
I have read the thread and started my war against these morons by changing the recaptcha code. Will work on the others later. Is there a way to mass delete artists? I've moved the spammers to a 'spam' quota but the auto prune to delete didn't do anything.
A prune should work - when you test it, are you not getting any results?
Joined: 09 Jul 2003
Posts: 37583
Location: Seattle, WA
Posted: 11/20/11 17:12
djmerlyn:
Others are just straight up closed and in maintenance mode for lack of a better solution as the one here is apparently insignificant or not significant enough to maintain business continuity. Is there anything else that can be done other than breaking the progress meter for security as I mentioned in another post? I think dropping the progress meter for a secured spam free site is looking like a better and better compromise the more I see the damage sites have taken. What are we looking at for solutions from here out?
It's not clear to me how a change in web server (or adding a proxy server) is going to prevent spam bots from signing up to a site. A request for "signup.php" would have to be proxied to Apache just like any other request. If the bot can properly enter the captcha, they will get in. As far as I know recaptcha has NOT been broken, and based on the explosion of spam users over the last couple of days I'm going to figure that the default Jamroom captcha _has_ been broken now, which is why we are seeing an influx of spam bots.
For now, moving to recaptcha, as well as making sure you are running the Jamroom 4.2.6 signup.php (from the bonus pack testing change set) should alleviate the issue as far as bots are concerned.
If these are real users signing up with the intention to spam your site, once again, Jamroom has no capability to determine the "intent" of a user at signup. There might be some merit to having a "spam" checker check blog posts, but at this time you can make sure your blog posts are going through the pending approval system - that should let you delete any spam entries that come through before making it onto your site.
It's also very important that you keep tabs daily on what's up on your system. The way these spam bots work is that they post a spam message, and then another process a day or two later looks for special "keywords" in the post to see if they are still there (this is why the first post often appears as just gibberish) - if they find the keywords then they know the system owner is NOT keeping tabs on spam, and you'll now get a truckload of "live" spammers descending on your system to start posting the "real" spam posts, which are typically URL heavy posts pointing to a specific site. This is done to get as many inbound links to a site as possible to push the site up the Google rankings as fast as possible.
So ultimately we can blame it on Google - the public availability of a site's PR ranking plays heavy into the sites that are spammed, and making it into Google's SERPs is so important to so many sites that they are willing to play dirty to get there.
I'm not aware of any completely technical solution that is going to allow you to be "hands off" - in this day and age you've got to be on top of it pretty regularly.
Sorry for asking, but how do we do this prune? That is, where is it setup?
Thanks
bigguy:
henryjimdix:
I have read the thread and started my war against these morons by changing the recaptcha code. Will work on the others later. Is there a way to mass delete artists? I've moved the spammers to a 'spam' quota but the auto prune to delete didn't do anything.
A prune should work - when you test it, are you not getting any results?
Hmm, the logs show that the spammers keep coming back. From just a few hours to a day or two. A prune may not get them. However, I set the blogs to admin approval. From there I can suspend the account and kill the blog.
I've been suspending the artist profiles that have spammed. Is there a way to see the suspended profiles only and then just delete them?
bigguy:
It is in the general settings tab of your quota config.