How Spammers Crack the Captcha
Fryedsoft
November 20, 2012, 8:29pm
For a while I've been playing with my register site default captcha, trying to stop the few spammers actually getting through Stop Forum Spam. In the process I ran into something that is most likely being exploited by the bots.

First, in one of my tests, I set up a captcha that was technically solvable, but was absolutely impossible to solve by a human. Pretty much, the captcha was using Wingdings as the font with enough lines through it to turn the captcha blank. Next day, I got 8 registrations.

From there, I started looking at how the picture itself is presented to the user and ran into the issue. The file name of the captcha is (MD5).png, where (MD5) is an MD5 hash of the captcha text. So all the spam script has to do is go to the register site, which will generate a valid captcha (for this example, we'll use the captcha 0BP2K3); read the HTML of the register site for the captcha file name (which would be 252d1a0dd96b78e2ee8cb36c709ceeef.png); strip the .png from the file name and scan the MD5 hash through their MD5 hash tables (for this example, we'll use the manual site http://www.md5online.org but trust me, they got their own complete hash list for E-Blah considering the botnet they have); then send a form submit directly with all the spammer info and the cracked captcha (which is 0BP2K3) to bypass any secondary captcha such as Asirra.

The fix for this would be to either salt the hash with another encryption scheme (Hell, ROT13 might be enough to stop them for now.) or never present the user with a true hash while storing the hash as a randomly generated file inaccessible to browsing by the user, which would be more difficult to code, but would be much more effective in protecting the Captcha.

rusky
November 26, 2012, 1:58am
I added a key to the MD5 hash which would make it more difficult hopefully.

In Register.pl:

Line 173:
Code
$datad = md5_hex($captchaKey . $image->random_str());


Line 307:
Code
$datad = md5_hex($captchaKey . uc($FORM{'random'}));


In Settings.pl

After line "$autotag = 0;"

Code
$captchaKey = "HeUoLpUfYeE"; 


Change the key up a little bit with a mix of upper case / lowercase letters and numbers.


Here's a copy of the modified Register.pl file: http://pastebin.ca/2255298

rusky
November 26, 2012, 1:02pm
Here's the mod you can install through the admin panel.

Note: After installing the mod, make sure to open up your Settings.pl, scroll to the bottom and change the value of $captchaKey.




Fryedsoft
November 28, 2012, 8:03pm
Am trying this salt method on my board (only difference is I'm using a string directly in the code instead of a variable) to see what happens.

If my registrations drop dramatically, then my spammer hunch was correct.
Justin
March 22, 2013, 5:33pm
You, sir, should get a prize. I'm sorry it took me so long to find this thread; had I found it sooner, I would have implemented this fix sooner. This is most likely the problem and has been the problem the whole time!

I have fixed and pushed to GitHub.

https://github.com/eblah/E-Blah-Forum/commit/cfb76a18a8da95ddb5663c41ee94f0a8bb0650ca
https://github.com/eblah/E-Blah-Forum/commit/cdae52033ff3c35084b204b1ad387a3a2fa83a29

After installing the latest version from GitHub, you can go to Admin/Settings then save your settings. The salt will be added to the captcha codes from then on.

Thank you for solving the problem!


"But you, O Lord, are a compassionate and gracious God, slow to anger, abounding in love and faithfulness." — Psalm 86:15 NIV
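
An added illustration of the thread's point, not code from E-Blah or from any poster: the sketch below contrasts the MD5 file name described in the first post and the keyed MD5 from the Register.pl change with an HMAC-SHA256 name bound to a per-challenge nonce. The helper names, the key, the 600-second lifetime and the use of /dev/urandom are assumptions.

```perl
# Added example; helper names, key and TTL are hypothetical, not E-Blah's code.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Digest::SHA qw(hmac_sha256_hex);

# Scheme from the first post: the public file name is MD5(captcha text),
# so the name alone lets anyone confirm a candidate answer offline.
sub name_unsalted { my ($text) = @_; return md5_hex($text) . '.png' }

# Keyed variant in the style of the Register.pl change: not checkable without
# the key, but the same text always maps to the same name.
sub name_keyed { my ($key, $text) = @_; return md5_hex($key . $text) . '.png' }

# Per-challenge nonce "issued_at.random" (assumes /dev/urandom is available).
sub new_nonce {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read";
    close $fh;
    return time() . '.' . unpack('H*', $buf);
}

# HMAC-SHA256 binds the answer to the nonce under a server-side key.
sub name_hmac {
    my ($key, $nonce, $text) = @_;
    return hmac_sha256_hex($nonce . ':' . uc($text), $key) . '.png';
}

# Constant-time comparison, so timing does not reveal matching prefixes.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# Server-side check: reject malformed or stale nonces, then recompute and compare.
sub verify {
    my ($key, $nonce, $answer, $name, $ttl) = @_;
    my ($issued) = $nonce =~ /^(\d+)\.[0-9a-f]{32}$/ or return 0;
    return 0 if time() - $issued > $ttl;
    return const_eq(name_hmac($key, $nonce, $answer), $name);
}

my ($key, $text) = ('constructed-demo-key', '0BP2K3');  # constructed key; text from the first post
my $nonce = new_nonce();
my $name  = name_hmac($key, $nonce, $text);
print name_unsalted($text), "  ", name_keyed($key, $text), "  ", $name, "\n";
printf "right=%d wrong=%d fresh_nonce_differs=%d\n",
    verify($key, $nonce, '0bp2k3', $name, 600), verify($key, $nonce, 'XXXXXX', $name, 600),
    ($name ne name_hmac($key, new_nonce(), $text)) ? 1 : 0;
```

A nonce stays replayable until it expires unless the server also records which nonces have already been used.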