Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Doodle
Hangin' Around


Joined: Jan 26, 2004
Posts: 46
Location: 127.0.0.1

PostPosted: Thu Sep 09, 2004 1:11 pm Reply with quote

I contacted floridadom.com this morning as per my post in nukecops. I don't usually follow up there but this site was down for a bit. I'll continue the tread here now that it's back up. As per my post on nukecops, here was the reply from floridadom:
Quote:

Hello there.

My name is **** ****** and I am the owner of floridadom.com and a few
other domains.
Wolist.com is one of the domain we host on our servers.

I had no idea about any spam activity from our IP. We never had any
complaints before.

I will personally investigate what might be the source of that activity and
I will make sure this will never happen again.

If you have any questions or concerns you can contact me at ***-***-****.

Sincerely,

**** ******

_________________
Independent Network Solutions Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login! Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Thu Sep 09, 2004 1:24 pm Reply with quote

Great, but there is no commitment to inform you of any findings. Maybe I'm too skeptical - but I've sent many messages requesting action (especially when I get phishing emails) and NEVER received a response (actually, one from a European ISP that basically said "Thanks, but we're not liable"). At least (s)he replied, but it makes me wonder why.
 
View user's profile Send private message
Doodle
PostPosted: Thu Sep 09, 2004 1:31 pm Reply with quote

True. Honestly I was surprised I got a response at all. I did send a note to domainsbyproxy informing them of the breach of service so perhaps that will spawn some action.
 
kguske
PostPosted: Thu Sep 09, 2004 3:06 pm Reply with quote

Thanks. Please let us know if you receive additional feedback.
 
beetraham
Regular
Regular


Joined: Dec 13, 2003
Posts: 94
Location: Finland (EU)

PostPosted: Thu Sep 09, 2004 4:05 pm Reply with quote

I find it rather disturbing to share as a knowledge, and a personal experience, a possibility to expect all the sites being involved with the registration of this BOT-ADVERTISING-culprit SPAMMING NEWS COMMENTS in the near future.

BTW, this been the case with my site as well - no real harm/damage done, mostly extreme personal annoyance. I have blocked the IP, changed the password, but preserved the account (and kept the performed actions by this account) as a reference for further investigations (if needed).

Hopefully there will not soon be a tenfold of Jacks from Blubberland using variants of the exploit that has been witnessed recently - I doubt it, but it is really only a matter of him publishing the used script exploit, isn't it?

So, apparently a cure is required for these purposes in the near future.

Has anyone of the security pros come up with any estimate on having this FORM based automized NEWS module exploit being blocked by a dedicated security patch? Or perhaps with some kind of a workround other than deactivating the NEWS reply/comment feature?

Please see attached my link as a made last reply regarding the subject - it is just a general spammer-end summary. (common notices).
Only registered users can see links on this board! Get registered or login!

BR,

-beetraham

_________________
- Let there be no windows at your home - 
View user's profile Send private message
Doodle
PostPosted: Thu Sep 09, 2004 5:09 pm Reply with quote

What I am most concerned about is not that he managed to use a script to interactively post spam in the comments (notice the comments he posted seem to be interactive with the subject of the news item, perhaps so we would miss it on busy sites) but the fact that he managed to circumvent the graphic security check in the registration process on so many sites. Mine didn't use the graphic so thats my bad but a lot if sites were.
 
kguske
PostPosted: Thu Sep 09, 2004 6:05 pm Reply with quote

Both are valid concerns:
- using a script to mass register (with and without security graphics)
- using a script to mass post comments

Previous posts here describe how to address the first concern by making it more difficult to mass register. Another option is to require admin approval for registering - not practical for large sites. I'm not sure registering on a single site is really something you can block, unless you possibly check the referer to make sure it was posted from your your_account registration form.

You could possibly have a check to see if someone is mass posting comments (max number of posts per minute - like flood protection), but what if you only had one news story?

And, what if you didn't require membership to post comments? So, you'd have to limit the number of posts by IP address. Again, flood protection.

