So I think someone has an exploit into our kdenlive.org site. Back a few years, just before we moved the forums, JBM gave me admin privs on the site so I could help out with anti-spam and migrate the forums. For a while the site was pretty much offline with respect to user contributions. But around 2014-11-09, in response to a mantis request (https://bugs.kdenlive.org/view.php?id=3402), JBM turned the camcorder database back on.

Since then (maybe before; I have not been paying attention) the site has been getting hundreds of user registrations per week by spam bots, and we have been getting lots of spam posted to the camcorder database. I have been progressively trying to prevent this by adding extra captcha tests, then turning off the automatic sending of one-time log-in links to newly registered users and asking users to PM me in the forums if they want a kdenlive.org account. The result is that we still get lots of spam-bot-created users, but they are created with a blocked status. So this has been somewhat successful.

However, even after these measures the site is still getting one or two active users being created. And the logs show successful use of the one-time log-in link that used to be sent out, but which is not being sent out (by me at least). These users generate 3-4 spam posts per day. So I think someone is using an exploit of some kind on that site. It is currently running Drupal 7.34 (but I don't know when it got to that version). But back on 2014-Oct-15 a major security flaw in versions lower than 7.32 was announced, https://www.drupal.org/SA-CORE-2014-005, which has been given the name drupalgeddon. I don't know if JBM patched this issue. It is a pretty dramatic announcement - https://www.drupal.org/PSA-2014-003

*Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection <https://www.drupal.org/SA-CORE-2014-005>. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.*

So the fact that we get active users in the absence of approving them might be related. It might not. JBM - did you know about drupalgeddon and patch it within the 7 hour limit? (What a ridiculous time frame!!)

But this raises the question - does the camcorder database on kdenlive.org serve a useful purpose? Could it be moved to kde infrastructure too, like the forums? Or do we need it at all? Do we want to move the jbm/till/granjow blogs off kdenlive.org? Or can the vulnerability be fixed? My vote would be to just get off kdenlive.org altogether and use the kde.org infrastructure. Because - as JBM has found out - maintaining this sort of stuff in the big bad world of spammers is hard work. Time is better spent on kdenlive itself than on the drupal website.
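One way to answer the "was it patched?" question from the site's files, added here as an illustration and not part of the original message: it reads the Drupal version from includes/bootstrap.inc and looks for the one-line SA-CORE-2014-005 fix (array_values() around $data in expandArguments()) in includes/database/database.inc. The PHP excerpts below are constructed, and the docroot path in the comment is a placeholder.

```python
import re

# Constructed excerpt of Drupal 7 includes/database/database.inc before the
# SA-CORE-2014-005 fix; the fix wrapped $data in array_values() in expandArguments().
VULNERABLE_EXCERPT = """
  protected function expandArguments(&$query, &$args) {
    $modified = FALSE;
    foreach (array_filter($args, 'is_array') as $key => $data) {
      $new_keys = array();
      foreach ($data as $i => $value) {
        $new_keys[$key . '_' . $i] = $value;
      }
"""
# The same excerpt with the one-line fix applied (constructed).
PATCHED_EXCERPT = VULNERABLE_EXCERPT.replace(
    "foreach ($data as $i => $value)",
    "foreach (array_values($data) as $i => $value)",
)

def expand_arguments_patched(database_inc_source):
    """True if expandArguments() iterates array_values($data) (fix present),
    False if it iterates $data directly (vulnerable), None if it cannot tell."""
    start = database_inc_source.find("function expandArguments(")
    if start < 0:
        return None
    body = database_inc_source[start:]
    if re.search(r"foreach\s*\(\s*array_values\(\s*\$data\s*\)\s+as\s+\$i\s*=>\s*\$value", body):
        return True
    if re.search(r"foreach\s*\(\s*\$data\s+as\s+\$i\s*=>\s*\$value", body):
        return False
    return None

def drupal_version(bootstrap_inc_source):
    """Parse define('VERSION', '7.34'); from includes/bootstrap.inc into (7, 34)."""
    m = re.search(r"define\('VERSION',\s*'(\d+)\.(\d+)'\)", bootstrap_inc_source)
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(version, patched):
    """File evidence wins over the version string: a 7.34 tree whose database.inc
    still iterates $data directly has been tampered with or mis-deployed."""
    if patched is not None:
        return "patched" if patched else "vulnerable"
    if version is not None:
        return "patched" if version >= (7, 32) else "vulnerable"
    return "unknown"

if __name__ == "__main__":
    # On a real install read the two files from the docroot (placeholder path):
    # open("/path/to/docroot/includes/database/database.inc").read(), etc.
    print(assess(drupal_version("define('VERSION', '7.34');"),
                 expand_arguments_patched(VULNERABLE_EXCERPT)))
```

A "patched" result only says the hole is closed now, not that it was closed inside the window the PSA describes; the unexpected active users and the one-time log-in link use in the logs still need to be reviewed as possible signs of an earlier compromise.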
