Ongoing "exploit" being used on our forums

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Ongoing "exploit" being used on our forums

    I just wanted to post information about this exploit for others to be aware of.

    We have an ongoing "exploit" of sorts being used on our forums. Someone (or some script) keeps registering new users to our forums, and setting the homepage of the user to one of several porn sites. We assume this is happening so that this makes the sites show up in web crawler searches and pushes up their ratings in search engines.

    The user names almost always start with ! and often have groups of ! and space (like "! ! ! ! ! *"). The websites often have the term "inceset" or "mature" in them. They are not consistently posted from the same IP address so we are unable to ban the same person. They have unique email addresses but seem to be obviously fake with variants on "[email protected]" etc.

    We HAVE seen one very strange thing. There are a handful of real and apparently legitimate accounts on our forums (users which post and post real content) who have these porn sites as their homepages. It is not clear how this happens. We haven't asked any of the users if they set them by hand or what. In the past, we have had someone use an exploit on our site by setting up a JavaScript web page on a "Free" website like geocities. The JavaScript simulates a post to submit a new thread to our forums with racist material. Because the person visiting the geocities web page is cookie authorized, and JavaScript-based form posts seem to originate from the web browser, the new forum thread posts get posted. The posts also have a link back to the same page, so anyone clicking the link will themselves make a post - not unlike a replicating virus.

    We have noticed that the "porn website" exploit is being used on other forums besides ours. A search for "mature-paradise" on google showed several web forums having user profiles with this link.
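
The cross-site posting described in the first post succeeds because a valid session cookie alone was enough to create a thread. The sketch below is an added example, not part of the original thread and not vBulletin's code: a server-side gate that also requires a per-session token and a matching Origin. `FORUM_ORIGIN`, the `csrf_token` field name and the session ids are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions for this sketch: a per-deployment secret and the forum's own origin.
SERVER_SECRET = secrets.token_bytes(32)
FORUM_ORIGIN = "https://forum.example"  # placeholder host


def issue_token(session_id: str) -> str:
    """Token the forum embeds as a hidden field in every form it renders itself."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is the forum."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # strict: no provenance header, no state change
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == FORUM_ORIGIN


def allow_post(session_id: str, headers: dict, form: dict) -> bool:
    """Gate for state-changing requests such as 'new thread' or 'update profile'."""
    if not same_origin(headers):
        return False
    supplied = form.get("csrf_token", "")
    expected = issue_token(session_id)
    # Constant-time comparison; the session cookie by itself proves nothing here.
    return hmac.compare_digest(supplied.encode(), expected.encode())


# Constructed requests. Both carry the same valid session cookie ("sess-1234").
LEGIT = dict(session_id="sess-1234",
             headers={"Origin": "https://forum.example"},
             form={"subject": "hello", "csrf_token": issue_token("sess-1234")})
FORGED = dict(session_id="sess-1234",
              headers={"Origin": "https://free-host.example"},
              form={"subject": "auto-posted"})

if __name__ == "__main__":
    print("form rendered by the forum:", allow_post(**LEGIT))
    print("form auto-submitted by a third-party page:", allow_post(**FORGED))
```

A page on another host cannot read the hidden token out of the forum's own forms, so the auto-submitted request is refused even though the browser attaches the cookie.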

  • #2
    To try and block this, we have removed all references to "homepage" in our member profile and list display along with our new member signup page. We're going to watch and see if homepage values continue to be set. If so, we know it is an exploit script of some kind. If not, then we know someone is manually doing this.

    • #3
      This is caused by a virus or trojan on personal computers that appears to automatically fill in any URL boxes it finds. This was a very big problem a few months ago and was reported on these forums at that time.
      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
      Change CKEditor Colors to Match Style (for 4.1.4 and above)

      Steve Machol Photography


      Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.



      • #4
        Originally posted by Steve Machol
        This is caused by a virus or trojan on personal computers that appears to automatically fill in any URL boxes it finds. This was a very big problem a few months ago and was reported on these forums at that time.
        Makes sense for a few of our accounts, but does it also create all these "! ! ! ! !" type accounts? They keep showing up - users never post - email addresses look bogus.


        • #5
          I've had the same new sign ups on my forums. Only 4 so far, but still annoying. Usernames also start with ! and emails are all free email accounts.

          I'll be interested in seeing if removing the "homepage" field will help. Any other thoughts on how to block this?

          Thanks!


          • #6
            This may be a bit simplistic, but why not put the exclamation point (!) in the AdminCP > vBulletin Options > User Registration Options > Illegal User Names List? This would be particularly effective if the script generating these accounts is automated...

            Enter names in here that you do not want people to be able to register. If any of the names here are included within the username, the user will be told that there is an error. For example, if you make the name John illegal, the name Johnathan will also be disallowed.
            Separate names by spaces.

            • #7
              Done. Thanks!

              I also tried banning members based on the email domain, but when I tried registering with a test account using that email domain it still allowed me to register.


              • #8
                Originally posted by oldford
                I've had the same new sign ups on my forums. Only 4 so far, but still annoying. Usernames also start with ! and emails are all free email accounts.

                I'll be interested in seeing if removing the "homepage" field will help. Any other thoughts on how to block this?

                Thanks!
                Ah interesting. Glad I'm not alone. Er you know what I mean :^)

                So we did remove the homepage field from all the displays and forms. It does appear to have stopped this - at least I haven't seen any for several days now. Which would make me think it's people doing it manually rather than an automated posting/registration script. Odd someone would do this - it would take a lot of work I'd think.


                • #9
                  I also suggest you enable the image verification option during registration if you haven't already. This was added to specifically stop scripts from automatically registering on vB forums.
                  Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)

                  • #10
                    I know this thread is old, but I've started getting these fake signups again. Usually a dozen at a time.

                    The usernames follow a pattern, but nothing I can ban without banning legitimate members. I have the image verification turned on. I also have that email domain banned, but they are still able to register. Why is that?


                    • #11
                      Make sure that the banned email addresses are separated by a space and not a carriage return. Other than that, there is no reason the ban should not work on an unhacked forum.
                      Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)

                      • #12
                        Thank you. I did have a return in there instead of a space. Funny how directions work only if you read them!

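
The registration checks discussed in this thread (the illegal-names substring rule from post #6, the email-domain ban, and the homepage field) can be combined into one screening step. This is an added example, not part of the original thread and not vBulletin's code. It also shows why a ban list pasted one entry per line can silently fail in a parser that splits on spaces only; that parser (`space_only_split`), the data and all names are hypothetical.

```python
def parse_ban_list(raw: str) -> list:
    """Split an admin-entered list on ANY whitespace, so a carriage return
    between entries behaves the same as a space."""
    return [entry.lower().lstrip("@") for entry in raw.split()]


def space_only_split(raw: str) -> list:
    """Hypothetical strict parser (spaces only), kept to show the failure mode."""
    return [entry.lower().lstrip("@") for entry in raw.split(" ") if entry]


def screen_signup(signup: dict, illegal_names: list, banned_domains: list) -> list:
    """Return the reasons a registration should be rejected or held for review."""
    reasons = []
    username = signup["username"].lower()
    # Substring rule, as in the option text quoted in post #6.
    reasons += [f"illegal-name:{bad}" for bad in illegal_names if bad in username]
    domain = signup["email"].rsplit("@", 1)[-1].lower()
    if any(domain == d or domain.endswith("." + d) for d in banned_domains):
        reasons.append("banned-email-domain")
    # The spam accounts in this thread never post but arrive with a homepage set.
    if signup.get("homepage", "").strip():
        reasons.append("homepage-set-at-signup")
    return reasons


# Constructed sample data (not taken from any real forum).
ILLEGAL_NAMES = parse_ban_list("! admin")
DOMAINS_WITH_CR = "freemail.example\r\nspam-mail.example"  # pasted one per line
SIGNUPS = [
    {"username": "! ! ! ! ! *", "email": "a1@spam-mail.example",
     "homepage": "http://promo.example/"},
    {"username": "gardener42", "email": "pat@university.example", "homepage": ""},
    {"username": "quietreader", "email": "x9@spam-mail.example", "homepage": ""},
]

if __name__ == "__main__":
    for label, parser in (("any-whitespace", parse_ban_list),
                          ("space-only", space_only_split)):
        domains = parser(DOMAINS_WITH_CR)
        print(label, domains)
        for s in SIGNUPS:
            print("   ", repr(s["username"]), screen_signup(s, ILLEGAL_NAMES, domains))
```

With the space-only parser the two domains collapse into a single entry containing a line break, so `quietreader` registers with a banned domain and nothing is flagged.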