Secure LC-CMS 3.6.1
- Sutz - 01-09-2014

Since I released the CMS I have myself witnessed the harm it has done. I only released it due to other people buying and selling it, or using it and editing and re-selling it as their work. Now that the code is public, it has brought new dickheads who think it's great to download the CMS just to make tools to manipulate other people's databases (spam accounts).

Simple how-to guide:

The best way to stop this is to change things to protect your site & database. I have done this with my custom LC-CMS 3.6, which I will never release to anyone. But you can achieve the same thing as me by learning from this guide.

LC-CMS 3.6.1:

Open "config/config.php" and scroll to the bottom, and you will find the PDO connector:

```php
// Added Security Option
$LC_Host  = $LCSET['cms_host'];
$LC_User  = $LCSET['cms_username'];
$LC_Pass  = $LCSET['cms_password'];
$LC_Auth  = $LCSET['cms_lc_auth'];
$LC_Db    = $LCSET['cms_lc_db'];
$LC_Data  = $LCSET['cms_lc_data'];
$LC_Act   = $LCSET['cms_lc_authORdb'];
$LC_CMSDb = $LCSET['cms_lc_site'];

// PDO Connector
$pdo_cms = sprintf("mysql:host=%s", $LC_Host);

// PDO Test Connection
try {
    $con_cms_pdo = new PDO($pdo_cms, $LC_User, $LC_Pass);
} catch (PDOException $e) {
    // Stop with a static error page if the MySQL server cannot be reached
    die('<title>CONFIG ERROR</title><body text="#C0C0C0" bgcolor="#000000"><center>'
        . '<img src="styles/Metal/images/error.png" border="0"><br/>'
        . '<font color=red size=4>Error connecting to the Mysql server</font><br/>'
        . 'If your the admin please check your config settings.<br/>'
        . 'If your not then there is no connection to Mysql sorry, come back later.'
        . '<br/><br/><br/>-LC-CMS By ToXiC L33T-</body>');
}
```

Here you can rename all "$LC_whatever" to new values and also change "$con_cms_pdo". Now open all the CMS PHP files in ALL folders and search and replace what you changed: search for "$LC_Host" and replace it with your new one.

Doing this will disable these crappy account spammers. Happy Days!

- Sutz - 01-09-2014

If you use the CMS and don't change this you are open to spam account n00bs. I got spammed the other day but I caught them in the act before I got owned. Had to remove 6k accounts but 6k was better than 50k lol

Seems there is a tool going round made just to spam LC-CMS (Bless they spent time just to [CeNsOrEd] my CMS over lol). It bypasses the IP checker somehow and just spam spam spams accounts over and over in bg_user but also into the site db t_user_logs.

Also there is a custom LC-CMS 3.5 going round which is a mix up of 3.4 and 3.5 (the one that doesn't show new char icons & has that epic style I'm using on my server). Some of its code has been edited and some new scripts are in it (buynow.php, changename.php, paygol.php etc etc). This I will not be responsible for. It was my work but a lot of code has changed so please use at your own risk! It was being sold behind my back while I was selling my CMS. Now I have gone free I think people are also sharing this version about.

Please protect yourself

- LikeToMove - 01-10-2014

What about a captcha code on the registration step? Or an email validation? This can block a lot of spammers.

- GuyFawkes - 01-11-2014

Captcha is ten times more effective than editing post variables.

- Sutz - 01-11-2014

It's not just editing post values :blink:

Just think of it this way: if someone made a spam tool by hooking into the register script, what else could they do by hooking into the PDO connection and calling queries from the CMS?? Maybe hook into admincp.php and make everyone GMs on your server??

This post isn't just about blocking spammers, it's about protecting your server. I was just saying that doing this will also block them.
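
The e-mail validation suggested in the replies, combined with a per-IP limit on pending signups, as an added PHP example that is not part of the original posts or of LC-CMS. The `pending_user` table, the function names, the limits and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example; table, column and function names are hypothetical, not LC-CMS's.
const MAX_PENDING_PER_IP = 3;   // assumed limit per IP within the token lifetime
const TOKEN_TTL = 3600;         // seconds a confirmation token stays valid

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');   // in-memory stand-in for the site database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pending_user (token_hash TEXT PRIMARY KEY,
        user_id TEXT, email TEXT, ip TEXT, created INTEGER)');
    return $db;
}

// Queue a signup. Returns the token to e-mail, or null if rejected or throttled.
function startRegistration(PDO $db, string $user, string $email, string $ip, int $now): ?string {
    $q = $db->prepare('SELECT COUNT(*) FROM pending_user WHERE ip = ? AND created > ?');
    $q->execute([$ip, $now - TOKEN_TTL]);
    $throttled = (int)$q->fetchColumn() >= MAX_PENDING_PER_IP;
    if ($throttled || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $token = bin2hex(random_bytes(32));   // unguessable; delivered only by e-mail
    $ins = $db->prepare('INSERT INTO pending_user VALUES (?, ?, ?, ?, ?)');
    $ins->execute([hash('sha256', $token), $user, $email, $ip, $now]);   // keep only the hash
    return $token;
}

// Redeem a token once. Only a non-null result should lead to creating the game account.
function confirmRegistration(PDO $db, string $token, int $now): ?string {
    $hash = hash('sha256', $token);
    $q = $db->prepare('SELECT user_id FROM pending_user WHERE token_hash = ? AND created > ?');
    $q->execute([$hash, $now - TOKEN_TTL]);
    $user = $q->fetchColumn();
    $db->prepare('DELETE FROM pending_user WHERE token_hash = ?')->execute([$hash]);
    return $user === false ? null : (string)$user;
}

// Constructed sample run: four signups from one address, then one token redeemed twice.
$db = openDb();
$now = time();
$tokens = [];
foreach (['a', 'b', 'c', 'd'] as $name) {
    $tokens[] = startRegistration($db, $name, "$name@example.test", '203.0.113.7', $now);
}
var_dump($tokens[3] === null);                          // was the fourth signup throttled?
var_dump(confirmRegistration($db, $tokens[0], $now));   // first redemption
var_dump(confirmRegistration($db, $tokens[0], $now));   // replay of the same token
```

With this flow the row in the game's account table (bg_user in the thread) is written only after `confirmRegistration` returns a user id, so unconfirmed signups never reach it.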