Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
kolla
Hangin' Around


Joined: Apr 20, 2008
Posts: 29

PostPosted: Tue Apr 22, 2008 4:57 pm Reply with quote

Hello friends,

I just found this wonderful place when I was trying to install NukeSentinel
latest version first time install. I tried the install on my local server
to make sure I can do this clean before attempting on the real server.
Local install went OK and now I'm going to read the userguide to help me
understand what I can do with NukeSentinel.

Someone is creating a problem in my phpnuke site by spamming the forums.
This guy/gal is appearing with different usernames (so far 7 I think)
all of which have changing IPs (Real IP appeared masked)
Right now I'm helpless trying to ban this idiot.


Do you have suggestions on how to handle this situation ? Rolling Eyes
 
View user's profile Send private message
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Tue Apr 22, 2008 5:59 pm Reply with quote

Well there are many, many options to block. For example you could add his e-mail addresses or names, words into the the string blocker a la
@mail.ru
@bk.ru
Viagra
You could use the proxy block option too.
You could ban IPs in NukeSentinel or directly in your .htaccess with cidr. You could ban a complete country.
Every situation is a bit different. Is it a human spammer ?
What kind of spam is it ?
 
View user's profile Send private message
kolla
PostPosted: Tue Apr 22, 2008 6:27 pm Reply with quote

Thanks for the reply Susann. Yes this is a human spammer for sure.
he's posting other site names and asking to leave
and join other sites. I get the feeling he's trying to target
another member in the site in particular but I just don't care.
I simply want to stop this pest.

Yes I'm thinking of the proxy block .. not sure what impact
it'll have on others though..
yet to learn about the string blocker... he has many e-mails..
and most seems to point to @live.com

When I check his IP's tracked by the nuke ip_tracking they
point to all over the world.. and there's nothing
unique about them. I guess I can't ban this by IP..

Have to install NukeSentinel and see..
 
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Tue Apr 22, 2008 9:07 pm Reply with quote

Have to ask, but are your forums set up so that anyone can post? Or registered users onl? If anyone can post then you will definitely see stuff like this.

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
kolla
PostPosted: Tue Apr 22, 2008 10:33 pm Reply with quote

Registered users only.
He comes in, registers and posts. 7 different usernames and
7 different E-mail addresses so far. But the IP I'm seeing for a particular ID
is different each time he logs back in so normal IP ban in phpnuke is not effective.

I'm not an expert on IPs and am frustrated by this.
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Wed Apr 23, 2008 7:14 am Reply with quote

Can you tell from NukeSentinel's tracking whether this really is a real human vs. a machine? Sometimes you can tell by the spacing out of their various registration request transactions. Also, do you have the registration captcha turned on? (Although, if you are still using the original PHP-Nuke captcha, its almost no use anymore.)

You might want to try using my Approve Membership Lite or maybe CNBYA so that you can at least review your registrations and have a chance to decline.

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Susann
PostPosted: Wed Apr 23, 2008 10:58 am Reply with quote

This sounds they are using proxies.The proxy blocker in NukeSentinel highest level will possible block other services like AOL so to use a membership add-on isn´t a bad idea. We don´t know your NukeVersion or your forums version ? Maybe insecure. Can new users only register through your account ? @live.com is known for referer spam.
With a own server I would always use the service from: Only registered users can see links on this board! Get registered or login!

To hide the memberlist, the groups and links within the forum is recommended but it will not solve completely your problem.

Btw: Don´t hestitate fo fight back. Report spam everywhere.
 
kolla
PostPosted: Wed Apr 23, 2008 11:30 am Reply with quote

Montego:
I haven't fully installed Sentinel on the site
yet (will do so shortly). so don't know full details on this person/machine yet..
Thanks also for the suggestion on the Approve Membership Lite.
Is there a version available for regular phpnuke ?
I'm running v8.0.

Susann:
Yes I also feel proxy blocker will work here.
Will let you know..
 
montego
PostPosted: Wed Apr 23, 2008 11:36 am Reply with quote

kolla, well, there is your first problem (running PHP-Nuke... lol), why not RavenNuke???

Anyways, regarding your question about "is there a version for regular phpnuke?", I personally do not provide nor support the lite version for this - ONLY for RavenNuke. However, you can get the full version, which also includes the ability to add fields, over at Only registered users can see links on this board! Get registered or login!.
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

PostPosted: Wed Apr 23, 2008 11:39 am Reply with quote

May I ask how long you have been using nuke 8.0?
May I also mention RavenNuke (available here) has Nuke Sentinel built in along with other security and speed improvements/enhancements.
If you are using the original nuke 8.0 your security image is easily bypassed and registration can be automated through the forum registration (as against nukes normal 'Your Account' registration) process.
Approve Membership Lite is certainly a very helpful tool and Nuke Sentinel will certainly help you combat this spammer but please remember that virgin nuke is very flawed from a security perspective.
It is one thing to chase them all over the site and eventually get them banned, it is another thing entirely to not have the problem in the first place Wink
 
View user's profile Send private message Send e-mail
kolla
PostPosted: Wed Apr 23, 2008 11:46 am Reply with quote

Montego...I actually do this as a hobby...and just only
recently learned all what I know about phpnuke to volunteer
and help run this online community. What this means is
there are lot of things I don't know yet.. Embarassed and frankly
I didn't know about RavenNuke when we built the site.
I'm gathering my knowledge from good folks like you here
only now. Not sure what my options are now...
 
sting
Involved
Involved


Joined: Sep 23, 2003
Posts: 456
Location: Somewhere out there...

