JoAnne
Worker
Joined: Oct 18, 2005
Posts: 127
Location: NYC
Posted: Thu Feb 22, 2007 7:06 pm
Yes... Hackers have joined one of my sites with just entering one link!
They did not do any harm that I can see... no spam... nothing... so I don't know what they were trying to accomplish... maybe just to see if they could do it.
Has anyone else seen this happen?
JoAnne ~
wiz
Involved
Joined: Oct 09, 2006
Posts: 413
Location: UK
Posted: Thu Feb 22, 2007 7:44 pm
How do you know this? Don't post any links or stuff, but how do you know they just entered one link?
Sounds to a noob like me like it was more of an executable link for a script. And is it a sleeper? Therefore no damage is done yet, but the actual work is done, so that they can play later.
JoAnne
Posted: Thu Feb 22, 2007 8:07 pm
wiz wrote:
How do you know this? Don't post any links or stuff, but how do you know they just entered one link?
Sounds to a noob like me like it was more of an executable link for a script. And is it a sleeper? Therefore no damage is done yet, but the actual work is done, so that they can play later.
There was only one link to the IP, which joined 3 times within minutes of each other. Most spam bots that try to enter the forums use a fictitious email that comes back as undeliverable, and you can see them making attempts to enter the forums... not these times.
One link and they are registered on my site. They used an activate command... first I have seen of it.
Don't know what to do to protect against it happening again, or if there is anything that can be done.
wiz
Posted: Thu Feb 22, 2007 8:10 pm
Well, for a start, if you are sure, remove their account.
JoAnne
Posted: Thu Feb 22, 2007 8:26 pm
wiz wrote:
Well, for a start, if you are sure, remove their account.
I banned their user names for now. I have had problems in the past from deleting users entirely.
Strange that they didn't do anything... but they could be coming back, as you stated.
wiz
Posted: Thu Feb 22, 2007 8:32 pm
Rename their account then, mail them suggesting a dodgy link and your policy, blah blah.
While you make your judgement, the account is still there and they can't log in because the username has changed.
The motive for this is that you do not delete any legitimate activity that they have accumulated, but it gives you time to assess the threat to your prized (and very neat, may I add) website. Hopefully someone more knowledgeable will reply soon.
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Thu Feb 22, 2007 8:45 pm
The quickest way to tell how it happened is to check your access logs. These are usually available on the site's control panel.
JoAnne
Posted: Thu Feb 22, 2007 8:54 pm
wiz wrote:
Rename their account then, mail them suggesting a dodgy link and your policy, blah blah.
While you make your judgement, the account is still there and they can't log in because the username has changed.
The motive for this is that you do not delete any legitimate activity that they have accumulated, but it gives you time to assess the threat to your prized (and very neat, may I add) website. Hopefully someone more knowledgeable will reply soon.
Thanks wiz!
I am thinking it might be better to change their password... if they even entered one... but they can always enter more users the same way they entered the three they did today... stinks.
wiz
Posted: Thu Feb 22, 2007 8:59 pm
Well no, change their username. You have no way of recovering their original password; the username, yes, because it is not MD5'd.
The motive is, if you are being over-cautious, it doesn't appear like that to the legit user if you say in your email that their account is under review.
Then if they are bad, you remove them; if they are good, you restore their username and they can log in again.
JoAnne
Posted: Thu Feb 22, 2007 9:13 pm
wiz wrote:
Well no, change their username. You have no way of recovering their original password; the username, yes, because it is not MD5'd.
The motive is, if you are being over-cautious, it doesn't appear like that to the legit user if you say in your email that their account is under review.
Then if they are bad, you remove them; if they are good, you restore their username and they can log in again.
With the email ontimepaydayloan.com, I doubt very much that they are legit accounts.
Besides... anyone that can register that way, I do not want as a member anyway!
Thank you wiz
JoAnne
Posted: Thu Feb 22, 2007 9:15 pm
kguske wrote:
The quickest way to tell how it happened is to check your access logs. These are usually available on the site's control panel.
Hey kguske,
Unfortunately the access logs didn't tell me anything more.
JoAnne
wiz
Posted: Thu Feb 22, 2007 9:18 pm
Well, you are the owner and admin; if you do not want it, delete it. It's your prerogative.
However, I don't know if the experts can dispute this, but maybe keep it, change the details, then explore the account. It's your site; you have the right to explore anyone's account.
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Thu Feb 22, 2007 10:44 pm
Hey JoAnne,
Send me the links they are using and I will check it out. These are always automated bots, but if they've found a quicker way that doesn't need activation, it could be a flaw somewhere.
jjh221
Worker
Joined: Dec 05, 2006
Posts: 180
Posted: Thu Feb 22, 2007 11:56 pm
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Fri Feb 23, 2007 6:33 am
evaders99, we definitely could have an issue here, and even in 2.10.00! I just had two "odd-ball" userids sign up yesterday, one using this exact same domain (fishy in my book) and another very close to it.
If this is a bot, it's getting past the new captcha. It might actually be a real person? Uuggghh...
technocrat
Life Cycles Becoming CPU Cycles
Joined: Jul 07, 2005
Posts: 511
Posted: Fri Feb 23, 2007 10:36 am
The spammers are posting to the registration file. That's what they were doing in Evo. We are using CNBYA and they would simply send a POST to new_finish3.php and presto. No code validation, no email validation, nothing. So I added sessions to the files to make sure they went through each step.
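The fix technocrat describes, a server-side session that records which registration step has been completed so that a direct POST to the final step is refused, is shown below as an added example. It is not code from this thread, from CNBYA or from PHP-Nuke (those are PHP; this is a language-neutral sketch in Python), and the function names, the in-memory session store and the "three steps" are assumptions standing in for the real form, POST and new_finish3.php pages. The CAPTCHA answer is kept only in the session, never in a hidden form field, so a client that skips the form has nothing to replay.

```python
import hmac
import secrets
from dataclasses import dataclass, field


class RegistrationError(Exception):
    """Raised when a request arrives out of order or with bad data."""


@dataclass
class Session:
    """Server-side session record. The browser only ever holds an opaque,
    unguessable session id; none of these fields are sent to the client."""
    stage: int = 0                      # highest registration step completed
    captcha_answer: str = ""            # expected CAPTCHA text for this session
    form: dict = field(default_factory=dict)


# Hypothetical in-memory session store keyed by session id (constructed for the demo;
# PHP's $_SESSION plays this role in the real application).
SESSIONS: dict[str, Session] = {}


def new_session() -> str:
    """Issue a fresh, random session id and register an empty session for it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session()
    return sid


def step1_show_form(sid: str) -> str:
    """Step 1 (the registration form). The CAPTCHA answer is generated here and
    kept only in the session, so it cannot be read or forged from the form itself.
    It is returned purely so the demo can 'solve' it; a real page renders an image."""
    s = SESSIONS[sid]
    s.captcha_answer = secrets.token_hex(3)
    s.stage = 1
    return s.captcha_answer


def step2_submit_form(sid: str, username: str, email: str, captcha: str) -> None:
    """Step 2 (the form POST). Refused unless step 1 ran in this same session."""
    s = SESSIONS[sid]
    if s.stage < 1:
        raise RegistrationError("registration form was never requested in this session")
    if not s.captcha_answer or not hmac.compare_digest(
        captcha.encode(), s.captcha_answer.encode()
    ):
        raise RegistrationError("CAPTCHA mismatch")
    s.captcha_answer = ""                # single use: a replayed POST fails
    s.form = {"username": username, "email": email}
    s.stage = 2


def step3_finish(sid: str) -> dict:
    """Step 3 (the equivalent of new_finish3.php). A client that POSTs straight
    here is rejected because its session never passed steps 1 and 2."""
    s = SESSIONS[sid]
    if s.stage < 2:
        raise RegistrationError("registration steps were skipped")
    s.stage = 3
    # The activation token is random, not derived from anything the client chose.
    return dict(s.form, activation_token=secrets.token_hex(16))


def direct_finish_is_rejected() -> bool:
    """A fresh session calling the finish step directly must be refused."""
    sid = new_session()
    try:
        step3_finish(sid)
    except RegistrationError:
        return True
    return False


def full_flow(username: str, email: str) -> dict:
    """A legitimate client walking all three steps in order."""
    sid = new_session()
    answer = step1_show_form(sid)
    step2_submit_form(sid, username, email, answer)
    return step3_finish(sid)


if __name__ == "__main__":
    print("direct POST to finish rejected:", direct_finish_is_rejected())
    print("legitimate flow:", full_flow("alice", "alice@example.com"))
```

The point is that the only thing a client can present is a session id, and every step checks the server-side record for that id rather than trusting anything posted with the request. The same gating makes a replayed step-2 POST fail, because the CAPTCHA answer is cleared once it has been used.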
wiz
Posted: Fri Feb 23, 2007 10:54 am
Actually, I've just found 10 of these accounts on one of my sites.
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Fri Feb 23, 2007 11:46 am
I had 4 today, one from the same email posted above.
Evaders99, appreciate any feedback if you learn anything from the data sent to you by JoAnne.
I have a feeling though that these are not automated sign-ups; surely there would be many more of them if this was the case?
Out of the four I had today, 2 are fully 'registered users' and the other two are still sitting in 'pending'.
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany; Moderator, German NukeSentinel Support
Posted: Fri Feb 23, 2007 11:51 am
Quote:
I have a feeling though that these are not automated sign-ups
Guardian, just google for ontimepaydayloan.com and you'll find a lot of spam entries in blogs and other sites too.
Guardian2003
Posted: Fri Feb 23, 2007 1:33 pm
Thanks Susann, I appreciate that, but as yet I have found no evidence indicating that the issues posted here are the result of an automated attack.
I'm not ruling out that they are conducting automated attacks in other places; I'm just trying to make the point that we shouldn't 'assume' it's an automated attack.
I have spent a couple of hours poring over my server error logs and there is nothing in there. I also use a script which emails me if anyone tries to access a file they are not supposed to or that doesn't exist, and there's nothing there either.
The one peculiarity I do see is that I'm not seeing any Tracked User IP data in Sentinel. I would expect to see one entry per registration confirmation, BUT I'm ONLY tracking the last 100 IPs, so I'll increase that now and see what the future brings.
Guardian2003
Posted: Fri Feb 23, 2007 2:56 pm
OK, I have gone through all my registered users; luckily there are not too many, and surprise, surprise!!
Every single one that I would consider a 'sleeper' user, whose email address is associated with loans and all that type of thing, has come from the same place.
I checked each of the addresses (a total of 30 going over the last year) and they all came from this range which, incidentally, I have seen come up before.
I hope it helps.
Quote:
OrgName: Layered Technologies, Inc.
OrgID: LAYER-3
Address:
Address: 1647 Witt Road Suite#201
City: Frisco
StateProv: TX
PostalCode: 75034
Country: US
ReferralServer: rwhois://rwhois.layeredtech.com:4321
NetRange: 72.232.0.0 - 72.232.255.255
CIDR: 72.232.0.0/16
NetName: LAYERED-TECH-
NetHandle: NET-72-232-0-0-1
Parent: NET-72-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.LAYEREDTECH.COM
NameServer: NS2.LAYEREDTECH.COM
Comment: Please send all abuse complaints to
Comment: *****@layeredtech.com
RegDate: 2005-09-07
Updated: 2006-03-07
RTechHandle: JPS66-ARIN
RTechName: Suo-Anttila, Jeremy Paul
RTechPhone: +1-972-398-7998
RTechEmail: ***@layeredtech.com
OrgAbuseHandle: LAT-ARIN
OrgAbuseName: LT Abuse Team
OrgAbusePhone: +1-972-398-7998
OrgAbuseEmail: *****@layeredtech.com
OrgNOCHandle: LIT-ARIN
OrgNOCName: LT IP-Network Team
OrgNOCPhone: +1-972-398-7998
OrgNOCEmail: *****@layeredtech.com
OrgTechHandle: LNT3-ARIN
OrgTechName: LT NOC Team
OrgTechPhone: +1-972-398-7998
OrgTechEmail: *****@layeredtech.com
I have now blocked the whole range in Sentinel.
ruger
New Member
Joined: Dec 26, 2005
Posts: 4
Posted: Fri Feb 23, 2007 7:40 pm
I noticed 3 days ago that I was having the same problem. So far there have been 20 registrations like this. None have recorded IPs in NukeSentinel, nor do any records show in MS Analysis. When I check the user database there are no IPs as well. This is a partial list of my raw access logs with some of the usernames and IPs:
Quote:
DXIRxDkgtN
81.169.183.122 - - [23/Feb/2007:02:15:00 -0600] "GET /modules.php?name=Your_Account&op=activate&username=DXIRxDkgtN&check_num=ceae7f479557b3650a8a249b80995625 HTTP/1.0" 200 26586 "-" "Mozilla/4.0 (compatible; ICS)"
66.249.65.70 - - [23/Feb/2007:03:08:02 -0600] "GET /modules.php?name=Your_Account&op=userinfo&username=DXIRxDkgtN&PHPSESSID=baf5554f6fa1a29659df60583e732184 HTTP/1.1" 200 4639 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
tUSkxXjhcV
149.9.0.59 - - [23/Feb/2007:04:43:17 -0600] "GET /modules.php?name=Your_Account&op=activate&username=tUSkxXjhcV&check_num=221cdbd49831660e254edeb0c4b51109 HTTP/1.0" 200 26586 "-" "Mozilla/4.0 (compatible; ICS)"
66.249.65.70
CAVvvnNrYJ
213.100.23.130
66.249.65.70
66.254.102.58
149.9.0.57
evaders99
Posted: Fri Feb 23, 2007 9:48 pm
CAPTCHAs aren't a cure-all, especially when the software is getting smarter.
Generally the bots still have to read the registration page to get the CAPTCHA, before processing it and then going to POST data to the registration fields.
If you don't see that pattern, let me take a look and I'll see if I can duplicate it.
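The pattern evaders99 describes (a real registrant fetches the form, POSTs it, and only then activates) can be checked mechanically against access logs in the format ruger quoted. The script below is an added example, not part of this thread or of any PHP-Nuke or NukeSentinel tooling: it parses combined-format log lines, remembers which IPs made a registration-step request, and reports activation hits from IPs that never did. The request shapes it treats as "registration steps" (name=Your_Account&op=new_user, or a POST to Your_Account, or anything mentioning new_finish) are assumptions to adjust to your own site. The sample log is constructed: IPs are RFC 5737 documentation addresses, check_num values are placeholders, and only the usernames and user-agent strings mirror the quoted lines.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format, the layout of the quoted access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# URL fragments that mark a registration-form request. Assumed PHP-Nuke/CNBYA
# shapes; adjust to what your own logs actually show.
REGISTRATION_MARKERS = ("name=Your_Account&op=new_user", "new_finish")

# Constructed sample: one legitimate registrant (alice) followed by two activation
# hits whose IPs never touched the registration form, plus a crawler hit.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Feb/2007:02:10:00 -0600] "GET /modules.php?name=Your_Account&op=new_user HTTP/1.1" 200 20500 "-" "Mozilla/5.0 (Windows)"
192.0.2.10 - - [23/Feb/2007:02:11:30 -0600] "POST /modules.php?name=Your_Account HTTP/1.1" 200 26586 "-" "Mozilla/5.0 (Windows)"
192.0.2.10 - - [23/Feb/2007:02:20:05 -0600] "GET /modules.php?name=Your_Account&op=activate&username=alice&check_num=00000000000000000000000000000000 HTTP/1.1" 200 26586 "-" "Mozilla/5.0 (Windows)"
198.51.100.7 - - [23/Feb/2007:02:15:00 -0600] "GET /modules.php?name=Your_Account&op=activate&username=DXIRxDkgtN&check_num=11111111111111111111111111111111 HTTP/1.0" 200 26586 "-" "Mozilla/4.0 (compatible; ICS)"
203.0.113.9 - - [23/Feb/2007:04:43:17 -0600] "GET /modules.php?name=Your_Account&op=activate&username=tUSkxXjhcV&check_num=22222222222222222222222222222222 HTTP/1.0" 200 26586 "-" "Mozilla/4.0 (compatible; ICS)"
192.0.2.50 - - [23/Feb/2007:03:08:02 -0600] "GET /modules.php?name=Your_Account&op=userinfo&username=DXIRxDkgtN HTTP/1.1" 200 4639 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["url"]).query
    rec["params"] = {k: v[0] for k, v in parse_qs(query).items()}
    return rec


def is_registration_step(rec):
    """A form fetch or a form POST: what a real registrant must do before activating."""
    if any(marker in rec["url"] for marker in REGISTRATION_MARKERS):
        return True
    return rec["method"] == "POST" and rec["params"].get("name") == "Your_Account"


def is_activation(rec):
    p = rec["params"]
    return p.get("name") == "Your_Account" and p.get("op") == "activate"


def find_orphan_activations(lines):
    """Activation requests from IPs with no earlier registration-step request in
    these lines. Lines are assumed to be in chronological order."""
    registering_ips = set()
    orphans = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_registration_step(rec):
            registering_ips.add(rec["ip"])
        elif is_activation(rec) and rec["ip"] not in registering_ips:
            orphans.append({
                "ip": rec["ip"],
                "username": rec["params"].get("username"),
                "timestamp": rec["ts"],
                "user_agent": rec["ua"],
            })
    return orphans


def user_agent_counts(orphans):
    """Group the flagged hits by user agent; a single odd UA across all of them
    is a useful corroborating signal."""
    return Counter(o["user_agent"] for o in orphans)


if __name__ == "__main__":
    found = find_orphan_activations(SAMPLE_LOG.splitlines())
    for o in found:
        print(o["timestamp"], o["ip"], o["username"], o["user_agent"])
    print(user_agent_counts(found))
```

Run against a real log with `find_orphan_activations(open("access_log").read().splitlines())`. One caveat, which JoAnne raises later in the thread: the check keys on the client IP, so a legitimate user who changed address between filling in the form and clicking the activation link will also be flagged, and a bot that uses one IP to register and another to activate will look like that user. Treat the output as a list of accounts to review, not as proof on its own.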
JoAnne
Posted: Sat Feb 24, 2007 5:29 pm
evaders99 wrote:
Hey JoAnne,
Send me the links they are using and I will check it out. These are always automated bots, but if they've found a quicker way that doesn't need activation, it could be a flaw somewhere.
Hey Evaders99,
My internet has been down... just came back up a little while ago.
I will email you the links.
Here is another email associated with the strange registrations:
reciprocallinkmanagers.com
I have been trying to check to see if they are using multiple IPs, one to sign up and a different one to activate, which may be why I am only seeing one link from their IP to their account. Still investigating this now that I have the internet back.
If that is the case, then they are not really entering just one link.
JoAnne
Last edited by JoAnne on Sat Feb 24, 2007 5:46 pm; edited 1 time in total
JoAnne
Posted: Sat Feb 24, 2007 5:44 pm
Evaders99,
Just remembered that you are still an admin on my United Music site, if you want to take a look for yourself.
JoAnne