guest user and spam infiltration

pbo_dom

Joined: 2012-08-10
Posts: 12
Posted: Thu, 2013-04-25 20:22

All,
My gallery2 has been infiltrated by I believe a "bot". It is accessing the system as a 'guest' user and creating tens of thousands of albums and subalbums. Its easy for me to identify and delete these items from the database manually. But this is getting tedious. I'd much rather control what the user guest can do.
Now I have seen some posts about users/groups. I must note that I have reviewed my group and group memberships. There is no guest user in ANY of my groups. I've also identified the albums which typically get infiltrated and there also is no 'guest' user with individual permissions for said album.

Are there default settings somewhere? My current business need is to allow guest view only access for public display of images. But comments, album creation should NOT be allowed. I've looked for the user 'guest' and cannot find this user.

any ideas?

Gallery version = 2.3.2 core 1.3.0.2
API = Core 7.54, Module 3.9, Theme 2.6, Embed 1.5
PHP version = 5.3.3 apache2handler

 
suprsidr

Joined: 2005-04-17
Posts: 8339
Posted: Thu, 2013-04-25 20:56

You had to specifically allow guests to post new albums/items; this is not the default.
Remove the permission that allows Everybody to add items/sub-items from the root album and check the box to apply it to all sub-items.

Later look in the mirror and blame the person you see for your troubles.

-s
________________________________
All New jQuery Minislideshow for G2/G3

 
pbo_dom

Joined: 2012-08-10
Posts: 12
Posted: Thu, 2013-04-25 21:28

Thanks. There are a few albums which have the group 'everybody', which, as you noted, guest belongs to. On these few albums the 'everybody' group has 'access all' permissions.
Fixing this is posing a rather interesting problem, though, seeing as there are now 16000-plus albums, all spam, all created by guest. Any attempt I make to remove the 'access all' permission for 'everybody' fails and gets a timeout.
As for looking in the mirror... I've inherited this app, so the person I see in the mirror is the one responsible for this thing still running :). Those responsible are long gone from the company.
It must also be noted that the user 'guest' isn't logging in directly to the application. In fact, I have a CAPTCHA set up for direct logins, so unless the bot (or whatever is logging in) is extremely clever, it isn't a direct-access infiltration.
It must be using URL attacks, although that's my only guess. Thanks again for the reply. Now on to the manual DB deletion and filesystem deletion.
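Since 'guest' is Gallery's anonymous user, nothing has to log in: any HTTP client can submit the add-album form on an album whose permissions grant the Everybody group the right to create sub-albums, so a CAPTCHA on the login form never comes into play. The fix suprsidr describes (revoke that grant on the root and apply it to all sub-items) is what the permissions screen does, but with 16000 albums it runs out of request time. The script below is an added example written for this thread; it is not code from the thread or from the Gallery project. It does the same revocation from the command line, one album at a time, committing as it goes, and then checks that guest can no longer add albums anywhere. Assumptions, none of which the thread states: it lives in the Gallery2 root next to embed.php; the core plugin parameters id.everybodyGroup, id.anonymousUser and id.rootAlbum and the permission ids core.all, core.addAlbumItem, core.addDataItem, core.edit, core.delete and core.changePermissions are the ones the core module uses; and GalleryCoreApi::getPluginParameter, fetchAllPermissionsForItem, removeGroupPermission, hasItemPermission, loadEntitiesById and fetchChildAlbumItemIds exist with the signatures used here in API 7.x (check them against the codex page linked later in the thread). Take a database backup first; core.view is deliberately left alone so public viewing keeps working.

```php
<?php
/* Added example for this thread, not Gallery project code. Revoke every
 * content-creating permission the Everybody group holds on any album under
 * the root, then verify guest can no longer create albums. Run from the
 * Gallery2 root on the command line: php revoke_everybody.php */
require_once('embed.php');

set_time_limit(0);   /* CLI run; the permissions screen times out on 16000 albums */

/* Abort on any GalleryStatus error, printing Gallery's own description. */
function bail($ret) {
    if ($ret) {
        die($ret->getAsHtml());
    }
}

bail(GalleryEmbed::init(array('fullInit' => true)));

/* Assumed core plugin parameters: group that every user including guest
 * belongs to, the guest (anonymous) user, and the root album. */
list($ret, $everybodyId) = GalleryCoreApi::getPluginParameter('module', 'core', 'id.everybodyGroup');
bail($ret);
list($ret, $guestId) = GalleryCoreApi::getPluginParameter('module', 'core', 'id.anonymousUser');
bail($ret);
list($ret, $rootId) = GalleryCoreApi::getPluginParameter('module', 'core', 'id.rootAlbum');
bail($ret);

/* Grants that let a guest create or change content. core.all ("access all")
 * implies all of the others, so it has to go too. core.view stays. */
$revoke = array('core.all', 'core.addAlbumItem', 'core.addDataItem',
                'core.edit', 'core.delete', 'core.changePermissions');

/* Depth-first over the album tree: fix this album, commit, verify, recurse. */
function revokeTree($albumId, $groupId, $guestId, $revoke, &$count) {
    list($ret, $perms) = GalleryCoreApi::fetchAllPermissionsForItem($albumId);
    bail($ret);
    foreach ($perms as $p) {
        /* Only drop grants this album actually holds for the group. */
        if (isset($p['groupId']) && $p['groupId'] == $groupId
                && in_array($p['permission'], $revoke)) {
            bail(GalleryCoreApi::removeGroupPermission($albumId, $groupId, $p['permission'], false));
            $count++;
        }
    }
    /* Commit per album so an interruption leaves finished albums fixed. */
    bail(GalleryEmbed::done());

    /* Check the effective result for the guest user, not just the group grant:
     * a per-user grant to guest (which the thread says does not exist) would
     * still show up here. */
    list($ret, $canAdd) = GalleryCoreApi::hasItemPermission($albumId, 'core.addAlbumItem', $guestId);
    bail($ret);
    if ($canAdd) {
        die("album $albumId still lets guest add albums; look for a user-level grant\n");
    }

    /* fetchChildAlbumItemIds takes the entity, not the id (as in the thread). */
    list($ret, $album) = GalleryCoreApi::loadEntitiesById($albumId, 'GalleryAlbumItem');
    bail($ret);
    list($ret, $childIds) = GalleryCoreApi::fetchChildAlbumItemIds($album);
    bail($ret);
    foreach ($childIds as $childId) {
        revokeTree($childId, $groupId, $guestId, $revoke, $count);
    }
}

$count = 0;
revokeTree($rootId, $everybodyId, $guestId, $revoke, $count);
echo "revoked $count Everybody grants; guest can no longer add albums anywhere\n";
```

Run this before cleaning up the spam albums, otherwise the bot keeps refilling the tree while the deletion runs. Per-album commits are a deliberate choice over one recursive removeGroupPermission call: on a tree this size a single transaction is both slow and all-or-nothing, and the per-album hasItemPermission check is what tells you the grant is really gone rather than merely removed from one row.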

 
suprsidr

Joined: 2005-04-17
Posts: 8339
Posted: Thu, 2013-04-25 21:37
Quote:
now on to the manual DB deletion and filesystem deletion.

NO
that is not the way

-s
________________________________
All New jQuery Minislideshow for G2/G3

 
suprsidr

Joined: 2005-04-17
Posts: 8339
Posted: Thu, 2013-04-25 21:40

Gallery does a lot more than just delete one item from one table to remove an item.
I wrote a script to use gallery's API to remove albums in a similar situation.

-s
________________________________
All New jQuery Minislideshow for G2/G3

 
pbo_dom

Joined: 2012-08-10
Posts: 12
Posted: Thu, 2013-04-25 22:14

Well, doing the deletes manually through the application is NOT an option unless I want to spend the next two weeks doing so. And, to be honest, the API is convoluted and not documented very well. We've dug into this API to attempt custom handling of custom fields on uploads of albums and images; it was disappointing, to say the least.

The scenario I've got is that only albums were created, some sub-albums, not items such as .pdf, .jpg, .mov, etc.
So I'm looking at deleting records and associations from:
Item
AlbumItems
ChildEntity
DescendentCountsMap
Entity
LinkItem (maybe)

Although, like the API, the schema definition for G2 is lacking on clarity and documentation. So it's difficult to know for sure.

If you have a better idea, I'm all ears!

 
suprsidr

Joined: 2005-04-17
Posts: 8339
Posted: Thu, 2013-04-25 23:34

The API is not well documented? http://codex.galleryproject.org/Gallery2:API

-s
________________________________
All New jQuery Minislideshow for G2/G3

 
suprsidr

Joined: 2005-04-17
Posts: 8339
Posted: Fri, 2013-04-26 10:38

This is what I wrote for one user:

<?php
    /* Run from the Gallery2 root so embed.php is found, and from the command
     * line if possible: deleting thousands of albums in one web request hits
     * the same timeout as the permissions screen. */
    require_once('embed.php');
    set_time_limit(0);

    $ret = GalleryEmbed::init(array('fullInit' => true));
    if ($ret) {
        echo $ret->getAsHtml();
        exit;
    }

    /* Id of the album whose child albums are to be deleted */
    $parentId = 42845;

    list($ret, $album) = GalleryCoreApi::loadEntitiesById($parentId, 'GalleryAlbumItem');
    if ($ret) {
        die($ret->getAsHtml());
    }
    /* Direct child albums only; deleting each one takes its sub-tree with it */
    list($ret, $ids) = GalleryCoreApi::fetchChildAlbumItemIds($album);
    if ($ret) {
        die($ret->getAsHtml());
    }
    //print_r($ids);
    foreach ($ids as $id) {
        /* Gallery's own delete: removes the album, its contents and every
         * table that references them, which hand-deleting rows does not */
        $ret = GalleryCoreApi::deleteEntityById($id, 'GalleryAlbumItem');
        if ($ret) {
            echo $ret->getAsHtml();
        }
        /* Commit after each album so progress survives an interruption */
        GalleryEmbed::done();
    }
    die('done');
?>

This will delete every child album of the album with id 42845.

-s
________________________________
All New jQuery Minislideshow for G2/G3