Ravens PHP Scripts: Forums -> Security - PHP Nuke

Doodle (Hangin' Around) | Joined: Jan 26, 2004 | Posts: 46 | Location: 127.0.0.1
Posted: Thu Sep 09, 2004 1:11 pm

I contacted floridadom.com this morning as per my post in nukecops. I don't usually follow up there but this site was down for a bit. I'll continue the thread here now that it's back up. As per my post on nukecops, here was the reply from floridadom:
Quote:

Hello there.

My name is **** ****** and I am the owner of floridadom.com and a few
other domains.
Wolist.com is one of the domains we host on our servers.

I had no idea about any spam activity from our IP. We never had any
complaints before.

I will personally investigate what might be the source of that activity and
I will make sure this will never happen again.

If you have any questions or concerns you can contact me at ***-***-****.

Sincerely,

**** ******

_________________
Independent Network Solutions

kguske (Site Admin) | Joined: Jun 04, 2004 | Posts: 6432
Posted: Thu Sep 09, 2004 1:24 pm

Great, but there is no commitment to inform you of any findings. Maybe I'm too skeptical - but I've sent many messages requesting action (especially when I get phishing emails) and NEVER received a response (actually, one from a European ISP that basically said "Thanks, but we're not liable"). At least (s)he replied, but it makes me wonder why.
 

Doodle
Posted: Thu Sep 09, 2004 1:31 pm

True. Honestly I was surprised I got a response at all. I did send a note to domainsbyproxy informing them of the breach of service so perhaps that will spawn some action.
 

kguske
Posted: Thu Sep 09, 2004 3:06 pm

Thanks. Please let us know if you receive additional feedback.
 

beetraham (Regular) | Joined: Dec 13, 2003 | Posts: 94 | Location: Finland (EU)
Posted: Thu Sep 09, 2004 4:05 pm

I find it rather disturbing to share, as knowledge and a personal experience, the possibility that all the sites involved with the registration of this BOT-ADVERTISING culprit can expect SPAMMING NEWS COMMENTS in the near future.

BTW, this has been the case with my site as well - no real harm/damage done, mostly extreme personal annoyance. I have blocked the IP, changed the password, but preserved the account (and kept the actions performed by this account) as a reference for further investigations (if needed).

Hopefully there will not soon be a tenfold of Jacks from Blubberland using variants of the exploit that has been witnessed recently - I doubt it, but it is really only a matter of him publishing the script exploit he used, isn't it?

So, apparently a cure is required for these purposes in the near future.

Has anyone of the security pros come up with any estimate on having this FORM-based automated NEWS module exploit blocked by a dedicated security patch? Or perhaps with some kind of a workaround other than deactivating the NEWS reply/comment feature?

Please see attached my link, as my last reply regarding the subject - it is just a general spammer-end summary (common notices).
[link visible to registered users only]

BR,

-beetraham

_________________
- Let there be no windows at your home -

Doodle
Posted: Thu Sep 09, 2004 5:09 pm

What I am most concerned about is not that he managed to use a script to interactively post spam in the comments (notice the comments he posted seem to be interactive with the subject of the news item, perhaps so we would miss it on busy sites) but the fact that he managed to circumvent the graphic security check in the registration process on so many sites. Mine didn't use the graphic, so that's my bad, but a lot of sites were.
 

kguske
Posted: Thu Sep 09, 2004 6:05 pm

Both are valid concerns:
- using a script to mass register (with and without security graphics)
- using a script to mass post comments

Previous posts here describe how to address the first concern by making it more difficult to mass register. Another option is to require admin approval for registering - not practical for large sites. I'm not sure registering on a single site is really something you can block, unless you possibly check the referer to make sure it was posted from your your_account registration form.

You could possibly have a check to see if someone is mass posting comments (max number of posts per minute - like flood protection), but what if you only had one news story?

And, what if you didn't require membership to post comments? So, you'd have to limit the number of posts by IP address. Again, flood protection.

Or, you could require that the posting of comments was posted from (referred by) your comments (news) form.

This looks like a whole new line of security patches...Chatserv?
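The two checks kguske sketches above, a per-IP comment flood limit and a referer check on the comments form, as an added example that is not PHP-Nuke's own code. The comment_log table, its columns and the sample submissions are constructed for this example; it runs stand-alone against an in-memory SQLite database.

```php
<?php
// Added example, not PHP-Nuke's own code: the two checks described above, a
// per-IP comment rate limit (flood protection) and a check that the comment
// was submitted from this site's own comments form. The comment_log table,
// its columns and the sample submissions are constructed for this example.
function referer_is_local(?string $referer, string $site_host): bool {
    if ($referer === null || $referer === '') {
        return false;   // no referer: treat as not sent from our form
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $site_host) === 0;
}

function record_comment(PDO $db, string $ip, int $now): void {
    $db->prepare('INSERT INTO comment_log (ip, posted_at) VALUES (?, ?)')
       ->execute([$ip, $now]);
}

// True once $ip has posted $max comments within the last $window seconds,
// counted across all stories (so a single busy story still trips it).
function flood_exceeded(PDO $db, string $ip, int $now, int $window = 60, int $max = 2): bool {
    $stmt = $db->prepare('SELECT COUNT(*) FROM comment_log WHERE ip = ? AND posted_at > ?');
    $stmt->execute([$ip, $now - $window]);
    return (int) $stmt->fetchColumn() >= $max;
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comment_log (ip TEXT NOT NULL, posted_at INTEGER NOT NULL)');

// Constructed submissions: one normal user, then a script posting without a
// referer, then the same address posting faster than the limit allows.
$site = 'example.org';
$form = 'http://example.org/modules.php?name=News';
$submissions = [
    ['ip' => '192.0.2.10',   'ref' => $form, 't' => 1000],
    ['ip' => '198.51.100.7', 'ref' => null,  't' => 1001],
    ['ip' => '198.51.100.7', 'ref' => $form, 't' => 1002],
    ['ip' => '198.51.100.7', 'ref' => $form, 't' => 1003],
    ['ip' => '198.51.100.7', 'ref' => $form, 't' => 1004],
];
foreach ($submissions as $s) {
    if (!referer_is_local($s['ref'], $site)) {
        echo "{$s['ip']} rejected: not submitted from our comments form\n";
    } elseif (flood_exceeded($db, $s['ip'], $s['t'])) {
        echo "{$s['ip']} rejected: flood limit reached\n";
    } else {
        record_comment($db, $s['ip'], $s['t']);
        echo "{$s['ip']} accepted\n";
    }
}
```

The Referer header is supplied by the client, so that check only stops scripts that omit or mis-set it; the per-IP window is the sturdier of the two, and because it counts comments regardless of story it still applies to a site with a single news item.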
 

kguske
Posted: Thu Sep 09, 2004 6:18 pm

The ONLY database update I can think of that should be allowed to be referred by another site is remote rating of downloads / web links.

If Raven et al. developed the object-based CMS discussed here in another thread, this would be a simple change to one method.
 

Doodle
Posted: Fri Sep 10, 2004 8:05 pm

Email sent today to them as follows (not that I expect an update):
Quote:
To date, we have not received a response and are anxious to know the results of your investigation before this escalates further.
Please advise. If you find the time, I strongly recommend posting a note on the nukecops security forums at [link visible to registered users only]
or the Ravenscripts forums at [link visible to registered users only]
Thanks again in advance for your attention in this matter.

Webmaster [link visible to registered users only]
Independent Network Solutions [link visible to registered users only]
 

kguske
Posted: Fri Sep 10, 2004 8:24 pm

One of my sites had a new user named ROBOT that registered without an email address. I'm guessing he used a similar (or the same) script.
 

Deseroka (Client) | Joined: Apr 15, 2003 | Posts: 466 | Location: FL
Posted: Fri Sep 10, 2004 9:07 pm

I just logged in and this was the first thing I saw in the forum block.
This guy registered on my site on the 8th. Google has his count up to 80,000 tonight.
He had tried to register at my site last Thursday or Friday. I had deleted his activation email simply because I did not think Jack from Wales would have a lot to contribute to an American Indian forum. (I get sick of people waking up and deciding they would like to be an Indian.) However, he snuck in on me while I was without power after the storm Frances.
He registered with the same mail.ru address and has made about 4 comments to a news post. All include a link to this site http://www.wolist.com/wo/arts/illustration/.
I've also seen some requests for an image I have in a block.
This guy is so gone! He may be just looking to promote his site, but not at my place... I'm not taking any chances.


Last edited by Deseroka on Fri Sep 10, 2004 10:24 pm; edited 1 time in total

kguske
Posted: Fri Sep 10, 2004 10:02 pm

Thanks for the info, Deseroka. Glad you got power back, too. Here in west Broward, we only had a few flickers. Let's just hope Ivan decides not to visit...
 

Deseroka
Posted: Fri Sep 10, 2004 10:29 pm

I stayed with a friend. A transformer blew about 1PM Friday afternoon. She still does not have power. The door is closed and locked, Ivan is not welcome!
I have removed all of Jack's comments on my site and banned his IP, removed his account.
He's got a big directory he is listing. Seems he could at least add all of us to it.
Maybe we should all go submit our sites about 50 times.
 

kguske
Posted: Sat Sep 11, 2004 5:11 am

It seems a little TOO coincidental that:

WOLIST.COM's domain contact has a WOCATALOG.COM address
FLORIDADOM.COM is a division of RUSSIANFLORIDA.COM
RUSSIANFLORIDA.COM is "Powered by WOCatalog Pro" with a link to WOCATALOG.com
FLORIDADOM.COM domain servers support WOLIST.COM, RUSSIANFLORIDA.COM
DomainsByProxy is the registrar for FLORIDADOM.COM, WOCATALOG.COM, RUSSIANFLORIDA.COM

Although WOLIST.com is registered to a "real" person named Andrey Andrey (Andrei maybe?), the address is a residence with a surprisingly different owner.

My guess is that the owner of this house is related to/influenced by someone named Jack/Andrey who speaks Russian...

I'm also guessing the person who responded to Doodle knows a LOT more about this.

EDIT: Geez, I just looked at the contact us page on wolist.com - you guessed it: Russian Florida, Inc.

EDIT 2: Additional info about the company is here.
 

Rage (Insane) | Joined: Jul 30, 2004 | Posts: 85
Posted: Sat Sep 11, 2004 7:28 am

Check http://styles.portedmods.com, look who makes a comment on the test story.

_________________
It's not that I'm afraid of dying, it's just that I don't want to be there when it happens. - Woody Allen

Deseroka
Posted: Sat Sep 11, 2004 4:21 pm

I do not know if it is coincidence or not, but I was hacked this morning (I am sending my plea to Raven for help as we speak - thought I had done it before leaving earlier, but OE failed and had to close).
Anyway, as I was trying to repair a problem with SPChat, someone got in and did a hack.
He added a super user with the name www and email of [address visible to registered users only]
Beware!
 

GeekyGuy (Client) | Joined: Jun 03, 2004 | Posts: 302 | Location: Huber Heights Ohio
Posted: Sat Sep 11, 2004 4:27 pm

You did get the super user removed?

Did you have HTTP Auth enabled?

_________________
"The Daytona 500 is ours! We won it, we won it, we won it!", Dale Earnhardt, February 15th, 1998, Daytona 500

Rage
Posted: Sat Sep 11, 2004 4:28 pm

GeekyGuy wrote:
Did you have HTTP Auth enabled?

I'll emphasise the importance of that question: without this option enabled, you are open to many admin exploits.
 

Deseroka
Posted: Sat Sep 11, 2004 5:19 pm

To be honest, at this point I do not know if it was activated or not. I have had a horrible week; I hardly know who I am, much less what I have done in the past.
What really made me angry was their little comment about "hacked by pakistani teams f*** indian hackers".
I do not even know what the heck that is all about, and it makes me sick that people have nothing better to do with their time.
I'm busy enough trying to get my commodity cheese.
Hey, I gotta laugh at somethin...
 

GeekyGuy
Posted: Sat Sep 11, 2004 5:22 pm

Deseroka,
If there is anything we can do to help, just let us know.

 

Deseroka
Posted: Sat Sep 11, 2004 5:32 pm

Thank you GeekyGuy. Raven is looking into it now for me. I do not know what I would do without him and some of the other people here. Things like this seem to happen to me when I am at the top rung of the stress ladder, and it sends me into a non-thinking tizzy.
More than once I have had Raven and other site mods/members go above and beyond for me. Your offer is included in that statement.
I found Raven over at NC, so I guess I do have something to be grateful to ZX for....
 

GeekyGuy
Posted: Sat Sep 11, 2004 5:45 pm

I am very thankful for everyone here. I've learned a heck of a lot in the last 3 months about PHP Nuke. I'd not even heard of Nuke until my son, GIT-R-DONE was showing me his website. I've been addicted ever since.
 

Deseroka
Posted: Sat Sep 11, 2004 5:55 pm

I've been using it a bit over a year. 6.5 had just come out when I started. I have learned a lot, but there is still so much I do not know. And when I get stressed (like now) I can not remember what I do know. I just freak out and start screaming for Raven, LOL RavensScripts
 

GeekyGuy
Posted: Sat Sep 11, 2004 6:15 pm

Raven and the gang here have saved my butt a time or two also.
 

Deseroka
Posted: Sat Sep 11, 2004 6:32 pm

Raven and I have a running joke about ring kissing. Let me tell you, my lips stay chapped. I have caused Nukeum66 to have a nervous twitch when he sees the email from me -- so far sixone & chat aren't running from me, but I am pretty sure they all have a silver cross and some garlic with my name on it.
Hence my sig...
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours