problem with spammers and possible hackers

  • problem with spammers and possible hackers

    We have been being attacked for the last month and now they have begun to try and hack into our board since they haven't been able to get through our registration blocks to prevent spammers and trolls. I am running vBulletin 3.8.6 Patch Level 1. I have spoken to our host and they said:

    I would strongly suggest providing those results to vBulletin, as the developers would be the best people to tell you whether you are safe from those specific attacks or not.
    Since I have no idea how to tell anyone at vbulletin about this, other than starting a thread here, that's why I'm doing so now. Here is the information I sent my host:

    We've been being spammed a lot and had to install a program that rejects spammers' registrations as we were getting something like 100 a day. Well, one person who was rejected keeps coming back to the board and when I look to see what he's doing, it says "modifying his profile". I wasn't too worried about it since I didn't think there was anything he could do to cause the site to accept his registration anyway, but each time he does it I get a database error and it looks to me like he is trying to force the board to add him as a member. This is what the error says:

    Database error in vBulletin 3.8.6:

    Invalid SQL:
    SELECT DATEDIFF(NOW(), '2010-07-27 20:18:50') AS DAYS;;

    MySQL Error : MySQL server has gone away
    Error Number : 2006
    Request Date : Tuesday, July 27th 2010 @ 09:56:19 PM
    Error Date : Tuesday, July 27th 2010 @ 09:57:14 PM
    Script : http://www.fresh-hope.com/forums/reg...p?do=addmember
    Referrer : http://www.fresh-hope.com/forums/register.php?
    IP Address : 94.23.18.220
    Username : Naramoria
    Classname : vB_Database
    MySQL Version :

    ***************


    In the line that says script is a link and at the end of the link it says: " do=addmember" which is what made me think this... Is this troll a possible hack attempt do you think or am I being paranoid?
    Hello Cynthia,

    Thank you for contacting support.

    It does appear that he may be attempting to use SQL Injection, however as long as your forum software is up-to-date and the latest version is installed you should certainly be safe. However, if you would like we can ban 94.23.18.220 from the server, so this way it will ensure he can't access the site or attempt any further malicious injections.

    regards,
    Melissa
    It's happening again I'm afraid. The people who are attacking us seem very stubborn. The biggest problem is that they're pros and constantly switch their IPs. That's why we had to install the two programs we did to intercept them. We installed them a week ago on July 23rd and since then the programs have rejected 409 registrations as spammers.

    This error message is slightly different though. Here is a copy of it:


    Database error in vBulletin 3.8.6:

    Invalid SQL:
    INSERT HIGH_PRIORITY IGNORE INTO vbstopforumspam_remotecache (date, data, spambot, field) VALUES (now(), 'martinkiday', '0', 'username');;


    MySQL Error : MySQL server has gone away
    Error Number : 2006
    Request Date : Friday, July 30th 2010 @ 05:31:02 AM
    Error Date : Friday, July 30th 2010 @ 05:32:20 AM
    Script : http://www.fresh-hope.com/forums/reg...p?do=addmember
    Referrer : http://www.fresh-hope.com/forums/register.php?
    IP Address : 89.212.200.113
    Username : martinkiday
    Classname : vB_Database
    MySQL Version :

    I meant to add that one thing that concerns me now is that they've obviously figured out what the main program we're using to defeat them is: vbstopforumspam

    If you'd like more info about it, it's explained here:
    http://www.vbulletin.org/forum/showt...ng#post1493369

    the other program we're using is Auto-Moderate Evading Banned Members and can be seen here:

    http://www.vbulletin.org/forum/showthread.php?t=207966
    Hello Cynthia,

    Thank you for your reply.

    From the SQL code, it appears they are attempting to inject into the caching system. Honestly, I would strongly suggest providing those results to vBulletin, as the developers would be the best people to tell you whether you are safe from those specific attacks or not. I know from experience that vBulletin is kept up to date regularly and is protected by these types of attacks, however it certainly doesn't hurt to get a second opinion from the source itself.

    Please let us know if there is anything further we may assist you with from here.

    regards,
    Melissa

    Can anyone here tell me if this is all I have to do to contact vbulletin about this, or if I need to go elsewhere? It would certainly ease my mind a lot to know if we're safe from this kind of attack or anything else they come up with in the near future...
    Again, I am running vBulletin 3.8.6 Patch Level 1. Thank you for your help.
    Last edited by Cindyl10; Fri 30th Jul '10, 11:08am.
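
Added example, not part of the original thread or of vBulletin's code: a Python triage of the database error reports quoted in the post above. It parses the report fields and classifies the MySQL error number (2006 and 2013 are client-side errors meaning the connection to MySQL was lost; 1064 is the server rejecting a statement it could not parse); the function names and the trimmed sample report are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the first report from the post, Script/Referrer lines omitted.
REPORT = """Database error in vBulletin 3.8.6:

Invalid SQL:
SELECT DATEDIFF(NOW(), '2010-07-27 20:18:50') AS DAYS;;

MySQL Error : MySQL server has gone away
Error Number : 2006
Request Date : Tuesday, July 27th 2010 @ 09:56:19 PM
Error Date : Tuesday, July 27th 2010 @ 09:57:14 PM
IP Address : 94.23.18.220
Username : Naramoria
Classname : vB_Database
"""

# MySQL error numbers: 2006/2013 are client-side "connection lost" errors,
# 1064 is the server rejecting a statement it could not parse.
CONNECTION_LOST = {2006, 2013}
PARSE_ERROR = {1064}

def parse_report(text):
    """Split a report into its 'Key : value' fields plus the failed SQL."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    m = re.search(r"Invalid SQL:\s*(.*?)\n\s*\n", text, re.S)
    fields["SQL"] = m.group(1).strip() if m else ""
    return fields

def parse_date(value):
    """Parse 'Tuesday, July 27th 2010 @ 09:56:19 PM' (ordinal suffix removed first)."""
    value = re.sub(r"(\d)(st|nd|rd|th)\b", r"\1", value)
    return datetime.strptime(value, "%A, %B %d %Y @ %I:%M:%S %p")

def triage(text):
    """Classify one report by error number and how long the request had run."""
    f = parse_report(text)
    code = int(f["Error Number"])
    elapsed = parse_date(f["Error Date"]) - parse_date(f["Request Date"])
    kind = ("connection_lost" if code in CONNECTION_LOST
            else "parse_error" if code in PARSE_ERROR else "other")
    return {"code": code, "kind": kind,
            "elapsed_s": int(elapsed.total_seconds()), "sql": f["SQL"]}

if __name__ == "__main__":
    print(triage(REPORT))
```
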

  • #2
    You may want to post the one pertaining to vbstopforumspam in the mod's thread on vbulletin.org. Let the author know what's going on.



    • #3
      Thank you, I will tell them as well, but need to contact the folks at vbulletin about this as well...



      • #4
        And how exactly are they trying to inject the caching system and with what code? Ask your host to be more exact and not so vague. Then whatever info they will give you, pass them along to the vb staff by opening a support ticket.

        But from the looks of it, I highly doubt that the culprit is vb but the security issue is on the server end.



        • #5
          No one has any more information than what I've given here. I will go open a support ticket...or at least try and find out where to do so. Thank you for your help.



          • #6
            You open a support ticket in the 'customer area' after logging in to vbulletin.com with your customer number and password.



            • #7
              Thank you so much!
