Deleted users mysteriously reappear - SPOOKY : )

Started by Pikachu2000, October 21, 2011, 10:30:31 PM


Pikachu2000

Ok here's the deal. I was just made an admin on linuxforum.com to clean up the spammers, and try to get some activity on the forums. The board is running 2.0 RC3. Here's what I've been seeing:

1) I happen to notice an entire Class A IP range that is nothing but spam accounts.
2) Via the admin menu, I use Members --> Search for Members --> and enter the class A, for example 86.*.*.*
3) Select all returned results and click the Delete button below.
4) Repeat the search to confirm no results remain

Now the accounts are deleted, right? Well that's what I would have thought. Let's say I performed that action at 2000 on 2011-10-15. A few hours later I notice a user in the user list with an 86.*.*.* address, and view the user's profile. The user has a registration date from weeks prior to deleting the entire IP range. The first couple times, I thought I must have missed the deletion, but now I've confirmed that it is indeed happening.

Any clues as to why this is going on? I'm starting to feel like I need some Adderall or something. Come to think of it, that may not be a bad idea, but I digress . . .

Sir Osis of Liver


Try using phpmyadmin instead of the admin functions to delete the members and verify deletions.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Pikachu2000

I don't have access via phpMyAdmin, and I don't believe this to be a database issue. I did go ahead and create a test account, delete it, and create it again to see if the same behavior was exhibited, and it was not. The second time the account was created showed the proper creation timestamp.

Is there some circumstance under which an account will not appear in a member search, even though it seems to meet all of the selected search criteria? I've tried searching with different user group and post group options selected, but I see no difference.

Pikachu2000

One other thought, and it may turn out to be the simplest explanation. Could this be the result of the spammer jumping from proxy server to proxy server, making the user account show up in a different IP range after logging in from the new address?

Ricky.

Well, you may try to delete two or three accounts individually and see if they come back. Or maybe the spammers are using lots of IPs; maybe the user you saw was not using that IP earlier and hence was not deleted that time.

Linuxforum.com is very old so cleaning spam on it will not be that easy!

live627

Quote from: Pikachu2000 on October 22, 2011, 01:01:11 AM
One other thought, and it may turn out to be the simplest explanation. Could this be the result of the spammer jumping from proxy server to proxy server, making the user account show up in a different IP range after logging in from the new address?
Possibly. Also, try installing Bad Behavior and see if that helps.

Sir Osis of Liver


If a member is deleted, everything is gone, including the member id number - the account info is removed from the database and can't be retrieved, except from a backup.  If a spammer wanted to get back in, they'd have to re-register and the account would have a different id and registration timestamp.  They can play games with the IP, but the member account info would be different.

That's why I suggested using phpmyadmin - you can view the database tables directly to see what's actually in there.  It is a db issue, because that's where member is or isn't.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Pikachu2000

Quote from: Krash. on October 22, 2011, 01:23:40 AM

If a member is deleted, everything is gone, including the member id number - the account info is removed from the database and can't be retrieved, except from a backup.  If a spammer wanted to get back in, they'd have to re-register and the account would have a different id and registration timestamp.  They can play games with the IP, but the member account info would be different.

That's why I suggested using phpmyadmin - you can view the database tables directly to see what's actually in there.  It is a db issue, because that's where member is or isn't.

I mean it's not a DB issue in the respect that the DB is undoubtedly doing its job, and if anything isn't happening that should be, it's a coding issue. What I now think is happening is that the spammer is registering from a proxy server/zombie PC, leaving the account for a period of time, and then returning via a different proxy/zombie PC to insert or change the signature spam, thus the IP address updates to reflect the most recent. That would give it the appearance that the account just re-materialized in the previously deleted IP range. Does that sound like a plausible explanation?

Sir Osis of Liver


No, if you deleted the account, it should have been removed from the database, and there's nothing the spammers can do to change that.  They can spoof the IPs, but there's no way I can think of that they'd be able to retrieve a deleted membership.  Even if they get around your IP block, they'd have to register again, and that creates a new member, which you'd be able to see.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Pikachu2000

Quote from: Krash. on October 22, 2011, 01:44:21 AM

No, if you deleted the account, it should have been removed from the database, and there's nothing the spammers can do to change that.  They can spoof the IPs, but there's no way I can think of that they'd be able to retrieve a deleted membership.  Even if they get around your IP block, they'd have to register again, and that creates a new member, which you'd be able to see.

I don't think you're getting what I'm saying.

a) Spammer A registers from a zombie PC at 192.168.0.1 and creates a profile.
b) I delete all the 10.*.*.* IP range user accounts.
c) Spammer A logs in from a new zombie PC at 10.11.12.13 to update his SEO spam

I look at this user with a registration date of last month and think, "how is that possible, I just deleted all the 10.*.*.* accounts", but what actually happened was simply that the IP address of the account was updated to the last IP address from which the spammer logged in. Make sense?

Sir Osis of Liver

I'm beginning to get the idea.  What you're saying is when you deleted the 10.*.*.* members, the spammer's account wasn't a 10.*.*.* account, but had a different IP outside that range and wasn't deleted.  Now he's back in from a 10.*.*.* IP, and the account is still there and he's using it.

When I delete bot accounts from forums, sometimes by the thousands, I edit the smf_members table directly, and select parameters that are most likely to dump the spammers, and not delete any legit members.  This tends to vary with different forums, but things like 0 posts, specific membergroups, activity, registration status, etc., can be combined to get the most bots and the least real members.  I use .htaccess to block IPs, either individually or by range, but don't use them to delete spammer accounts.

The basic point is, you have to be able to identify the offending accounts by something other than IP, as this is not too difficult to get around.  I don't use any of the admin functions to manage the database, so I don't know what options you have, but I'm sure they're a lot more limited than working with the db directly.  If your host doesn't include phpmyadmin in your package, you should inquire if it can be installed, or consider moving to a better host.  You'll almost certainly run into other situations where you'll need direct access to the db, and you'll be stuck.

Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters
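Added example, not part of any post in this thread: a small replay of the a/b/c sequence described above, showing why a purge keyed on the stored IP misses a dormant account and how selecting on non-IP traits (zero posts plus a link in the signature) finds it. The table is a simplified in-memory stand-in; its column names and the selection criteria are assumptions for illustration, not SMF's actual schema or anyone's production query.

```python
import sqlite3

# Constructed sample rows:
# (id_member, member_name, date_registered, posts, member_ip, signature)
ROWS = [
    (1, "alice",   "2011-06-01", 42, "203.0.113.7", ""),
    (2, "seo_bot", "2011-09-20", 0,  "192.168.0.1", "cheap pills http://spam.example"),
    (3, "bot_b",   "2011-09-21", 0,  "10.1.2.3",    "buy links http://spam.example"),
    (4, "newbie",  "2011-10-10", 0,  "10.9.9.9",    ""),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id_member INTEGER PRIMARY KEY, member_name TEXT,"
               " date_registered TEXT, posts INTEGER, member_ip TEXT, signature TEXT)")
    db.executemany("INSERT INTO members VALUES (?,?,?,?,?,?)", ROWS)
    return db

def delete_by_ip_prefix(db, prefix):
    """Admin-style purge: remove every account whose stored IP starts with prefix."""
    cur = db.execute("DELETE FROM members WHERE member_ip LIKE ?", (prefix + "%",))
    return cur.rowcount

def record_login(db, member_id, ip):
    """On login the stored IP is overwritten with the most recent address."""
    db.execute("UPDATE members SET member_ip = ? WHERE id_member = ?", (ip, member_id))

def names_in_range(db, prefix):
    return [r[0] for r in db.execute(
        "SELECT member_name FROM members WHERE member_ip LIKE ? ORDER BY id_member",
        (prefix + "%",))]

def spam_candidates(db):
    """Select by behaviour rather than IP: zero posts and a link in the signature."""
    return [r[0] for r in db.execute(
        "SELECT member_name FROM members WHERE posts = 0"
        " AND signature LIKE '%http%' ORDER BY id_member")]

def replay():
    db = build_db()
    deleted = delete_by_ip_prefix(db, "10.")   # step b: purge 10.*.*.*
    record_login(db, 2, "10.11.12.13")         # step c: dormant account logs in again
    return deleted, names_in_range(db, "10."), spam_candidates(db)

if __name__ == "__main__":
    print(replay())
```

The IP purge also removes the constructed `newbie` row, a zero-post account with no spam traits, while the trait-based query run on the untouched table returns only the two bot rows.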

Ricky.

Maybe someone didn't notice my words. I had to deal with one such forum with lots of spammers (but not near linuxforum.com); spam bots use lots of IPs ... lots of proxies. They create accounts, then after a month or so come back again and post using that account. Then again, from another account, they post a reply to that new topic / post.

What I did: I deleted all spam accounts and then started deleting individually whenever they appeared from dormant status.

Pikachu2000

Update: it's what I thought was happening after all. The IP address was simply being updated to reflect the last login address. Since I've gotten all 111,000 spam accounts deleted, there hasn't been another instance of one popping up in a previously deleted IP range. I've also installed Bad Behavior, and that seems to be working pretty well. I've got a question or two about it, but I'll start a new thread since it's really not related to this one. Thanks for the responses.

Ricky.

Finally someone is reviving that forum, once it used to be my regular hangout when I had my first linux fever years back..
Pikachu.. but it looks like you are starting from scratch.. everything new.. seems that my account has been deleted too :P

KensonPlays

One more thing, you still using 2.0 RC3? Gold has been released with many bug-fixes. Try upgrading your SMF install.

Pikachu2000

Quote from: Ricky. on October 23, 2011, 03:15:39 PM
Finally someone is reviving that forum, once it used to be my regular hangout when I had my first linux fever years back..
Pikachu.. but it looks like you are starting from scratch.. everything new.. seems that my account has been deleted too :P

Yeah, it had a major crash a few years back and pretty much everything was wiped out. About a year ago or so it was revived, but went largely neglected until now. I kind of offered to clean it up and try to get things back on track as much as possible. Along with being an Admin at linuxforum.com, I'm also a mod at phpfreaks.com. Both sites are under the same ownership.

Pikachu2000

Quote from: Kcmartz on October 23, 2011, 03:39:39 PM
One more thing, you still using 2.0 RC3? Gold has been released with many bug-fixes. Try upgrading your SMF install.

That's another thing on the list of stuff to do as soon as I have shell access to the server :)

KensonPlays

I love shell lol. SSH rocks! Do you have everything else in place?

Pikachu2000

Forgive me if I sound ignorant, but I guess that depends on what you mean by "everything else" . . .  :o

KensonPlays

I said that because you said something about "and stuff."