Spammer bypassed signup code

I just installed a brand spanking new WPMU last night, set up the signup code on it, installed a few more plugins, and went to bed.

Woke up this morning and checked my email to find that a spammer has signed up for a blog. I haven't given out the signup code to anyone. I can't sign up myself without a signup code, so how did this person sign up?

Is there a way to verify what signup code they used on the signup form?

Going through my logs, I only see 1 signup attempt, and it was successful:

70.242.14.138 - - [10/Jun/2010:05:19:17 -0400] "GET /wp-signup.php HTTP/1.1" 200 4848 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
70.242.14.138 - - [10/Jun/2010:05:19:18 -0400] "POST /wp-signup.php HTTP/1.1" 200 4549 "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
70.242.14.138 - - [10/Jun/2010:05:20:32 -0400] "GET /wp-activate.php?key=c28f75d8d9a95ffc HTTP/1.1" 200 3662 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
70.242.14.138 - - [10/Jun/2010:05:20:33 -0400] "POST /wp-activate.php HTTP/1.1" 200 3662 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
70.242.14.138 - - [10/Jun/2010:05:20:17 -0400] "GET /wp-activate.php?key=c28f75d8d9a95ffc HTTP/1.1" 200 3355 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
70.242.14.138 - - [10/Jun/2010:05:21:40 -0400] "POST /kaleigh7335889/wp-login.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
70.242.14.138 - - [10/Jun/2010:05:21:42 -0400] "GET /kaleigh7335889/wp-admin/options-writing.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
69.61.101.173 - - [10/Jun/2010:05:21:43 -0400] "POST /wp-cron.php?doing_wp_cron HTTP/1.0" 200 - "-" "WordPress/2.9.2; http://kaleigh7335889.*deleted*.com"
70.242.14.138 - - [10/Jun/2010:05:21:43 -0400] "POST /wp-login.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
70.242.14.138 - - [10/Jun/2010:05:21:45 -0400] "GET /wp-admin/options-writing.php HTTP/1.1" 200 15465 "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
70.242.14.138 - - [10/Jun/2010:05:21:46 -0400] "POST /wp-admin/options.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"

Any suggestions?

    drmike

    Just to clarify, is BuddyPress installed? I know you said it's a brand new wpmu install. Just want to make sure though.

    Aaron

    Thanks for posting your log. I've honestly never been able to get someone to do it. I'm going to get this checked into as I've heard from 2 others that a spammer was able to bypass the code recently but you are the first to actually prove it with a log ;-).

    I really wish I could see what the POST content was...

    kernel_panic

    Another one just signed up:

    207.199.197.231 - - [10/Jun/2010:12:29:34 -0400] "GET /wp-signup.php HTTP/1.1" 200 6035 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    207.199.197.231 - - [10/Jun/2010:12:29:35 -0400] "POST /wp-signup.php HTTP/1.1" 200 5726 "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
    207.199.197.231 - - [10/Jun/2010:12:33:33 -0400] "GET /wp-activate.php?key=43116a8682383597 HTTP/1.1" 200 3624 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
    207.199.197.231 - - [10/Jun/2010:12:33:34 -0400] "POST /wp-activate.php HTTP/1.1" 200 3624 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
    207.199.197.231 - - [10/Jun/2010:12:33:21 -0400] "GET /wp-activate.php?key=43116a8682383597 HTTP/1.1" 200 4519 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2 zlib/1.2.3"
    207.199.197.231 - - [10/Jun/2010:12:38:42 -0400] "POST /maya9948091/wp-login.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
    207.199.197.231 - - [10/Jun/2010:12:38:42 -0400] "GET /maya9948091/wp-admin/options-writing.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
    69.61.101.173 - - [10/Jun/2010:12:38:43 -0400] "POST /wp-cron.php?doing_wp_cron HTTP/1.0" 200 - "-" "WordPress/2.9.2; http://maya9948091.*deleted*.com"
    207.199.197.231 - - [10/Jun/2010:12:38:43 -0400] "POST /wp-login.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
    207.199.197.231 - - [10/Jun/2010:12:38:44 -0400] "GET /wp-admin/options-writing.php HTTP/1.1" 200 15433 "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
    207.199.197.231 - - [10/Jun/2010:12:38:46 -0400] "POST /wp-admin/options.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6 OpenSSL/0.9.8k zlib/1.2.3"
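    The two log excerpts above show the same shape: one client IP fetches wp-signup.php with a browser-looking user agent, then POSTs the form, hits wp-activate.php with a key and logs in, all within a couple of minutes and mostly with a curl user agent. The script below is an added example (not code from this thread or from WPMU DEV) that reads Apache combined-format access log lines, groups them by client IP, and reports every IP that completed the signup, activation and login chain, flagging the chain as suspicious when any step was made by a non-browser user agent. The sample log lines are constructed for the example, with documentation IP ranges and placeholder activation keys; the user-agent heuristic and the step definitions are assumptions chosen to match the lines posted in the thread, not anything WordPress itself provides.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, as used by the lines posted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: anything whose UA does not start with a browser prefix is scripted.
BROWSER_HINTS = ("Mozilla/", "Opera/")

# Constructed sample log: 203.0.113.5 mirrors the scripted pattern from the thread,
# 198.51.100.7 is a human signing up from a browser, 192.0.2.9 only viewed the form.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2010:05:19:17 -0400] "GET /wp-signup.php HTTP/1.1" 200 4848 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
203.0.113.5 - - [10/Jun/2010:05:19:18 -0400] "POST /wp-signup.php HTTP/1.1" 200 4549 "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6"
203.0.113.5 - - [10/Jun/2010:05:20:32 -0400] "GET /wp-activate.php?key=EXAMPLEKEY000001 HTTP/1.1" 200 3662 "-" "curl/7.18.2 (i386-pc-win32) libcurl/7.18.2"
203.0.113.5 - - [10/Jun/2010:05:21:40 -0400] "POST /exampleblog1/wp-login.php HTTP/1.1" 302 - "-" "curl/7.19.6 (i386-pc-win32) libcurl/7.19.6"
198.51.100.7 - - [10/Jun/2010:09:02:01 -0400] "GET /wp-signup.php HTTP/1.1" 200 4848 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
198.51.100.7 - - [10/Jun/2010:09:04:12 -0400] "POST /wp-signup.php HTTP/1.1" 200 4549 "http://example.com/wp-signup.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
198.51.100.7 - - [10/Jun/2010:09:20:45 -0400] "GET /wp-activate.php?key=EXAMPLEKEY000002 HTTP/1.1" 200 3662 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
198.51.100.7 - - [10/Jun/2010:09:22:03 -0400] "POST /exampleblog2/wp-login.php HTTP/1.1" 302 - "http://example.com/exampleblog2/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"
192.0.2.9 - - [10/Jun/2010:11:00:00 -0400] "GET /wp-signup.php HTTP/1.1" 200 4848 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string (activation key etc.)
    return rec


def signup_sessions(lines):
    """Group requests by client IP and report every IP that completed the
    signup -> activation -> login chain, noting which steps were scripted."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    reports = []
    for ip, recs in by_ip.items():
        # Log lines are not always in time order (see the thread's excerpts), so sort first.
        recs.sort(key=lambda r: r["ts"])
        steps = {}
        for r in recs:
            if r["method"] == "POST" and r["path"] == "/wp-signup.php" and r["status"] == 200:
                steps.setdefault("signup", r)
            elif r["path"] == "/wp-activate.php" and r["status"] == 200:
                steps.setdefault("activate", r)
            elif r["method"] == "POST" and r["path"].endswith("/wp-login.php") and r["status"] == 302:
                steps.setdefault("login", r)
        if {"signup", "activate", "login"}.issubset(steps):
            scripted = [name for name, r in steps.items() if not r["ua"].startswith(BROWSER_HINTS)]
            elapsed = (steps["login"]["ts"] - steps["signup"]["ts"]).total_seconds()
            reports.append({
                "ip": ip,
                "seconds": elapsed,            # signup POST to first login
                "scripted_steps": scripted,    # steps made with a non-browser UA
                "suspicious": bool(scripted),
            })
    return reports


if __name__ == "__main__":
    for report in signup_sessions(SAMPLE_LOG.splitlines()):
        print(report)
```

    Run it against a real access log with `signup_sessions(open("access.log"))`. The time-between-steps figure is worth keeping alongside the user-agent flag: a human rarely gets from the signup POST to a successful login inside two minutes, so a short interval is a second, independent signal when the client bothers to fake a browser user agent on every request.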

    Aaron

    Ok, looks like you've helped find a security vulnerability in core WPMU/WP3.0 Multisite! (well credit goes to the sploggers first...)

    We have a temporary patch idea for this and will upload it probably by next week.

    I am creating a trac ticket for this so we can get a permanent fix in core though, and will post a link to that if you want to know the details.

    kernel_panic

    I'm running 2.9.2, so this affects that as well.

    drmike

    Thanks for posting your log. I've honestly never been able to get someone to do it

    Actually this has been an ongoing issue for years. Every few months someone posts to the mu forums that they had a spammer register on their install even though registration is turned off. We ask them about their logs and what debugging they've done and 9 times out of 10, we get back a "huh?" and never hear back from them.

    edit: Only thread I can find on the topic right off. There were many others:

    http://mu.wordpress.org/forums/topic/17304

    Aaron

    Dr. Mike, I did a quick perusal of the wp-signup.php code and it is currently not possible to bypass the reg value in 3.0 via a bot, though I wouldn't be surprised if that was not the case a few versions back, would have to search the old trac. I think a lot of those threads may have been due to using multi-site plugins (like Ron's) and each site having a separate registration setting.
