#20
02-10-2008, 11:56 AM
sc2000
Join Date: Feb 2008
Posts: 5
Quote: Originally Posted by kallu
Hi,

This is my first post on this forum.
I had been facing the "unwanted users registration problem" myself, but managed to solve it (or so it seems for now :) .. haven't had a similar attack for the past ten days or so, while previously it had become almost a daily occurrence).

I first tried using the email verification route.
That only succeeded in preventing the spam accounts getting activated, as all the email addresses were, of course, fake.
The en masse creation of accounts continued without fail.

Eventually I had to replace the default captcha with a new one and this finally stopped the account creation.

The quoted article:
Hackers using PyCurl to bypass registration
seems to suggest that the problem lies with a piece of code within libs/user.php.
It goes on to say:
"..Rather than using the captcha, it is just dumping in users by latching directly onto the users.php file.."

If I understood it right, the article seems to suggest that the hacker is bypassing the regular registration mechanism (register.php) totally (thus not going through captcha at all) and directly using user.php somehow.
My argument that follows is based on this. Please correct me if my understanding is flawed.

For using email verification, I added a new field to the users table, that holds
a random unique string that is emailed to the new user at the address he provides at registration time. This string has to be returned by the user for activating his account.

My question is, if what the aforesaid article says is true, how was the bot script still able to insert a new user record in the users table, complete with the random string in the new field?
Clearly it had to go through the routines in register.php.
Had it used user.php directly, I doubt if the new field would have been populated (I'd like someone conversant with the Pligg source code to comment on this).

I figured out that the captcha used was too weak for the bot and then replaced it with another one.
This seems to have done the trick.

Hope this helps somebody else too.

Changing the captcha from the default Pligg captcha to one of the others provided on the list of captchas solved the problem completely? Or do I need to install a specific one? Thanks.
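The activation scheme kallu describes in the quoted post (an inactive user row holding a random string that is emailed out and must be returned to activate) is worth seeing end to end, because it also explains the observation that the bot kept inserting rows: the token only gates activation, not row creation. The following is an added example written for this thread, not Pligg's own code; it keeps a constructed in-memory stand-in for the users table (column names and the `pending_accounts` helper are hypothetical), generates the token from the OS CSPRNG, stores only its digest, enforces expiry and single use, and counts never-activated accounts per source address as a simple signal for the mass-registration pattern kallu saw.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for Pligg's users table (assumption: the real
# table is MySQL and its column names differ; these names are hypothetical).
users = {}

TOKEN_TTL_SECONDS = 24 * 3600  # activation link valid for one day


def _hash_token(token: str) -> str:
    # Store only a digest so reading the table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def register(username: str, email: str, remote_ip: str, now: float = None) -> str:
    """Create an inactive account and return the activation token to be emailed.

    Note that the row is created regardless of whether the address is real:
    email verification blocks activation, not account creation.
    """
    now = time.time() if now is None else now
    if username in users:
        raise ValueError("username taken")
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not rand()
    users[username] = {
        "email": email,
        "active": False,
        "token_hash": _hash_token(token),
        "token_expires": now + TOKEN_TTL_SECONDS,
        "created": now,
        "ip": remote_ip,
    }
    return token


def activate(username: str, token: str, now: float = None) -> bool:
    """Activate the account if the presented token is valid, unexpired and unused."""
    now = time.time() if now is None else now
    row = users.get(username)
    if row is None or row["active"] or row["token_hash"] is None:
        return False
    if now > row["token_expires"]:
        return False
    # Constant-time comparison so a wrong token does not leak how many
    # characters matched.
    if not hmac.compare_digest(row["token_hash"], _hash_token(token)):
        return False
    row["active"] = True
    row["token_hash"] = None  # single use: the link cannot be replayed
    return True


def pending_accounts(window_seconds: int, now: float = None) -> dict:
    """Count never-activated accounts created within the window, per source IP.

    A burst of unactivated rows from one address is the pattern kallu
    describes and is a cheap thing to alert on or rate-limit.
    """
    now = time.time() if now is None else now
    counts = {}
    for row in users.values():
        if not row["active"] and now - row["created"] <= window_seconds:
            counts[row["ip"]] = counts.get(row["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample run: one real user, one address mass-registering.
    t = register("alice", "alice@example.com", "198.51.100.7", now=1000.0)
    print("wrong token:", activate("alice", "not-the-token", now=1001.0))
    print("right token:", activate("alice", t, now=1001.0))
    print("replayed:   ", activate("alice", t, now=1002.0))
    for i in range(5):
        register(f"bot{i}", f"bot{i}@example.invalid", "203.0.113.9", now=1000.0)
    print("pending per IP:", pending_accounts(3600, now=1500.0))
```

The sample run shows the point of kallu's question in miniature: every `register` call inserts a row with the random field populated, while only the one caller holding the emailed token ever reaches `active = True`, so the table fills with pending rows until something in front of `register` (a stronger captcha, or a limit driven by `pending_accounts`) stops the inserts.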