Hello everybody,
Since yesterday I have been under a spam attack. I disabled the "Allow new users to register" option from the Settings > Advanced Settings admin panel and I still get attacks, because new fake users are still being registered.
Additionally I have these plugins installed and enabled: uservalidationbyemail, recaptcha, iptracker, spam_login_filter, spam_throttle, honeypot and akismet.
What can I do? Thank you very much.
@Ron:
Possible helpful tips:
There's no need to disable any plugins for a point release upgrade.
In addition to what was mentioned you can simply disable registration in the advanced settings during the process and turn it on again after if you are worried.
Hint: if you set your server up so that the elgg installation is a clone of the git repo, you can simply run
Then run upgrade. The entire process will be done in under a minute.
@Matt: "git checkout" on a production site!? Maybe I'm too "old-school". But it surely has the advantage that only changed files get updated (faster) and files removed in the repo get removed on the server, too. Still, I personally prefer to take a look into the content of the zip archive before blindly copying something onto my server.
Another option is to
It's hardly 'blind copying' - the repo is public - you can inspect it at will before checking it out :)
@Matt: It's interesting that there is no need to disable any plugins for a point release upgrade. We always have, so it's interesting that we may not have to. On the other hand, because we use ismayil's hype framework (plugins) we don't upgrade until we have his blessing; we have found that to be a good and valuable practice. So, I'm not sure that the instruction is perfectly correct.
@iionly said "Also, you won't have any outdated/deprecated files of the former Elgg versions remaining in your Elgg install directory afterwards." That too is interesting. Over the past many years I have questioned this a number of times, and I was always instructed to do a copy-over rather than a full replacement. Confusing what's best.
@all Thank you for the advice. Like I've said, we've done many upgrades since ver .9, but this is the first time we are under spam attack. Since we are not Elgg developers much of what you all say is foreign to me, but I will try to decipher some of it to have a safe upgrade. The one that sounds like it may stop the attack during the upgrade is @Team Webgalli's instruction to change the connection parameter in engine/settings.php. I am assuming that the settings.php file is not written over during the uploading of the new files? Is this a correct assumption?
Thank you
@Ron: both settings.php and .htaccess are not overwritten when you copy a new Elgg version into your Elgg install directory, as these files are not included in the zip file but are only created when you run an Elgg installation. So, you won't lose your database settings in settings.php or any custom modifications in .htaccess. But you should check for differences between your settings.php and settings.example.php, and between .htaccess and htaccess_dist, before running the upgrade script. If there are any differences apart from what you changed yourself (and of course the database credentials) you should merge these changes into settings.php and .htaccess respectively. Whether there are any changes or not depends on what version you upgrade from.
The tip with changing the database parameters in settings.php is surely interesting. Never thought about that!
Regarding "simply copy over" vs. "removal of outdated files": you most likely won't have any problems if there are outdated files, but I prefer to get rid of any files no longer used. Then I can be sure that there are no problems.
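The pre-upgrade check iionly describes (compare settings.php with settings.example.php, and .htaccess with htaccess_dist, and merge anything new) can be scripted. The following is an added example, not Elgg's own tooling or anyone's code from this thread; it lists normalised lines present in the distributed template but absent from the live file, skipping the `$CONFIG->db...` credential lines, which are expected to differ. The two sample files are constructed for the demonstration and are not real Elgg files.

```shell
#!/bin/sh
# Added example (not Elgg's own tooling): report template lines missing from the
# live config so they can be merged by hand before running the upgrade script.
export LC_ALL=C   # keep sort and comm collation consistent

# normalise FILE: trim whitespace, drop blank and comment lines, sort uniquely.
normalise() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v -e '^$' -e '^#' -e '^//' -e '^/\*' -e '^\*' \
        | sort -u
}

# template_only TEMPLATE LIVE: print lines found in TEMPLATE but not in LIVE.
# Database credential lines ($CONFIG->dbuser, ->dbpass, ...) are ignored, since
# settings.example.php carries placeholders and settings.php the real values.
template_only() {
    t=$(mktemp) && l=$(mktemp) || return 1
    normalise "$1" > "$t"
    normalise "$2" > "$l"
    comm -23 "$t" "$l" | grep -v 'CONFIG->db' || true   # empty output is fine
    rm -f "$t" "$l"
}

# make_samples DIR: write a constructed settings.example.php / settings.php pair.
# The template carries one setting (memcache, constructed here) the live file lacks.
make_samples() {
    cat > "$1/settings.example.php" <<'EOF'
<?php
global $CONFIG;
$CONFIG->dbuser = '{{dbuser}}';
$CONFIG->dbpass = '{{dbpass}}';
$CONFIG->dbname = '{{dbname}}';
$CONFIG->dbhost = '{{dbhost}}';
$CONFIG->dbprefix = '{{dbprefix}}';
// Memcache settings (constructed for this example)
$CONFIG->memcache = false;
EOF
    cat > "$1/settings.php" <<'EOF'
<?php
global $CONFIG;
$CONFIG->dbuser = 'elgg';
$CONFIG->dbpass = 'placeholder-password';
$CONFIG->dbname = 'elgg';
$CONFIG->dbhost = 'localhost';
$CONFIG->dbprefix = 'elgg_';
EOF
}

work=$(mktemp -d) && make_samples "$work"
echo "Template lines missing from the live settings.php:"
template_only "$work/settings.example.php" "$work/settings.php"
rm -rf "$work"
```

Run it against the real files with `template_only settings.example.php settings.php` (and likewise `htaccess_dist .htaccess`) from the Elgg install directory; an empty result means nothing new needs merging.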
@iionly: I understand and appreciate your knowledge. -ron
Those using a version below 1.8.14 should definitely upgrade. I noticed a patch has been introduced in this release where a user that is denied registration by a plugin like spam_login_filter will actually be deleted.
Otherwise the account will be created anyway. The user cannot login, but you still can have hundreds of fake accounts.
In case anyone would have any further advice, my sites are still being attacked. Getting anywhere from 1 to 3 attacks a minute that ALL are being blocked by Spam Filter; so I'm not getting any fake registrations on any of our sites; but the attacks keep coming. I don't get why these jerks keep doing this when there's no registrations and no advantage to them. I'd hate to think that all our elgg sites are doomed to these attacks forever. Thanks for any further advice you can shed on this.