Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
JoAnne
Worker
Worker


Joined: Oct 18, 2005
Posts: 127
Location: NYC

PostPosted: Thu Feb 22, 2007 7:06 pm Reply with quote

Yes... Hackers have joined one of my sites with just entering one link! Shocked Evil or Very Mad

They did not do any harm that I can see..... no spam.... nothing.... so I don't know what they were trying to accomplish Confused ... maybe just to see if they could do it Confused

Has anyone else seen this happen?



JoAnne ~


Only registered users can see links on this board! Get registered or login!

Only registered users can see links on this board! Get registered or login!

Image
 
View user's profile Send private message Visit poster's website
wiz
Involved
Involved


Joined: Oct 09, 2006
Posts: 413
Location: UK

PostPosted: Thu Feb 22, 2007 7:44 pm Reply with quote

how do you know this..dont post any links or stuff. but how do you know they just entered one link?

sounds to a noob like me it was more of an executable link for a script. And is it a sleeper? therefore no damage is done yet, but the actual work is done..so that they can play later.
 
View user's profile Send private message Visit poster's website AIM Address
JoAnne
PostPosted: Thu Feb 22, 2007 8:07 pm Reply with quote

wiz wrote:
how do you know this..dont post any links or stuff. but how do you know they just entered one link?

sounds to a noob like me it was more of an executable link for a script. And is it a sleeper? therefore no damage is done yet, but the actual work is done..so that they can play later.


There was only one link to the IP which joined 3 times within minutes of each other. Most spam bots that try to enter the forums, use a fictitious email, that comes back as undeliverable and you can see them making attempts to enter the forums..... not these times.

One link and they are registered on my site. They used an activate command.... first I have seen of it.

Don't know what to do to protect against it happening again or if there is anything that can be done Confused
 
wiz
PostPosted: Thu Feb 22, 2007 8:10 pm Reply with quote

well for a start..if you are sure..remove their account. Very Happy
 
JoAnne
PostPosted: Thu Feb 22, 2007 8:26 pm Reply with quote

wiz wrote:
well for a start..if you are sure..remove their account. Very Happy



I banned their user names for now. I have had problems in the past from deleting users entirely.

Strange that they didn't do anything.... but they could be coming back as you stated.
 
wiz
PostPosted: Thu Feb 22, 2007 8:32 pm Reply with quote

rename their account then, mail them suggesting a dodgy link and your policy blah blah.

while you make your judgement..the account is still there and they cant login because the username has changed.

The motive for this, is that you do not delete any legitimate activity that they have accumalated, but it gives you time to assess the threat to your prized (and very neat may i add) website. Hopefully someone more knowlegable will reply soon
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Thu Feb 22, 2007 8:45 pm Reply with quote

The quickest way to tell how it happened it to check your access logs. These are usually available on the site's control panel.

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
JoAnne
PostPosted: Thu Feb 22, 2007 8:54 pm Reply with quote

wiz wrote:
rename their account then, mail them suggesting a dodgy link and your policy blah blah.

while you make your judgement..the account is still there and they cant login because the username has changed.

The motive for this, is that you do not delete any legitimate activity that they have accumalated, but it gives you time to assess the threat to your prized (and very neat may i add) website. Hopefully someone more knowlegable will reply soon


Thanks wiz!

I am thinking it might be better to change their password.. if they even entered one.... but they can always enter more users the same way they entered the three they did today..... stinks
 
wiz
PostPosted: Thu Feb 22, 2007 8:59 pm Reply with quote

well no..change their username, u have no way of recovering their original pw, user name, yes because it is not MD5'd.

The motive is..if you are being over cautious, it doesnt appear like that to the legit user, if you say in your email that their account is under review.

Then if they are bad, you remove them, if they are good you restore their username and they can login again.
 
JoAnne
PostPosted: Thu Feb 22, 2007 9:13 pm Reply with quote

wiz wrote:
well no..change their username, u have no way of recovering their original pw, user name, yes because it is not MD5'd.

The motive is..if you are being over cautious, it doesnt appear like that to the legit user, if you say in your email that their account is under review.

Then if they are bad, you remove them, if they are good you restore their username and they can login again.


with the email: ontimepaydayloan.com I doubt very much that they are legit accounts Wink

Besides... anyone that can register that way, I do not want as a member anyway!