Or, you could require that the posting of comments was posted from (referred by) your comments (news) form.

This looks like a whole new line of security patches...Chatserv?
 
kguske
PostPosted: Thu Sep 09, 2004 6:18 pm Reply with quote

The ONLY database update I can think of that should be allowed to be referred by another site is remote rating of downloads / web links.

If Raven et. al developed the object-based CMS discussed here in another thread, this would be a simple change to one method.
 
Doodle
PostPosted: Fri Sep 10, 2004 8:05 pm Reply with quote

Email sent today to them as follows (not that I expect an update):
Quote:
To date, we have not recieved a response and are anxious to know the results of your investigation before this escalates further.
Please advise. If you find the time, I strongly recommend posting a note on the nukecops security forms at Only registered users can see links on this board! Get registered or login!
or the Ravenscripts forums at Only registered users can see links on this board! Get registered or login!
Thanks again in advance for your attention in this matter.

Webmaster Only registered users can see links on this board! Get registered or login!
Independent Network Solutions Only registered users can see links on this board! Get registered or login!
 
kguske
PostPosted: Fri Sep 10, 2004 8:24 pm Reply with quote

One of my sites had a new user named ROBOT that registered without an email address. I'm guessing he used a similar (or the same) script.
 
Deseroka
Client


Joined: Apr 15, 2003
Posts: 466
Location: FL

PostPosted: Fri Sep 10, 2004 9:07 pm Reply with quote

I just logged in and this was the first thing I saw in the forum block.
This guy registered on my site on the 8th. Google has his count up to 80,000 tonight.
He had tried to register at my site last Thursday or Friday. I had deleted his activation email siply because I did not think Jack from Wales would have alot to contribute to an Amrerican Indian forum.(I get sick of people waking up and deciding they would like to be an Indian) However, he snuck in on my while I was without power after the storm Frances.
He registered with the same mail.ru address and has made about 4 comments to a news post. All include a link to this site Only registered users can see links on this board! Get registered or login!.
I've also seen some request for an image I have in a block.
This guy is so gone! He may be just looking to promote his site, but not at my place...I'm not taking any chances.


Last edited by Deseroka on Fri Sep 10, 2004 10:24 pm; edited 1 time in total 
View user's profile Send private message
kguske
PostPosted: Fri Sep 10, 2004 10:02 pm Reply with quote

Thanks for the info, Deseroka. Glad you got power back, too. Here in west Broward, we only had a few flickers. Let's just hope Ivan decides not to visit...
 
Deseroka
PostPosted: Fri Sep 10, 2004 10:29 pm Reply with quote

I stayed with a friend. A transformer blew about 1PM Friday afternoon. She still does not have power. The door is closed and locked, Ivan is not welcome!
I have removed all of Jack's comments on my site and banned his IP, removed his account.
He's got a big directory he is listing. Seems he could at least add all of us to it.
Maybe we should all go submit our sites about 50 times.
 
kguske
PostPosted: Sat Sep 11, 2004 5:11 am Reply with quote

It seems a little TOO coincidental that:

WOLIST.COM's domain contact has a WOCATALOG.COM address
FLORIDADOM.COM is a division of RUSSIANFLORIDA.COM
RUSSIANFLORIDA.COM is "Powered by WOCatalog Pro" with a link to WOCATALOG.com
FLORIDADOM.COM domain servers support WOLIST.COM, RUSSIANFLORIDA.COM
DomainsByProxy is the registrar for FLORIDADOM.COM, WOCATALOG.COM, RUSSIANFLORIDA.COM

Although WOLIST.com is registered to a "real" person named Andrey Andrey (Andrei maybe?), the address is a residence with a surprisingly different Only registered users can see links on this board! Get registered or login!.

My guess is that the owner of this house is related to/influenced by someone named Jack/Andrey who speaks Russian...

I'm also guessing the person who responded to Doodle knows a LOT more about this.

EDIT: Geez, I just looked at the contact us page on wolist.com - you guessed it: Russian Florida, Inc.

