Massive spam issue even though domains are blacklisted and only admin or API can shorten #2353
Technical details regarding my environment
My instance of YOURLS gets a lot of spam domains or malware-ridden domains shortened by many different IPs and countries, even though the domains they shorten are banned.
HOW does this happen, and how do I block it, if even administrator login, captcha and regeneration of the API key don't block it?
Hi @ozh,
This is to share probably the same concern as @olenoerby's post.
This is my POC for yourls.org -> http://tlkm.my/
I closed the form; however, there's still unidentified input in the URL created.
If we look at the IP, it's in an invalid IP format:
1.1 4709a868646bacc9738100003797f08a d
So, there's somewhere the spammer can get to create the link without the form.
@afahmiparidin: Most likely this isn't added to the YOURLS DB using standard input, since in that case the IP would be determined by the system, yet here it appears the value is being submitted. I suggest you change your secret key (see https://github.com/YOURLS/YOURLS/wiki/PasswordlessAPI) and your server passwords (MySQL, FTP).
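The malformed `ip` value above is a useful indicator: YOURLS fills that column itself from the request, so a row whose `ip` is not a well-formed address, or whose target domain is on the instance's own ban list, did not come through the normal shortening path. The following audit is an added example written for this thread, not code from YOURLS or from any participant. The rows and the banned-domain set are constructed; on a real instance you would feed it the `keyword`, `url` and `ip` columns of the URL table (named `yourls_url` with the default table prefix, an assumption about the install) and the instance's actual blacklist.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample rows shaped like the YOURLS URL table (keyword, url, ip).
# Made-up values for illustration only; the odd ip string on "spam1" mirrors
# the kind of value reported in this thread.
SAMPLE_ROWS = [
    {"keyword": "ok1",   "url": "https://example.com/page", "ip": "203.0.113.7"},
    {"keyword": "ok2",   "url": "http://example.net/",      "ip": "2001:db8::1"},
    {"keyword": "spam1", "url": "http://example.org/x",     "ip": "1.1 4709a868646bacc9738100003797f08a d"},
    {"keyword": "spam2", "url": "http://sub.example.org/y", "ip": "198.51.100.23"},
    {"keyword": "spam3", "url": "http://example.com/z",     "ip": ""},
]

# Constructed stand-in for the instance's banned-domain list.
BANNED_DOMAINS = {"example.org"}


def is_valid_ip(value):
    """True only if value is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def domain_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_banned(host, banned):
    """Exact match or subdomain of any banned domain."""
    return host in banned or any(host.endswith("." + b) for b in banned)


def audit_rows(rows, banned):
    """Map keyword -> list of reasons for every row that should not exist.

    An invalid ip means the row bypassed the code that records REMOTE_ADDR;
    a banned domain means the row bypassed the blacklist filter.
    """
    findings = {}
    for row in rows:
        reasons = []
        if not is_valid_ip(row["ip"]):
            reasons.append("invalid ip")
        if is_banned(domain_of(row["url"]), banned):
            reasons.append("banned domain")
        if reasons:
            findings[row["keyword"]] = reasons
    return findings


if __name__ == "__main__":
    for keyword, reasons in audit_rows(SAMPLE_ROWS, BANNED_DOMAINS).items():
        print(f"{keyword}: {', '.join(reasons)}")
```

Rows flagged for "invalid ip" are the strongest signal of direct database writes or a code path that lets the client supply the value; rows with a valid IP but a banned domain point at a filter bypass instead, which is worth knowing before rotating credentials.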
@afahmiparidin - Hi Fahmi!
Besides the secret keys ozh told you about, and things like usernames, passwords, and YOURLS_COOKIEKEY (in config.php), there are more passwords you really need to change/strengthen. You may want to take a look at the tips on this page: http://a.fil.net/s/admin/setup-config.php?step=0
Beyond MySQL and FTP passwords, you may have a password to admin your server from a webpage.
Finally, when a cracker gains access, he might not want to lose it! Most crackers will add hidden code to files you expect to be there. The easy way to fix this is to copy all the core files onto your server again. The standard files will not have the extra code and will therefore wipe out any added code. Just be aware of your custom files, for example config.php. Any file you made any change to manually, you will want to save before you upload the new files.
I hope this helps you, Fahmi.
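Re-uploading the core files is the fix; knowing which files were altered or added tells you how far the intrusion went. This is an added example, not part of the thread or of YOURLS: it hashes a pristine copy of the release and the deployed tree, then reports modified, added and missing files, skipping site-specific files such as config.php. The file names below are constructed to look like a YOURLS layout; `demo()` builds both trees in temporary directories so it runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map POSIX-style relative path -> digest for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(reference, deployed, ignore=()):
    """Diff two path->digest maps.

    modified: present in both with different content
    added:    present only in the deployed tree (planted files)
    missing:  present only in the reference (deleted core files)
    Paths in `ignore` are skipped, e.g. config files that legitimately differ.
    """
    ignore = set(ignore)
    modified = sorted(k for k in reference
                      if k in deployed and reference[k] != deployed[k] and k not in ignore)
    added = sorted(k for k in deployed if k not in reference and k not in ignore)
    missing = sorted(k for k in reference if k not in deployed and k not in ignore)
    return {"modified": modified, "added": added, "missing": missing}


def _write(root, rel, content):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(content)


def demo():
    """Constructed scenario: a clean release copy versus a tampered deployment."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as live:
        # Constructed, YOURLS-like file names; not a real release manifest.
        for root in (ref, live):
            _write(root, "yourls-loader.php", "<?php // loader\n")
            _write(root, "includes/functions.php", "<?php // functions\n")
            _write(root, "user/config.php", "<?php // config\n")
        # Deployed copy: one core file altered, one unexpected file dropped in,
        # and the site's own config legitimately differs from the release copy.
        _write(live, "includes/functions.php", "<?php // functions\n// unexpected extra line\n")
        _write(live, "includes/.cache.php", "<?php // not part of the release\n")
        _write(live, "user/config.php", "<?php // config with site secrets\n")
        return compare_trees(hash_tree(ref), hash_tree(live), ignore={"user/config.php"})


if __name__ == "__main__":
    print(demo())
```

Run `hash_tree()` on the freshly downloaded release and on the server's document root (over the same version), then `compare_trees()` with your customised files in `ignore`; anything in `added` deserves a look before you overwrite, since a planted file outside the core file set would survive a plain re-upload.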
@PopVeKind Yeah, well, that helps.
I had already forgotten about this tip. Thanks for reminding me.