I am currently on DF 9.0.3.0 just about to upgrade. In the meantime, today 3 or banned members were suddenly unbanned. They appeared to be targeted because they are the most notorious banned users, not just random. There are no new admins.

Are there any known hacks to accomplish this, or would someone have to be logged in as admin to do it?

Are there any IP records of admins? I'm running IP Tracker, but it seems to register their regular username, not their Admin login name.

Any other thoughts on preventing or tracking this?

In old versions, there is a bigger chance of being hacked, i would recommend upgrading to 9.0.6.1, and then ban those members again.

OK, this is still happening, and I have some new info.

1. I upgraded to the current version, 9.0.6.1

2. I removed all admins except myself.

3. I have IP_Tracker installed and working and when I checked who was in my admin, there was only me, except in one instance my IP was listed as 0.0.0.0 but the host name was still mine.

It is consistently the same 3 users and it happens two or three times a week. I changed all of their emails to my email address so they can't retrieve their passwords or get the email that they are banned yet again. They are the 3 most notorious banned members, and the ones that are commonly known to be banned. How can this be happening?

Banning only applies to forums - suspension is required for the overall site.

Yes, you're right, I was using the wrong terminology. I have been "suspending" them, and they will consistently become unsuspended.

(However, even if I was banning them, I would expect their status to "stick".)

Could it be the computer you are working on? Can you be sure you do not have any malware on your machine?

Besides runnign Norton AV, I just scanned it with spysweeper and ad-aware, and am running spyware blaster. Nothing is coming up.

I had the same thing happen to me but I can confirm it was nothing malicious and instead a possible bug.

I had 13 users suspended, and I went and unsuspended one user who returned to wanting to use the board. When I unsuspended him, it unsuspended several other folks with him and had to re-suspend them.

Wish I had more details, but something in the unsuspend code is not selecting the right users with the mysql grab. I can't figure out the code, but thinking that the admin/modules/users_susdel.inc is likely candidate.

Well, I haven't been able to pin this to any action on my part but I'll keep an eye on it. Strange that it's only these three and never any others. I know it's not when I'm unsuspending someone else because I haven't done that at all.

go into the SQL tables and change thier names to something else. then ban thier IPs in your htacess file in the root directory and they won't even be able to goto the site at all.

but i have to ask. what are they doing? is it just being really annoying all the time or something?

I thought about these things...

If I change their names, then they could theoretically sign up again with their original names. They all have dynamic IPs too.

They were each suspended for different reasons, being rude, or scamming other members. As far as I know, none of them has used the window while their account is unsuspended to do anything, but two of them hold major grudges, and one is a wannabe hacker.

My thing is, A. How is this happening? B. Why these three? C. Is there a security flaw, or what?

I'd really like to get to the bottom of this.

if you do a whois on those members call thier ISP and tell them about the things that they are doing. make sure to get the managers' name and have proof on hand of what they have done. other than that i'm not a security expert on DF (der)

This is still happening. We recently suspended one of the member's friends and they were unsuspended a short time later. We have over 35 other suspended members who never become unsuspended, only those related to these 3. I even changed one members username and they still got unsuspended.

If I was going to look at IP_Tracker for evidence, what should I look for?

The fact that this thread has been ignored by any site admins makes me wonder... Do you imagine I'm somehow doing it wrong? Do you think it it's an inside job? Is suspending members not important? Or is it just a matter of this not being as important as the many other things you're all dealing with? Whatever the reason, I'll understand, but I'd really like SOME kind of response on what I feel is a serious issue when it comes to adminning a site.

You're going to have to start debugging by the process of elimination.

I would first thing is to take away the member option from any other admins on your site. You become the only admin capable of suspending / unsuspending a user.

Then... wait.

Or if you don't want to do that, I would suggest breaking the piece of code that unsuspends a user.

In \admin\modules\users.php go to line 89.

PHP:

echo '<tr><td colspan="4"><input type="hidden" name="susdel" value="restoreUser" /><input type="submit" value="'._RESTORE.'" /></td></tr>';

change it to something like:

PHP:

echo '<tr><td colspan="4"><input type="hidden" name="susdel" value="BUSTED" /><input type="submit" value="'._RESTORE.'" /></td></tr>';

With a little time the folling code could be put after line 81 in \admin\modules\users.php.

PHP:

$userinadmin =& $CLASS['member']->members[is_user()]; $header = "From the User Admin"; $mailto = "YOURNAME@YOURSITE.com"; $subject = "Person in User Admin"; $message = $userinadmin['username'] . " is in the user admin area of the admin.php users script."; mail ($mailto,$subject,$message,$header);

I tested the above code and it works and used apart from the other options mentioned might help you catch the insider doing the unsuspending if there is such a person. Be sure to change $mailto = "YOURNAME@YOURSITE.com";
to your proper email address.

I did try the first thing, and it still happened. I will definitely implement the hack.