oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
Posted: Sat Sep 04, 2004 9:00 pm
I had a random user JackFromWales4u2 register on one of my phpnuke sites. At first I was annoyed at the random registration, but then paranoia took hold. I checked the logs for any obvious or glaring exploits, but I did not see anything.
I then checked the various phpnuke security sites. I was surprised to see that JackFromWales4u2 was also the latest signup at a forum moderator's site.
I then ran a Only registered users can see links on this board! Get registered or login!, and Google returned 18600 hits!
From a random check of the various Google hits, it seems that JackFromWales4u2 has been very busy with a great number of registrations at these various phpnuke and phpbb sites within a span of a couple of days -- September 1-2, 2004.
Now this screams of an exploit/vulnerability! Is there a script or exploit/vulnerability that is out in the wild that is yet unpatched?
Or am I just being paranoid here?
P.S. You might want to check your own sites to see if you've had a visit from JackFromWales4u2, too.

kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Sat Sep 04, 2004 9:27 pm
I saw this on several sites, too. Could it be an attempt to identify server and/or return email address info for spamming purposes?

oprime2001
Posted: Sat Sep 04, 2004 9:52 pm
That could be a possible purpose for the mass registrations. My concern is HOW did they register and activate all these phpnuke/phpbb accounts in a seemingly short period of time.

sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
Posted: Sat Sep 04, 2004 10:03 pm
Interesting. Quoth the Raven "Let the Games Begin".
_________________
openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR | GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30

GeekyGuy
Client
Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio
Posted: Sat Sep 04, 2004 10:11 pm
oprime2001,
Do you have an IP address associated with that username?
_________________
"The Daytona 500 is ours! We won it, we won it, we won it!", Dale Earnhardt, February 15th, 1998, Daytona 500

oprime2001
Posted: Sat Sep 04, 2004 10:17 pm
The registration was activated using Only registered users can see links on this board! Get registered or login!

GeekyGuy
Posted: Sat Sep 04, 2004 10:23 pm
Interesting, that IP comes back as:
OrgName: Advanced Internet Technologies, Inc.
OrgID: ADIT
Address: 421 Maiden Lane
City: Fayetteville
StateProv: NC
PostalCode: 28301
Country: US
Jack is a Tarheel, not from Wales.

Muffin
Client
Joined: Apr 10, 2004
Posts: 649
Location: UK
Posted: Sun Sep 05, 2004 4:39 am
That's interesting, isn't it, boyo!
Sorry, couldn't resist it.
I'll keep a watch out for that username.
_________________
Classic Mini rules the bends & bends the rules!

takaharu
Client
Joined: Sep 25, 2003
Posts: 58
Posted: Sun Sep 05, 2004 11:27 am
I have this one registered on my site.
Should I lose him?

Rage
Insane
Joined: Jul 30, 2004
Posts: 85
Posted: Sun Sep 05, 2004 11:36 am
I feel like we're in the twilight zone.
_________________
It's not that I'm afraid of dying, it's just that I don't want to be there when it happens. - Woody Allen

64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
Posted: Sun Sep 05, 2004 12:14 pm
Registered on my site on September 1, 2004 using a mail.ru email address which is on my restricted list. You should NOT be able to register on my site using this email address so something is awry!
_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance.

GeekyGuy
Posted: Sun Sep 05, 2004 12:22 pm
Luckily, I've not seen traces of this fella on my site, but then I don't get a lot of traffic.
Has anyone seen a post by him, or anything other than just a registration? If not, then I would delete his account.
Another thing, is everyone seeing him on the same IP, 66.219.97.51?

Muffin
Posted: Sun Sep 05, 2004 2:51 pm
Can we check all registered members' IPs on our site quickly? I mean I have over 500 so far, and most of those don't post on the forum, so I don't get an IP.
Shame if it doesn't register an IP when registering (something I liked about Invision Board: the IP on registration was logged) because you can get rid of anyone you don't want if you know their IP.

GeekyGuy
Posted: Sun Sep 05, 2004 3:03 pm
If you were using the IP Tracking module, you could find it pretty easily. I actually hadn't thought about those who weren't using IP Tracking. Sorry.
Maybe one of the Wizards of Nuke knows of a way to find the last IP, but I sure don't.

Muffin
Posted: Sun Sep 05, 2004 3:10 pm
I only use MS Analysis.
I think I'll install IP Tracking now.

sixonetonoffun
Posted: Sun Sep 05, 2004 3:12 pm
I'm thinking someone's developed a reader for the images. It only makes sense. The rest is easy to script.
I bumped my code up to 9 digits and changed the background image color and quality. But am going to hack in a harder to read image when I get time.

