Hackers have found a way to Register with 1 link 8O

Guardian2003 · Posted: Sat Feb 24, 2007 6:48 pm

JoAnne - Sorry for not updating this thread earlier.
Evaders - FYI
Here is what I have found so far based on communications with others who are experiencing the same thing.

These registrations seem to have been done by humans. I say that for the following reasons;
1. I can find no evidence that the new CAPTCHA system in RN 2.10 has been bypassed
2 they fact they are using valid email addresses
3 the accounts are not activated at the same time the registration takes place

The IP address are different - the IP for when the registration takes place and the IP used to 'activate' the accounts are consistently different BUT the IP addresses which are used to do the 'activation' seem to be in the same range which leads me to believe that there may be a number of individuals doing the registrations but the same person (or a very small number of people from the same location) are doing the 'activation's.

The reason we are not seeing anything in Nuke Sentinels Tracked User log is because these accounts are actually dormant (I think Montego found ONE account that has actually been used). So they are registering for an account, someone is clicking the link in the activation email BUT then they never actually log into their account - so Sentinel is only tracking them when they click the activation link but because they never actually log-in, it is not associated with their username.
If you search your raw data logs for each of the suspect usernames, you will probably find 99% of them are from the same IP.

So far I think we have identified only around a dozen different email addresses even though they sign up for more than one account using the same email domain.

If you add these to the forum ban control in the email banning area, this should stop 99% of it.

*@*loan*.com
*@*payday*.com
*@*finance*.com
*@*linkmanager*.com
*@*cashadvance*.com

JoAnne · Worker Joined: Oct 18, 2005 Posts: 127 Location: NYC

Thank you Guardian2003

But why do you suppose they are doing this if they are not leaving spam?

JoAnne

Guardian2003 · Posted: Sat Feb 24, 2007 7:26 pm

I'm pretty sure they will start spamming eventually.

I have just had 5 more register within the last hour but because they are not logging into their acounts the forum ban cntrol isnt doing the job so I would suggest adding those I posted above to Sentinels string blocker instead.

CodyG · Posted: Sun Feb 25, 2007 9:04 am

I had this problem a couple of weeks ago, on a site I don't check everyday.... there were about 25 of these user accounts, all with impossible usernames like: HnVRpHPpIy, bXGbYNMsqn, etc. No spam or anything, just filling up the user table and member list with garbage. I've deleted all those accounts, banned the IPs, and they seem to have gone away. But, I am going to implement my infamous custom registration form for this site. (as soon as the bod approves). No one gets registered automatically. Everything comes through me via email first. I know this isn't a solution for many nukers, but because most of my sites are for persons in my local community, people with real names, it works for me.

Another solution I've dreamed of is an email copy of the registration sent to admin at the time of registration. At least this would give me a heads up on fishy registrations and notify me of new legit registrations sooner than I might come across them on-site.

Guardian2003 · Posted: Sun Feb 25, 2007 9:31 am

Yes it would be nice to get a copy of the registration email so webmasters have a heads-up.

It's times like this that CNBYA has definite advantages!!

montego · Posted: Sun Feb 25, 2007 5:50 pm

Thought that I would also confirm the same. Guardian and I are seeing the exact same thing. From what I can tell, its like Technocrat said, they are going straight to the "finish". I traced them down to they use one IP for the "finish" and then between 10 - 50 minutes later, the activation link comes in from a completely different IP and in many cases, from somewhere completely on the other side of the world.

Guardian and I are testing out a change being done on the RavenNuke side with a new captcha, so we'll see in the coming days if that stops them. If so, then we'll have to figure out how they are doing it in regular nuke. I looked briefly at the code, and I see the gfx_check in the "finish" in PHP-Nuke, but with that weak captcha, it is very possible that they have the right code.

moniek · New Member Joined: Feb 26, 2007 Posts: 1

I also have the same problem with people that are registering with those mail adresses and weird names i noticed it on a couple of my websites.. i tried several things to stop it.
ban certain ip ranges email adresses and names, i even made sure that "modules.php?name=Your_Account&op=new_user" linked back to index when people are trying to register ... but that didn't help at all .. so to me it also looks like they use some kinda scipt or tag to create the accounts

technocrat · Posted: Mon Feb 26, 2007 10:20 am

See I know what I am talking about....sometimes ROTFL

t_henson · Posted: Wed Mar 14, 2007 2:22 am

guardian, i'm trying to add the emails below to my forum ban control, but its not accepting them. how did you get them added?

*@*loan*.com
*@*payday*.com
*@*finance*.com
*@*linkmanager*.com
*@*cashadvance*.com

wiz · Client Joined: Oct 09, 2006 Posts: 394 Location: UK

add them as a string and only add the domain. ie everything 'after' the @

spasticdonkey · Posted: Tue Mar 27, 2007 10:50 pm

like my CAPTCHA ? lol

montego · Posted: Wed Mar 28, 2007 6:45 am

Way too much time on your hands! LOL.