Security Questions

Hi, I am currently running 2.2.0 and was just wondering if my log entries from the link below are normal?
My site has been constantly under attack from the start compliments of google and the welcome mat keywords "Powered by Elgg" to locate it.
Now it seems that they have found a way to validate their own accounts with two instances in the past couple of days.
Any help would be appreciated, thanks.
  • It's of course completely possible that some core bug allows self-validation. What we'd need to resolve that is to know the IP(s) logged of a user who did this and cross-reference those with httpd access logs to see exactly what HTTP requests were made. It's a lot of work. There's some easy stuff core could do to help:

  • Before taking it for granted that any "self"-validation has actually happened I would like to get some conclusive facts about what exactly is happening and what plugins (bundled and 3rd party plugin) are installed and enabled AND if any 3rd party plugins used are really for Elgg 2.x. I don't know if this will ever happen though with respect to the huffy reply on the suggestion that the accounts COULD be (NOT must be!) due to registering with 3rd party site credentials.

    What I find irritating is that the first post seems to connect the perfectly normal Elgg log entries with "my site is being attacked from day 1". So, no indication yet that there is any kind of self-validation yet.

    Next, the stats of the http:blacklist plugin are cited twice (as some kind of evidence that self-validation happens?). But the non-blocked registration count wouldn't give any indication that the registered accounts are fishy in any kind. Some might be (not yet reported before) but others might be perfectly alright. The counter also would refer to number of accounts registered and not number of accounts activated.

    What plugin is really used for account validation? As it was mentioned that "approval by admin" was intended I just assumed that the uservalidationbyadmin was used. But is this even true? Maybe the (wrong) assumption is that by NOT using the uservalidationbyemail plugin the accounts would require admin approval... instead of being automatically enabled! And even if the uservalidationbyadmin plugin is used it's still the question if it is used in the version compatible with Elgg 2 AND if the plugin is fully working on Elgg 2. But so far nobody else has reported any problems with uservalidationbyadmin. So, is it likely that self-validation of accounts happens isolated on one single Elgg site only?