I've just come across Xrumer since we've been attacked for the last few days...
What I'm noticing is that the idiot spam bot master is inserting the same sequence of strings in certain fields each and every time, which makes it so simple to identify the spam bot registrations.
In our specific case, the spambot master is inserting the email address into our telephone number field - under no other circumstance has anyone else ever done this, nor should they (given it's supposed to be only digits in a tel number - or certainly at least there should never be an '@' symbol in a telephone number), so to identify spambot registrations it's as easy as searching for '@' in the specific field and then updating the usergroupid to the id of the banned usergroup for any user that meets that criteria on registration.
I've written a very simple plugin to do this, I couldn't see anything that is sophisticated enough to do what I needed to do (ironically it's a very simple thing that needs to be done, but of course from one botnet master to another the way that they choose to complete a registration form will differ, so this is only a 'hack' really short of someone writing a more complete plugin which includes customizable fields=>strings to search on). The closest I saw was this:
https://vborg.vbsupport.ru/showthrea...ghlight=xrumer
which works by searching for the existence of certain email addresses and/or IP addresses (and maybe one other criteria) in a registration and blocks them when it finds them, but it doesn't allow for the kind of custom search that I (or generally anyone else that is attacked by Xrumer will) need to perform in order to adequately defend against the attack.
I appreciate this thread is over a year old, but it seemed to be the most suitable thread relating to Xrumer attacks I could find, maybe this will help someone else... this is the plugin code (read 'hack'!) that I wrote:
PHP Code:
/*
hook location: register_addmember_complete
After a user has subscribed, check to see if a certain string is in one of the custom fields
and ban the user if it is.
The reason for this is that Xrumer (automated bot registration application) attacks often use
the same sequence of characters in certain sign up fields that are pretty much guaranteed to be
unique just to bot signups, so by searching for these strings we can ban them before they can
create any spam posts.
*/
// Email of admin to send notification to (leave empty to not send email):
$admin_email = "foo@bar.com";
// Usergroup ID of banned user group:
$bangroupid = 16;
// array of fields=>strings to search for:
$fields = array(
    // idiot spambot always puts email addresses in the telephone field...
    "field14" => "@",
);
// this sql does what we want the plugin to do, basically ban any user with an @ in field 14:
// update user set usergroupid=16 where userid in (select userid from userfield where field14 like "%@%");
// something like this the sql needs to look like:
// update user set usergroupid=$bangroupid where userid in (select userid from userfield where field14 like "%@%" and userid=$userid)";
// TABLE_PREFIX is vBulletin's table prefix constant (empty if the board has none);
// the ids are cast to integers before they go into the query.
$sql = "UPDATE " . TABLE_PREFIX . "user SET usergroupid=" . intval($bangroupid)
     . " WHERE userid IN (SELECT userid FROM " . TABLE_PREFIX . "userfield WHERE (";
$parts = array();
foreach ($fields as $fieldname => $needle) {
    // the search string is a LIKE substring, not a regexp; escape it, including % and _
    $parts[] = "$fieldname LIKE '%" . $db->escape_string_like($needle) . "%'";
}
// join up all the sql 'WHERE' clauses with an 'OR' operator (separator first, as PHP 8 requires):
$sql .= implode(" OR ", $parts) . ") AND userid=" . intval($userid) . ")";
// *MUST ADMIT I DIDN'T TEST THIS!!! CAREFUL IF YOU USE MORE THAN ONE SEARCH CLAUSE!*
$rc = $db->query_write($sql);
// if we 'hit' a spammer, report it via email:
if ($db->affected_rows() == 1 && isset($admin_email) && !empty($admin_email)) {
    $message = "The following user was banned by the Bot Registration Banning plugin:\n\n";
    $message .= "Username: $username\n";
    // CHANGE THIS:
    $message .= "Admin Panel: http://path.to.your.forum.com/board/admincp/user.php?do=edit&u=$userid";
    vbmail($admin_email, "Bot registrant banned on TGT", $message, true);
}
To use it you need to add a new plugin in the admin panel, set it to hook into the register_addmember_complete hook location (on the 'add plugin' page), obviously set it active and then modify the config variables $admin_email and $bangroupid. If you leave admin email empty it just won't send out any emails (I think?). The bangroupid can be found by looking at the usergroup.php page and seeing what the numeric ID is of your banned user group.
The path to your forum also needs changing in the code if you want to receive notification emails when it bans anyone.
Re the logic of the code itself... hopefully it's fairly self explanatory but it WILL no doubt need changing for your own forum and I can't really explain how you do that, it all depends on what common factor the Xrumer botmaster uses in his attack against your forum, all I can say is to check your bot registrations, look for a common pattern/string that's used consistently and then modify the code to search for that pattern. I can try and help but really the only way is to have direct access to your forum db to check it/test it.
Anyway... HTH.
PS the code is working on our VB4 board (sorry for posting in the vb3 board but like I say above this seems to be the place where xrumer is discussed most (maybe the thread can be moved?) and if I'm honest I don't really want to maintain this code... it's really just a quick 'hack' after all and if it were to be published properly it should really have a configuration screen where you can customize what strings to grep for etc)... anyway it should work OK on vb 3 and 5 as well.
If anyone wants to modify it and turn it into a 'proper' plugin with a decent config screen etc then that is fine with props.
Cheers.
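
An added example, not part of the post above and not vBulletin code: a dry run of the fields=>strings idea with more than one rule, reporting which registrations would be banned and which rule fired, so a pattern can be checked against existing rows before it changes any usergroup. The field15 rule, the function name and the sample rows are constructed for illustration.

```php
<?php
// Rules: profile field => list of PCRE patterns a genuine value should never match.
$rules = array(
    'field14' => array('/@/'),             // telephone field holding an email address
    'field15' => array('/https?:\/\//i'),  // hypothetical second rule: URL in a location field
);

/**
 * Return array(userid => list of reasons) for every row that matches any rule.
 * Missing or non-string fields are skipped rather than counted as matches.
 */
function find_bot_registrations(array $rows, array $rules)
{
    $hits = array();
    foreach ($rows as $row) {
        $userid = (int) $row['userid'];
        foreach ($rules as $field => $patterns) {
            if (!isset($row[$field]) || !is_string($row[$field])) {
                continue;
            }
            foreach ($patterns as $pattern) {
                if (preg_match($pattern, $row[$field]) === 1) {
                    $hits[$userid][] = "$field matches $pattern";
                }
            }
        }
    }
    return $hits;
}

// Constructed rows in the shape of the userfield table (not real registrations).
$rows = array(
    array('userid' => 101, 'field14' => '020 7946 0000',   'field15' => 'Leeds'),
    array('userid' => 102, 'field14' => 'bot@example.com', 'field15' => 'http://example.com/'),
    array('userid' => 103, 'field14' => '',                'field15' => 'London'),
);

// Report only; nothing is written to any table.
foreach (find_bot_registrations($rows, $rules) as $userid => $reasons) {
    echo "userid $userid: " . implode('; ', $reasons) . "\n";
}
```

Running the same rules over an export of existing genuine members first shows whether a pattern would catch real users before it is wired into the ban query.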