Automated registrations by WinHTTP UserAgent - is this an attack?

  • Automated registrations by WinHTTP UserAgent - is this an attack?

    We've seen some strange behaviour on one of our sites over the past 2 days and although it's not something going wrong with vBulletin, I'm posting it here in case other people are seeing similar behaviour.

    Over the past 36 hours, we've had 5 new attempted registrations. In all 5 cases, the username chosen is of the form ! string !, where string is a string of letters which looks plausible as a username. The email given varies but all 5 are at the same domain. A whois on the domain name gives a registrant in Russia. The email confirmation is not being bounced, so is presumably being accepted by a mail server. The IP address for the mail server is also in Russia. None of the links in the 5 email confirmation messages have been clicked. All other fields in the registration form have been left blank or filled in with a single -. None of the page graphics have been requested from the server, just the register.php file.

    Here's where it gets interesting. The 5 IP addresses the registrations came from are in (in chronological order) Greece, USA, Poland, Poland (again) and Italy. The Apache logs for the time periods in question check perfectly with the IP addresses logged by vBulletin and show the same pattern of behaviour each time...

    One or two GET requests for the register.php file, with a session ID (although this is the first request from this IP address) closely followed by a POST request for the register.php file. This repeats 3 or 4 times, then that IP address is never heard from again. In all cases, the UserAgent is given as "WinHTTP".

    This leads me to a few conclusions and a few questions which might be relevant to users of this forum, although I can't answer them as yet...

    Has someone written a program which tries to sign up to vBulletin boards?
    If so, why? (We use email confirmation and manual authorisation, so none of these attempts at registration have succeeded)
    Is this linked to the DOS attacks on vBulletin?
    Is our website being specifically targeted? (Seems unlikely, but you never know)
    Is this some other form of "innocent" behaviour which I haven't come across before?

    I'd appreciate if anyone with any similar experiences or any comments on this could post them here. I haven't given specifics about names, domains and IP addresses, but if you need any more info to tie up with your own experiences, let me know. Also, if this is in any way linked to the DOS attacks on this site, I'd be more than happy to send in the relevant bits of the logs files to the developers at their request.
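A defender-side check for the access-log pattern this post describes, added here as an example (it is not code from the thread or from vBulletin): it parses Apache combined-format lines and flags client IPs whose very first hit on register.php already carries a session id, that never request anything but register.php, that repeat the GET/POST pair at least twice, and that identify as WinHTTP. The log lines, the `s=` query parameter name and the `/register.php` path are constructed assumptions, not the poster's real logs.

```python
import re
from collections import defaultdict

# Apache combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (assumption: documentation IPs, invented session id).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2005:10:01:02 +0000] "GET /register.php?s=abc123 HTTP/1.1" 200 5120 "-" "WinHTTP"
203.0.113.10 - - [10/Mar/2005:10:01:05 +0000] "POST /register.php HTTP/1.1" 200 3100 "-" "WinHTTP"
203.0.113.10 - - [10/Mar/2005:10:01:09 +0000] "GET /register.php?s=abc123 HTTP/1.1" 200 5120 "-" "WinHTTP"
203.0.113.10 - - [10/Mar/2005:10:01:12 +0000] "POST /register.php HTTP/1.1" 200 3100 "-" "WinHTTP"
198.51.100.7 - - [10/Mar/2005:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2005:10:05:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 900 "http://forum.example/index.php" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2005:10:05:20 +0000] "GET /register.php HTTP/1.1" 200 5120 "http://forum.example/index.php" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2005:10:07:40 +0000] "POST /register.php HTTP/1.1" 200 3100 "http://forum.example/register.php" "Mozilla/5.0"
"""

def parse(log_text):
    """Group parsed requests by client IP, preserving log order; unparsable lines are skipped."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            by_ip[m.group("ip")].append(m.groupdict())
    return by_ip

def suspicious_ips(log_text, min_posts=2):
    """Return IPs whose traffic matches the registration-bot pattern described in the thread."""
    flagged = []
    for ip, reqs in parse(log_text).items():
        # A real browser gets its session id from an earlier page; a bot arrives with one already set.
        session_on_first = "s=" in reqs[0]["path"]
        # No page graphics or other pages, only register.php itself.
        only_register = all(r["path"].startswith("/register.php") for r in reqs)
        posts = sum(1 for r in reqs if r["method"] == "POST" and r["path"].startswith("/register.php"))
        winhttp = all(r["ua"].startswith("WinHTTP") for r in reqs)
        if session_on_first and only_register and posts >= min_posts and winhttp:
            flagged.append(ip)
    return flagged

if __name__ == "__main__":
    print(suspicious_ips(SAMPLE_LOG))  # ['203.0.113.10']
```

The browser-like visitor is not flagged because it fetched index.php and an image first and arrived at register.php without a pre-set session id.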

  • #2
    Do you have image verification turned on? So bots can't read the letters and only humans can manually enter them?


    • #3
      I just found this default WinHTTP retrieve_url code that can be used in C programs, so most likely someone wrote a spam bot or something.

        hConnect = WinHttpConnect( hSession, 0 );
        hRequest = WinHttpOpenRequest( hConnect, 0 );
        httpResult = WinHttpSendRequest( hRequest, 0 );
        httpResult = WinHttpReceiveResponse( hRequest, NULL );
      (adjusted it a bit, so it wouldn't actually work)


      • #4
        Sounds like a spambot trying to do the rounds on your board. As soon as you turn on the image verification they're pretty useless, as a program can't read text off an image.
        Scott MacVicar



        • #5
          Thanks, I'll do that straight away.


          • #6
            Some users registered on my forum using the same type of usernames so it isn't something directed solely at you. Of course, the users didn't do anything and didn't have any information filled out in any of the profile fields. Perhaps they are for future usage, who knows, but I just deleted them and turned on the reg image.

