Announcement

Collapse
No announcement yet.

Ongoing "exploit" being used on our forums

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • oldford
    replied
    Thank you. I did have a return in there instead of a space. Funny how directions work only if you read them!

    Leave a comment:


  • Steve Machol
    replied
    Make sure that the banned email addresses are separated by a space and not a carriage return. Other than that, there is no reason the ban should not work on an unhacked forum.

    Leave a comment:


  • oldford
    replied
    I know this thread is old, but I've started getting these fake signups again. Usually a dozen at a time.

    The usernames follow a pattern, but nothing I can ban without banning legitimate members. I have the image verification turned on. I also have that email domain banned, but they are still able to register. Why is that?

    Leave a comment:


  • Steve Machol
    replied
    I also suggest you enable the image verification option during registration if you haven't already. This was added to specifically stop scripts from automatically registering on vB forums.

    Leave a comment:


  • timh
    replied
    Originally posted by oldford
    I've had the same new sign ups on my forums. Only 4 so far, but still annoying. Usernames also start with ! and emails are all free email accounts.

    I'll be interested in seeing if removing the "homepage" field will help. Any other thoughts on how to block this?

    Thanks!
    Ah intersting. Glad I'm not alone. Er you know what I mean :^)

    So we did remove the homepage field from all the displays and forms. It does appear to have stopped this - at least I haven't seen any for several days now. Which would make me think it's people doing it manually rather than an automated posting/registration script. Odd someone would do this - it would take a lot of work I'd think.

    Leave a comment:


  • oldford
    replied
    Done. Thanks!

    I also tried banning members based on the email domain, but when I tried registering with a test account using that email domain it still allowed me to register.

    Leave a comment:


  • the Sandman
    replied
    This may be a bit simplistic, but why not put the exclamation point (!) in the AdminCP > vBulletin Options > User Registration Options > Illegal User Names List? This would be particularly effective if the script generating these accounts is automated...

    Enter names in here that you do not want people to be able to register. If any of the names here are included within the username, the user will told that there is an error. For example, if you make the name John illegal, the name Johnathan will also be disallowed.
    Separate names by spaces.

    Leave a comment:


  • oldford
    replied
    I've had the same new sign ups on my forums. Only 4 so far, but still annoying. Usernames also start with ! and emails are all free email accounts.

    I'll be interested in seeing if removing the "homepage" field will help. Any other thoughts on how to block this?

    Thanks!

    Leave a comment:


  • timh
    replied
    Originally posted by Steve Machol
    This is caused by a virus or trojan on personal computers that appears to automatically fill in any URL boxes it finds. This was a very big problem a few months ago and was reported on these forums at that time.
    Makes sense for a few of our accounts, but does it also create all these "! ! ! ! !" type accounts? They keep showing up - users never post - email addresses look bogus.

    Leave a comment:


  • Steve Machol
    replied
    This is caused by a virus or trojan on personal computers that appears to automatically fill in any URL boxes it finds. This was a very big problem a few months ago and was reported on these forums at that time.

    Leave a comment:


  • timh
    replied
    To try and block this, we have removed all references to "homepage" in our member profile and list display along with our new member signup page. We're going to watch and see if homepage values continue to be set. If so, we know it is an exploit script of some kind. If not, then we know someone is manually doing this.

    Leave a comment:


  • timh
    started a topic Ongoing "exploit" being used on our forums

    Ongoing "exploit" being used on our forums

    I just wanted to post information about this exploit for others to be aware of.

    We have an ongoing "exploit" of sorts being used on our forums. Someone (or some script) keeps registering new users to our forums, and setting the homepage of the user to one of several porn sites. We assume this is happening so that this makes the sites show up in web crawler searches and pushes up their ratings in search engines.

    The user names almost always start with ! and often have groups of ! and space (like "! ! ! ! ! *"). The websites often have the term "inceset" or "mature" in them. They are not consistently posted from the same IP address so we are unable to ban the same person. They have unique email addresses but seem to be obviously fake with variants on "[email protected]" etc.

    We HAVE seen one very strange thing. There are a handfull of real and apparently legitimate accounts on our forms (users which post and post real content) who have these porn sites as their homepages. It is not clear how this happens. We haven't asked any of the users if they set them by hand or what. In the past, we have had someone use an exploit on our site by setting up a Javascript web page on a "Free" website like geocities. The Javascript simulates a post to submit a new thread to our forums with racist material. Because the person visiting the geocities web page is cookie authorized, and javascript based form posts seem to originate from the web browser, the new forum thread posts get posted. The posts also have a link back to the same page, so anyone clicking the link will themselves make a post - not unlike a replicating virus.

    We have noticed that the "porn website" exploit is being used on other forums besides ours. A search for "mature-paradise" on google showed several web forums having user profiles with this link.
Loading...
Working...
X