Silent comment spam

tkan · 2018-01-25 10:30:41

Hi there,

sorry if this a known issue but I couldn’t come up with creative search terms for the forum. My issue is:

I run a blog with Textpattern (v4.6.2) which is not listed on Google. I am fairly certain about having strong login credentials. There has been a significant amount of comment spam on my blog (one comment per day – mostly on a specific post). I have a fairly simple spam protection (“submit” is unclickable until the preview button has been pressed and the preview is rendered). Every time I get a comment I will receive an email notification.
Now, the comment spam is not triggering an email notification leading me to the assumption that the spammers 1) have access to my DB, 2) have access to my txp-installation or 3) use some injection technique.

Has anyone had similar experiences?

Thanks & all the best

Bloke · 2018-01-25 11:03:53

Long shot: is your preference setting on the Preferences->Comments panel set to All but spam?

You could also try installing a plugin like rah_comment_spam to see if you can trap the pesky comments outright. That gives you more control over what is decreed as ‘spam’ or not and to take action.

It might not be a bad idea to change your host, MySQL and Textpattern login passwords just in case. Short of a back door trojan being installed on your server, at least that’ll rule out direct access.

Once you are certain there are no fishy files around, and your site is in a known-good state, you could try out smd_prognostics which will monitor your site for suspicious activity. It needs a little visual srpuce up one day and – depending on your version of PHP – may require you to use the bleeding edge copy (which fixes some MySQL stuff) but other than that it’s a fairly decent tool. Even if I, ahem, do say so myself :-)

tkan · 2018-01-25 11:16:20

Thanks Bloke. Those are some excellent pointers.

1) Preferences->Comments is set to All (not All but spam). So notifications should be send regardless.

2) rah_comment_spam – ok will try that

3) Passwords – yeah, I feared so. But I would like to understand where the spam is originating from. And to put some super glue before this hole.

4) smd_prognostics – I see you like to do comprehensive documentation. I will take some time and try to get a grip of it. Thanks again.

If there are any more possibilities for understanding my silent spam I’d love to know.

Bloke · 2018-01-25 11:31:57

tkan wrote #308871:

Preferences->Comments is set to All … So notifications should be send regardless.

Yes. That makes it doubly odd if only regular comment emails are being received.

I would like to understand where the spam is originating from.

Me too. If it’s automated and somehow bypassing the comment email trigger then we need to investigate this and check it’s been patched in the upcoming 4.7.0.

Anything you find out about the state of your filesystem or if there are any Textpattern (Preferences->Site->Log all hits) or server logs that might give away how the comments are being triggered at a network level, would be incredibly handy. Feel free to drop me a line with anything you find out and I’ll see if we can help figure out what’s going on.

smd_prognostics – I see you like to do comprehensive documentation.

You could say that :-) If there’s anything you need help with, just let me know and I’ll try and explain it better. The docs could probably do with being tighter – I’ll get to that when I next update the plugin.

tkan · 2018-01-25 12:14:25

Bloke wrote #308872:

Anything you find out about the state of your filesystem or if there are any Textpattern (Preferences->Site->Log all hits) or server logs that might give away how the comments are being triggered at a network level, would be incredibly handy.

One of the comments which got through was “injected” on 16.01.2018 at 12:38:12. Here’s what the Apache log holds:

107.172.231.0 - - [16/Jan/2018:12:38:02 +0100] "GET /year/month/day/title/ HTTP/1.0" 200 11363 "http://mydomain.tld/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0"
107.172.231.0 - - [16/Jan/2018:12:38:09 +0100] "POST /year/month/day/title/ HTTP/1.1" 200 12261 "http://mydomain.tld/year/month/day/title/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0"
107.172.231.0 - - [16/Jan/2018:12:38:11 +0100] "POST /year/month/day/title/ HTTP/1.1" 302 - "http://mydomain.tld/year/month/day/title/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0"
107.172.231.0 - - [16/Jan/2018:12:38:13 +0100] "GET /year/month/day/title/?commented=1 HTTP/1.1" 200 10351 "http://mydomain.tld/year/month/day/title/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0"

I replaced some strings due to privacy, but maybe the ?commented=1 is a lead?

kuopassa · 2018-01-25 22:08:46

I’ve had similar problems with several Textpattern sites where spammers have managed to put several comments to one or two pages of a website. The only effective fix for that has been to close commenting for such pages.

