User Support Forum Archive (Read Only)
Jamroom Help:
SPAMMMMMMMMMMMMMMMMM
jcable



Joined: 05 Sep 2006
Posts: 50
Location: Austin, Texas

Posted: 11/20/11 19:07 
Recaptcha seems to be working to keep secure control over our other quotas; there have not been any other attacks on anything other than the original quota_id=9 they targeted. I agree, more than likely JR captcha HAS been compromised. I played with its settings a bit and it didn't make a difference.

Once we removed the quota, patched JR signup.php and moved to recaptcha, I am fairly confident that we are now secure. I have had several new users sign up and upload music and ZERO rogue accounts or spam since taking those actions. The system seems stable, except for the bot still attacking that quota id.

It's entirely possible they are spoofing those IPs; we can always revert them once the pounding stops. Banning at the firewall was a very bold choice to stop them quickly so they couldn't make an additional 100 Apache requests in a row over and over again, especially if we knew they were malicious from the get-go, per attacking that quota ID#.

We tend to manage our site every day; we have three admins, so I guess it helps that we are hands-on with both our server and JR. I have admin emails turned on so I'm instantly notified of the site's activity daily.

kdh



Joined: 19 Nov 2011
Posts: 18

Posted: 11/20/11 22:28 

kdh:
I work with Jcable on our site..

We have banned almost 4500 IP addresses..

I will provide you the list of IP addresses so you can ban them before they start beating on your server.

Private message me and I will send you a link to the text file. I do not want to post it on the open forum.


I'm up to 4800 banned IP addresses.. if you want the list, PM me and I'll send you the link.

2tunes



Joined: 23 Mar 2007
Posts: 251
Location: Chicago, IL

Posted: 11/21/11 14:10 
I've been looking for alternatives to "captcha" and found a couple that I think could be a temporary solution.

http://hellocaptcha.com/
http://www.captchagenie.com/

Here is an article dealing with the recent captcha crack.

http://www.allspammedup.com/2011/11/captcha-cracked-again/

Well, back to work on trying to bring my web site up to date. I'm still running 4.2.3.


_________________
440MUSIC.COM Internet Radio & Music Store
The Granddaddy of Internet Radio for the
Unknown, Unsigned, and Independent Musician
Going Beyond The Reach Of Satellite
rickallen



Joined: 09 Sep 2006
Posts: 302
Location: Flint, Michigan

Posted: 11/21/11 17:36 
Anybody have an idea about how to clean up the mess this caused? New signups have dropped off since the fix, but I have about 7 or 8 thousand pending accounts to remove.

Since these are pending accounts would setting the days to validate to one day clear them out automatically?

I'd rather not do prune since that seems to be based on last login and could kill some valid accounts correct?


_________________
JR 4.X + JR modules and addons ( I keep all of them current )
www.michiganmonster.com
Brian
Jamroom Team


Joined: 09 Jul 2003
Posts: 37583
Location: Seattle, WA

Posted: 11/21/11 17:52 

rickallen:
Anybody have an idea about how to clean up the mess this caused? New signups have dropped off since the fix, but I have about 7 or 8 thousand pending accounts to remove.

Since these are pending accounts would setting the days to validate to one day clear them out automatically?


Yes - if they are all pending, they'll be removed once the validation days have passed (it runs as part of the nightly daily maintenance cycle).


Quote:

I'd rather not do prune since that seems to be based on last login and could kill some valid accounts correct?


That's correct...

Hope this helps!

- Brian


_________________
Make sure and check out:
* The Jamroom FAQ
* The Jamroom Documentation
rickallen



Joined: 09 Sep 2006
Posts: 302
Location: Flint, Michigan

Posted: 11/21/11 22:26 
Thanks Big Guy! BTW nice quick response on this issue. Thanks for that.


_________________
JR 4.X + JR modules and addons ( I keep all of them current )
www.michiganmonster.com
2tunes



Joined: 23 Mar 2007
Posts: 251
Location: Chicago, IL

Posted: 11/22/11 06:35 
I've been searching for alternatives to CAPTCHA and got this from one of the PHP Groups I belong to:

Quote:
I'm looking for help ASAP finding a solution or an alternative to captcha
Quote:

Tom, as a comment pointed out, "No security system is perfect forever. Build a castle, here come catapults." To prevent bots from registering fake accounts on one of my systems I added two additional functions in the form process. I prefer not to use captcha due to the possibility of frustration.

First, I have a hidden input field with a random token key that is changed every 30 minutes via a cron job. Some robots repopulate all the form fields when submitting a request. If the form key is different than the set variable an error will be thrown. Resetting the key every 30 minutes helps prevent crawlers from being able to use the form later on.

Next, when the page is visited and the form is viewed, an ajax call is made to the server to set a new mt_rand() random number in a session variable. When the call is complete another hidden input is given this value and later checked when the form is submitted. If the form value does not equal the session value an error is thrown. This helps make sure the person has JavaScript enabled. Unfortunately the latency of the operation takes a few hundred milliseconds, but due to the project nature it is worth it.

I also implemented a few PHP-based conditions to help make sure JavaScript is enabled.

Bots are getting smarter; the functions I implemented are not perfect, but they help greatly.

This is a great resource for more captcha alternatives: http://www.evengrounds.com/developers/alternatives-to-captcha


Those of you who have more skills in this area I'd appreciate your advice.

Thanks Cool
Tom


_________________
440MUSIC.COM Internet Radio & Music Store
The Granddaddy of Internet Radio for the
Unknown, Unsigned, and Independent Musician
Going Beyond The Reach Of Satellite
jcable



Joined: 05 Sep 2006
Posts: 50
Location: Austin, Texas

Posted: 11/23/11 09:08 
As Brian provided in this post, ReCaptcha is easy to install, ready to go, and seems to be working very well for us thus far.
-g'luck


bigguy:



  • Switch to using ReCaptcha. Jamroom supports using Recaptcha in place of the built in captcha. You need to go here:

    http://www.google.com/recaptcha

    and click on the "use recaptcha on your site" button - fill in the form and you will be given some unique ID values for your site. Go into Jamroom Tools -> Advanced Settings and set the following 2 keys:

    jr_recaptcha_private_key
    jr_recaptcha_public_key

    to the values you received on the Recaptcha site. Reset your template cache and you should see Recaptcha in place of Jamroom's captcha. If you continue to receive spammer signups AFTER doing this, then it means it is not a bot signing up, but a real user and you'll need to manually delete accounts.


Hope this helps!

- Brian


2tunes



Joined: 23 Mar 2007
Posts: 251
Location: Chicago, IL

Posted: 11/23/11 09:43 
I must be the only one who avoids google!! like the plague!!!! Mad

So it looks like I'm on my own at this point. We got to get an alternative!!!


_________________
440MUSIC.COM Internet Radio & Music Store
The Granddaddy of Internet Radio for the
Unknown, Unsigned, and Independent Musician
Going Beyond The Reach Of Satellite
kdh



Joined: 19 Nov 2011
Posts: 18

Posted: 11/23/11 10:55 

2tunes:
I must be the only one who avoids google!! like the plague!!!! Mad

So it looks like I'm on my own at this point. We got to get an alternative!!!


What's wrong with Google?

I checked out the links you posted to http://hellocaptcha.com/

It's a pretty neat idea. You could easily write your own version of the same thing using the GD libs, FFmpeg, and a bit of PHP that would easily integrate into Jamroom. Once you get that code knocked out, post it up for all to share as I'm sure most people would be interested in it.

For now, most of us will just use Google ReCaptcha because it's working this very moment.

kdh



Joined: 19 Nov 2011
Posts: 18

Posted: 11/23/11 11:02 

kdh:

kdh:
I work with Jcable on our site..

We have banned almost 4500 IP addresses..

I will provide you the list of IP addresses so you can ban them before they start beating on your server.

Private message me and I will send you a link to the text file. I do not want to post it on the open forum.


I'm up to 4800 banned IP addresses.. if you want the list, PM me and I'll send you the link.


I'm up to 5200 IPs banned at this point.. if you want the list, PM me and I'll send you the link to the list.

Also.. it looks like it's slowing down.

At one point we were getting 1 signup every 70 or so seconds.. it's down to 6 attempts in an hour now.

You guys seeing a slow down, or are you still being pounded?

Honestly our site is working completely fine with no issues.

jcable



Joined: 05 Sep 2006
Posts: 50
Location: Austin, Texas

Posted: 11/23/11 11:08 

2tunes:
I must be the only one who avoids google!! like the plague!!!! Mad

So it looks like I'm on my own at this point. We got to get an alternative!!!


I feel confident that in due time the JR team will promptly provide an update to captcha, but as you posted, I think it's going to take some research as to how/why the current method is able to be compromised.

I do think that being able to change the font would drastically help; I use other captchas that supply this functionality, and if a font gets compromised, using an alternative font and point size usually helps. To my knowledge, changing the font is not an option as it stands.

For the intermittent time, Google reCaptcha is securing our site nicely. At this stage, I think this is the best/quickest option we have been supplied. Sure, we could try to mold in an alternative solution, but time presents a challenge for us. At the point when JR provides a new update to captcha we will switch back to a non-hosted captcha solution; for now it's working and I'm confident in the support supplied by JR for another solution eventually.

CAPER



Joined: 01 Jul 2006
Posts: 1554
Location: BRONX,NYC

Posted: 11/24/11 00:56 
I got about 18,000 spam signups and it sucks

djmerlyn
Jamroom Ustad


Joined: 18 Dec 2003
Posts: 13497
Location: Behind You

Posted: 11/24/11 15:55 

CAPER:
I got about 18,000 spam signups and it sucks


I'm still trying to get people to realize their sites are vulnerable and being nailed hard. I've resorted to moving signup.php to signup.php.bad and well I'll be damned if that doesn't solve the problem lol


_________________
Pro JR Hosting, now 50% off!
-100% Guaranteed

"more server and network power than any host, dedicated to your jamroom site"
2tunes



Joined: 23 Mar 2007
Posts: 251
Location: Chicago, IL

Posted: 11/24/11 20:01 
I've been looking at alternatives for CAPTCHA and I was wondering if we could insert a hidden field in the signup.php page that if filled in would reject the sign-up?

I'm not knowledgeable enough with PHP to do this, but after reading some of the info I've found I got this idea. Bots fill in fields, hidden or not, and if it's hidden real people won't see it but the bot will fill it in.

Happy Thanksgiving All.

Tommy TBones Cool


_________________
440MUSIC.COM Internet Radio & Music Store
The Granddaddy of Internet Radio for the
Unknown, Unsigned, and Independent Musician
Going Beyond The Reach Of Satellite
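The two checks described in the PHP-group post 2tunes quoted earlier (a hidden token rotated every 30 minutes, and a per-page-view value that a JavaScript call stores in the session) together with the honeypot field Tommy asks about above, as one added PHP example. This is not Jamroom code and not code from either poster; the function and field names (form_token, js_nonce, website), and deriving the rotating token from a server secret with an HMAC instead of a cron job that rewrites a random key, are assumptions made here.

```php
<?php
// signup_guard.php: added example of three lightweight bot checks for a
// signup form. Not Jamroom code. Function names, field names and the
// HMAC-derived token (in place of a cron-rotated random key) are assumptions.

declare(strict_types=1);

const TOKEN_WINDOW = 1800; // seconds; the quoted post rotates its key every 30 minutes

// Hidden token for the current 30-minute window. Keying it on a secret and the
// window number gives the same rotation as a cron job without writing a file.
function form_token(string $secret, int $now, int $window = TOKEN_WINDOW): string
{
    $bucket = intdiv($now, $window);
    return hash_hmac('sha256', (string) $bucket, $secret);
}

// Accept the current window and the one before it, so a visitor who loaded the
// form a minute before rotation is not rejected when they submit.
function token_is_valid(string $candidate, string $secret, int $now, int $window = TOKEN_WINDOW): bool
{
    foreach ([$now, $now - $window] as $t) {
        if (hash_equals(form_token($secret, $t, $window), $candidate)) {
            return true;
        }
    }
    return false;
}

// Called by the AJAX endpoint after the form is rendered. random_bytes() is
// used instead of the quoted post's mt_rand(), which is not suitable for
// values that must be unguessable. Returns the nonce that the page's
// JavaScript writes into the hidden 'js_nonce' input.
function issue_js_nonce(array &$session): string
{
    $nonce = bin2hex(random_bytes(16));
    $session['js_nonce'] = $nonce;
    return $nonce;
}

// Server-side checks on the submitted form. Returns the reasons the
// submission failed; an empty array means it passed all three checks.
function signup_spam_reasons(array $post, array $session, string $secret, int $now): array
{
    $reasons = [];

    // Honeypot: the 'website' input is hidden with CSS (not type="hidden"),
    // so a person never sees it, but a bot that fills every field will.
    if (($post['website'] ?? '') !== '') {
        $reasons[] = 'honeypot filled';
    }

    // Rotating token: a form page older than two windows is rejected.
    if (!token_is_valid((string) ($post['form_token'] ?? ''), $secret, $now)) {
        $reasons[] = 'form token stale or missing';
    }

    // JavaScript nonce: only present if the AJAX call ran after page load.
    $expected = (string) ($session['js_nonce'] ?? '');
    $given = (string) ($post['js_nonce'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        $reasons[] = 'js nonce missing or mismatched';
    }

    return $reasons;
}

// Constructed demonstration; no real traffic or real site values involved.
$secret = 'replace-with-a-long-random-server-secret';
$now = 1321981200; // constructed timestamp (2011-11-22 17:00:00 UTC)

// A browser: loads the form, runs the AJAX call, leaves the honeypot empty.
$session = [];
$nonce = issue_js_nonce($session);
$human = [
    'username'   => 'newmusician',
    'form_token' => form_token($secret, $now - 600), // form loaded 10 minutes ago
    'js_nonce'   => $nonce,
    'website'    => '',
];
var_dump(signup_spam_reasons($human, $session, $secret, $now));

// A bot: replays a token captured an hour ago, never ran the JavaScript,
// and fills in every field it finds, including the honeypot.
$bot = [
    'username'   => 'cheap-pills',
    'form_token' => form_token($secret, $now - 3600),
    'js_nonce'   => '',
    'website'    => 'http://spam.example',
];
print_r(signup_spam_reasons($bot, [], $secret, $now));
```

Two caveats worth keeping in mind with the honeypot: some browser autofill features will populate a CSS-hidden text input if its name looks like a known profile field, so give it an unusual name and `autocomplete="off"`; and log the rejection reasons rather than silently dropping the request, so that a burst of "honeypot filled" entries in the log tells you the bot is still hitting the form and a burst of "form token stale" entries tells you real visitors are being caught by the rotation window.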
©2003 - 2010 Talldude Networks, LLC.