Posted on: 03/13/06 02:33am
By: abloch
Has anyone noticed any recent hacking attempts, perhaps to take advantage of
the recently patched security hole? The reason I ask is I've seen a couple of odd new user
submissions to my sites, from a couple of email accounts @mail.ru .
Possible Hackers
Posted on: 03/13/06 03:07am
By: Robin
Looks like I'm not alone.
I don't know whether it was hacking or something else, and I wouldn't assume that anyone with mail.ru in the email address is a potential hacker. However, what happened in my case was that on my three geekloged sites there was a registered user evrika (evrika5@mail.ru). Strange coincidence. All three accounts were awaiting activation.
The strangest thing was that I opened my browser and entered one of the sites, and I was suddenly logged in as evrika.
Life is full of surprises. Anyone else? I'd say everyone should check their new user submissions.
Possible Hackers
Posted on: 03/13/06 03:43am
By: starenka
my site had this strange login also. by the way - one of my topic admins can't see his posts when logged in. could this be in some way a coincidence?
Possible Hackers
Posted on: 03/13/06 04:56am
By: abloch
Evrika5@mail.ru was one of the new users at my sites too. The other suspicious email is valenok55@mail.ru . The reason they caught my attention was that they both signed up for an account on a site that only uses geeklog for content management, and you'd have to be looking for a geeklog site to find the sign up page - any user submissions at that site would be suspicious. Then they signed up at a couple of other sites I maintain.
I haven't yet noticed any odd behavior at my sites, but I'm going to check the logs to see if they have tried anything.
Possible Hackers
Posted on: 03/13/06 06:20am
By: Nightdude
I too, in recent days, had a number of "new users", with an email address ending in .ru.
I deleted these users immediately, as this specific site, a school web community, is of no use to anyone outside our state, let alone our country.
Just as there are ways to bypass the usual registration process for email addresses using a specific email suffix, is there a way to lock out a specific email suffix, i.e. .ru?
ND
Possible Hackers - sammer
Posted on: 03/13/06 07:49am
By: 1000ideen
Well I noticed these two also. They came through:
72.36.180.18 18.180.36.72.reverse.layeredtech.com
I suppose they are potential sleepers / spammers.
[QUOTE BY= Robin] The strangest thing was that I opened my browser and entered one of the sites, I was suddenly logged as evrika[/QUOTE]
@Robin: was that a site running GL 1.4.0sr2?
Possible Hackers
Posted on: 03/13/06 10:37am
By: RichardTowler
same here...
DorisAxline@yandex.ru
evrika5@mail.ru
valenok55@mail.ru
Possible Hackers
Posted on: 03/13/06 02:39pm
By: Dirk
Interesting. I see those two mail.ru users on two of my own sites plus another site where I help with administration. But they haven't logged in to any of those sites yet. No such users here on geeklog.net (yet).
My gut feeling is also that those are spammer's accounts, but I have no evidence for or against that.
bye, Dirk
P.S. Don't start nuking your Russian users now just because they happen to use mail.ru ...
Possible Hackers
Posted on: 03/13/06 02:49pm
By: asmaloney
I'm suspicious of several accounts [@mail.ru and an alex a.k.a. logos] - all seemingly originating from Russia - because they signed up to multiple [unrelated] sites at roughly the same time but didn't log in to any of them.
Like 1000ideen and Dirk, I suspect they're spammers waiting to strike...
Possible Hackers
Posted on: 03/14/06 08:48am
By: Anonymous (Rob)
In addition to finding those two users (on two sites...), I also checked my error log for one of my websites and found that from mid February to March someone was repeatedly attempting unsuccessfully to login using names that don't exist, such as "wept", "now80", "love", and "turned4684". Anyone else check their error log for odd things like this?
-Rob
Possible Hackers
Posted on: 03/14/06 09:14am
By: 1000ideen
I think such access attempts are rather normal. I have some every now and again.
Possible Hackers
Posted on: 03/14/06 09:46am
By: Anonymous (Renski)
Again, the same here.
evrika5@mail.ru
valenok55@mail.ru
No last login dates on any of them.
I've so got to apply the security patch when I get home from work..
I'm a little disappointed with the security problems of late, but I'm pleased that Geeklog deals with them out in the open. However, I think it was a mistake to get rid of the blacklist; this is the kind of thing it was supposed to cover.