64bitguy
Posted: Sun Sep 05, 2004 3:53 pm
I can see that, but it doesn't explain how he got around my email address registration restrictions.

sixonetonoffun
Posted: Sun Sep 05, 2004 4:30 pm
Not your average copy-paste script kiddie for sure. I'd guess this is a very high tech entity or individual. But collecting the URLs from the emails wouldn't be the hardest thing to do.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Sun Sep 05, 2004 7:40 pm
sixonetonoffun wrote:
    I'm thinking someone's developed a reader for the images. It only makes sense. The rest is easy to script.
    I bumped my code up to 9 digits and changed the background image color and quality. But am going to hack in a harder to read image when I get time.

This might get you started:

Code:
// Renders the security-code image. The six-digit code is not stored anywhere:
// it is derived from the visitor's user agent, the site key, the random number
// carried in the form and today's date, so the verifier recomputes it the same way.
function gfx($random_num) {
    global $prefix, $db, $module_name;
    require("config.php");                       // provides $sitekey
    $datekey = date("F j");                      // e.g. "September 5": the code changes daily
    // hexdec() of a 32-hex-digit md5 overflows to a float; the six characters are
    // taken from that number's string form, which is what the check must reproduce.
    $rcode = hexdec(md5($_SERVER['HTTP_USER_AGENT'] . $sitekey . $random_num . $datekey));
    $code = substr($rcode, 2, 6);
    # $image = ImageCreateFromJPEG("modules/$module_name/images/code_bg.jpg");
    header("Content-type: image/jpeg");
    $image = ImageCreate(100, 20);
    $white = ImageColorAllocate($image, 255, 255, 255);
    ImageFilledRectangle($image, 0, 0, 100, 20, $white);
    // Light random circles as background noise
    for ($cnt = 0; $cnt < 12; $cnt++) {
        $text_color = ImageColorAllocate($image, intval(rand(200, 255)), intval(rand(200, 255)), intval(rand(200, 255)));
        # Depending on your PHP use one of imageellipse or imagearc
        #ImageEllipse($image, ($cnt*8), 10, intval(rand(15, 30)), intval(rand(15, 30)), $text_color);
        ImageArc($image, ($cnt*8), 10, intval(rand(15, 30)), intval(rand(15, 30)), 0, 360, $text_color);
    }
    // Each digit is drawn twice, one pixel apart, in random dark colours and a random built-in font
    for ($idx = 0; $idx < 6; $idx++) {
        $text_color = ImageColorAllocate($image, intval(rand(0, 128)), intval(rand(0, 128)), intval(rand(0, 128)));
        $text_color1 = ImageColorAllocate($image, intval(rand(0, 128)), intval(rand(0, 128)), intval(rand(0, 128)));
        ImageString($image, intval(rand(1, 5)), 12 + ($idx*14), 2, substr($code, $idx, 1), $text_color);
        ImageString($image, intval(rand(1, 5)), 11 + ($idx*14), 2, substr($code, $idx, 1), $text_color1);
    }
    ImageJPEG($image, null, 75);                 // null: stream to the browser instead of writing a file
    ImageDestroy($image);
    die();
}

Don't even know where I picked it up. I have another one that is much clearer and is in color but I can't find it right off hand.

sixonetonoffun
Posted: Mon Sep 06, 2004 8:50 am
Seems to come out clearer as a PNG image. Nice, whoever created it.

sixonetonoffun
Posted: Mon Sep 06, 2004 1:05 pm
Does anyone think we need a 3 strikes function with this?
The longer the code is, the more likely an error. After changing to 9 chars, about 1 in 3 tries I get it wrong, and I'm more familiar with the login process than the average surfer.
It has some merit in the case of brute force attacks, I s'pose.

sixonetonoffun
Posted: Mon Sep 06, 2004 2:49 pm

oprime2001
Posted: Thu Sep 09, 2004 7:28 am
I posted the original post in the Only registered users can see links on this board! Get registered or login!. A couple of users there are now reporting that the JackFromWales4u2 account is being used to spam news articles on phpnuke websites with comments containing a link to (presumably, their) website.
However, what is more disconcerting is that these users are reporting that ALL of their articles/news were spammed! Again, if that doesn't smell of a script/bot, I don't know what does. I don't see a legitimate reason to keep this JackFromWales4u2 account on your site!

GeekyGuy
Posted: Thu Sep 09, 2004 12:59 pm
44,200 for JackFromWales4u2 on Google today....

kguske
Posted: Thu Sep 09, 2004 1:07 pm
I really wonder if the person contacted to investigate this might be the one who did it... It will be interesting to see the replies.