SID-01747: Getting Consistently Hacked
Status: Answered
TWiki version: 5.1.4
Perl version: 5.0
Category: CategoryAuthentication
Server OS: Linux
Last update: 12 years ago
My TWiki web site is getting consistently hacked. I had to stop registration until I can do something that stops this garbage. It appears that a worthless person in Australia (all registrations say Australia) has an automated script/bot on the web that tracks down TWiki sites like mine. It gets the registration form and fills it out and submits it. Since I have been using TWiki's authentication which uses automated E-mail verification, the script/bot must receive the registration number from the hacker's computer which receives the verification E-mail and then puts it in the appropriate form field of my TWiki site to gain access. It fills out tens of registration forms with different E-mail addresses. It processes all of these with made-up register/user names and then proceeds to put garbage spam in my TWiki site using a range of topics it defines. It's unbelievable.

The TWiki Black List won't help. I'll be spending all my time populating the Black List and cleaning up my TWiki site or using restore from backup. The only thing that could stop this, I think, is the Captcha Plugin. But I don't know if this works with the latest revision of TWiki, 5.1.4, that I use. Should I try it? Another way would be to allow me to send the authentication E-mail back to the person attempting to register rather than having it sent automatically. I can probably know if the person attempting to register is legit. I don't think the registration system of TWiki allows this option, correct? I guess I could modify the registration form. That would stop it for a period of time. Does anyone out there have a recommendation on what I should do?
--
David Steininger - 2013-06-24
Discussion and Answer
Do you use the latest version of the BlackListPlugin? A couple of months ago we had issues on TWiki.org with automated registrations with names like ManFred525. I enhanced the plugin to prevent those scumbags from registering.
--
Peter Thoeny - 2013-06-24
Great! I'll try it. I'll let you know what happens so that we find the optimal solution.
--
David Steininger - 2013-06-24
I am installing the plugin. But I have a question. Why must .htaccess with its "Deny from all" get put in the pub directory? The files in the pub directory are used in constructing the web site. Topic related files are in this directory. Web site won't work if this is done. What am I missing here?
--
David Steininger - 2013-06-28
Where did you see this instruction? Obviously the pub directory needs to be visible via browser.
--
Peter Thoeny - 2013-06-28
This .htaccess provided by the Black List Plugin Zip file as placed in the pub/TWiki/BlacklistPlugin folder simply states "Deny from All." The Blacklist PlugIn documentation states that: "pub/TWiki/BlackListPlugin/.htaccess Apache access control to protect pub dir."
--
David Steininger - 2013-06-29
Ah. The plugin generates files in the attachment directory for internal use only. This plugin was designed before the plugin working directory was introduced. So, yes, the plugin's attachment directory can/should be protected. Leave the .htaccess in twiki/pub/TWiki/BlacklistPlugin/.
--
Peter Thoeny - 2013-06-29
Okay. The documentation should say "Apache access control to protect BlacklistPlugin folder," not "pub dir." Thanks for the help. I'll let you know how this plugin works.
--
David Steininger - 2013-06-29
Got Blacklist working even though when installing it I get an Insecure dependency error. So I will close out this question.
--
David Steininger - 2013-07-20
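
The .htaccess scoping settled in the discussion above, as a check that can be run on the server (an added example, not part of the thread or of the BlackListPlugin distribution): the blanket deny belongs only in the plugin's attachment directory, never in pub or pub/TWiki. The function names are hypothetical, the plugin folder name is a parameter because the thread spells it two ways, and the Apache 2.4 form "Require all denied" is accepted alongside the "Deny from all" quoted above.

```shell
#!/usr/bin/env bash
# Added example: audit where a blanket deny sits under a TWiki pub directory.
# Assumption: layout twiki/pub/TWiki/<plugin folder>, as named in the thread.

# Succeeds if the file holds an active (uncommented) blanket deny:
# Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied".
has_blanket_deny() {
    [ -f "$1" ] || return 1
    grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' "$1"
}

# audit_pub PUB_DIR [PLUGIN_FOLDER]
# Prints findings; returns 0 only when the deny is scoped to the plugin folder.
# The thread writes both BlacklistPlugin and BlackListPlugin; on a
# case-sensitive filesystem pass the name that exists on disk.
audit_pub() {
    pub=$1
    plugin_dir="$pub/TWiki/${2:-BlacklistPlugin}"
    status=0

    # The plugin's internal-use files must not be served to browsers.
    if has_blanket_deny "$plugin_dir/.htaccess"; then
        echo "OK: $plugin_dir is denied to browsers"
    else
        echo "FAIL: $plugin_dir/.htaccess is missing or has no blanket deny"
        status=1
    fi

    # pub and pub/TWiki carry attachments the site needs; a deny here breaks pages.
    for dir in "$pub" "$pub/TWiki"; do
        if has_blanket_deny "$dir/.htaccess"; then
            echo "FAIL: blanket deny in $dir/.htaccess blocks topic attachments"
            status=1
        fi
    done
    return $status
}

# Run against a real install when a path is given, e.g.:
#   ./audit_pub.sh /path/to/twiki/pub BlackListPlugin
if [ "$#" -ge 1 ]; then
    audit_pub "$@"
fi
```

A passing result only shows the files are in the right place; Apache still has to honor them, which depends on the AllowOverride setting for the pub directory.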