  • Thousands of Spammer PMs

    Stupidly running an older version of vb, 3.6.7 PL1. Just never got around to upgrading it lately.

    Today got a bunch of notices of spammer PMs... but from different user IDs. User IDs of people who hadn't been on the forums for years. Looking further, they did show "Creating PM" in their profile location. I blocked a couple, but then looked into it further. Turned off global PMs. Looking in the db, there's 11,000 spam PMs in the pmtext from different user IDs.

    So I shut the board down and am upgrading to 3.6.10 PL3. Does this sound like something that was just an older exploit? Is there anything else to look out for?

    I will have to delete the PMs manually from the tables. I'm assuming I can just delete the spam PMs from 'pmtext', and their corresponding entries in 'pm' and 'pmreceipt' tables?

    thanks
    arn
    Last edited by macrumors; Wed 16th Jul '08, 5:50pm.

  • #2
    I'm not aware of that being an 'exploit' as such. Spammers have been known to spam without an exploit.

    Assuming this is one or just a few users, you can delete all the PMs they have sent from the 'Quick User Links' in their profile in the Admin CP.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




    • #3
      it's from different users. roughly 11,000 PMs.

      Code:
      mysql> select fromuserid from pmtext order by pmtextid desc limit 100;
      +------------+
      | fromuserid |
      +------------+
      |     167739 |
      |      57102 |
      |       1561 |
      |     102654 |
      |       4551 |
      |      67630 |
      |      81565 |
      |      86302 |
      |      26988 |
      |       5261 |
      |      75825 |
      |     198404 |
      |      65983 |
      |      15862 |
      |     185387 |
      |     185324 |
      |       2124 |
      |      74328 |
      |      13676 |
      |      16478 |
      |      80284 |
      |     197638 |
      |     151081 |
      |     145455 |
      |      68611 |
      |       3391 |
      |     173148 |
      |      16466 |
      |      95898 |
      |     170426 |
      |     160693 |
      |     185225 |
      |     108488 |
      |      14161 |
      |      11350 |
      |        406 |
      |     127435 |
      |      89071 |
      |     147705 |
      |      86122 |
      |     195099 |
      |     171737 |
      |      33283 |
      |      19999 |
      |     121641 |
      |     184484 |
      |      52734 |
      |     127363 |
      |      39053 |
      |      57048 |
      |     122043 |
      |      94740 |
      |     166242 |
      |     155402 |
      |      55716 |
      |      18320 |
      |       9391 |
      |      55198 |
      |     109922 |
      |     128207 |
      |     147384 |
      |     195955 |
      |      37363 |
      |     186293 |
      |     161423 |
      |     158957 |
      |     138913 |
      |      21341 |
      |     127258 |
      |     155073 |
      |      85269 |
      |     141282 |
      |     136000 |
      |     105989 |
      |     121089 |
      |        451 |
      |     182019 |
      |     184762 |
      |     160731 |
      |      20960 |
      |       9867 |
      |      41792 |
      |     157132 |
      |      30295 |
      |      33173 |
      |      60424 |
      |      40083 |
      |      13080 |
      |      79240 |
      |      33307 |
      |     100136 |
      |      37475 |
      |      47856 |
      |     156520 |
      |       2573 |
      |     151262 |
      |     187939 |
      |     145019 |
      |     146074 |
      |      36314 |
      +------------+
      100 rows in set (0.00 sec)

      Will deleting the corresponding rows in those tables cause any problems?

      arn


      • #4
        I'm afraid there is no simple option to do that. The only viable option would be to delete ALL PMs for ALL members.

        To delete all PMs, run these 5 queries:

        UPDATE `user` SET `pmtotal` = '0';
        UPDATE `user` SET `pmunread` = '0';
        TRUNCATE TABLE `pm`;
        TRUNCATE TABLE `pmtext`;
        TRUNCATE TABLE `pmreceipt`;

        Of course, backup your database first.


        • #5
          thanks. I think I'll try to do it programmatically. I forgot about the pm counts. I'll see about taking those into account.

          btw my online.php is full of different users in the "Creating Private Message" location, all the same IP address. I'll post a screenshot once I remove the non-spammer people.

          strangely don't see that IP in my apache logs

          arn



          • #6
            Steve, it looks like this board had the exact same thing. Same IP address and same content of spam.

            http://www.rctech.net/forum/showthread.php?p=4614076

            arn



            • #7
              here's an edited screenshot


              • #8
                You should, of course, ban those accounts. Until then you might want to disable PMs for that usergroup:

                Admin CP -> Usergroups -> Usergroup Manager -> Edit Usergroup -> Private Message Permissions -> Maximum Stored Messages: -> 0


                Also please see this:

                How to Reduce Spam and Registration Bots


                • #9
                  steve, I figured out the problem, I'll post a description soon.

                  Question though. if I delete from the pm tables without affecting people's pm counts, is that going to be a problem? Can those numbers be rebuilt?

                  arn



                  • #10
                    Here's the conclusion to this.

                    Over 1800 accounts were compromised (out of 200,000). They were accessed by a bot who simply used the username as the password. I'm sure this can happen to any large forum.

                    It was a pain to correct. I had to run through the entire database of users to check to see who had a password that was their username. I then invalidated their passwords, requiring them to change their passwords.

                    Of those, there were roughly 1800 like that. There were 2 other accounts who were also compromised but I couldn't figure out how they were accessed - I tried the usual combination of easy passwords.

                    I then had to run through 11,000 spam PMs and remove them from the db, and associated pm tables. I also tried to decrement the private message counts.

                    This could happen to anyone. There's really no defense besides strong password validation when users create their accounts.

                    arn



                    • #11
                      This would be a good suggestion - have vB check to make sure the password does not equal the username. Frankly I'm surprised I've never seen anything like this before given how often people do that.


                      • #12
                        We are getting hit with the same problem right now

                        Any help on how we can search the DB for users whose pw matches their username would be great -- it's hashed in the db.



                        • #13
                          I do not know of any query that would do that. Sorry.


                          • #14
                            obviously this script's going around. I think this is going to be a huge problem.

                            if this hits you, shutting down your pm system globally in the control panel will stop more PMs from being sent.

                            I'm talking to septimus about it regarding the scripting required.

                            here's the basic code to find the users in your db with usernames==passwords. I stripped out the destructive part of my code where I actually changed their password to something invalid. This will scan 5000 users and print the results. A more button lets you test the next 5000.

                            Code:
                            <?php
                            
                            /* simple script to find usernames == passwords in vb */
                            
                            /* declare some relevant variables */
                            $hostname   = "localhost";
                            $dbusername = "USERNAME";
                            $dbpassword = "PASSWORD";
                            $dbname     = "DATABASENAME";
                            
                            /* make connection to database (mysqli; the old mysql_* functions no longer exist in PHP 7+) */
                            $db = mysqli_connect($hostname, $dbusername, $dbpassword, $dbname)
                                or die("Unable to connect to database");
                            
                            /* cast to int so the value taken from the URL cannot change the query */
                            $counter = isset($_GET['counter']) ? (int) $_GET['counter'] : 0;
                            
                            /* do 5000 users at a time */
                            $counterend = $counter + 5000;
                            
                            ?>
                            <a href="?counter=<?php echo $counterend; ?>">More..</a>
                            <?php
                            
                            $userquery  = "SELECT username, userid, password, salt FROM user"
                                        . " WHERE userid >= $counter AND userid <= $counterend ORDER BY userid";
                            $userresult = mysqli_query($db, $userquery)
                                or die("Query failed: " . mysqli_error($db));
                            
                            while ($row = mysqli_fetch_assoc($userresult))
                            {
                                $vbpassword = $row['password'];
                                $username   = $row['username'];
                                $salt       = $row['salt'];
                                $userid     = $row['userid'];
                            
                                /* vB 3.x stores md5(md5(plaintext) . salt); use === so PHP's loose
                                   comparison cannot treat two "0e..." hex strings as equal numbers */
                                if (md5(md5($username) . $salt) === $vbpassword)
                                {
                                    /* Yes, password equals username */
                                    print "YES - " . htmlspecialchars($username) . " ($userid)<br />";
                            
                                    /* this is where you could do something like set their password to something else in the db.
                                       I removed the code here since I didn't want to post destructive code */
                                }
                                else
                                {
                                    //print "NO - $username ($userid)<br />";
                                }
                            }
                            
                            mysqli_free_result($userresult);
                            mysqli_close($db);
                            
                            ?>
                            It's possible to script it so it then deletes the spam PMs from the pm tables, but I'm not comfortable with my code to post it right now.

                            arn
                            Last edited by macrumors; Sat 19th Jul '08, 11:58am.



                            • #15
                              Just to follow up: we had 20k+ PMs sent, which happened even though we have a 30 second throttle set because of the sheer number of users with identical pws.

                              We're running a db query instead of a php script to reset those users' passwords to random:

                              Code:
                              update user set password = md5(concat(md5(rand()),salt)) where password = md5(concat(md5(username),salt));
                              ...Then per a suggestion from Arn we changed our [bad_login] phrase to let people know that their password may have been reset if it wasn't secure enough and so they may need to just request a new password.

                              Now to hunt for a mod that causes vBulletin to require strong passwords (or at least disallows them to be identical to the username!!)

                              Thanks again to Arn for the help!
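The three steps the thread arrives at (the username-as-password check from #14, the password reset from #15, and the PM purge with counter decrement described in #10), as one added example that is not code from this thread or from vBulletin. It runs against a constructed, simplified copy of the vB 3.x `user`, `pmtext`, `pm` and `pmreceipt` tables in sqlite; the column subset and sample rows are assumptions.

```python
import hashlib
import secrets
import sqlite3

def vb3_hash(plaintext, salt):
    """vBulletin 3.x scheme used in the thread: md5(md5(plaintext) . salt)."""
    return hashlib.md5((hashlib.md5(plaintext.encode()).hexdigest() + salt).encode()).hexdigest()

def build_sample_db():
    """Constructed, simplified copies of the vB tables the thread touches (not real forum data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user(userid INTEGER, username TEXT, password TEXT, salt TEXT,
                          pmtotal INTEGER, pmunread INTEGER);
        CREATE TABLE pmtext(pmtextid INTEGER, fromuserid INTEGER, message TEXT);
        CREATE TABLE pm(pmid INTEGER, pmtextid INTEGER, userid INTEGER, messageread INTEGER);
        CREATE TABLE pmreceipt(pmid INTEGER, userid INTEGER, touserid INTEGER);""")
    users = [(1, "alice", "alice", "ab"), (2, "bob", "hunter2", "cd"), (3, "carol", "carol", "ef")]
    db.executemany("INSERT INTO user VALUES (?,?,?,?,0,0)",
                   [(uid, name, vb3_hash(pw, salt), salt) for uid, name, pw, salt in users])
    # alice (username == password) sent spam to bob and carol; bob sent alice a legitimate PM
    db.executemany("INSERT INTO pmtext VALUES (?,?,?)", [(10, 1, "spam"), (11, 1, "spam"), (12, 2, "hi")])
    db.executemany("INSERT INTO pm VALUES (?,?,?,?)", [(100, 10, 2, 0), (101, 11, 3, 0), (102, 12, 1, 1)])
    db.executemany("INSERT INTO pmreceipt VALUES (?,?,?)", [(100, 1, 2), (101, 1, 3), (102, 2, 1)])
    db.execute("UPDATE user SET pmtotal=(SELECT COUNT(*) FROM pm WHERE pm.userid=user.userid),"
               " pmunread=(SELECT COUNT(*) FROM pm WHERE pm.userid=user.userid AND messageread=0)")
    return db

def find_username_passwords(db):
    """The check from post #14: re-hash the username with the stored salt and compare."""
    return [uid for uid, name, pw, salt in db.execute("SELECT userid, username, password, salt FROM user")
            if vb3_hash(name, salt) == pw]

def purge_spam_from(db, senders):
    """Reset flagged passwords (#15), drop their PMs from pmtext/pm/pmreceipt, fix recipient counters (#10)."""
    if not senders: return {}
    for uid in senders:
        # random value nobody knows; the user recovers through the lost-password flow
        db.execute("UPDATE user SET password=? WHERE userid=?", (vb3_hash(secrets.token_hex(16), "x"), uid))
    marks = ",".join("?" * len(senders))
    hits = db.execute("SELECT pm.pmid, pm.userid, pm.messageread FROM pm JOIN pmtext USING(pmtextid)"
                      f" WHERE pmtext.fromuserid IN ({marks})", senders).fetchall()
    for pmid, recipient, was_read in hits:
        db.execute("UPDATE user SET pmtotal=pmtotal-1, pmunread=pmunread-? WHERE userid=?",
                   (0 if was_read else 1, recipient))
        db.execute("DELETE FROM pmreceipt WHERE pmid=?", (pmid,))
        db.execute("DELETE FROM pm WHERE pmid=?", (pmid,))
    db.execute(f"DELETE FROM pmtext WHERE fromuserid IN ({marks})", senders)
    return {uid: (t, u) for uid, t, u in db.execute("SELECT userid, pmtotal, pmunread FROM user")}
```

Counters are decremented per deleted row rather than zeroed for everyone, which is what post #4's TRUNCATE approach could not do.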
