Hacker/Spammer Warning!

[Skhilled]

I found these 2 on my site. Not sure if they are trying because I was still using SMF 1.1.6 or not. But here are the IP's for them. They are also on the Stop Forum Spam list: http://www.stopforumspam.com/

83.149.71.137

194.165.42.27

In the error logs look for something like this if you do not find those same IP's. It seems to be a hack of sorts:

Code: [Select]


http://skhilled.com/docs/index.php?topic=180.0 [PLM=0][R] GET http://skhilled.com/docs/index.php?action=register [0,47340,53964] -> [R] POST http://skhilled.com/docs/index.php?action=register2 [0,0,46600] -> [L] GET http://skhilled.com/docs/index.php?action=login [0,24604,48039] -> [L] POST http://skhilled.com/docs/index.php?action=login2 [0,0,12538] -> [N] GET http://www.skhilled.com/docs/index.php?topic=180.0 [0,60498,69209] -> [N] POST http://skhilled.com/docs/index.php?action=quickmod2;topic=180.0 [0,0,46840] -> [N] GET http://skhilled.com/docs/index.php?topic=180.0;prev_next=prev [0,0,62824] -> [N] GET http://skhilled.com/docs/index.php?action=forum [8611,0,61266]If you have not upgraded to SMF 1.1.7, I suggest that you do ASAP. According to Stop Forum Spam, one of them has been VERY active in the last few days. When banning hackers/spammers always remember to ban on the server as well.

[allkvinde]

I found one on my site very early in the morning.

Funny thing is that Skhilled had warned yesterday and I have never had one but did get now.

Below is the information.

Name: plaumepew

IP:       78.157.143.215

e-mail addy used: withlove@yesey.net

This one is listed in "Stop Forum Spam".

[Skhilled]

Yeah, that one's been getting around a lot since yesterday. They change their name and/or email and keep trying. Last year around this time they started up. From the looks of things they are stronger than ever. They just started it seems about 2-3 days ago. Some people have none on their sites yet but sooner or later you will.

I've just noticed that if you view the error logs and see "Unable to send mail to the email address 'user's email here'" for an unregistered user...they will most likely be listed in Stop Forum Spam.

'user's email here' = the email that they are trying to use to register. Probably a fake one since they cannot register.

[allkvinde]

Not sure if this one had registered or not Skhilled when you were on the site but non the less this is also a spammer. I did notice that the yesey.net mail addy is one that the spammer is using.

I was wondering if this could be after my daughter started a Tink-fun fan club on facebook and left it open for all to use. I seem to have been getting hit after she has started that group there. How many others are using facebook, my space and other areas to advertise in that are having these problems?


username: presseFug

e-mail:  kellymoore@yesey.net

IP:      78.157.142.5

[lucky7]

Sorry to go slightly of topic allkvinde, but can one place these whacky IP's on our sites for future reference? In the sense that, banned members on my site are not deleted (email address and addy are) so that when they try to re join under a different addy they immediately flag up as a previous nobhead trying to join.

Can this be possible with these spam/hacker threats? Saving the IP's to the site? 

[allkvinde]

I sure won't be the best to answer this question Lucky but I am sure that there is a way for us to detect them.

At this time I have not found more but I did ban a whole slew of ip's.

It does seem that this site has also been hit and I don't have the power to do anything about it. Just hoping that RR sees them soon.

What a total mess with these fools.

Hopefully we will be informed of the ip's of them so that we can also block them before they come to us.

[Skhilled]

Not sure if this one had registered or not Skhilled when you were on the site but non the less this is also a spammer. I did notice that the yesey.net mail addy is one that the spammer is using.

I was wondering if this could be after my daughter started a Tink-fun fan club on facebook and left it open for all to use. I seem to have been getting hit after she has started that group there. How many others are using facebook, my space and other areas to advertise in that are having these problems?


username: presseFug

e-mail:  kellymoore@yesey.net

IP:      78.157.142.5

It is possible but it is that time of year when they all come out of the woodwork. LOL Places like Facebook and MySpace are potentially a spammer's paradise but if you have to register to view an account then they are logged and can be banned. But by that time, the damage has already been done.

Sorry to go slightly of topic allkvinde, but can one place these whacky IP's on our sites for future reference? In the sense that, banned members on my site are not deleted (email address and addy are) so that when they try to re join under a different addy they immediately flag up as a previous nobhead trying to join.

Can this be possible with these spam/hacker threats? Saving the IP's to the site? 

Stop Form Spam is a one-stop-shopping place for all of the listings of those kinds of IP's. If you register you can add them yourself. You can also download a listing of the current IP's listed there.

If you ban them on IP, username, hostname, etc. (everything in the ban list) you can stop them from coming back only if they do not change ALL of the things that you have banned them on. Most use the same IP but different username and email. Some will change IP and use the same email, username. Mostly the IP will stay the same.

