Thousands of Spammer PMs

  • #16
    One more followup: the script definitely goes looking through profiles -- my online.php file is filled with attempts to send PMs and also guest viewing users profiles. The spams also happened in alphabetical order, for whatever that's worth.

    Comment


    • #17
      I'm getting hit with this right now, looks like it's up to about 'F', just turned off PM's and closed the board.

      This is nasty, thanks for your help guys - I will use your db query septimus - I hope it's sound!

      Comment


      • #18
        Originally posted by ED195KW View Post
        I'm getting hit with this right now, looks like it's up to about 'F', just turned off PM's and closed the board.

        This is nasty, thanks for your help guys - I will use your db query septimus - I hope it's sound!
        The only problem with the db query is it changes it to a random password, which means you won't be able to identify these people afterward. It might make the private message spam cleanup harder.

        arn

        Comment


        • #19
          Originally posted by macrumors View Post
          here's the basic code to find the users in your db with usernames==passwords.
          Thank you macrumors for providing us with this code. I was able to quickly see how many of my users had the same password as their username.

          I hope the vBulletin team adds a check for not allowing the username and password to be the same on version 3.7.3.

          Comment


          • #20
            Originally posted by macrumors View Post
            The only problem with the db query is it changes it to a random password, which means you won't be able to identify these people afterward. It might make the private message spam cleanup harder.
            arn
            Good point -- something to be aware of if you use that DB Query. In our case, we appeared to be lucky because all the PMs had one of just a handful of subject lines and we were able to search the PMs out that way.

            In all honesty, we lucked out in that these spammers could have used certain methods (which I suppose I ought not fully lay out here) to make their deeds harder for admins to detect and hunt down.

            Comment


            • #21
              I actually ran a query outputting all users with their passwords set to their usernames first, then ran your query to change their passwords. Jeez...there were a few of them...

              Comment


              • #22
                My forum got hit by this last Thursday, as well. 16000 spams, all from various users who hadn't been logged in in a while and had username==password.

                Thanks for the script, macrumors.
                What do you Listen-To? http://www.listen-to.com

                i <3 vBulletin.

                Comment


                • #23
                  you should make it so that people can't PM till they get like 10 or 20 posts, that will pretty much eliminate all PM spam by bots.

                  Comment


                  • #24
                    Has anyone posted a suggestion yet to have vB check to make sure the username and password are not the same when someone registers or changes their password? If not, then please make this suggestion:

                    http://www.vbulletin.com/forum/forumdisplay.php?f=55
                    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                    Change CKEditor Colors to Match Style (for 4.1.4 and above)

                    Steve Machol Photography


                    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                    Comment


                    • #25
                      Originally posted by wtrk View Post
                      you should make it so that people can't PM till they get like 10 or 20 posts, that will pretty much eliminate all PM spam by bots.
                      Actually, it would not in this case. If you read above, these are people's legitimate accounts that have their passwords set as their username.

                      So, you would reduce it, but I had some long standing members with hundreds of posts who had their password = username.

                      Has anyone posted a suggestion yet to have vB check to make sure the username and password are not the same when someone registers or changes their password? If not, then please make this suggestion:
                      done.

                      arn

                      Comment


                      • #26
                        What an ugly problem. Where's the setting in vBulletin to disallow the password chosen to be the same as the username? And if there's not one...yikes! That's bad.

                        Comment


                        • #27
                          Thank you macrumors for reporting this and providing your script for a quick lookup of these accounts

                          I wrote a very quick hack to block logins for new users (they still try to register with username as password even though I added bold warning text to the register form): a product file with a plugin that, upon recognizing such a user logging in, immediately logs him off again and resets his password to random (septimus' method), offering them the link to reset their pw.

                          The error page looks ugly and I should've used a phrase instead of hard-coded text, but since I noticed users still signing up that way and boldly ignoring the bold warning text, some quick code was necessary; there's still time to update it to look nicer if Jelsoft shouldn't issue an update dealing with it themselves.

                          Comment


                          • #28
                            For anyone searching for a way to get all users that use their username as their password, use the following SQL:

                            PHP Code:
                            SELECT userid, username
                            FROM user
                            WHERE password = MD5(CONCAT(MD5(username), salt));
                            Don't know how server intensive this is, so you might want to add a LIMIT to this.

                            Reset passwords
                            In case you want to invalidate all passwords, you could use something like this:

                            PHP Code:
                            UPDATE user
                            SET password = MD5(RAND())
                            WHERE password = MD5(CONCAT(MD5(username), salt));


                            This will not logout users that are already logged in!

                            Solution: before running the query above (the password resetting), first run this:
                            PHP Code:
                            DELETE FROM session
                            WHERE userid IN
                            (SELECT userid FROM user WHERE password = MD5(CONCAT(MD5(username), salt)));
                            And run the reset password query directly after that.


                            Please note:
                            I don't know how server intensive this is!
                            Also: create a back-up of your forum before running any of these queries.

                            It also might be good idea to disable the forum while you do this.


                            Edit:
                            Whoops, somebody already posted something like this.

                            Comment
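The checks discussed in this thread (the registration-time rule asked for in #24/#25 and the lookup, session purge and reset queries in #28) can be exercised offline before anyone touches a live database. The following is an added example written for this page, not code from vBulletin or from any poster. It assumes the column names used in the queries above (userid, username, salt, password), the hash scheme the queries imply (MD5 of the MD5 of the plaintext, concatenated with the per-user salt), a 3-character salt as in vBulletin 3.x (an assumption), and constructed sample rows in place of a real user table.

```python
import hashlib
import secrets
import string

SALT_ALPHABET = string.ascii_letters + string.digits
SALT_LENGTH = 3  # assumption: vBulletin 3.x salts are 3 characters


def vb_hash(plaintext: str, salt: str) -> str:
    """Mirror of MD5(CONCAT(MD5(plaintext), salt)) from the SQL in this thread."""
    inner = hashlib.md5(plaintext.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def username_equals_password(row: dict) -> bool:
    """True when the stored hash is exactly what hashing the username would give.

    This is the same comparison the SELECT in post #28 performs, so like that
    query it is case-sensitive: a password of 'Carol' for user 'carol' is not
    flagged here, which is why the registration rule below is case-insensitive.
    """
    return row["password"] == vb_hash(row["username"], row["salt"])


def find_weak_accounts(rows: list) -> list:
    """Equivalent of the SELECT query: userids whose password is their username."""
    return [row["userid"] for row in rows if username_equals_password(row)]


def purge_sessions(sessions: list, userids: set) -> list:
    """Equivalent of the DELETE FROM session query: drop live sessions of affected users."""
    return [s for s in sessions if s["userid"] not in userids]


def reset_account(row: dict) -> dict:
    """Equivalent of the UPDATE query: replace the hash with one nobody knows.

    A fresh salt is generated as well so the new hash cannot be matched against
    any previously captured value. The plaintext is never stored; the user is
    expected to use the forum's password reset link.
    """
    new_salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))
    unknown_password = secrets.token_hex(16)
    return {**row, "salt": new_salt, "password": vb_hash(unknown_password, new_salt)}


def validate_new_password(username: str, password: str) -> bool:
    """Registration / change-password rule requested in posts #24 and #25.

    Rejects a password equal to the username regardless of letter case; the
    whitespace strip guards against 'alice ' slipping past a literal compare.
    """
    return password.strip().casefold() != username.strip().casefold()


# Constructed sample data: three users and two live sessions (not real forum rows).
SAMPLE_USERS = [
    {"userid": 1, "username": "alice", "salt": "a1b", "password": vb_hash("alice", "a1b")},
    {"userid": 2, "username": "bob", "salt": "c2d", "password": vb_hash("correct horse", "c2d")},
    {"userid": 3, "username": "carol", "salt": "e3f", "password": vb_hash("Carol", "e3f")},
]
SAMPLE_SESSIONS = [
    {"sessionhash": "sess-one", "userid": 1},
    {"sessionhash": "sess-two", "userid": 2},
]


def cleanup(rows: list, sessions: list) -> tuple:
    """Run the three steps from post #28 in the order it recommends."""
    weak = set(find_weak_accounts(rows))
    remaining_sessions = purge_sessions(sessions, weak)
    updated_rows = [reset_account(r) if r["userid"] in weak else r for r in rows]
    return sorted(weak), remaining_sessions, updated_rows


if __name__ == "__main__":
    weak_ids, sessions_left, users_after = cleanup(SAMPLE_USERS, SAMPLE_SESSIONS)
    print("accounts with password == username:", weak_ids)
    print("sessions kept:", [s["sessionhash"] for s in sessions_left])
    print("still weak after reset:", find_weak_accounts(users_after))
```

Running the module flags only user 1, removes that user's session while keeping the others, and leaves nothing weak after the reset. The case-sensitivity caveat in the comments is the practical point: the SQL lookup finds exact matches only, so the registration-time rule is what stops the near-misses.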


                            • #29
                              Originally posted by Steve Machol View Post
                              Has anyone posted a suggestion yet to have vB check to make sure the username and password are not the same when someone registers or changes their password? If not, then please make this suggestion:

                              http://www.vbulletin.com/forum/forumdisplay.php?f=55
                              Done.

                              http://www.vbulletin.com/forum/showt...95#post1599995

                              Damn, I missed being post 1.6m by 5.

                              -- hugh

                              Comment


                              • #30
                                Originally posted by macrumors View Post
                                here's the basic code to find the users in your db with usernames==passwords. I stripped out the destructive part of my code where I actually changed their password to something invalid. This will scan 5000 users and print the results. A more button lets you test the next 5000.
                                I tried using this and it wouldn't connect to my database... I have 7 or 8 databases on this server and it seemed to be looking for a database name, but when I modified the code to add $dbname = it still didn't work.

                                Any ideas?

                                Comment
