3rd party spam exploit possible? Help please!

Re: 3rd party spam exploit possible? Help please!

Steve Hyndman -
回帖数:5

I've dealt with this on a couple of sites in the past week. This isn't your normal spam that is done automatically...there is a lot of human intervention here. From what I can gather:

1. The spammer finds a moodle site that allows account creation and email verification...lots of those out there

2. They manually create their account and verify it

3. They they seem to immediately go to the account profile and change the email address used to create the account...pretty smart actually, since Moodle does no require that a change of email be verified at the "NEW" address entered which allows someone to use a single email account to create an unlimited number of these spam accounts. Some people believe the spammers are using accouts like "mailanitor" to create these, but they can create a moodle account, change the email in the profile, and then use that same email address to create another account, allowing them to use any single email account to create as many moodle accounts as they want.

4. They enter their spam (long list of Pharmacy/Viagra links) in the profile description field. This gives them an automatic webpage that they can now use in their other spam emails.

My experience has been with two different 1.6 installs, but it seems to me the same exploits can happen in any version. So, what can you do?

1. Don't allow email account creation on your site (Not an option for many).

2. Set your site so that users must be logged in to see profiles. (You would think this would limit the value of using a profile for spam, but evidently the spammers aren't smart enough to check that since both sites I found this type spam on required users to be logged in to view profiles).

3. Remove users ability to use the "Description" field in the profile on the site. (This is what I did on both sites. By doing what I describe below, you will delete any information in the description field for all existing users on your site and prevent any new users from entering any useful information in that field).

To disable the ability to enter information in the profile "description" field in Moodle 1.6 -- Not sure about later releases -- I did the following.

1. Opened my database using phpmyadmin

2. Selected the mdl_user table

3. Opened the "description" field to edit the default values

4. Changed field type to CHAR

5. Set Length/Values to "1"

6. Set Default value to "1"

Saved.

Since this field is a required field, now when an account is created it will be automatically populated with the number 1. For all information currently entered in this field for existing accounts, only the first letter will show. If anyone updates an account, they can type as much as they want, but only the first letter will be saved.

Of course, you lose this field for your users, but it doesn't do the spammers any good either.

Disclaimer: This seems to work on the two sites where I applied it, but use at your own risk. Also, there may be easier and/or better ways to deal with this, but since the description field is not critical on the sites I dealt with, this seems to be an effective solution. 

Steve 

平均分:Useful (1)
回复Steve Hyndman

Re: 3rd party spam exploit possible? Help please!

Mauno Korpelainen -

Good answer, Steve!

http://tracker.moodle.org/browse/MDL-7407 - still human spammers can pass captcha. In moodle 1.8-1.9 you have a little more possibilities to control traffic and registration so upgrading may be worth trying.

The point is that moodle sites (user profiles) are just free web space for saving links to nasty pages - user profile that is open to google is like a free web page that can contain any links to illegel sites. Such open sites that nobody has used for a long time or really big sites with many users are ideal to hide some extra users. Most likely bots create different link lists and submit them to guestbooks and forums - searching with "user/view.php" gives you both moodle site user profiles and those link lists pointing to moodle sites. I suspect (like Steve) that human spammers select the content to user profiles - those unused bot profiles may be just test profiles that tell spammers how different sites react.

This whole spam business is something really rotten - nobody wants to buy any products or services from those links but every time somebody presses a spam link he/she possibly creates a new spam wave - or gets trojans etc. The main purpose is not to send ads but to steal identities, usernames and passwords, next steal servers, mail servers or even name servers to be able to create new fake email addresses, servers and so on. And spammers try to open any possible route they can think...

平均分: -
回复Steve Hyndman

Re: 3rd party spam exploit possible? Help please!

Mauno Korpelainen -

But I just noticed something - the reason why most attacked sites are old sites (using moodle 1.6 or moodle 1.5) might be exactly that setting forceloginforprofiles

In moodle 1.6 Administration -> Configuration -> Variables
and under Permissions
SET forceloginforprofiles: Yes

Enable this setting to force people to login as a real (non-guest) account before being allowed to see the user profile pages. By default this is disabled ("false") so that prospective students can read about the teachers of each course, but this also means that web search engines can see them.

In moodle 1.7-1.8-1.9
Administration -> Security -> Site policies
SET forceloginforprofiles: Yes

Enable this setting to force people to login as a real (non-guest) account before being allowed to see the user profile pages. By default this is enabled ("true")

For most cases this seems to be enough to keep anonymous visitors away from user profiles (as Martin already said in tracker). If somebody could just tell it to those thousands of moodle sites using moodle 1.5 or 1.6 thoughtful

It does not delete old links and user profiles inside moodle (administrators should check profiles manually) but at least it restricts straight access to user profile pages from spam links. 

平均分: -
回复Mauno Korpelainen

Re: 3rd party spam exploit possible? Help please!

Dan Hilke -
This is making a little more sense all the time... Mauno and Steve - I really appreciate your information and explanations!

My site really needs to be set up for Email authentication. It's sounding like that may be safe, as long as I make sure that forceloginforprofiles is set to yes. (My production site had this set to 'no' at the time of the attack.) Someone may still make phony users, but it will at least be a waste of their time.

Does this sound correct?
Thanks,
Dan


平均分: -
回复Dan Hilke

Re: 3rd party spam exploit possible? Help please!

Mauno Korpelainen -

Yes and it is also possible to lock field Description at least in moodle 1.6-1.9 (I don't have moodle 1.5 to check but it might be possible there as well) from

Administration -> Users -> Authentication options

It does almost the same as Steve's suggestion (the field can't be edited) but it is easier to change the setting from administration menu if you need to change description for some users and lock it again.

平均分: -
回复Mauno Korpelainen

Re: 3rd party spam exploit possible? Help please!

Ben Christopher -

Hi there,

i have 2 sites on my host server and i realised that someone has hacked into my non moodle site. i have deleted the "online" directory where they had kept their link and i have been advised to do the following:

Chmod all folders to at least 755 (check with the moodle devs if that is ok)

Chmod all files to atleast 644 (again, check this with the devs).

as far as i can see, most files/directories have these settings anyway.

in addition, i was advised to:

Remove / rename install.php

Is this recommended?

also in admin/users/manual accounts and email based selfregistration - i have set "description" to locked - as advised above.

is it worth also disabling  Email-based self-registration (Administration

Users Authentication Manage authentication)

any help, as usual. greatly appreciated

ben

平均分: -