Just remember to ban the IP on the server. If you have more than one site like me (I have multiple test sites) they cannot try to register at the rest of them. You can also ban a range of IP's like 194.27.* on the server. This will ban all IP that start with 194.27. You can also ban email addresses, using *.ru to ban anyone from Russia for example, but most of them seem to be using gmail for email lately. Problem with those I just mentioned are you might be banning actual people who really want to join your site.

The point is no matter what you do they will keep coming back until after the holidays are over then you'll only see then every so often. Same thing happened last year. I spent most of the week of Christmas removing them and helping others to do the same on their sites. If they are starting this early and hitting this hard now, it will probably be a lot worse come Christmas time.

[lucky7]

Many thanks for the info Skhilled and allkvinde, are these hackers and spammers just interested in wrecking sites for the hell of it, or are they just interested in gaining members emails etc to spam them? 

[Jakki]

Well some are just plain gross...my DD's site was spammed with very explicit stuff..and we are upgraded to 1.1.7..Son's was spammed also.

92.113.187.182  This is the gross little person's IP.

[Skhilled]

Many thanks for the info Skhilled and allkvinde, are these hackers and spammers just interested in wrecking sites for the hell of it, or are they just interested in gaining members emails etc to spam them? 

That depends on if they are bots, spammers, or hackers.

Bots will try to register and post spam links and some will try to hack by inserting code wherever they can. They can also try to harvest email addresses so they can spam them later.

Spammers will just post links to duck tails sites or other sites that they have been paid to promote. They can possibly be bots or real people. They may also try to harvest email address.

Hackers...need I say more? All of the above and more.

Well some are just plain gross...my DD's site was spammed with very explicit stuff..and we are upgraded to 1.1.7..Son's was spammed also.

92.113.187.182  This is the gross little person's IP.

That's what they do. The only thing you can do is try to be on top of who is registering at your site. Some can register but not activate...those are usually bots and do not have a real email address.

The only other alternative is to set your site to "Admin Approval". Of course, you'll only want to do that as a last resort.

[Skhilled]

This is what I've done to my personal sites and a few others.

Create a new group that will be right after the newbie group. Give this new group the exact same permissions as the newbie group. If people you know register then just move then to an appropriate member group.

Kill all of the newbie group's permissions except for posting. In this way, if they post a link you can delete it then ban. Also, make sure you check their profile and email address for any links or that the email address does not contain the same wording as the links posted, etc. Delete or rename the links or emails BEFORE banning them. If a search engine has crawled your site before you catch them there will be a link in that search engine to the bot, spammer, hacker's link and/or email address and also to your site.

Remember, once you ban a user you cannot change their details except from make changes to the database. So, make sure that you do this before you ban them! It'll make you life a lot easier.

My bad...you can edit a banned user's settings.
After 5-10 posts (whatever you choose) you'll know if they are serious about joining your site. You can then move them yourself to the new group or let nature take its course. 

[Skhilled]

Also remember to use "Track IP" to find all accounts created by an IP before you ban. I've been finding a lot of IP's here with 4-6 different accounts.

Then ban each account separately on all triggers. Then ban the IP on the server.

[lucky7]

Thanks for that important info Skhilled, hope everybody follows your advice. 

[lucky7]

Further to that . . . just seen this on my site, from a 'guest' that can only view and not post.

8: Undefined index: allow_smfgallery_view
File: /home/*******/**********/Themes/default/Login.template.php (main_above sub template - eval?)
Line: 344
?action=calendar;sa=post;month=11;year=2008;day=8

The last line, ?action=calendar;sa=post;month=11;year=2008;day=8 I clicked over and it redirected me to a POSTING section on the site!! Which appeared to be a live posting section.

Anybody have any ideas, Ive manually banned the IP and server. 

[Master User]

I've noticed an increase in spammer activity at my forum as well, Hmm I thought a big spamming outfit was shut down last week, they said it would make a bit difference, I guess it doesn't take long for them to come back 

[Skhilled]

@ lucky7 - Yeah, I've noticed that as well and some other ones as if they are try to read an non-existent article. Problem was either I had no articles with the number in question or had no articles at all. LOL

The line you have above is probably for a post that would be connected to a calendar event. So, you might want to disallow users from entering any calendar events.

@ MU - This happens every year during the holidays and are probably done by numerous groups and individuals. They appear to come from a lot of different parts of the world as well.

[lucky7]

Cheers Skhilled!  Sorted that guest loophole! 

[Skhilled]

Here are some interested reading materials...

http://en.wikipedia.org/wiki/XRumer

http://www.conradaskland.com/blog/2006/11/xrumer-link-scam-black-hat-seo/