Thank you wiz
 
JoAnne
PostPosted: Thu Feb 22, 2007 9:15 pm Reply with quote

kguske wrote:
The quickest way to tell how it happened it to check your access logs. These are usually available on the site's control panel.


Hey kguske

Unfortunately the access logs didn't tell me anything more.


JoAnne
 
wiz
PostPosted: Thu Feb 22, 2007 9:18 pm Reply with quote

well you are the owner and admin..if you do not want it..delete it. Its your perogative.

However, i dont know if the experts can dispute this, but maybe keep it, change the details, then explore the account. Your site you have the right to explore anyones account.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Thu Feb 22, 2007 10:44 pm Reply with quote

Hey JoAnne

Send me the links they are using and I will check it out. These are always automated bots, but if they've found a quicker way that doesn't need activation, it could be a flaw somewhere.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
jjh221
Worker
Worker


Joined: Dec 05, 2006
Posts: 178

PostPosted: Thu Feb 22, 2007 11:56 pm Reply with quote

JoAnne, i found an amazon module Only registered users can see links on this board! Get registered or login!
tested on 2.02.02. Doesnt work properly(i could just be a noob) says it only works on PHP-Nuke 6.9 - 7.4. . Ill prob sign up on his site and see if he can get it working with 2.02.02. Looks really good.
 
View user's profile Send private message
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Fri Feb 23, 2007 6:33 am Reply with quote

evaders99, we definitely could have an issue here and even in 2.10.00! I just had two "odd-ball" userid's sign up yesterday, one using this exact same domain (fishy in my book) and another very close to it.

If this is a bot, its getting past the new captcha. It might actually be a real person? Uuggghh...

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
technocrat
Life Cycles Becoming CPU Cycles


Joined: Jul 07, 2005
Posts: 511

PostPosted: Fri Feb 23, 2007 10:36 am Reply with quote

The spammers are posting to registration file. That's what they were doing in Evo. We are using CNBYA and they would simply send a POST to new_finish3.php and presto. No code validation, no email validation, nothing. So I added sessions to the files to make sure they went through each step.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! / Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message
wiz
PostPosted: Fri Feb 23, 2007 10:54 am Reply with quote

actually ive just found 10 of these accounts on one of my sites..
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Fri Feb 23, 2007 11:46 am Reply with quote

I had 4 toady, one from the same email posted above.
Evaders99 appreciate any feedback if you learn anything from the data sent to you by JoAnne.

I have a feeling though that these are not automated sign-ups - surely there would be many more of them if this was the case?

Out of the four I had today 2 are fully 'registered users' the other two are still sitting in 'pending'.
 
View user's profile Send private message Send e-mail
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Fri Feb 23, 2007 11:51 am Reply with quote

Quote:
I have a feeling though that these are not automated sign-ups



Guardian just google for ontimepaydayloan.com and you´ll find a lot of spam entries in blogs and other sites too.
 
View user's profile Send private message
Guardian2003
PostPosted: Fri Feb 23, 2007 1:33 pm Reply with quote

Thanks Susann I appreciate that but as yet I have found no evidence indicating that the issues posted here are as a result of an automated attack.
I'm not ruling out that they are conducting automated attacks in other places, I'm just trying to make the point that we shouldnt 'assume' its an automated attack.

I have spent a couple of hours pouring over my server error logs and there is nothing in there, I also use a script which emails me if anyone tries to access a file they are not supposed to or doesnt exist and there's nothing there either.

The one peculiarity I do see is that I'm not seeing any Tracked User IP data in Sentinel. I would expect so see one entry per registration confirmation BUT I'm ONLY tracking the last 100 IP's so I'll increase that now and see what the future brings Wink
 
Guardian2003
PostPosted: Fri Feb 23, 2007 2:56 pm Reply with quote

OK I have gone through all me registered users, luckily there are not too many and suprise, suprise!!
Every single one that I would consider a 'sleeper' user who's email address is associated with loans and all that type of thing have come frm the same place.
I check each of the addreess' (a total of 30 going over the last year) and they all came from this range which, incidentally I have seen come up before.

I hope it helps.
Quote:
OrgName: Layered Technologies, Inc.
OrgID: LAYER-3
Address:
Address: 1647 Witt Road Suite#201
City: Frisco
StateProv: TX
PostalCode: 75034
Country: US

ReferralServer: Only registered users can see links on this board! Get registered or login!

