 Possible Hackers
abloch
 March 13 2006 02:33 AM (Read 12639 times)  
Forum Newbie
Newbie

Status: offline

Registered: 06/26/02
Posts: 7

Has anyone noticed any recent hacking attempts, perhaps to take advantage of the recently patched security hole? The reason I ask is I've seen a couple of odd new user submissions to my sites, from a couple of email accounts @mail.ru.


 
Robin
 March 13 2006 03:07 AM  
Forum Full Member
Full Member

Status: offline

Registered: 02/15/02
Posts: 725

Looks like I'm not alone.
I don't know whether it was hacking or something else, and I wouldn't assume that anyone with mail.ru in the email address is a potential hacker; however, what happened in my case was that on my three geekloged sites there was a registered user evrika (evrika5@mail.ru). Strange coincidence. All three accounts were awaiting activation.

The strangest thing was that I opened my browser and entered one of the sites, I was suddenly logged in as evrika.

Life is full of surprises. Anyone else? I'd say everyone, check your new user submissions.


Geeklog Polish Support Team
 
starenka
 March 13 2006 03:43 AM  
Forum Newbie
Newbie

Status: offline

Registered: 02/26/06
Posts: 9

My site had this strange login also. By the way, one of my topic admins can't see his posts when logged in. Could this be in some way a coincidence?


 
abloch
 March 13 2006 04:56 AM  
Forum Newbie
Newbie

Status: offline

Registered: 06/26/02
Posts: 7

Evrika5@mail.ru was one of the new users at my sites too. The other suspicious email is valenok55@mail.ru. The reason that they caught my attention was that they both signed up for an account on a site that only uses geeklog for content management, and you'd have to be looking for a geeklog site to find the sign up page - any user submissions at that site would be suspicious. Then they signed up at a couple of other sites I maintain.

I haven't yet noticed any odd behavior at my sites, but I'm going to check the logs to see if they have tried anything.


 
Nightdude
 March 13 2006 06:20 AM  
Forum Chatty
Chatty

Status: offline

Registered: 09/15/04
Posts: 61

I too, in recent days, had a number of "new users", with an email address ending in .ru.

I deleted these users immediately, as this specific site, a school web community, is of no use to anyone outside our state, let alone our country.

Just as there are ways to bypass the usual registration process for email addresses using a specific email suffix, is there a way to lock out a specific email suffix, i.e. .ru?

ND


 
1000ideen
 March 13 2006 07:49 AM  
Forum Full Member
Full Member

Status: offline

Registered: 08/04/03
Posts: 1176

Well I noticed these two also. They came through:
72.36.180.18 18.180.36.72.reverse.layeredtech.com

I suppose they are potential sleepers / spammers.


Quote by Robin: The strangest thing was that I opened my browser and entered one of the sites, I was suddenly logged in as evrika

@Robin: was that a site running GL 1.4.0sr2?


 
RichardTowler
 March 13 2006 10:37 AM  
Forum Chatty
Chatty

Status: offline

Registered: 03/10/05
Posts: 49

same here...

DorisAxline@yandex.ru
evrika5@mail.ru
valenok55@mail.ru


GameFaction - For All Your Gaming Needs
 
Dirk
 March 13 2006 14:39 PM  
Forum Admin
Admin

Status: offline

Registered: 01/12/02
Posts: 12712

Interesting. I see those two mail.ru users on two of my own sites plus another site where I help with administration. But they haven't logged in to any of those sites yet. No such users here on geeklog.net (yet).

My gut feeling is also that those are spammers' accounts, but I have no evidence for or against that.

bye, Dirk

P.S. Don't start nuking your Russian users now just because they happen to use mail.ru ...


 
asmaloney
 March 13 2006 14:49 PM  
Forum Full Member
Full Member

Status: offline

Registered: 02/08/04
Posts: 214

I'm suspicious of several accounts [@mail.ru and an alex a.k.a. logos] - all seemingly originating from Russia - because they signed up to multiple [unrelated] sites at roughly the same time but didn't log in to any of them.

Like 1000ideen and Dirk, I suspect they're spammers waiting to strike...


 
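The pattern described in the post above (the same address registering on several unrelated sites at roughly the same time and never logging in) can be checked mechanically. This is an added example, not part of the original thread or of Geeklog; the record layout, the function name `find_dormant_multi_site`, the 24-hour window and the sample rows are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): one row per account, as an
# admin might export it from each site's user table.
# Fields: site, email, registration time, last login time (None = never).
SAMPLE = [
    ("school.example", "Bulk1@example.test", "2006-03-11 02:10", None),
    ("club.example",   "bulk1@example.test", "2006-03-11 02:14", None),
    ("shop.example",   "bulk1@example.test", "2006-03-11 02:31", None),
    ("school.example", "anna@example.test",  "2006-03-11 09:00", "2006-03-12 18:20"),
    ("club.example",   "anna@example.test",  "2006-03-11 09:30", None),
    ("club.example",   "late@example.test",  "2006-01-02 10:00", None),
    ("shop.example",   "late@example.test",  "2006-03-12 10:00", None),
]

def find_dormant_multi_site(rows, min_sites=2, window=timedelta(hours=24)):
    """Return {email: [sites]} for addresses that registered on at least
    `min_sites` different sites within `window` and never logged in anywhere."""
    by_email = defaultdict(list)
    for site, email, registered, last_login in rows:
        when = datetime.strptime(registered, "%Y-%m-%d %H:%M")
        # The same address may be typed with different capitalisation on
        # different sites, so compare lower-cased addresses.
        by_email[email.strip().lower()].append((when, site, last_login))

    flagged = {}
    for email, regs in by_email.items():
        if any(last_login for _, _, last_login in regs):
            continue  # used at least once somewhere: not a dormant account
        regs.sort(key=lambda r: r[0])
        # Slide over the sign-ups in time order and keep the largest set of
        # distinct sites that falls inside one window.
        best = set()
        for i, (start, _, _) in enumerate(regs):
            sites = {s for when, s, _ in regs[i:] if when - start <= window}
            if len(sites) > len(best):
                best = sites
        if len(best) >= min_sites:
            flagged[email] = sorted(best)
    return flagged

if __name__ == "__main__":
    for email, sites in find_dormant_multi_site(SAMPLE).items():
        print(email, "->", ", ".join(sites))
```

A hit is a reason to review the account before it is activated or used, not proof of abuse; the check deliberately ignores the mail domain.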
Anonymous: Rob
 March 14 2006 08:48 AM  


In addition to finding those two users (on two sites...), I also checked my error log for one of my websites and found that from mid-February to March someone was repeatedly attempting unsuccessfully to login using names that don't exist, such as "wept", "now80", "love", and "turned4684". Anyone else check their error log for odd things like this?

-Rob


 
1000ideen
 March 14 2006 09:14 AM  
Forum Full Member
Full Member

Status: offline

Registered: 08/04/03
Posts: 1176

I think such access attempts are rather normal. I have some every now and again.


 
Anonymous: Renski
 March 14 2006 09:46 AM  


Again, the same here.

evrika5@mail.ru
valenok55@mail.ru

No last login dates on any of them.

I've so got to apply the security patch when I get home from work..

I'm a little disappointed with the security problems of late, but I'm pleased that Geeklog deals with them out in the open. However, I think it was a mistake to get rid of the blacklist, this is the kind of thing it was supposed to cover.


 
samstone
 March 14 2006 10:11 AM  
Forum Full Member
Full Member

Status: offline

Registered: 09/29/02
Posts: 808

Me too:

evrika5@mail.ru
valenok55@mail.ru

Sam


 
Anonymous: Renski
 March 14 2006 10:23 AM  


It is fair to say that, without a doubt, the users evrika5@mail.ru and valenok55@mail.ru were created using some kind of automated script or program.

Delete the account and block the IP is my advice.


 
1000ideen
 March 14 2006 10:39 AM  
Forum Full Member
Full Member

Status: offline

Registered: 08/04/03
Posts: 1176

Quote by Renski:
I'm a little disappointed with the security problems of late, but I'm pleased that Geeklog deals with them out in the open.


In another thread we tried to establish how popular Geeklog is in regard to other CMS by the number of installations. If we go by the number of hacked sites and compare Mambo and Geeklog then Mambo got no chance.

On the other hand not having the black list seems to make it more difficult to secure GL. One has to have GUS, bad behaviour and Spam-x.

As finding and installing current plugins with GL is a problem in itself I also feel that there should be an easier solution. At least the 3 most important spam plugins should be bundled or get integrated into GL (spam-x is already integrated).

E.g. Firefox got some addons and it is very easy to install and update them. I'd love this to be true for GL security plugins too.


 
Dirk
 March 14 2006 14:26 PM  
Forum Admin
Admin

Status: offline

Registered: 01/12/02
Posts: 12712

Quote by Renski: However, I think it was a mistake to get rid of the blacklist, this is the kind of thing it was supposed to cover.

Hmm, you seem to be confusing a few things. We didn't "get rid of" MT-Blacklist - the maintainer stopped maintaining it. And it won't help against users registering with your site (how should it?).

bye, Dirk


 
ronack
 March 19 2006 08:40 AM  
Forum Full Member
Full Member

Status: offline

Registered: 05/27/03
Posts: 583

It's been a few days since this was talked about but I just want to mention that I have both 1.3.11 and 1.4.0 sr2 sites and it didn't seem to matter, every one of my sites got those same registrants. I turned on User Authorization but I don't want to use that because it could take some time before I authorize the user. I do believe that this is an automated process, hence the need for the visual verification via the image where you have to type in the letters.

Sorry I don't remember the name of it but I'm going to re-look at it.


 
1000ideen
 March 19 2006 08:59 AM  
Forum Full Member
Full Member

Status: offline

Registered: 08/04/03
Posts: 1176

It's called Captchas and has lately been discussed on the German forum also. It is already a feature request (project site seems to be down at present).

~~~
BTW I found referrer spam this morning:

HEAD index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58
GET index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58 http://www.jaja-jak-globusy.com/

I never read this "HEAD", what's that good for?


 
Dirk
 March 19 2006 09:58 AM  
Forum Admin
Admin

Status: offline

Registered: 01/12/02
Posts: 12712

Quote by 1000ideen: GET index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58 http://www.jaja-jak-globusy.com/

That's a well-known spammer. Add him to your .htaccess and forget about it ...


Quote by 1000ideen: I never read this "HEAD", what's that good for?

A GET request returns the entire page while a HEAD request only returns the headers. He's a nice spammer, he doesn't want to cause you too much traffic.

bye, Dirk


 
ronack
 March 19 2006 10:51 AM  
Forum Full Member
Full Member

Status: offline

Registered: 05/27/03
Posts: 583

Yeah Dirk, in fact I just uploaded a Captcha hack for Custom Registration. This thing was SOOOO easy to install. It's a JavaScript version but works great.


 