This is STRANGE !!!

Started by levely, December 17, 2014, 06:23:41 PM

Previous topic - Next topic

levely

Just had 5 new registrations within an hour, which is unusual because we only get about 2 new members a day.

Here's the strange part. The new registrations were the EXACT same names as active members. I thought SMF blocked people from registering a name that is already in use?

Could this be a security issue?

I'm using 2.0.9 with the Reseller theme. 


Arantor

I would be surprised if they were the EXACT same names. Links to profiles or the member list if these are accessible to guests would be useful.

Shambles

Maybe they are changing their email addresses? Would that show up as a new registration on your forum?

It would on mine.

Just sayin'

levely

No, they were new accounts with 0 posts. Also, one of the usernames that was registered was mine and I'm the Admin on the forum.

I deleted the accounts immediately after I noticed a suspicious pattern.

Burke ♞ Knight

I'd figure the names just look the same, but really are not:

levely could also be done as leveIy and be easily seen as the same if not looked at closely.

Arantor

Which is why I wanted to look at what had happened.

levely

Quote from: ♞ Burke Knight ♞ on December 17, 2014, 06:37:13 PM
I'd figure the names just look the same, but really are not:

levely could also be done as leveIy and be easily seen as the same if not looked at closely.

No, I checked that carefully. It was the exact match for 2 usernames. If this is some sort of attack, I'm sure it will just get worse. I'll post an update if anything changes.

Arantor

I'm not being funny but how exactly did you determine it was an exact match?

There are characters you are not able to see. I thought I'd nailed them all previously. There are other ways characters can be impersonated but without examining them happening I can't work out if there is a vulnerability because all the evidence that would have told me what they were doing has been removed.

levely

Quote from: Arantor on December 17, 2014, 06:50:04 PM
I'm not being funny but how exactly did you determine it was an exact match?

I'm not trying to be funny either...I looked at it. All the characters were identical. For it to happen twice in the same hour, just raises my suspicions.

Then add in the fact that I got the DigiHelp virus this morning when I updated my CCleaner program and needless to say, I'm a little on edge.

busterone

If it happens again, instead of deleting them, allow one of the experts here an opportunity to investigate your forum. If there is a vulnerability, it would not only serve you and your forum to have it discovered, but the entire community would benefit from it.

levely

I just double checked the email I received from the forum. I copied and pasted it below.

Travіs has just signed up as a new member of your forum. Click the link below to
view their profile.

My username is Travis.

Here is the other:

auctionguу has just signed up as a new member of your forum. Click the link below to
view their profile.

There is an active member with the same username - lower case and all.


I tried to register my own username and the forum blocked the duplicate username from being created.

So, if someone had access to my password, could they somehow create a duplicate username?

levely

Quote from: busterone on December 17, 2014, 07:12:46 PM
If it happens again, instead of deleting them, allow one of the experts here an opportunity to investigate your forum. If there is a vulnerability, it would not only serve you and your forum to have it discovered, but the entire community would benefit from it.

Yeah, I'll be actively monitoring every registration for a while to see if it happens again.

Arantor

Well, how about:

SELECT id_member, member_name, real_name, HEX(member_name), HEX(real_name) FROM smf_members WHERE id_member IN (x, y)

Substitute X and Y for your user id and the new registrant's id respectively.

levely

Just got another one. Username: Ꭰrew

It looks like they're using a different font in the D. Is this a different character in a foreign alphabet or something?


Arantor

This is why I asked for the HEX() characters ;)

Burke ♞ Knight

That is what we have been trying to get through to you.
There are symbols and such that closely appear like normal, yet are different enough to make it past the name block....

This is why people need to start reading what we say, and doing as we ask, as we could have saved some time, if you'd just believe that the experts know what they are doing.

levely

I stand corrected. It was an illusion.

On to the next issue. Why would someone be registering names that are nearly identical to other forum members?

Night09

Quote from: levely on December 17, 2014, 07:39:55 PM
I stand corrected. It was an illusion.

On to the next issue. Why would someone be registering names that are nearly identical to other forum members?

Because they can ;)

Bots will do a lot of strange things registering on forums. That may just be the bots way of picking similar usernames that wont stand out for longer giving them chance to either make minimum post count for link planting or in some cases just link planting.

You may come across old abandoned forums taken over by bots filled with millions of spam posts although its not as common now.

Arantor

Because people might think it's a bug in the forum software that has 'deregistered' their powers or something. It's not a new trick.

I would still be curious to know which characters are being used, because that could be something interesting to add to SMF: letting it be smarter about detecting duplicates.

levely

#19
It appears to be the Cherokee alphabet.

http://en.wikipedia.org/wiki/Cherokee_syllabary

Ꭰ Ꭱ Ꭰ Ꭲ Ꭱ Ꭳ Ꭰ Ꭲ Ꭴ Ꭱ Ꭳ Ꭵ Ꭲ Ꭴ Ꭶ Ꭳ Ꭵ Ꭷ Ꭴ Ꭶ Ꭸ Ꭵ Ꭷ Ꭹ Ꭶ Ꭸ Ꭺ Ꭷ Ꭹ Ꭻ Ꭸ Ꭺ Ꭼ Ꭹ Ꭻ Ꭽ Ꭺ Ꭼ Ꭾ Ꭻ Ꭽ Ꭿ Ꭼ Ꭾ Ꮀ Ꭽ Ꭿ Ꮁ Ꭾ Ꮀ Ꮂ Ꭿ Ꮁ Ꮃ Ꮀ Ꮂ Ꮄ Ꮁ Ꮃ Ꮅ Ꮂ Ꮄ Ꮆ Ꮃ Ꮅ Ꮇ Ꮄ Ꮆ Ꮈ Ꮅ Ꮇ


Advertisement: