Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
oprime2001
Worker
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

PostPosted: Sat Sep 04, 2004 9:00 pm Reply with quote

I had a random user JackFromWales4u2 register on one of my phpnuke sites. At first I was annoyed at the random registration, but then paranoia took hold. I checked the logs for any obvious or glaring exploits, but I did not see anything.

I then checked the various phpnuke security sites. I was surprised to see that JackFromWales4u2 was also the latest signup at a forum moderator's site.

I then ran a Only registered users can see links on this board! Get registered or login!, and google returned 18600 Shocked hits!

From a random check of the various google hits, it seems that JackFromWales4u2 has been very busy with a great number of registrations at these various phpnuke and phpbb sites within a span of a couple of days -- September 1-2, 2004.

Now this screams of an exploit/vulnerability! Is there a script or exploit/vulnerability that is out in the wild that is yet unpatched?

Or am I just being paranoid here?
p.s. you might want to check your own sites to see if you've had a visit from JackFromWales4u2, too.
 
View user's profile Send private message
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Sat Sep 04, 2004 9:27 pm Reply with quote

I saw this on several sites, too. Could it be an attempt to identify server and / or return email address info for spamming purposes?
 
View user's profile Send private message
oprime2001
PostPosted: Sat Sep 04, 2004 9:52 pm Reply with quote

That could be a possible purpose for the mass registrations. My concern is HOW did they register and activate all these phpnuke/phpbb accounts in a seemingly short period of time.
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Sat Sep 04, 2004 10:03 pm Reply with quote

Interesting. Quoth the Raven "Let the Games Begin".

_________________
[b][size=5]openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR
| GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30[/size:2b8 
View user's profile Send private message
GeekyGuy
Client


Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio

PostPosted: Sat Sep 04, 2004 10:11 pm Reply with quote

oprime2001,

Do you have an IP address associated with that username?

_________________
"The Daytona 500 is ours! We won it, we won it, we won it!", Dale Earnhardt, February 15th, 1998, Daytona 500 
View user's profile Send private message Send e-mail Visit poster's website Yahoo Messenger MSN Messenger ICQ Number
oprime2001
PostPosted: Sat Sep 04, 2004 10:17 pm Reply with quote

The registration was activated using Only registered users can see links on this board! Get registered or login!
 
GeekyGuy
PostPosted: Sat Sep 04, 2004 10:23 pm Reply with quote

Interesting, that IP comes back as:
OrgName: Advanced Internet Technologies, Inc.
OrgID: ADIT
Address: 421 Maiden Lane
City: Fayetteville
StateProv: NC
PostalCode: 28301
Country: US

Jack is a Tarheel, not from Wales Shocked
 
Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

PostPosted: Sun Sep 05, 2004 4:39 am Reply with quote

Thats interesting isn't it boyo!

sorry couldnt resist it.

I'll keep a watch out for that username.

_________________
Classic Mini rules the bends & bends the rules!
[img] 
View user's profile Send private message
takaharu
Client


Joined: Sep 25, 2003
Posts: 58

PostPosted: Sun Sep 05, 2004 11:27 am Reply with quote

I have this one registered on my site.

Should i loose him ?

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
Rage
Insane


Joined: Jul 30, 2004
Posts: 85

PostPosted: Sun Sep 05, 2004 11:36 am Reply with quote

I feel like we're in the twighlight zone. Shocked

_________________
It's not that I'm afraid of dying, it's just that I don't want to be there when it happens. - Woody Allen 
View user's profile Send private message
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Sun Sep 05, 2004 12:14 pm Reply with quote

Registered on my site on September 1, 2004 using a mail.ru email address which is on my restricted list. You should NOT be able to register on my site using this email address so something is awry!

_________________
Steph Benoit Only registered users can see links on this board! Get registered or login!
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly) 
View user's profile Send private message Visit poster's website
GeekyGuy
PostPosted: Sun Sep 05, 2004 12:22 pm Reply with quote

Luckily, I've not seen traces of this fella on my site, but then I don't get a lot of traffic.

Has anyone seen a post by him, or anything other than just a registration? If not, then I would delete his account.

Another thing, is everyone seeing him on the same IP, 66.219.97.51 ?
 
Muffin
PostPosted: Sun Sep 05, 2004 2:51 pm Reply with quote

Can we check all registered members IP's on our site quickly? I mean I have over 500 so far, and most of those dont post on the forum, so I don't get an IP.

Shame if it doesnt register an IP when registering (something I liked about Invision Board the IP on registration was logged) because you can get rid of anyone you dont want if you know their IP.
 
GeekyGuy
PostPosted: Sun Sep 05, 2004 3:03 pm Reply with quote

If you were using the IP Tracking module, you could find it pretty easily. I actually hadn't thought about those who weren't using IP Tracking. Sorry.

