JoAnne
Worker
Joined: Oct 18, 2005
Posts: 127
Location: NYC
Posted: Thu Feb 22, 2007 7:06 pm

Yes... Hackers have joined one of my sites by just entering one link!

They did not do any harm that I can see... no spam... nothing... so I don't know what they were trying to accomplish... maybe just to see if they could do it.

Has anyone else seen this happen?



JoAnne ~


wiz
Client
Joined: Oct 09, 2006
Posts: 394
Location: UK
Posted: Thu Feb 22, 2007 7:44 pm

How do you know this? Don't post any links or stuff, but how do you know they just entered one link?

Sounds to a noob like me like it was more of an executable link for a script. And is it a sleeper? Therefore no damage is done yet, but the actual work is done, so that they can play later.
JoAnne
Worker
Joined: Oct 18, 2005
Posts: 127
Location: NYC
Posted: Thu Feb 22, 2007 8:07 pm

wiz wrote:
How do you know this? Don't post any links or stuff, but how do you know they just entered one link?

Sounds to a noob like me like it was more of an executable link for a script. And is it a sleeper? Therefore no damage is done yet, but the actual work is done, so that they can play later.


There was only one link to the IP, which joined 3 times within minutes of each other. Most spam bots that try to enter the forums use a fictitious email that comes back as undeliverable, and you can see them making attempts to enter the forums... not these times.

One link and they are registered on my site. They used an activate command... first I have seen of it.

Don't know what to do to protect against it happening again, or if there is anything that can be done.
wiz
Client
Joined: Oct 09, 2006
Posts: 394
Location: UK
Posted: Thu Feb 22, 2007 8:10 pm

Well, for a start, if you are sure, remove their account.
JoAnne
Worker
Joined: Oct 18, 2005
Posts: 127
Location: NYC
Posted: Thu Feb 22, 2007 8:26 pm

wiz wrote:
Well, for a start, if you are sure, remove their account.



I banned their user names for now. I have had problems in the past from deleting users entirely.

Strange that they didn't do anything.... but they could be coming back as you stated.
wiz
Client
Joined: Oct 09, 2006
Posts: 394
Location: UK
Posted: Thu Feb 22, 2007 8:32 pm

Rename their account then, mail them suggesting a dodgy link and your policy, blah blah.

While you make your judgement, the account is still there and they can't log in because the username has changed.

The motive for this is that you do not delete any legitimate activity that they have accumulated, but it gives you time to assess the threat to your prized (and very neat, may I add) website. Hopefully someone more knowledgeable will reply soon.
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6044
Posted: Thu Feb 22, 2007 8:45 pm

The quickest way to tell how it happened is to check your access logs. These are usually available on the site's control panel.
JoAnne
Worker
Joined: Oct 18, 2005
Posts: 127
Location: NYC
Posted: Thu Feb 22, 2007 8:54 pm

wiz wrote:
Rename their account then, mail them suggesting a dodgy link and your policy, blah blah.

While you make your judgement, the account is still there and they can't log in because the username has changed.

The motive for this is that you do not delete any legitimate activity that they have accumulated, but it gives you time to assess the threat to your prized (and very neat, may I add) website. Hopefully someone more knowledgeable will reply soon.


Thanks wiz!

I am thinking it might be better to change their password... if they even entered one... but they can always enter more users the same way they entered the three they did today... stinks.
wiz
Client
Joined: Oct 09, 2006
Posts: 394
Location: UK
Posted: Thu Feb 22, 2007 8:59 pm

Well no, change their username. You have no way of recovering their original password; username, yes, because it is not MD5'd.

The motive is, if you are being over-cautious, it doesn't appear like that to the legit user if you say in your email that their account is under review.

Then if they are bad, you remove them; if they are good, you restore their username and they can log in again.
JoAnne
Worker
Joined: Oct 18, 2005
Posts: 127
Location: NYC
Posted: Thu Feb 22, 2007 9:13 pm

wiz wrote:
Well no, change their username. You have no way of recovering their original password; username, yes, because it is not MD5'd.

The motive is, if you are being over-cautious, it doesn't appear like that to the legit user if you say in your email that their account is under review.

Then if they are bad, you remove them; if they are good, you restore their username and they can log in again.


With the email ontimepaydayloan.com, I doubt very much that they are legit accounts.

Besides... anyone that can register that way, I do not want as a member anyway!

Thank you wiz
JoAnne
Worker
Joined: Oct 18, 2005
Posts: 127
Location: NYC
Posted: Thu Feb 22, 2007 9:15 pm

kguske wrote:
The quickest way to tell how it happened is to check your access logs. These are usually available on the site's control panel.


Hey kguske

Unfortunately the access logs didn't tell me anything more.


JoAnne
wiz
Client
Joined: Oct 09, 2006
Posts: 394
Location: UK
Posted: Thu Feb 22, 2007 9:18 pm

Well, you are the owner and admin; if you do not want it, delete it. It's your prerogative.

However, I don't know if the experts can dispute this, but maybe keep it, change the details, then explore the account. It's your site; you have the right to explore anyone's account.
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Thu Feb 22, 2007 10:44 pm

Hey JoAnne

Send me the links they are using and I will check it out. These are always automated bots, but if they've found a quicker way that doesn't need activation, it could be a flaw somewhere.
jjh221
Worker
Joined: Dec 05, 2006
Posts: 178
Posted: Thu Feb 22, 2007 11:56 pm

JoAnne, I found an Amazon module

Tested on 2.02.02. Doesn't work properly (I could just be a noob); says it only works on PHP-Nuke 6.9 - 7.4. I'll probably sign up on his site and see if he can get it working with 2.02.02. Looks really good.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9133
Location: Arizona
Posted: Fri Feb 23, 2007 6:33 am

evaders99, we definitely could have an issue here, and even in 2.10.00! I just had two "odd-ball" userids sign up yesterday, one using this exact same domain (fishy in my book) and another very close to it.

If this is a bot, it's getting past the new captcha. It might actually be a real person? Uuggghh...
technocrat
Life Cycles Becoming CPU Cycles
Joined: Jul 07, 2005
Posts: 511
Posted: Fri Feb 23, 2007 10:36 am

The spammers are posting to the registration file. That's what they were doing in Evo. We are using CNBYA and they would simply send a POST to new_finish3.php and presto: no code validation, no email validation, nothing. So I added sessions to the files to make sure they went through each step.
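The fix technocrat describes, a direct POST to the final registration step being refused unless the session has actually walked the earlier steps, is shown below as an added illustration. This is not CNBYA's, RavenNuke's or PHP-Nuke's own code; the step names, the `$_SESSION` keys and the handler functions are this example's own assumptions about a three-request flow (form, CAPTCHA/code check, finish).

```php
<?php
// Added illustration, not CNBYA's, RavenNuke's or PHP-Nuke's own code.
// Assumed flow: three separate requests -- registration form, CAPTCHA/code check,
// finish. The weak handler trusts the POST body alone; the checked one refuses
// unless this session has walked the earlier steps in order.

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// The steps a registration must pass, in order. Names are this example's own.
const REG_STEPS = ['form', 'captcha'];

// Weak pattern: anyone who can send one POST with the right field names gets an
// account. This is the behaviour described in the thread.
function finish_registration_unchecked(array $post): string
{
    if (empty($post['username']) || empty($post['email'])) {
        return 'error: missing fields';
    }
    // ... the real code would insert the user row here ...
    return 'created ' . $post['username'];
}

// Record that $step has just been completed; refuses if a step was skipped.
function mark_step_done(string $step): void
{
    $idx  = array_search($step, REG_STEPS, true);
    $done = $_SESSION['reg_step'] ?? -1;          // index of last completed step
    if ($idx === false || $idx !== $done + 1) {
        throw new RuntimeException("step '$step' attempted out of order");
    }
    $_SESSION['reg_step'] = $idx;
}

// Throw unless $step (and everything before it) was completed in this session.
function require_step_done(string $step): void
{
    $idx = array_search($step, REG_STEPS, true);
    if ($idx === false || ($_SESSION['reg_step'] ?? -1) < $idx) {
        throw new RuntimeException("step '$step' not completed in this session");
    }
}

// Step 1: the form was submitted; remember the username the flow started with.
function handle_form(array $post): void
{
    mark_step_done('form');
    $_SESSION['reg_username'] = (string) ($post['username'] ?? '');
}

// Step 2: the code from the CAPTCHA (or e-mail) must match what the server issued.
function handle_captcha(array $post, string $expected_code): void
{
    require_step_done('form');
    if (!hash_equals($expected_code, (string) ($post['code'] ?? ''))) {
        throw new RuntimeException('code mismatch');
    }
    mark_step_done('captcha');
}

// Step 3, hardened: requires the earlier steps and a consistent username, then
// clears the session state so the same session cannot finish twice.
function finish_registration_checked(array $post): string
{
    require_step_done('captcha');
    if (($_SESSION['reg_username'] ?? null) !== ($post['username'] ?? null)) {
        throw new RuntimeException('username differs from the one on the form');
    }
    $result = finish_registration_unchecked($post);
    unset($_SESSION['reg_step'], $_SESSION['reg_username']);
    return $result;
}

// Demonstration with constructed input: a single POST straight to the finish
// step is refused, while a client that walked the steps in order is accepted.
$bot = ['username' => 'spambot01', 'email' => 'bot@example.invalid'];
try {
    finish_registration_checked($bot);
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
handle_form(['username' => 'alice']);
handle_captcha(['code' => 'k7p2'], 'k7p2');
echo finish_registration_checked(['username' => 'alice', 'email' => 'alice@example.invalid']), "\n";
```

The design point is that the proof of having passed a step lives server-side in the session, not in hidden form fields or in the mere presence of POST parameters, and that the finish step consumes the session state so one validated session cannot be replayed to create several accounts.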
wiz
Client
Joined: Oct 09, 2006
Posts: 394
Location: UK
Posted: Fri Feb 23, 2007 10:54 am

Actually, I've just found 10 of these accounts on one of my sites.
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic
Posted: Fri Feb 23, 2007 11:46 am

I had 4 today, one from the same email posted above.
Evaders99, I'd appreciate any feedback if you learn anything from the data sent to you by JoAnne.

I have a feeling though that these are not automated sign-ups - surely there would be many more of them if this was the case?

Out of the four I had today 2 are fully 'registered users' the other two are still sitting in 'pending'.
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3143
Location: Germany:Moderator German NukeSentinel Support
Posted: Fri Feb 23, 2007 11:51 am

Quote:
I have a feeling though that these are not automated sign-ups



Guardian, just google for ontimepaydayloan.com and you'll find a lot of spam entries in blogs and other sites too.
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic
Posted: Fri Feb 23, 2007 1:33 pm

Thanks Susann, I appreciate that, but as yet I have found no evidence indicating that the issues posted here are as a result of an automated attack.
I'm not ruling out that they are conducting automated attacks in other places; I'm just trying to make the point that we shouldn't 'assume' it's an automated attack.

I have spent a couple of hours poring over my server error logs and there is nothing in there. I also use a script which emails me if anyone tries to access a file they are not supposed to or that doesn't exist, and there's nothing there either.

The one peculiarity I do see is that I'm not seeing any Tracked User IP data in Sentinel. I would expect to see one entry per registration confirmation, BUT I'm ONLY tracking the last 100 IPs, so I'll increase that now and see what the future brings.
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6373
Location: Vsetin, Czech Republic
Posted: Fri Feb 23, 2007 2:56 pm

OK, I have gone through all my registered users, luckily there are not too many, and surprise, surprise!!
Every single one that I would consider a 'sleeper' user whose email address is associated with loans and all that type of thing has come from the same place.
I checked each of the addresses (a total of 30 going over the last year) and they all came from this range which, incidentally, I have seen come up before.

I hope it helps.
Quote:
OrgName: Layered Technologies, Inc.
OrgID: LAYER-3
Address:
Address: 1647 Witt Road Suite#201
City: Frisco
StateProv: TX
PostalCode: 75034
Country: US



NetRange: 72.232.0.0 - 72.232.255.255
CIDR: 72.232.0.0/16
NetName: LAYERED-TECH-
NetHandle: NET-72-232-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LAYEREDTECH.COM
NameServer: NS2.LAYEREDTECH.COM
Comment: Please send all abuse complaints to
Comment: *****@layeredtech.com
RegDate: 2005-09-07
Updated: 2006-03-07

RTechHandle: JPS66-ARIN
RTechName: Suo-Anttila, Jeremy Paul
RTechPhone: +1-972-398-7998
RTechEmail: ***@layeredtech.com

OrgAbuseHandle: LAT-ARIN
OrgAbuseName: LT Abuse Team
OrgAbusePhone: +1-972-398-7998
OrgAbuseEmail: *****@layeredtech.com

OrgNOCHandle: LIT-ARIN
OrgNOCName: LT IP-Network Team
OrgNOCPhone: +1-972-398-7998
OrgNOCEmail: *****@layeredtech.com

OrgTechHandle: LNT3-ARIN
OrgTechName: LT NOC Team
OrgTechPhone: +1-972-398-7998
OrgTechEmail: *****@layeredtech.com

I have now blocked the whole range in Sentinel
ruger
New Member
Joined: Dec 26, 2005
Posts: 4
Posted: Fri Feb 23, 2007 7:40 pm

I noticed 3 days ago that I was having the same problem. So far there have been 20 registrations like this. None have recorded IPs in NukeSentinel, nor do any records show in MS Analysis. When I check the user database there are no IPs as well. This is a partial list of my raw access logs with some of the usernames and IPs:
Quote:
DXIRxDkgtN
81.169.183.122 - - [23/Feb/2007:02:15:00 -0600] "GET /modules.php?name=Your_Account&op=activate&username=DXIRxDkgtN&check_num=ceae7f479557b3650a8a249b80995625 HTTP/1.0" 200 26586 "-" "Mozilla/4.0 (compatible; ICS)"
66.249.65.70 - - [23/Feb/2007:03:08:02 -0600] "GET /modules.php?name=Your_Account&op=userinfo&username=DXIRxDkgtN&PHPSESSID=baf5554f6fa1a29659df60583e732184 HTTP/1.1" 200 4639 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"



tUSkxXjhcV
149.9.0.59 - - [23/Feb/2007:04:43:17 -0600] "GET /modules.php?name=Your_Account&op=activate&username=tUSkxXjhcV&check_num=221cdbd49831660e254edeb0c4b51109 HTTP/1.0" 200 26586 "-" "Mozilla/4.0 (compatible; ICS)"
66.249.65.70


CAVvvnNrYJ
213.100.23.130
66.249.65.70
66.254.102.58
149.9.0.57
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Fri Feb 23, 2007 9:48 pm

CAPTCHAs aren't a cure-all, especially when the software is getting smarter.
Generally the bots still have to read the registration page to get the CAPTCHA, before processing it and then going to POST data to the registration fields.

If you don't see that pattern, let me take a look and I'll see if I can duplicate it.
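The pattern evaders99 describes (a genuine registration fetches the form and its CAPTCHA before anything is posted) gives a way to triage access logs like the ones ruger quoted: an activation with no earlier request for the registration form from the same client IP is the fingerprint of a direct POST to the final step. The script below is an added example, not code from the thread or from NukeSentinel. It assumes the combined log format quoted above, a chronologically ordered log, and that the registration form is served at `op=new_user` (adjust the marker to whatever your module uses); the sample log lines are constructed.

```php
<?php
// Added example, not code from the thread or from NukeSentinel. Reads Apache
// combined-format access log lines (the format quoted in the thread) and reports
// account activations that were not preceded, from the same client IP, by a
// request for the registration form. A client that POSTs straight to the final
// registration step never fetches the form, so its activation stands alone.
// Assumptions: the form is served at op=new_user (adjust to your module) and the
// log is in time order, as access logs normally are.

const REG_FORM_MARK = 'op=new_user';   // assumed marker of the registration form
const ACTIVATE_MARK = 'op=activate';
const LOOKBACK_SECS = 3600;            // form fetch must be within an hour

// Parse one combined-format line into ip, unix time, request path and user agent.
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $ts->getTimestamp(), 'path' => $m[3],
            'status' => (int) $m[4], 'ua' => $m[5]];
}

// Return one entry per activation that had no form fetch from the same IP in the
// preceding LOOKBACK_SECS.
function orphan_activations(array $lines): array
{
    $formSeen = [];   // ip => unix time of that IP's last registration-form request
    $orphans  = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        if (strpos($r['path'], REG_FORM_MARK) !== false) {
            $formSeen[$r['ip']] = $r['time'];
            continue;
        }
        if (strpos($r['path'], ACTIVATE_MARK) === false) {
            continue;
        }
        parse_str((string) parse_url($r['path'], PHP_URL_QUERY), $q);
        $last = $formSeen[$r['ip']] ?? null;
        if ($last === null || $r['time'] - $last > LOOKBACK_SECS) {
            $orphans[] = ['user' => $q['username'] ?? '?', 'ip' => $r['ip'],
                          'time' => date('c', $r['time']), 'ua' => $r['ua']];
        }
    }
    return $orphans;
}

// Constructed sample: one activation with no form fetch (the pattern in the
// thread) and one ordinary registration that fetched the form first.
$sample = [
    '10.0.0.5 - - [23/Feb/2007:02:15:00 -0600] "GET /modules.php?name=Your_Account&op=activate&username=spambot01&check_num=00000000000000000000000000000000 HTTP/1.0" 200 26586 "-" "Mozilla/4.0 (compatible; ICS)"',
    '192.0.2.7 - - [23/Feb/2007:09:00:12 -0600] "GET /modules.php?name=Your_Account&op=new_user HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.7 - - [23/Feb/2007:09:14:40 -0600] "GET /modules.php?name=Your_Account&op=activate&username=alice&check_num=11111111111111111111111111111111 HTTP/1.1" 200 26586 "-" "Mozilla/5.0 (X11; Linux)"',
];

foreach (orphan_activations($sample) as $o) {
    printf("activation with no prior form fetch: user=%s ip=%s at %s ua=%s\n",
           $o['user'], $o['ip'], $o['time'], $o['ua']);
}
```

On the sample input only `spambot01` from 10.0.0.5 is reported. As JoAnne notes later in the thread, a sender can sign up from one address and activate from another, so a clean result here is not proof of a normal registration; the check is a triage filter for the log pattern, and the uncommon user agent on the flagged line (here the "ICS" string from ruger's logs) is a second thing worth pivoting on.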
JoAnne
Worker
Joined: Oct 18, 2005
Posts: 127
Location: NYC
Posted: Sat Feb 24, 2007 5:29 pm

evaders99 wrote:
Hey JoAnne

Send me the links they are using and I will check it out. These are always automated bots, but if they've found a quicker way that doesn't need activation, it could be a flaw somewhere.


Hey Evaders99

My internet has been down... just came back up a little while ago

I will email you the links

Here is another email associated with the strange registrations:

reciprocallinkmanagers.com

I have been trying to check to see if they are using multiple IPs, one to sign up, a different one to activate, which may be why I am only seeing one link for their IP to their account. Still investigating this now that I have the internet back.

If that is the case, then they are not really entering just one link.


JoAnne


Last edited by JoAnne on Sat Feb 24, 2007 5:46 pm; edited 1 time in total
JoAnne
Worker
Joined: Oct 18, 2005
Posts: 127
Location: NYC
Posted: Sat Feb 24, 2007 5:44 pm

Evaders99


Just remembered that you are still an admin on my United Music site if you want to take a look for yourself


JoAnne