oprime2001
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

Posted: Sat Sep 04, 2004 9:00 pm

I had a random user JackFromWales4u2 register on one of my phpnuke sites. At first I was annoyed at the random registration, but then paranoia took hold. I checked the logs for any obvious or glaring exploits, but I did not see anything.

I then checked the various phpnuke security sites. I was surprised to see that JackFromWales4u2 was also the latest signup at a forum moderator's site.

I then ran a [link hidden by the board for unregistered users], and google returned 18600 Shocked hits!

From a random check of the various google hits, it seems that JackFromWales4u2 has been very busy with a great number of registrations at these various phpnuke and phpbb sites within a span of a couple of days -- September 1-2, 2004.

Now this screams of an exploit/vulnerability! Is there a script or exploit/vulnerability that is out in the wild that is yet unpatched?

Or am I just being paranoid here?
p.s. you might want to check your own sites to see if you've had a visit from JackFromWales4u2, too.
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6044

Posted: Sat Sep 04, 2004 9:27 pm

I saw this on several sites, too. Could it be an attempt to identify server and / or return email address info for spamming purposes?
oprime2001
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

Posted: Sat Sep 04, 2004 9:52 pm

That could be a possible purpose for the mass registrations. My concern is HOW did they register and activate all these phpnuke/phpbb accounts in a seemingly short period of time.
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2499

Posted: Sat Sep 04, 2004 10:03 pm

Interesting. Quoth the Raven "Let the Games Begin".
GeekyGuy
Client


Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio

Posted: Sat Sep 04, 2004 10:11 pm

oprime2001,

Do you have an IP address associated with that username?
oprime2001
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

Posted: Sat Sep 04, 2004 10:17 pm

The registration was activated using [link hidden by the board for unregistered users]
GeekyGuy
Client


Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio

Posted: Sat Sep 04, 2004 10:23 pm

Interesting, that IP comes back as:
OrgName: Advanced Internet Technologies, Inc.
OrgID: ADIT
Address: 421 Maiden Lane
City: Fayetteville
StateProv: NC
PostalCode: 28301
Country: US

Jack is a Tarheel, not from Wales Shocked
Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

Posted: Sun Sep 05, 2004 4:39 am

That's interesting, isn't it, boyo!

Sorry, couldn't resist it.

I'll keep a watch out for that username.
takaharu
Client


Joined: Sep 25, 2003
Posts: 58

Posted: Sun Sep 05, 2004 11:27 am

I have this one registered on my site.

Should I lose him?
Rage
Insane


Joined: Jul 30, 2004
Posts: 85

Posted: Sun Sep 05, 2004 11:36 am

I feel like we're in the twilight zone. Shocked
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1156
Location: Sanbornton, NH USA

Posted: Sun Sep 05, 2004 12:14 pm

Registered on my site on September 1, 2004 using a mail.ru email address which is on my restricted list. You should NOT be able to register on my site using this email address so something is awry!
GeekyGuy
Client


Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio

Posted: Sun Sep 05, 2004 12:22 pm

Luckily, I've not seen traces of this fella on my site, but then I don't get a lot of traffic.

Has anyone seen a post by him, or anything other than just a registration? If not, then I would delete his account.

Another thing, is everyone seeing him on the same IP, 66.219.97.51 ?
Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

Posted: Sun Sep 05, 2004 2:51 pm

Can we check all registered members' IPs on our site quickly? I mean I have over 500 so far, and most of those don't post on the forum, so I don't get an IP.

Shame if it doesn't register an IP when registering (something I liked about Invision Board: the IP on registration was logged) because you can get rid of anyone you don't want if you know their IP.
GeekyGuy
Client


Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio

Posted: Sun Sep 05, 2004 3:03 pm

If you were using the IP Tracking module, you could find it pretty easily. I actually hadn't thought about those who weren't using IP Tracking. Sorry.

Maybe one of the Wizards of Nuke knows of a way to find the last IP, but I sure don't.
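For the question above about finding a member's IP when the site itself did not record it: the web server's access log still holds the source address of every activation click. This is an added example, not code from the thread or from PHP-Nuke; it assumes Apache combined-format logs and an activation link of the form modules.php?name=Your_Account&op=activate&username=..., and every log line in it is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines (documentation IP ranges, not real traffic).
# The second username and all query values are made up for the example.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Sep/2004:10:00:01 -0500] "POST /modules.php?name=Your_Account HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Sep/2004:10:00:04 -0500] "GET /modules.php?name=Your_Account&op=activate&username=JackFromWales4u2&check_num=123456 HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
192.0.2.10 - - [01/Sep/2004:10:00:09 -0500] "GET /modules.php?name=Your_Account&op=activate&username=example_user2&check_num=654321 HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
198.51.100.7 - - [01/Sep/2004:11:30:00 -0500] "GET /modules.php?name=Your_Account&op=activate&username=alice&check_num=111111 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2004:11:31:00 -0500] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
this line is not a log entry
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

def activations(log_text):
    """Yield (ip, timestamp, username) for each activation request in the log."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        ip, ts, target, _status = m.groups()
        q = parse_qs(urlsplit(target).query)
        # Assumed URL shape: modules.php?name=Your_Account&op=activate&username=...
        if q.get("name") == ["Your_Account"] and q.get("op") == ["activate"]:
            for user in q.get("username", []):
                yield ip, ts, user

def ips_for_user(log_text, username):
    """IPs that activated the given username (case-insensitive match)."""
    wanted = username.lower()
    return {ip for ip, _, user in activations(log_text) if user.lower() == wanted}

def multi_account_ips(log_text, threshold=2):
    """IPs that activated at least `threshold` distinct accounts."""
    seen = defaultdict(set)
    for ip, _, user in activations(log_text):
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items() if len(users) >= threshold}

if __name__ == "__main__":
    print(ips_for_user(SAMPLE_LOG, "JackFromWales4u2"))
    print(multi_account_ips(SAMPLE_LOG))
```

The registration form itself is a POST, so the chosen username is not in the access log; the activation GET is the request that ties a username to an address.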
Muffin
Client


Joined: Apr 10, 2004
Posts: 649
Location: UK

Posted: Sun Sep 05, 2004 3:10 pm

I only use MS Analysis Sad

I think I'll install IP Tracking now Rolling Eyes
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2499

Posted: Sun Sep 05, 2004 3:12 pm

I'm thinking someone's developed a reader for the images. It only makes sense. The rest is easy to script.

I bumped my code up to 9 digits and changed the background image color and quality. But am going to hack in a harder to read image when I get time.
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1156
Location: Sanbornton, NH USA

Posted: Sun Sep 05, 2004 3:53 pm

I can see that, but it doesn't explain how he got around my email address registration restrictions.
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2499

Posted: Sun Sep 05, 2004 4:30 pm

Not your average copy paste script kiddie for sure. I'd guess this is a very high tech entity or individual. But collecting the urls from the emails wouldn't be the hardest thing to do.
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

Posted: Sun Sep 05, 2004 7:40 pm

sixonetonoffun wrote:
> I'm thinking someone's developed a reader for the images. It only makes sense. The rest is easy to script.
>
> I bumped my code up to 9 digits and changed the background image color and quality. But am going to hack in a harder to read image when I get time.

This might get you started
Code:
function gfx($random_num) {
   global $prefix, $db, $module_name;
   require("config.php");   # config.php defines $sitekey
   $datekey = date("F j");
   # The code is derived from the user agent, site key, random number and today's date
   $rcode = hexdec(md5($_SERVER['HTTP_USER_AGENT'] . $sitekey . $random_num . $datekey));
   $code = substr($rcode, 2, 6);
   # $image = ImageCreateFromJPEG("modules/$module_name/images/code_bg.jpg");
   Header("Content-type: image/jpeg");

   $image = ImageCreate(100,20);

   $white=ImageColorAllocate($image,255,255,255);
   ImageFilledRectangle($image,0,0,100,20,$white);

   # Background clutter: 12 pale ellipses of random size
   for ($cnt=0; $cnt<12; $cnt++) {
      $text_color = ImageColorAllocate($image, intval(rand(200,255)), intval(rand(200,255)), intval(rand(200,255)));

      # Depending on your PHP use one of imageellipse or imagearc
      #ImageEllipse($image,($cnt*8),10,intval(rand(15,30)),intval(rand(15,30)), $text_color);
      ImageArc($image,($cnt*8),10,intval(rand(15,30)),intval(rand(15,30)),0,360, $text_color);
   }

   # Each character is drawn twice, one pixel apart, in random dark colors and font sizes
   for ($idx=0; $idx<6; $idx++) {
      $text_color = ImageColorAllocate($image, intval(rand(0,128)), intval(rand(0,128)), intval(rand(0,128)));
      $text_color1 = ImageColorAllocate($image, intval(rand(0,128)), intval(rand(0,128)), intval(rand(0,128)));
      ImageString ($image, intval(rand(1,5)), 12+($idx*14), 2, substr($code,$idx,1), $text_color);
      ImageString ($image, intval(rand(1,5)), 11+($idx*14), 2, substr($code,$idx,1), $text_color1);
   }

   # null sends the image straight to the browser (an empty string is rejected by current PHP)
   ImageJPEG($image, null, 75);
   ImageDestroy($image);
   die();
}
Don't even know where I picked it up. I have another one that is much clearer and is in color but I can't find it right off hand.
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2499

Posted: Mon Sep 06, 2004 8:50 am

Seems to come out clearer as a png image. Nice, whoever created it.
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2499

Posted: Mon Sep 06, 2004 1:05 pm

Does anyone think we need a 3 strikes function with this?
The longer the code is the more likely an error. After changing to 9 chars about 1 in 3 tries I get it wrong and I'm more familiar with the login process than the average surfer.

It has some merit in the case of brute force attacks I spose.
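One way a "3 strikes" check could sit in front of the security-code comparison, written here in Python for illustration. This is an added example, not code from the thread or from PHP-Nuke; the class name, the choice of client IP as the key, and the 10-minute window and 15-minute lockout are all assumptions.

```python
import time

class StrikeLimiter:
    """Lock a client out after max_strikes wrong codes inside `window` seconds."""

    def __init__(self, max_strikes=3, window=600, lockout=900):
        self.max_strikes, self.window, self.lockout = max_strikes, window, lockout
        self._fails = {}         # client key -> timestamps of recent wrong codes
        self._locked_until = {}  # client key -> time the lockout ends

    def is_locked(self, key, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(key, 0) > now

    def attempt(self, key, code_ok, now=None):
        """Record one attempt; return True only if it should be accepted."""
        now = time.time() if now is None else now
        if self.is_locked(key, now):
            return False  # refuse even a correct code while locked out
        if code_ok:
            self._fails.pop(key, None)  # success clears earlier strikes
            return True
        # Keep only failures still inside the window, then add this one
        recent = [t for t in self._fails.get(key, []) if now - t < self.window]
        recent.append(now)
        self._fails[key] = recent
        if len(recent) >= self.max_strikes:
            self._locked_until[key] = now + self.lockout
            self._fails.pop(key, None)
        return False

def demo():
    """Constructed timeline: a human who mistypes twice vs. a script guessing."""
    lim = StrikeLimiter()
    human = [lim.attempt("198.51.100.7", ok, t)
             for t, ok in [(0, False), (30, False), (60, True)]]
    script = [lim.attempt("192.0.2.10", False, t) for t in (0, 1, 2)]
    script.append(lim.attempt("192.0.2.10", True, 3))  # correct guess, but locked
    return human, script, lim.is_locked("192.0.2.10", 3)

if __name__ == "__main__":
    print(demo())
```

A visitor who mistypes a long code twice still gets in on the third try, while a client that fails three times in a row is refused until the lockout expires, even if a later guess is right.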
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2499

Posted: Mon Sep 06, 2004 2:49 pm

By the way it's up to 36,600 today! [link hidden by the board for unregistered users]

Must be a world record for website memberships huh?
oprime2001
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

Posted: Thu Sep 09, 2004 7:28 am

I posted the original post in the [link hidden by the board for unregistered users]. A couple of users there are now reporting that the JackFromWales4u2 account is being used to spam news articles on phpnuke websites with comments with a link to (presumably, their) website.

However, what is more disconcerting is that these users are reporting that ALL of their articles/news were spammed! Again, if that doesn't smell of a script/bot, I don't know what does. I don't see a legitimate reason to keep this JackFromWales4u2 account on your site! Evil or Very Mad
GeekyGuy
Client


Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio

Posted: Thu Sep 09, 2004 12:59 pm

44,200 for JackFromWales4u2 on Google today....
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6044

Posted: Thu Sep 09, 2004 1:07 pm

I really wonder if the person contacted to investigate this might be the one who did it... It will be interesting to see the replies.