Can't figure out how spammers are posting links

I keep getting spam links posted. I have YOURLS set up to only allow authorized users to create links. I changed the password for every user (only three of us), and I changed the “secret” (cookiekey). I also changed the MySQL password.

Nevertheless, I still get the occasional spam link posted.

What else could I be missing?

Thanks.

You don’t have a public interface, right?

Correct. I have three users (including me), and we’re the only ones who can post links.
No public interface.

Have you checked all files? When an app is compromised and malicious code is added to files, it’s pointless to change passwords. A good thing to do is delete every file and reupload ones

I did a clean install. I went over my config.php very carefully and it looks fine. I reviewed the MySQL database, and it looks fine.
Within two hours, there were two rogue URLs (“for SICK VPN”).
I’m really at a loss as to how they are getting in there.
Any other thoughts?
I’m using Dreamhost. I have plenty of sites up there and have never had a problem.

To summarize:

  1. Public interface off
  2. Three users - all with new passwords
  3. Changed SQL password
  4. Did clean install
  5. Carefully reviewed config.php
  6. Changed cookie secret

Any other ideas?

Thanks.

It could really be a number of things, ranging from server level to YOURLS itself. Out of the blue I have no further simple idea.

What’s the actual URL? If it’s a possibility for you, I’d love to have a temp SSH access to your server (to the YOURLS account on DH) to investigate and report. If so, my email is ozh at ozh dot org

Even after my completely clean install, this morning there were another 20 URLs.

I removed the yourls-api.php file. Will that effectively remove any chance for the API being used/abused?

If that doesn’t work, we’re going to modify .htaccess to restrict to our university domain.

I’ll let you know if that works, and if not, we can figure out how to get you access to the server.

Thanks.

The yourls-api.php file complies with the same authentication as the /admin part (unless of course you have a public API).

To add more data:

Using .htaccess, I restricted the admin area to just my university IP.

This morning, woke up to another 20 spam links.

Is there any log of how or where the URLs are added?

Also - I removed all the plugins.

And, as I said before, I deactivated the API.

No, there’s no log of “how” things were added.

You’re most certainly “fixing” things that were not broken (as I said, the API has the same auth as the admin part)

@volcs0, have you reviewed the server web logs? Links that get added to the database have the IP and the timestamp, so that will narrow down the time that you need to review on the server. You could review these and see if there are any suspicious requests to the server at this point in time (or just before).
Also check your SSH logins - you haven’t stated whether that account has had its password (or SSH key) changed. It could be that the attackers are SSH’ing into the server.
My yourls instance is also on Dreamhost and I haven’t seen this issue (yet) thankfully!

I just wanted to close the loop on this. As suspected, this was user error (i.e., me), I think.
I had used that sample public front page template to create an index.php file.
So, even when I set config.php to private, could the index.php have been used to POST links?

In any case, I’ve removed the index.php file. The spam links have stopped.

Eeeeeeeeeh… A public front page is a public front page, even if the admin area is private…
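
The log review suggested earlier in the thread, sketched as an added example (not code from any poster or from YOURLS): it matches the IP and timestamp stored with each link against web server access log lines to show which script received the request that created it. The function names, the Apache common/combined log format, the assumption that database timestamps are in UTC, and all sample rows are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined access log format is assumed; only needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_log_line(line):
    """Return (ip, aware datetime, method, path, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def correlate(links, log_lines, window_seconds=5, db_tz=timezone.utc):
    """Map each link keyword to same-IP requests within window_seconds of its creation."""
    entries = [e for e in map(parse_log_line, log_lines) if e]
    window = timedelta(seconds=window_seconds)
    report = {}
    for keyword, ts_text, ip in links:
        created = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=db_tz)
        report[keyword] = [(method, path, status)
                           for log_ip, ts, method, path, status in entries
                           if log_ip == ip and abs(ts - created) <= window]
    return report

def entry_points(report):
    """Count the script paths that received POSTs lining up with link creation."""
    counts = {}
    for hits in report.values():
        for method, path, _status in hits:
            if method == "POST":
                script = path.split("?", 1)[0]  # drop any query string
                counts[script] = counts.get(script, 0) + 1
    return counts

# Constructed sample data: documentation IP ranges and made-up keywords.
SAMPLE_LINKS = [("abc12", "2024-03-02 09:14:07", "203.0.113.45"),
                ("abc13", "2024-03-02 09:14:31", "203.0.113.45")]
SAMPLE_LOG = [
    '203.0.113.45 - - [02/Mar/2024:01:14:06 -0800] "POST /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Mar/2024:01:14:07 -0800] "GET /admin/ HTTP/1.1" 403 199',
    '203.0.113.45 - - [02/Mar/2024:01:14:30 -0800] "POST /index.php HTTP/1.1" 200 5120',
    'truncated line that does not parse',
]

if __name__ == "__main__":
    print(entry_points(correlate(SAMPLE_LINKS, SAMPLE_LOG)))
```

If the path that comes back is not under /admin/ and is not yourls-api.php, the links are arriving through some other script in the web root, which is where the thread's index.php front page ended up.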