?commented=1 should be visible after a comment has been sent and published, so it’s hopefully not a sign of hack. :-] If that would be commented=0 then comment has been sent and is waiting for moderation.

tkan · 2018-01-26 09:06:36

@kuopassa:
Thanks for the clarification. It is also interesting to hear that this issue bothers other users as well.

Neal Pole wrote a few years back about a vulnerability using an altered POST request. I wonder, if something similar is happening here.

As this is atm my strongest guess, the smd_prognostics plugin will likely be not of much help, unfortunately. I am planning on keeping my “honey pot” post open and try to catch a new wave of spam comments with mod_dumpio (or something similar) activated. Hopefully, I can log some strange POST (or GET) behaviour.

Last edited by tkan (2018-01-26 09:08:21)

Bloke · 2018-01-26 10:15:20

tkan wrote #308886:

Neal Pole wrote about a vulnerability using an altered POST request. I wonder, if something similar is happening here.

Never say never, but we patched everything we could find. The front side doesn’t use CSRF as such, but comments use a one-time nonce during the preview step so it should be nigh-on-impossible – short of a rainbow attack – to post a comment without that step. You can use the DOM inspector to enable the post button right out of the gate, but on submission, Txp sees that there’s no nonce or a non-existent faked nonce and bounces you back to the form, so you need to submit again anyway with the valid nonce it gives you from the first request.

This is how it should work:

Person types (or bot prepares) message payload.
Submitted.
If it’s the first time, there’s no nonce passed, the comment is rejected, an encoded nonce/secret pair are created and added to the form and message box. The preview step is triggered.
Second submission has to match the encoded nonce/secret or the comment is rejected.
Nonce is invalidated/old ones deleted.

Bottom line, there’s no way I can see to bypass the fact that there MUST be a valid, one-time nonce in the database before the comment can be accepted.

Now, in theory, you could prepare a POST payload with 1, 2, 5, 10, 1,000,000 name-value pairs containing md5 checksums in the hope that it matches one of the ones in the database from other commenters that have not yet completed their post. As soon as someone completes a post or 10 minutes have elapsed, their nonce is invalidated/deleted so you’d have to be quick.

If you were truly bored, you could craft a million “preview” posts in your bot script, which would generate a million nonces, then use those to complete the process, but why bother? You’ve got to post twice anyway, why not get your bot to just post twice through legit channels and save yourself the work? It’s not like this is national security: it’s a comment on a blog that uses md5 as a soft wrapper to help stop the fly-by-nights from flooding your inbox.

In terms of one or two posts attracting bots, that’s just one of those things. I get that on my own domains and on textpattern.com. The article I posted about Themes a few weeks ago has had about 40 spam posts, a large portion within a day or so. It’s died down now, but still continues to attract the odd spam message from all over the web. The posts before and after that: nada. Not one.

Same on my site. Spam companies sometimes stick their teeth into one or two and just hammer them, others don’t get a single hit. My best guess is it comes down to content. Some posts just attract more because they’re being trawled for keywords first.

That said, if you do find anything out from your logging, it would be incredibly helpful to us to ensure that the commenting system is as watertight as we can make it, so please submit anything of relevance. Thanks!

etc · 2018-01-26 10:19:23

Textpattern spam protection being rather basic, the automation is quite easy. That’s the silent part of it that is weird. From a quick look at the code I see no evidence of how a spam could not trigger the email notification while the “regular” comments (on the same article) do.

jakob · 2018-01-26 10:27:31

tkan wrote #308886:

Neal Pole wrote a few years back about a vulnerability using an altered POST request. I wonder, if something similar is happening here.

In all these years, I’d never seen that post. Interesting stuff. The only thing marked there as unresolved at the time is a whitelist of registered tags. That was added (“tag registry”) a while back. You’ll get a warning when older plugins have not registered their tag in the tag registry.

Do you have any plugins installed that might be bypassing the usual channels?

Bloke · 2018-01-26 10:37:59

etc wrote #308891:

Textpattern spam protection being rather basic

That’s an understatement! I guess it was never designed to be military grade.

That’s the silent part of it that is weird.

Yes, that’s what’s interesting to me too. Likewise, I scanned the code and can’t see a way to bypass the email notification or enforced nonce unless there’s direct DB/site access. More research required, maybe with my black hat on.

etc · 2018-01-26 10:58:30

Textpattern CMS

Textpattern CMS support forum

#1 2018-01-25 10:30:41