Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
Posted: Mon Jan 14, 2008 8:58 pm
A gaming clan that I help out now and then has been getting forum spam. The baddie is able to post a new topic to their forum without being a registered user. The forum post also contains a flash (!!) video.
The clan is running some kind of security-lax NukePlatinum distro. I checked it out, and helped them disable SQuery and vWar. The phpBB they are running appears to be 2.0.17 from the admin panel, although it still says 2.0.10 on the forum itself (probably just an old template), and 2.0.13 on the copyright link.
Here is what I found in the log for one of the bad posts:
Code:
12.215.143.218 - - [14/Jan/2008:11:43:21 -0700] "GET /modules.php?name=Forums&file=viewforum&f=44 HTTP/1.0" 200 65163 "http://college-paid.net" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Babya Discoverer 8.0:"
12.215.143.218 - - [14/Jan/2008:11:43:30 -0700] "GET /modules.php?name=Forums&file=posting&mode=newtopic&f=44 HTTP/1.0" 200 77478 "http://xxx.us/modules.php?name=Forums&file=posting&mode=newtopic&f=44" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Babya Discoverer 8.0:"
12.215.143.218 - - [14/Jan/2008:11:43:38 -0700] "POST /modules.php?name=Forums&file=posting HTTP/1.0" 200 50730 "http://xxx.us/modules.php?name=Forums&file=posting&mode=newtopic&f=44" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Babya Discoverer 8.0:"
12.215.143.218 - - [14/Jan/2008:11:43:43 -0700] "GET /modules.php?name=Forums&file=viewtopic&p=27682#27682 HTTP/1.0" 200 63121 "http://xxx.us/modules.php?name=Forums&file=viewtopic&p=27682#27682" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Babya Discoverer 8.0:"
I'm probably going to have to convince them to switch to RavenNuke, or install Sentinel or something, but in the meantime, any idea what they are doing and how I can stop them temporarily? It almost looks like they already have a cookie. Thanks.
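The four log lines above show one IP going from forum index to new-topic form to POST to the finished topic in 22 seconds, with no login in between and an off-site Referer on the first hit. As an added example (not from the post, and not PHP-Nuke or phpBB code), this Python script parses combined-format lines like those and flags every POST to file=posting from an IP that fetched the new-topic form but never touched file=login in the preceding minute, which is exactly what anonymous posting looks like in the access log; the site host "xxx.us", the User-Agent shortening and the second, logged-in sequence from 192.0.2.10 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format, as in the lines quoted in the post (UA shortened here).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

# Constructed sample: the spammer's first three requests from the post, plus a made-up registered user who logs in first.
SAMPLE_LOG = [
    '12.215.143.218 - - [14/Jan/2008:11:43:21 -0700] "GET /modules.php?name=Forums&file=viewforum&f=44 HTTP/1.0" 200 65163 "http://college-paid.net" "Mozilla/4.0"',
    '12.215.143.218 - - [14/Jan/2008:11:43:30 -0700] "GET /modules.php?name=Forums&file=posting&mode=newtopic&f=44 HTTP/1.0" 200 77478 "http://xxx.us/modules.php?name=Forums&file=viewforum&f=44" "Mozilla/4.0"',
    '12.215.143.218 - - [14/Jan/2008:11:43:38 -0700] "POST /modules.php?name=Forums&file=posting HTTP/1.0" 200 50730 "http://xxx.us/modules.php?name=Forums&file=posting&mode=newtopic&f=44" "Mozilla/4.0"',
    '192.0.2.10 - - [14/Jan/2008:12:00:00 -0700] "POST /modules.php?name=Forums&file=login HTTP/1.0" 302 0 "http://xxx.us/modules.php?name=Forums" "Mozilla/4.0"',
    '192.0.2.10 - - [14/Jan/2008:12:00:10 -0700] "GET /modules.php?name=Forums&file=posting&mode=newtopic&f=44 HTTP/1.0" 200 77000 "http://xxx.us/modules.php?name=Forums&file=viewforum&f=44" "Mozilla/4.0"',
    '192.0.2.10 - - [14/Jan/2008:12:00:45 -0700] "POST /modules.php?name=Forums&file=posting HTTP/1.0" 200 50000 "http://xxx.us/modules.php?name=Forums&file=posting&mode=newtopic&f=44" "Mozilla/4.0"',
]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    query = parse_qs(urlsplit(rec["path"]).query)  # name=Forums&file=...&mode=...
    rec["file"], rec["mode"] = query.get("file", [""])[0], query.get("mode", [""])[0]
    return rec

def find_posting_bursts(lines, window_s=60, site_host="xxx.us"):
    """Flag each POST to file=posting whose IP fetched the new-topic form in the
    previous window_s seconds without ever touching file=login (no login happened,
    as with anonymous posting). Returns (ip, seconds from first hit, offsite_referer)."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["method"] != "POST" or r["file"] != "posting":
                continue
            earlier = [e for e in recs[:i] if (r["ts"] - e["ts"]).total_seconds() <= window_s]
            if not earlier or any(e["file"] == "login" for e in earlier):
                continue  # a login inside the window: treat as a registered user
            if any(e["file"] == "posting" and e["mode"] == "newtopic" for e in earlier):
                # an off-site Referer on the way in is a further sign of automation
                offsite = any(urlsplit(e["referer"]).hostname not in (None, site_host) for e in earlier)
                hits.append((ip, (r["ts"] - earlier[0]["ts"]).total_seconds(), offsite))
    return hits
```

Run it over the real access log by reading the file into `find_posting_bursts`; every hit is a topic created by an IP that never logged in, so an empty result after the permissions are fixed confirms the fix.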
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Mon Jan 14, 2008 10:22 pm
Not to ask too obvious a question, but do you know for sure that none of their forums are open to anonymous posting? I only ask because it can be a little tricky to make sure that none are.
slackervaara
Worker
Joined: Aug 26, 2007
Posts: 236
Posted: Tue Jan 15, 2008 2:55 am
I have used bbantispam for 6 months and I have not had a single spam in the forum or elsewhere although the forum is open for guests. It is best and simplest to put the installation code for bbantispam in config.php.
http://www.bbantispam.com/
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Tue Jan 15, 2008 6:40 am
I would definitely make sure they are all the way up to 2.0.22 of BBtoNuke and ensure the session checking code is "in" (i.e., if this doesn't jog your memory, PM me as I do not want to discuss the exploit openly).
Gremmie
Posted: Tue Jan 15, 2008 1:02 pm
fkelly wrote:
> Not to ask too obvious a question, but do you know for sure that none of their forums are open to anonymous posting? I only ask because it can be a little tricky to make sure that none are.
For some reason I missed you guys' replies and had to find out the hard way that this was indeed the case! HA HA HA HA HA
I was poring over logs, checking the forum files, when it suddenly occurred to me this spammer was only doing this to one particular sub-forum that had been created not long ago by a novice admin.
Always check the obvious first!!! D'OH!!
Boy, did you know those Platinum guys replaced the phpBB copyright statements with THEIR OWN copyright statement in all the forum files? Sheesh! They did mod it, or maybe applied some common forum mods, but they didn't write it!!!
I don't want to ruffle any feathers or make anyone mad, but I'm not impressed with the guts of NukePlatinum. Not only did they integrate some very buggy and exploitable 3rd party modules (vWar, SQuery), but they didn't seem to have security in mind in the stuff they wrote, and they didn't seem to respect copyrights either.
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Tue Jan 15, 2008 3:14 pm
Definitely want to update the forums to the latest version though; even with registered-only turned on it isn't 'safe'.
Careful with that flash file too. There have been recent exploits of flash files on websites generating code which is saved to a random location on the visitor's PC, which in turn is used to create a zombie machine. I don't think Norton or some of the other well-respected anti-virus software has a fix for it yet; only got the data today myself.
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Tue Jan 15, 2008 6:24 pm
Yea, copyrights are supposed to be kept; any changes to the files should only ADD to the copyright.
Guardian2003
Posted: Wed Jan 16, 2008 1:20 am
I seem to remember a VERY lengthy discussion on this fork from maybe a couple of years ago. I believe it was down to a one-man 'team' called Steve? The same guy that claimed he was working for FB on the nuke 8.0 release, which he was being paid a small fortune for writing a whole new forum for. Funny how it never appeared though.
Gremmie
Posted: Wed Jan 16, 2008 8:28 am
I would try to update their forums for them, but they apparently have been heavily modded by the Platinum guys. Their copyright headers mention 3 or 4 people.
Guardian2003
Posted: Wed Jan 16, 2008 8:52 am
Yikes! Hard to port, and full steam 'away', lol.
gazj
Worker
Joined: Apr 28, 2006
Posts: 152
Location: doncaster england
Posted: Tue Apr 15, 2008 12:07 am
Not sure if you fixed this, but the same IP shows on every one, so just do if ip == 12.215.143.218 then die(); or a header location or something for now; that might fix it short term, well, for that IP. Or just get the webmaster to go with RavenNuke or Nuke 8.1.
Gremmie
Posted: Tue Apr 15, 2008 7:36 am
gazj, the forum was incorrectly configured to allow anonymous users to post. Once that was fixed the spamming stopped.