NetRange: 72.232.0.0 - 72.232.255.255
CIDR: 72.232.0.0/16
NetName: LAYERED-TECH-
NetHandle: NET-72-232-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LAYEREDTECH.COM
NameServer: NS2.LAYEREDTECH.COM
Comment: Please send all abuse complaints to
Comment: *****@layeredtech.com
RegDate: 2005-09-07
Updated: 2006-03-07

RTechHandle: JPS66-ARIN
RTechName: Suo-Anttila, Jeremy Paul
RTechPhone: +1-972-398-7998
RTechEmail: ***@layeredtech.com

OrgAbuseHandle: LAT-ARIN
OrgAbuseName: LT Abuse Team
OrgAbusePhone: +1-972-398-7998
OrgAbuseEmail: *****@layeredtech.com

OrgNOCHandle: LIT-ARIN
OrgNOCName: LT IP-Network Team
OrgNOCPhone: +1-972-398-7998
OrgNOCEmail: *****@layeredtech.com

OrgTechHandle: LNT3-ARIN
OrgTechName: LT NOC Team
OrgTechPhone: +1-972-398-7998
OrgTechEmail: *****@layeredtech.com

I have now blocked the whole range in Sentinel
 
ruger
New Member
New Member


Joined: Dec 26, 2005
Posts: 4

PostPosted: Fri Feb 23, 2007 7:40 pm Reply with quote

I noticed 3 days ago that I was having the same problem. So far there has been 20 registrations like this. None have recorded ips in nuke sentinel nor any records show in ms analysys. When I check the user database there are no ips as well. This is a partial list of my raw access logs with some of the usernames and ips:
Quote:
DXIRxDkgtN
81.169.183.122 - - [23/Feb/2007:02:15:00 -0600] "GET /modules.php?name=Your_Account&op=activate&username=DXIRxDkgtN&check_num=ceae7f479557b3650a8a249b80995625 HTTP/1.0" 200 26586 "-" "Mozilla/4.0 (compatible; ICS)"
66.249.65.70 - - [23/Feb/2007:03:08:02 -0600] "GET /modules.php?name=Your_Account&op=userinfo&username=DXIRxDkgtN&PHPSESSID=baf5554f6fa1a29659df60583e732184 HTTP/1.1" 200 4639 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"



tUSkxXjhcV
149.9.0.59 - - [23/Feb/2007:04:43:17 -0600] "GET /modules.php?name=Your_Account&op=activate&username=tUSkxXjhcV&check_num=221cdbd49831660e254edeb0c4b51109 HTTP/1.0" 200 26586 "-" "Mozilla/4.0 (compatible; ICS)"
66.249.65.70


CAVvvnNrYJ
213.100.23.130
66.249.65.70
66.254.102.58
149.9.0.57
 
View user's profile Send private message
evaders99
PostPosted: Fri Feb 23, 2007 9:48 pm Reply with quote

CAPCHAs aren't a cure-all, esp when the software is getting smarter.
Generally the bots still have to read the registration page to get the CAPTCHA, before processing it and then going to POST data to the registration fields.

If you don't see that pattern, let me take a look and I'll see if I can duplicate it.
 
JoAnne
PostPosted: Sat Feb 24, 2007 5:29 pm Reply with quote

evaders99 wrote:
Hey JoAnne

Send me the links they are using and I will check it out. These are always automated bots, but if they've found a quicker way that doesn't need activation, it could be a flaw somewhere.


Hey Evaders99

My internet has been down... just came back up a little while ago

I will email you the links

Here is another email associated with the strange registrations:

reciprocallinkmanagers.com

I have been trying to check to see if they are using multiple IPs, one to sign up, a different one to activate, which may be why I am only seeing one link for their IP to their account. Still investigating this now that I have the internet back.

If that is the case, then they are not really entering just one link.


JoAnne


Last edited by JoAnne on Sat Feb 24, 2007 5:46 pm; edited 1 time in total 
JoAnne
PostPosted: Sat Feb 24, 2007 5:44 pm Reply with quote

Evaders99


Just remembered that you are still an admin on my United Music site if you want to take a look for yourself


JoAnne
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©