question about spammers

Events happening in the community are now at Drupal community events on www.drupal.org.
socialtalker's picture

this is a general question, i dont know if this group is the right place to ask it, but since i am running Barracuda Octopus Aegir, what the heck.
3 weeks ago i put up some test sites. i went into the account section and made it so that visitors could not automactically register for an account, admin only. before that in previous installs, my mailbox would get crowded with pending account emails for sites with no content on them. anyway, it was working, no account user pending emails.

sunday, i get this email from "root"

[blockquote] Sun Sep 18 03:04:07 2011 -0400

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/sbin/csf: FAILED
/usr/sbin/lfd: FAILED[/blockquote]
i had not made any changes in the past 2 week on my server or BOA.

and now my mailbox is again getting flooded with pending user accounts. sure enough, i checked all my sites and somehow they were able to change
the "Who can register accounts?" selection from what i had set-"Administrators only" to "Visitors, but administrator approval is required". so now i have to go back to all my sites and reselect for "Administrators only" in the account settings section.
my question is: is this connected? and what should i do? thanks.

Comments

This warning about csf/lfd

omega8cc's picture

This warning about csf/lfd changed is normal, because AUTO_UPDATES = "1" is set by default in /etc/csf/csf.conf.

However, it is not connected in any way with any Drupal settings being reverted. Do you use some custom feature where you have these settings enabled maybe? Does this feature enable modules like dblog, update or devel? If yes, then /var/xdrago/usage.sh script running daily will revert/disable this feature. I don't see any other reason why it could happen.

i havent added ANYTHING, no

socialtalker's picture

i havent added ANYTHING, no other modules other than what is already in your script. and i wasnt getting them for 3 weeks. is there some other way i can check to see how this is being done?

Then I don't see any reason

omega8cc's picture

Then I don't see any reason why it could happen. BOA doesn't touch your sites configuration if you don't use any custom Feature with modules I listed above.

I had a similar thing happen

geofftech's picture

I had a similar thing happen with several new sites I thought I had locked down.

I have a "feature" that is activated in the install profile that sets this property to Admin only for creating logins. So this should all have been set as a default.

And a day or so ago, I had about a dozen "requests" to be members?? This should not have been possible!!

So that makes two occurrences of the problem - does that make it an epidemic yet?

Do you include in your

omega8cc's picture

Do you include in your Feature any module listed in my first comment above?

Same Here

magicmirror's picture

I'm in a similar situation with a site/server I haven't touched in at least 3+ weeks.

At 12:42AM this morning, a person from Russia attempted to create an account on a site I have set to automatically block any new account for admin approval. So the user became authenticated but blocked.

Then later this morning, I get this:

The following list of files have FAILED the md5sum comparison test. This means that the file has been changed in some way. This could be a result of an OS update or application upgrade. If the change is unexpected it should be investigated:

/usr/sbin/csf: FAILED
/usr/sbin/lfd: FAILED

This message was sent to me via e-mail at 5:05 CST.

You can check csf updates

reload's picture

You can check csf updates here:

http://blog.configserver.com/

Cheers

BOA

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds: