CiviCRM Community Forums (archive)


This forum was archived on 25 November 2017.




Author Topic: Spam Accounts and User Accounts Being Changed  (Read 779 times)

vimonta

  • CiviCRM version: 4.1.5
  • CMS version: Drupal 7
  • MySQL version: 5.1.66
  • PHP version: 5.3.27
Spam Accounts and User Accounts Being Changed
November 01, 2013, 08:45:24 am
Hello,

We have been running into a problem with spam accounts being added to CiviCRM and user accounts being changed (over 100 changes last night alone).  The users' emails sometimes get changed to junk.  The change logs show that the user changes their own account.  It does not show some other user making the changes. 

As far as I can tell, the spam accounts are just being added to the Civi database, as the users do not appear in Drupal.  It may be worth noting that the Drupal database/ site is on a different server from the CiviCRM database.

I am not sure if this is from SQL injections into the database or from something else.  We have applied the patch to Civi that we saw here.

Many of the spam accounts are from @mail.ru, but we have other clever names like airjordanoutletstore.us.  I've been searching the servers for any kind of malicious script that may have been installed.  I found our sites/default/civicrm/custom folder filled with dozens of .unknown files.  The unknown files I looked at contained junk HTML, sometimes with Cyrillic letters.  The unknown files may have been uploaded because users can upload a profile picture that was being stored in the same directory.

If anyone has had a similar problem or has a solution, any help would be most appreciated. This is getting pretty horrendous.

Thanks!
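An added example (not part of the original post, and not CiviCRM code): a content-based triage of an upload folder such as the `sites/default/civicrm/custom` directory described above, which reports every file whose bytes are not a recognised image regardless of its extension. The function names, the marker list and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Magic-byte prefixes for the image types a profile-picture upload should contain.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png",
               b"GIF87a": "gif", b"GIF89a": "gif"}
# Markers suggesting markup or server-side script rather than image data.
MARKUP_MARKERS = (b"<html", b"<!doctype", b"<script", b"<iframe", b"<a ", b"<?php")

def classify(path, sniff_bytes=4096):
    """Return 'image:<type>', 'markup' or 'other' from file content, ignoring the name."""
    with open(path, "rb") as fh:
        head = fh.read(sniff_bytes)
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return "image:" + kind
    lowered = head.lower()
    if any(marker in lowered for marker in MARKUP_MARKERS):
        return "markup"
    return "other"

def triage_upload_dir(root):
    """Return sorted (relative_path, verdict) for every file that is not an image."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify(full)
            if not verdict.startswith("image:"):
                findings.append((os.path.relpath(full, root), verdict))
    return sorted(findings)

def build_sample_dir():
    """Constructed sample data standing in for the custom upload folder."""
    root = tempfile.mkdtemp()
    samples = {
        "avatar_1.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "a1b2.unknown": b"<HTML><body>constructed junk markup</body></html>",
        "c3d4.unknown": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG with the wrong extension
        "notes.unknown": b"plain constructed text",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, verdict in triage_upload_dir(build_sample_dir()):
        print(verdict, rel)
```

An `image:` verdict only means the leading bytes match an image header, so files that pass still need the web server configured to serve that directory as static content only.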

Donald Lobo

  • Administrator
  • CiviCRM version: 4.2+
  • CMS version: Drupal 7, Joomla 2.5+
  • MySQL version: 5.5.x
  • PHP version: 5.4.x
Re: Spam Accounts and User Accounts Being Changed
November 01, 2013, 10:25:02 am
1. how are user accounts being changed? I would check your permissions and ensure that anonymous / auth users have very limited permissions. The defaults are a fairly small set, so might want to take a look at that

2. Might want to protect user registration on the drupal side via recaptcha or mollom. should make it a bit harder.

3. Might also want to add recaptcha to your profiles if u r collecting data from anon users.

4. what version are u on? if still on 4.1.5, i would upgrade to a more recent 4.2.x or 4.3.x or 4.4.x (preferred). quite a few security fixes since then

lobo

vimonta

Re: Spam Accounts and User Accounts Being Changed
November 04, 2013, 07:50:38 am
Thank you for the response.

Unfortunately, it's difficult to tell how the user accounts are being changed.  According to the log, each user is changing their own account.  It does not show a different user making all the changes.  I have checked the permissions, and anonymous/ auth users do have limited permissions.  So hopefully that is preventing some changes.

With Drupal, we have it set with Recaptcha and email confirmation from the site admin.  I don't think the Drupal database is having users added to it.  It is only the civi db.

My understanding of Recaptcha for Civi was for public facing forms, which we do not have with Civi.  Is there a way to set Recaptcha for any changes being made to a user profile?  Of course if SQL injections are causing the problem, I don't think Recaptcha will help much.

Our next step is moving our Civi db to a different server with a more up-to-date version of Civi.  Hopefully that will solve the problem.

Thanks again!

petednz

  • CiviCRM version: 3.x - 4.x
  • CMS version: Drupal 6 and 7
Re: Spam Accounts and User Accounts Being Changed
November 04, 2013, 10:21:20 am
I may not be following fully as you seem to refer to 'users' both for civi and for drupal. It might help others to help you if you refer to civi 'contacts' and drupal 'users'.

One way, a bit tedious if you have lots of profiles, is to go through and set a bcc address in each profile so that you get a copy of them when they get filled out - that should help you work out whether contacts are accessing civi Profiles and making changes to contacts' details through that route.

pete davis : www.fuzion.co.nz : connect + campaign + communicate

vimonta

Re: Spam Accounts and User Accounts Being Changed
November 05, 2013, 08:46:07 am
Thanks for the help!  I'm still getting used to Civi and it's good to know the lingo for future posts.

I did find a solution to the problem.  Originally, our Civi db and Drupal db were on different servers, which was not my choice.  We have a complicated setup with the hosting company that I am not involved in, but it can make it difficult to actually make changes on the server.  I created a SQL dump of the Civi db after fixing the contacts and removing junk contacts.  I then created a new Civi db on the same server as the Drupal db and imported from the SQL dump.  I had to change some of the Drupal settings files, but all appears to be in order with no fake Civi contacts being created or other contacts being changed!

I understand that may not be the most practical solution, but it did work for us.  We could not find any malicious script or file on our original Civi db server, so my best guess is SQL injections into the db.  I had tried changing the password for the MySQL user associated with the Civi db, but that didn't work.

If anyone else runs into this problem, you could try to create a new db for Civi, even if it is on the same server.  I wish I knew what specifically caused the problem, but at least there was a solution *fingers crossed*


This forum was archived on 2017-11-26.