Possible Hackers
Posted on: 03/14/06 10:11am
By: samstone
Me too:
evrika5@mail.ru
valenok55@mail.ru
Sam
Possible Hackers
Posted on: 03/14/06 10:23am
By: Anonymous (Renski)
It is fair to say, without a doubt, that the users evrika5@mail.ru and valenok55@mail.ru were created using some kind of automated script or program.
Delete the account and block the IP is my advice.
Possible Hackers
Posted on: 03/14/06 10:39am
By: 1000ideen
[QUOTE BY= Renski]
I'm a little disappointed with the security problems of late, but I'm pleased that Geeklog deals with them out in the open.[/QUOTE]
In another thread we tried to establish how popular Geeklog is in regard to other CMS by the number of installations. If we go by the number of hacked sites and compare Mambo and Geeklog, then Mambo has no chance.
On the other hand not having the black list seems to make it more difficult to secure GL. One has to have GUS, bad behaviour and Spam-x.
As finding and installing current plugins with GL is a problem in itself, I also feel that there should be an easier solution. At least the 3 most important spam plugins should be bundled or get integrated into GL (spam-x is already integrated).
E.g. Firefox got some addons and it is very easy to install and update them. I'd love this to be true for GL security plugins too.
Possible Hackers
Posted on: 03/14/06 02:26pm
By: Dirk
[QUOTE BY= Renski] However, I think it was a mistake to get rid of the blacklist, this is the kind of thing it was supposed to cover.[/QUOTE]
Hmm, you seem to be confusing a few things. We didn't "get rid of" MT-Blacklist - the maintainer stopped maintaining it[*1]. And it won't help against users registering with your site (how should it?).
bye, Dirk
Possible Hackers
Posted on: 03/19/06 08:40am
By: ronack
It's been a few days since this was talked about but I just want to mention that I have both 1.3.11 and 1.4.0 sr2 sites and it didn't seem to matter; every one of my sites got those same registrants. I turned on User Authorization but I don't want to use that because it could take some time before I authorize the user. I do believe that this is an automated process, hence the need for the visual verification via the image where you have to type in the letters.
Sorry I don't remember the name of it but I'm going to re-look at it.
Possible Hackers
Posted on: 03/19/06 08:59am
By: 1000ideen
It's called Captcha and has lately been discussed on the German forum also. It is already a feature request (project site seems to be down at present).
~~~
BTW I found referrer spam this morning:
HEAD index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58
GET index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58 http://www.jaja-jak-globusy.com/
I never read this "HEAD" - what's that good for?
Possible Hackers
Posted on: 03/19/06 09:58am
By: Dirk
[QUOTE BY= 1000ideen] GET index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58 http://www.jaja-jak-globusy.com/[/QUOTE]
That's a well-known spammer. Add him to your .htaccess and forget about it ...
[QUOTE BY= 1000ideen] I never read this "HEAD" what`s that good for?[/QUOTE]
A GET request returns the entire page while a HEAD request only returns the headers. He's a nice spammer; he doesn't want to cause you too much traffic.
bye, Dirk
Possible Hackers
Posted on: 03/19/06 10:51am
By: ronack
Yeah Dirk, in fact I just uploaded a Captcha hack for Custom Registration. This thing was SOOOO easy to install. It's a JavaScript version but works great.
Possible Hackers
Posted on: 03/19/06 11:13am
By: 1000ideen
Where did you upload that? Would you mind giving instructions? As I said many people have been interested in that.
Possible Hackers
Posted on: 03/19/06 03:15pm
By: ronack
I uploaded it to the Hacks section but I don't see it there yet. It's called Simple GL Captcha
You can download it here[*2] until Dirk approves it on the site. Instructions included.
Image[*3]
Possible Hackers
Posted on: 03/19/06 03:29pm
By: Dirk
[QUOTE BY= ronack] You can download it here[*2] until Dirk approves it on the site. Instructions included.[/QUOTE]
I was slightly irritated that it's 3 MB. Approved now.
bye, Dirk
Possible Hackers
Posted on: 03/19/06 05:28pm
By: Benta
[QUOTE BY= ronack]Instructions included.
[/QUOTE]
Wow, that was *easy*! Nice job!
Maybe the instructions should say to put the .js files in the public_html dir instead of the root of GL...?
