auto registration problem

[rj]

Auto registration sends the email, clics the link in the email, come back, log in and it won't accept the password (or name I suppose). This may be only the case for those who have registered long ago, been deleted and are registering again? If "I" Go in and add a new password to both fields in Manage Users for them it works fine.

I am also getting over 100 notifications of registration attempts a day.
I turned off registration to comment and just used force name and email fields and the captcha and got about 5000 spam attempts a day, notified in email and filling up the admin comment area with approval requests. How are they getting past the captcha you think? I used the big bad pain in the ass api captcha which made no difference.
thankx
RJ

[garvinhicking]

Hi!

I don't understand the first part.

About captchas: This depends on your actual antispam settings, and maybe if you have other antspam plugins active. Several actions are performed before the captcha; if you've turned on global comment moderation for example, you get each comment notified despite the captcha. You'd need to show us all of your exact settings.

Regards,
Garvin

[rj]

For about a year now I have had troubles with the auto registration plugin. It is why I have been experimenting with various options to allow comments without registration. All of those options ended up with about 5000 spam attempts with email notifications a day. With auto registration I get about 100 attempts a day that fail getting in (the email verifications stops them) but I am email notified.

At first I thought the problem of real people failing the log in after registering was some sort of hidden Serendipity cookie in which someone who has registered previously and registers again cannot log in because of the same email address or maybe isp address or something. But the feedback is that no one is able to register and successfully log in. Most of course just give up and disappear, but the few who contact me for help I go in and put a password in each password field in Manage Users and email them the password and it works fine.

The click REGISTER or COMMENTS and click REGISTER, Add user comes up, they put in a name and password and email, they click GO, they get the email, they click the link in email which returns them, they see the message that they are now registered and to log in, and as soon as they do, they get WRONG PASSWORD or USERNAME. As most who fail this just go away, I and friends using different email addresses try it and it always fails for us too.

been fighting this issue for a year now...
http://rackjite.com

Thanx
RJ

[garvinhicking]

Hi!

Which s9y version and version of the adduser plugin are you running? And how did you configure event and sidebar plugin of the adduser plugin?

Regards,
Garvin

[rj]

serendipity 1.51
User self registration 2.27
I do not use it in the sidebar but take the ADD USER link and add it to the header area.
http://rackjite.com/index.php?serendipi ... e]=adduser
Maybe someone could try registering to see what happens?
Thanks
RJ

[garvinhicking]

Hi!

You need to update both your plugin and the s9y version.

Regards,
Garvin

[rj]

Ah! I think I see the problem! Remember on Nov 1st "WE" had issues after I moved to a dedicated server. You came in and fixed it which I assumed was doing some CMOD stuff.
Accessing EVENT UPGRADE and plugins failed in both templates c and plugins.
I havent tested the user reg yet but I changed all folders and files in both templates c and plugins to
read, write and execute and succeeded in both processes.

I got in big trouble in early November with Google who threatened to drop me as a spam site. the "Gift" trojan had gotten into "Uplaods" and was reaking havoc, literally thousands of link deposits. I had to take WRITE and EXECUTE off UPLOADS. What SHOULD I be doing with cmod overall? Are the places to have PUBLIC open to "write" and some not? And what about "execute"?

Thanx
RJ

[garvinhicking]

Hi!

Check http://www.s9y.org/11.html#A15

Regards,
Garvin

[rj]

755 means NO WRITE EXECUTE YES ... I am not clear on what EXECUTE actually means.
My concern is the UPLOADS directory where that horrible GIFTS worm got in.
Do I have to turn off EXECUTE also to protect it?

And now user reg works fine! This was the issue all along, THANKYOU GARVIN!

[Timbalu]

Sorry for hopping in....

You need the perm execute in uploads, else you cant upload.
But the real necessity is to find out how this worm got into into it!
This meens you have to find out which vulnerable script (like the ones we just had in htmlarea) opened this hole.

Ian

[rj]

Thanks. After Google emailed me a warning that I was spam site and needed to do something within 24 horus or else... I found it easy enough. It was a folder in /UPLOADS named "Gifts" with literally thousands of link files in it. So it was just a matter of deleting the folder and changing the permissions. I took away both write and execute in public which meant my helpers couldnt do their graphics, I had them email them to me and I ftpd them. So now I have changed it to NO WRITE EXECUTE YES which is correct I assume? I am always now on the watch on the UPLOADS directory, if fact I check all directories for GIFTS quite often. Next time I will come by here and have someone take a look if they could before I do anytjhing. But WRITE OFF and EXECUTE ON is what it should be?

[Timbalu]

Heeeeeeee, halllooooooo...., I did't talk about removing the worm, this is self-evidence!
I talked about finding out HOW they did it.
Before you can't say how === STOP interneting!!!
( and you still need at least 775 or even 777 )

Ian