Maybe one of the Wizards of Nuke knows of a way to find the last IP, but I sure don't
 
Muffin
PostPosted: Sun Sep 05, 2004 3:10 pm Reply with quote

I only use MS Analysis Sad

I think I'll install IP Tracking now Rolling Eyes
 
sixonetonoffun
PostPosted: Sun Sep 05, 2004 3:12 pm Reply with quote

I'm thinking someones developed a reader for the images. It only makes sense. The rest is easy to script.

I bumped my code up to 9 digits and changed the background image color and quality. But am going to hack in a harder to read image when I get time.
 
64bitguy
PostPosted: Sun Sep 05, 2004 3:53 pm Reply with quote

I can see that, but it doesn't explain how he got around my email address registration restrictions.
 
sixonetonoffun
PostPosted: Sun Sep 05, 2004 4:30 pm Reply with quote

Not your average copy paste script kiddie for sure. I'd guess this is a very high tech entity or individual. But collecting the urls from the emails wouldn't be the hardest thing to do.
 
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Sun Sep 05, 2004 7:40 pm Reply with quote

sixonetonoffun wrote:
I'm thinking someones developed a reader for the images. It only makes sense. The rest is easy to script.

I bumped my code up to 9 digits and changed the background image color and quality. But am going to hack in a harder to read image when I get time.
This might get you started
Code:
function gfx($random_num) {

   global $prefix, $db, $module_name;
   require("config.php");
   $datekey = date("F j");
   $rcode = hexdec(md5($_SERVER[HTTP_USER_AGENT] . $sitekey . $random_num . $datekey));
   $code = substr($rcode, 2, 6);
   # $image = ImageCreateFromJPEG("modules/$module_name/images/code_bg.jpg");
   Header("Content-type: image/jpeg");

   $image = ImageCreate(100,20);

   $white=ImageColorAllocate($image,255,255,255);
   ImageFilledRectangle($image,0,0,100,20,$white);

   for ($cnt=0; $cnt<12; $cnt++) {
      $text_color = ImageColorAllocate($image, intval(rand(200,255)), intval(rand(200,255)), intval(rand(200,255)));

      # Depending on your PHP use one of imageellipse or imagearc
      #ImageEllipse($image,($cnt*8),10,intval(rand(15,30)),intval(rand(15,30)), $text_color);
      ImageArc($image,($cnt*8),10,intval(rand(15,30)),intval(rand(15,30)),0,360, $text_color);
   }

   for ($idx=0; $idx<6; $idx++) {
      $text_color = ImageColorAllocate($image, intval(rand(0,128)), intval(rand(0,128)), intval(rand(0,128)));
      $text_color1 = ImageColorAllocate($image, intval(rand(0,128)), intval(rand(0,128)), intval(rand(0,128)));
      ImageString ($image, intval(rand(1,5)), 12+($idx*14), 2, substr($code,$idx,1), $text_color);
      ImageString ($image, intval(rand(1,5)), 11+($idx*14), 2, substr($code,$idx,1), $text_color1);
   }

   ImageJPEG($image, '', 75);
   ImageDestroy($image);
   die();
}
Don't even know where I picked it up. I have another one that is much clearer and is in color but I can't find it right off hand.
 
View user's profile Send private message
sixonetonoffun
PostPosted: Mon Sep 06, 2004 8:50 am Reply with quote

Seems to come out clearer as a png image. Nice who ever created it.
 
sixonetonoffun
PostPosted: Mon Sep 06, 2004 1:05 pm Reply with quote

Does anyone think we need a 3 strikes function with this?
The longer the code is the more likely an error. After changing to 9 chars about 1 in 3 trys I get it wrong and I'm more familar with the login process then the average surfer.

It has some merit in the case of brute force attacks I spose.
 
sixonetonoffun
PostPosted: Mon Sep 06, 2004 2:49 pm Reply with quote

By the way its up to 36,600 today! Only registered users can see links on this board! Get registered or login!
Must be a world record for website memberships huh?
 
oprime2001
PostPosted: Thu Sep 09, 2004 7:28 am Reply with quote

I posted the original post in the Only registered users can see links on this board! Get registered or login!. A couple of users there are now reporting that the JackFromWales4u2 account is being used to spam news articles on phpnuke websites with comments with a link to (presumably, their) website.

However, what is more disconcerting is that these users are reporting that ALL of their articles/news were spammed! Again, if that doesn't smell of a script/bot, I don't know what does. I don't see a legitimate reason to keep this JackFromWales4u2 account on your site! Evil or Very Mad
 
GeekyGuy
PostPosted: Thu Sep 09, 2004 12:59 pm Reply with quote

44,200 for JackFromWales4u2 on Google today....
 
kguske
PostPosted: Thu Sep 09, 2004 1:07 pm Reply with quote

I really wonder if the person contacted to investigate this might be the one who did it... It will be interesting to see the replies.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©