EDIT 2: Additional info about the company is Only registered users can see links on this board! Get registered or login!.
 
Rage
Insane


Joined: Jul 30, 2004
Posts: 85

PostPosted: Sat Sep 11, 2004 7:28 am Reply with quote

Check Only registered users can see links on this board! Get registered or login!, look who makes a comment on the test story. Exclamation

_________________
It's not that I'm afraid of dying, it's just that I don't want to be there when it happens. - Woody Allen 
View user's profile Send private message
Deseroka
PostPosted: Sat Sep 11, 2004 4:21 pm Reply with quote

I do not know if it is coincidence or not, but I was hacked this morning (I am sending my plea to Raven for help as we speak-thought I had done it before leaving earlier, but OE failed and had to close)
Anyway, as I was trying to repair a problem with SPChat, someone got in and did a hack.
He added a super user with the name www and email of Only registered users can see links on this board! Get registered or login!
Beware!
 
GeekyGuy
Client


Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio

PostPosted: Sat Sep 11, 2004 4:27 pm Reply with quote

You did get the super user removed?

Did you have HTTP Auth enabled?

_________________
"The Daytona 500 is ours! We won it, we won it, we won it!", Dale Earnhardt, February 15th, 1998, Daytona 500 
View user's profile Send private message Send e-mail Visit poster's website Yahoo Messenger MSN Messenger ICQ Number
Rage
PostPosted: Sat Sep 11, 2004 4:28 pm Reply with quote

GeekyGuy wrote:
Did you have HTTP Auth enabled?


I'll emphasise the importance of that question, without this option enabled, you are open to many admin exploits.
 
Deseroka
PostPosted: Sat Sep 11, 2004 5:19 pm Reply with quote

To be honest, at this point I do not know if it was activated or not. I have had a horrible week, I hardly know who I am, much less what I have done in the past.
What really made me angry was their little comment about "hacked by pakistani teams f*** indian hackers"
I do not even know what the heck that is all about, and it makes me sick that people have nothing better to do with their time.
I'm busy enough trying to get my commodity cheese. Very Happy
Hey, I gotta laugh at somethin...
 
GeekyGuy
PostPosted: Sat Sep 11, 2004 5:22 pm Reply with quote

Deseroka,
If there is anything we can do to help, just let us know.

Smile
 
Deseroka
PostPosted: Sat Sep 11, 2004 5:32 pm Reply with quote

Thank you GeekyGuy. Raven is looking into it now for me. I do not know what I would do without him and some of the other people here. Things like this seem to happen to me when I am at the top rung of the stress ladder & it sends me into a non thinking tizzy.
More than once I have had Raven and other site mods/members go above and beyond for me. Your offer is included in that statement.
I found Raven over at NC, so I guess I do have something to be grateful to ZX for....
 
GeekyGuy
PostPosted: Sat Sep 11, 2004 5:45 pm Reply with quote

I am very thankful for everyone here. I've learned a heck of a lot in the last 3 months about PHP Nuke. I'd not even heard of Nuke until my son, GIT-R-DONE was showing me his website. I've been addicted ever since.
 
Deseroka
PostPosted: Sat Sep 11, 2004 5:55 pm Reply with quote

I've been using it a bit over a year. 6.5 had just come out when I started. I have learned alot, but there is still so much I do not know. And when I get stressed (like now) I can not remeber what I do know. I just freak out and start screaming for Raven, LOL RavensScripts
 
GeekyGuy
PostPosted: Sat Sep 11, 2004 6:15 pm Reply with quote

Raven and the gang here have saved my butt a time or too also.
 
Deseroka
PostPosted: Sat Sep 11, 2004 6:32 pm Reply with quote

Raven and I have a running joke about ring kissing. Let me tell you, my lips stay chapped. I have caused Nukeum66 to have a nervous twitch wehn he sees he email from me Rolling Eyes --so far sixone & chat aren't running from me, but I am pretty sure they all have a silver cross and some garlic with my name on it.
Hence my sig...
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©