PostPosted: Thu Apr 24, 2008 1:24 pm Reply with quote

Approve Membership - especially if you are running this as a hobby. . .

-sting

_________________
You see - I told you I wasn't paranoid. They were really out to get me. 
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
Susann
PostPosted: Fri Apr 25, 2008 4:05 am Reply with quote

Another option is to downgrade and switch over to RavenNuke.
Guyys did this in the past:
For example: Only registered users can see links on this board! Get registered or login!
 
kolla
PostPosted: Fri Apr 25, 2008 10:46 am Reply with quote

Here's an update of what happened today..
I installed NukeSentinel on the site with no errors
and set the Proxy IP block to highest setting and went to sleep.

Woke up in the morning to find this guy came again with a new ID
and posted two messages in the forums laughing at the staff calling us
stupid. I checked the IP tracking for him and here's what I see:

Image

How is it possible that he's showing different IPs within seconds apart ??
(all over the world too)
I'm frustrated by equally determined to improve my knowledge on this subject..
Hoping someone can shed some light..
 
dad7732
RavenNuke(tm) Development Team


Joined: Mar 18, 2007
Posts: 1242

PostPosted: Fri Apr 25, 2008 11:25 am Reply with quote

FWIW: Every one of those IP's have accessed my site but haven't made it past Sentinel *.17 Smile

I have manually added each to the block list after which, no more attempts. Definitely running a script of sorts.

Cheers, Jay
 
View user's profile Send private message
kolla
PostPosted: Fri Apr 25, 2008 11:33 am Reply with quote

dad7732:

I can add these manually to the block list. Are these auto generated somehow ?
If so.. adding this 5 may not stop this right ?
 
Guardian2003
PostPosted: Fri Apr 25, 2008 11:45 am Reply with quote

Looks like an automated process he is using, are your Forums up to date? There were several fixes in the last two BBtoNuke updates to help address this type of problem.
 
Susann
PostPosted: Fri Apr 25, 2008 12:23 pm Reply with quote

Kolla can you tell me whats the user agent of this 5 IPs ?
Btw:The black list status of these IPs is clear.
 
kolla
PostPosted: Fri Apr 25, 2008 12:55 pm Reply with quote

Susann: Here's what I found as the user agent.
All the previously listed IPs (and more) are here..

Image
 
Susann
PostPosted: Fri Apr 25, 2008 1:02 pm Reply with quote

Thought it could be only "User-Agent" because I found out IPs with this UA also changed the IPs within seconds and this user agent is now banned via .htaccess on my site. I seldom ban user-agents but there are some exeptions.
But I´ll try to find out something about your "User Agent".
 
montego
PostPosted: Fri Apr 25, 2008 1:13 pm Reply with quote

Problem is that it is way too easy to spoof the user agent... among other header values unfortunately.
 
kolla
PostPosted: Fri Apr 25, 2008 2:43 pm Reply with quote

Thanks for looking into this guys. I checked all activities for this user agent
and it seems to me there are 2 new IDs also registered using using this.
(in addition to what he used today)
I'm sure he's going to come back and post with those IDs later.
(consistant with his past behavior.. I changed PWs in DB for every
account he had so he needs new accounts every time)

Pardon my ignorance... but what exactly is a user agent ?
How does it work ?

If I click the "Block" icon for this user agent is that better or using .htaccess
is recommended ? What should I put in .htaccess ?

I'll also wait to see if Susann found any more info..

Thanks again guys.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Fri Apr 25, 2008 3:05 pm Reply with quote

User agent is sent by your browser. It basically tells the server what kind of browser you are using and its compatibility. However, there isn't a standard way to do it. Nor can you verify someone's ID.

My guess is that they are using some kind of anonymous proxy service, that will give them different IPs.

.htaccess is preferred, they won't get access to anything on the server that way.

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
kolla
PostPosted: Fri Apr 25, 2008 3:26 pm Reply with quote

Just as we speak this guy used one of the IDs I suspected and made a post
and left.. (same user agent).. this kind of shows we have a unique user agent
here...

Is there a way to use NukeSentinel to write to .htaccess to block this user agent ?
(I didn't see a user agent blocker)
If not can someone tell me the exact line to put in .htaccess..
(pardon my ignorance please)
 
montego
PostPosted: Fri Apr 25, 2008 5:41 pm Reply with quote

If you block this user agent, you could very well block many, many regular legitimate users of your site. I see nothing with this user agent that isn't generic. You can block via NukeSentinel's Harvester settings, but, again, would be tough because you'd end up blocking a lot of people I suspect.
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©