Possibly SMF Hack

Started by Cobra97, December 10, 2007, 11:46:29 AM

Cobra97

Hi all,

Not sure where to post this, but I think it might be important.
I had a new member join my forum this morning, called peace890.
I did a Google search on the name and something very strange came up, this name has registered for SMF forums everywhere over the last few days.....It comes up page after page, and each time it's only an SMF forum and this person has never logged in to any of them.

Is it just me or does this look very strange?

John

thomase

I have had this happen today, when loading the site you get a few pop up boxes saying how leet people have hacked the site, etc, forwards to this address:

h t t p : / / w  w  w.xcoderx.byethost13.com/stealthis.php?pwned=PHPSESSID=c41e1a82ccc9b787fe142c7dcb140409

SleePy

If you believe that this was done through SMF please fill out a Security Report

Moving to english support
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

CN CIA

Quote from: thomase on December 10, 2007, 11:55:47 AM
I have had this happen today, when loading the site you get a few pop up boxes saying how leet people have hacked the site, etc, forwards to this address:

h t t p : / / w  w  w.xcoderx.byethost13.com/stealthis.php?pwned=PHPSESSID=c41e1a82ccc9b787fe142c7dcb140409

I'd do a virus and spyware scan after viewing that site, all those popups tell me it's not a nice site.  No telling what your computer could have got from it.  I have to go run some scans now....

GravuTrad

And with byethost hosting... >:(...

change it, too strict but not too secure...
One always needs someone smaller than oneself! (Small! Small!)


Think about Search function before posting.

deTrezS6

Hey,

I think Oldies was mentioning this happening on his forum.  From what he described, you're not actually hacked, someone just exploited scripts not properly being escaped.

I'm attempting to re-create the exact bug that I believe may have been used, so that I may send a report in - either way, Olds probably will send something up if he finds more out (He was mentioning this on IRC; he assumed it was something that was actually a bug in TP or some other mod he was using, but there's no exact way of telling).

Regards,

Trez

Cobra97

I found the search terms the person used to find all the SMF forums, I used my reverse tracking.

This was used in google

action-register smf fast "inurl:index php "

www.google.co.uk/search?as_q= action-register smf fast&hl=en&num=100&btnG=Google Search&as_epq=inurl%3Aindex php &as_oq=&as_eq=&lr=&cr=&as_ft=i

Goodman854

They joined my forum too. I figured they were another spam bot. Any word on what it is?

Skhilled

He/she was using the name "footballyears.net". Was spamming a few sites I admin so I kept banning him. Saw him at tinyportalhosting.net yesterday with the name "peace890". Had a different IP but led to the same site...footballyears.net.

Goodman854

So does it have any major danger? Is it really making an exploit or just posting links?

Skhilled

As far as my site goes...he just posted links to pron and other sites. Not sure if anything else...haven't noticed anything strange.

I've been noticing a few others doing this but not posting. Just registering at a lot of different sites.

Goodman854

Oh phew. Scared me. I get LOADS of spam bots, good thing that's all this is. Right?

Skhilled

yeah, nothing in the logs out of the ordinary...

H

There are also some spambots that will register but not post for six months :/.
-H
Former Support Team Lead
I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)

Skhilled

I think I may have found out what they are doing...harvesting emails. Most sites only allow the viewing of members profiles if you are registered.

A friend's site had a member who fit the same description and he later found out that he was using those emails to spam for that "African leader needing money" scam. The guys started spamming that site's users. After a little digging he found out who the spammer was.

To stop this my suggestions are to use the Contact mod so no one can get email addys by direct emailing...can't see the email address.

Also, not allow new users to see profiles until a certain amount of posts.

Using the Country Flag mod and Captcha does help with some bots. But these newcomers seem to be either a new breed of bots or are humans.

Any other ideas are more than welcome to help stop this.

Goodman854


Lilac

We have specifically prevented unapproved members from seeing registration details for reasons like this (though harassment was the main cause).
Elliquiy Adult Role playing is a mature roleplaying community with some 500,000 posts in over 100 boards.

I don't know everything.  Please ask questions in the support forums instead of PMing me!

Goodman854

Can't bots easily do that on their own?

marinesct

There's a mod out there that adds an extra security feature:  Are You Human?

I've got it installed.  So far, our members have been legit. Only a couple haven't come back after the initial registration.  We do have the requirement for a mod to approve the registration set, too.  There is an anti-spam mod that works rather well by converting the emails to hexadecimal. I've used this method on static sites as well. Very effective.  It's a seamless integration you won't know that's installed unless you look at the source code and look at the "mailto:" line.

So if new members are coming from a google search, then there are two considerations:

1. To kill the bots, try the above mods out.  The 'Are You Human' mod should cut out any bots and the anti-spam will defeat the bot harvesters.

2. For the humans, it can get tricky. Since my site is for people with a military background, we have membergroups for that.  All non-military/friends fall under the regular member membergroup.  They can't view profiles (permission in membergroups). For them to get the email addresses, they would have to either write them down or click every one of them individually, because of the anti-spam mod.  Very laborious process.

@Cobra97
How did you do the track back? I think maybe if we were able to annotate the track back into the registration process (need a dev for this one), then we could auto block those that come from met that criteria.
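
The referrer check suggested above can be prototyped offline against web server logs before anyone changes the registration code. This is an added example, not part of the original posts and not SMF code: it flags registration-page hits whose Referer is a Google search containing the terms Cobra97 found. The log lines are constructed, and the combined log format and the `index.php?action=register` path are assumptions about the forum's setup.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format (documentation IPs, not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Dec/2007:11:40:02 +0000] "GET /index.php?action=register HTTP/1.1" 200 5120 "http://www.google.co.uk/search?as_q=action-register+smf+fast&num=100&as_epq=inurl%3Aindex+php" "Mozilla/4.0"
198.51.100.23 - - [10/Dec/2007:11:52:10 +0000] "GET /index.php?action=register HTTP/1.1" 200 5120 "http://forum.example/index.php" "Mozilla/5.0"
192.0.2.44 - - [10/Dec/2007:12:03:55 +0000] "GET /index.php?topic=12.0 HTTP/1.1" 200 9000 "http://www.google.com/search?q=smf+theme+help" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2007:11:41:30 +0000] "POST /index.php?action=register HTTP/1.1" 200 3100 "-" "Mozilla/4.0"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')

SEARCH_FIELDS = ("q", "as_q", "as_epq", "as_oq")   # Google basic and advanced search fields
DORK_TERMS = ("action-register", "inurl:index")    # terms from the search quoted in this thread

def search_terms(referer):
    """Return the lower-cased search text if the referer is a Google search, else ''."""
    parts = urlsplit(referer)
    host = parts.hostname or ""
    if not re.fullmatch(r"(www\.)?google(\.[a-z]{2,3}){1,2}", host):
        return ""
    query = parse_qs(parts.query)      # decodes '+' and %XX for us
    return " ".join(v for f in SEARCH_FIELDS for v in query.get(f, [])).lower()

def flag_registrations(log_text):
    """List (ip, timestamp, matched_terms) for registration hits that came from a forum-hunting search."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "action=register" not in m["path"]:
            continue
        terms = search_terms(m["referer"])
        matched = [t for t in DORK_TERMS if t in terms]
        if matched:
            hits.append((m["ip"], m["ts"], matched))
    return hits

if __name__ == "__main__":
    for ip, ts, matched in flag_registrations(SAMPLE_LOG):
        print(f"{ts}  {ip}  registration via search for {matched}")
```

The Referer header is supplied by the client and is often missing, as in the last sample line, so a match is a reason to hold an account for moderator approval rather than proof of a bot.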

crash56

Quote from: Skhilled on December 17, 2007, 01:51:12 AM
I think I may have found out what they are doing...harvesting emails. Most sites only allow the viewing of members profiles if you are registered.

A friend's site had a member who fit the same description and he later found out that he was using those emails to spam for that "African leader needing money" scam. The guys started spamming that site's users. After a little digging he found out who the spammer was.

To stop this my suggestions are to use the Contact mod so no one can get email addys by direct emailing...can't see the email address.

Also, not allow new users to see profiles until a certain amount of posts.

Using the Country Flag mod and Captcha does help with some bots. But these newcomers seem to be either a new breed of bots or are humans.

Any other ideas are more than welcome to help stop this.


Crud.  We just got hit by one of these harvesters. 

Off to put some more security in place. 
