Massive spam issue even though domains are blacklisted and only admin or API can shorten #2353

Closed
olenoerby opened this Issue Jan 12, 2018 · 7 comments


olenoerby commented Jan 12, 2018

Technical details regarding my environment

  • YOURLS version: 1.7.2
  • Plugins enabled: 404 Redirect, Anti spam, Google Analytics, Force Lowercase, Change error messages, Mass remove links, Random backgrounds, Random keywords, SSL for SSL, Yourls Abusedesk, reCaptcha.
  • PHP version: 7.1
  • Running on Ubuntu 17.10 with quite a bunch of subdomains, a lot of them running PHP, but none of them having been hacked before.

Bug description

My instance of YOURLS gets a lot of spam domains or malware-ridden domains by many different IPs and countries even though the domains they shorten are banned.
Example:
It's not even possible to shorten big sites such as YouTube, yet still a link or two appears daily in my administrative panel, with multiple clicks already on it.

HOW does this happen, and how do I block it if even administrator login, captcha and regeneration of the API key don't block it?

Member

ozh commented Jan 12, 2018

URL ?

afahmiparidin commented Apr 9, 2018

Hi @ozh,

This is to share probably the same concern as @olenoerby's post.

This is my POC for yourls.org -> http://tlkm.my/

I closed the form; however, there's still unidentified input in the URLs created.

[image]

If we look at the IP, it's an invalid IP format:

1.1 4709a868646bacc9738100003797f08a d

So there's somewhere a spammer can get to create the link without the form.

Thank you,
Fahmi Paridin

Member

ozh commented Apr 9, 2018

@afahmiparidin: most likely this isn't added to the YOURLS DB using standard input, since in that case the IP would be determined by the system, yet here it appears the value is being submitted. I suggest you change your secret key (see https://github.com/YOURLS/YOURLS/wiki/PasswordlessAPI) and your server passwords (MySQL, FTP).
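The two signals raised in this thread (an `ip` column value that is not an address, and a shortened host that is on the ban list) can be turned into a quick triage check over an export of the links table; this is an added example, not code from YOURLS or from anyone in the thread, and it assumes rows in the shape (keyword, url, ip, timestamp) with constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample rows in the shape (keyword, url, ip, timestamp).
# The malformed "ip" value is the one quoted in the thread above; the rest is made up.
SAMPLE_ROWS = [
    ("abc12", "https://example.org/page", "203.0.113.7", "2018-04-09 10:00:00"),
    ("zz9q1", "http://spam.example/offer", "1.1 4709a868646bacc9738100003797f08a d", "2018-04-09 10:01:00"),
    ("kk8r2", "https://youtube.com/watch?v=x", "198.51.100.20", "2018-04-09 10:02:00"),
    ("v6ok1", "https://example.net/", "2001:db8::1", "2018-04-09 10:03:00"),
]

# Hosts the operator has banned in the shortener (constructed list; YouTube is mentioned in the report).
BANNED_HOSTS = {"spam.example", "youtube.com"}


def ip_is_valid(value):
    """True if the stored value parses as an IPv4 or IPv6 address, which is what
    the normal form/API path records; anything else was written by some other route."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def host_is_banned(url, banned):
    """True if the URL's host is a banned domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in banned)


def suspicious_rows(rows, banned=BANNED_HOSTS):
    """Return (keyword, reasons) for rows that should not exist if every link
    had passed through the shortener's own validation."""
    findings = []
    for keyword, url, ip, _timestamp in rows:
        reasons = []
        if not ip_is_valid(ip):
            reasons.append("ip_not_an_address")
        if host_is_banned(url, banned):
            reasons.append("host_banned")
        if reasons:
            findings.append((keyword, reasons))
    return findings


if __name__ == "__main__":
    for keyword, reasons in suspicious_rows(SAMPLE_ROWS):
        print(keyword, ", ".join(reasons))
```

Rows flagged only for a banned host may still have come through a bypassed plugin hook, but a row with a non-address `ip` value is a strong sign of direct database writes, which is the scenario discussed here.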

afahmiparidin commented Apr 9, 2018

Dear @ozh, thanks for the reply.

For sure, will do as recommended. However, if I find out anything wrong, I'll let you know.

Contributor

PopVeKind commented Apr 9, 2018

@afahmiparidin - Hi Fahmi!
I agree with ozh; it looks like someone got into your site. It is hard (pretty much impossible) to fake the IP from outside of a system because it is used to return the reply. So... it looks like your system was compromised from inside, rather than outside.

Besides the secret keys ozh told you about, and things like usernames, passwords, and YOURLS_COOKIEKEY (in config.php), there are more passwords you really need to change/strengthen. You may want to take a look at the tips on this page: http://a.fil.net/s/admin/setup-config.php?step=0

Beyond MySQL and FTP passwords, you may have a password to admin your server from a webpage.
Likewise, you may have a password for something like phpMyAdmin with a ridiculously simple password (or no password from within the website). Your hosting company may have set this up without you even knowing it. With access to a phpMyAdmin account for your server, I could change everything in your YOURLS database, and never even get close to your website form!

Finally, when a cracker gains access, he might not want to lose it! Most crackers will add hidden code to files you expect to be there. The easy way to fix this is to copy all the core files onto your server again. The standard files will not have the extra code and will therefore wipe out any added code. Just be aware of your custom files, for example config.php. Any file you made a manual change to, you will want to save before you upload the new files.

I hope this helps you, Fahmi.

afahmiparidin commented Apr 10, 2018

@PopVeKind yeah, well that helps.

> Finally, when a cracker gains access, he might not want to lose it! Most crackers will add hidden code to files you expect to be there. The easy way to fix this is to copy all the core files onto your server again. The standard files will not have the extra code and will therefore wipe out any added code. Just be aware of your custom files, for example config.php. Any file you made a manual change to, you will want to save before you upload the new files.

I had already forgotten about this tip. Thanks for reminding me.

Collaborator

dgw commented Jul 10, 2018

Since this sounds like the result of a compromised server, I'm going to close it. We can reopen if it turns out that the entry point was YOURLS after all.

@dgw dgw closed this Jul 10, 2018