Possible Hackers
Posted on: 03/19/06 05:45pm
By: ronack
Yeah, you're right. public_html would have been the right choice of words. Not the root of GL but the root of your site. I'll put that in comments.
Sorry about the 3mb Dirk, I guess those JS files are bigger than I thought.
Possible Hackers
Posted on: 03/19/06 05:52pm
By: Benta
[QUOTE BY= ronack]
Sorry about the 3mb Dirk I gues those JS files are bigger than I thought.[/QUOTE]
No, the MBs come from the pictures.
I don't see it said anywhere in the CAPTCHA files (but I am not a great reader), but I think that in order for the script to provide security against someone that has access to that (public) set of pictures and associated MD5s, one needs to remake the pictures and put in the new associated MD5s in the script.
Possible Hackers
Posted on: 03/19/06 07:25pm
By: Benta
Hmmm... There is a nicer PHP script for CAPTCHA called QuickCAPTCHA. It uses GDlib to generate the image dynamically. Would be a better implementation. Will take a look at it next weekend.
Possible Hackers
Posted on: 03/19/06 09:03pm
By: eyecravedvd
I was recently hacked by those folks. At least I believe so. They logged in using an r57shell script that hides under common file names in your directory; most of them, however, start with a . which most FTP programs can't see.
I found them using SmartFTP.
I removed those two accts as well and banned the IP via my cPanel at my host.
Possible Hackers
Posted on: 03/20/06 10:54pm
By: samstone
I am getting this error after installing the Captcha:
document.xfrm.uword' is null or not an object
Any idea?
Sam
Possible Hackers
Posted on: 03/24/06 11:43am
By: andyofne
killerbee80@mail.ru added to the list. I think this person is simply signing up at various web sites and forums and posting a link back to another site with adult content with hopes of earning referral credit. Not sure if that's really setting up for spamming or hacking but it's annoying just the same.
(I deleted the same account from two unrelated geeklog sites I run)
Possible Hackers
Posted on: 06/30/06 05:29am
By: RichardTowler
[QUOTE BY= samstone] I am getting this error after installing the Captcha:
document.xfrm.uword' is null or not an object
Any idea?
Sam[/QUOTE]
I'd like to bump this, as I get the same problem, but as I said in the comments, it works on the sign up page, no error , but not any other page on the website where the sign up page isn't on.
Possible Hackers
Posted on: 07/01/06 03:40am
By: Anonymous (ironmax)
I have been getting the same problem and finally dove into the problem with a bit of luck. Okay first remove the body onload statement line from the index.thtml file and save it off.
Current code used in Professional theme
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>{page_title}</title>
<!-- link rel="SHORTCUT ICON" href="{site_url}/favicon.ico" -->
<!--
<meta http-equiv="Pragma" content="no-cache">
-->
<link rel="stylesheet" type="text/css" href="{css_url}" title="{theme}">
</head>
<body onload="document.xfrm.uword.focus();">
{feed_url}
{plg_headercode}
{advanced_editor}
<script type="text/javascript">
function delconfirm()
{
Then go to your /layout/theme/custom directory where your memberdetail.thtml file is located and change it to what's listed below. Notice the change for the body onload statement and placement of it.
<!-- This is an example template file for the Custom User Registration Feature -->
<!-- To be located under theme/custom directory - Example XSilver/custom/memberdetail.thtml -->
<body onload="document.xfrm.uword.focus();">
{startblock}
{message}
<div align="center">
<form action="{post_url}" method="post" name="xfrm" onsubmit="return jcap();">
<table width=500 border=0 cellspacing=0 cellpadding=0>
<tr>
This change will work and got rid of the script error messages on the bottom of the IE web browser or other browsers that display such messages.
Possible Hackers
Posted on: 07/01/06 04:29pm
By: Anonymous (Joanna Glass)
I was hacked and don't know how to fix it. I am sure it is a simple fix, but with my 11 month old son teething I just can't seem to get a quiet moment to get my head around it.
How can I fix it?
Jo
http://youpayless.com/
Possible Hackers
Posted on: 07/02/06 02:50am
By: Anonymous (ironmax)
[QUOTE BY= Joanna Glass] I was hacked and don't know how to fix it. I am sure it is a simple fix, but with my 11 month old son teething I just can't seem to get a quiet moment to get my head around it.
How can I fix it?
Jo
http://youpayless.com/
[/QUOTE]
Well Jo... would you enlighten us as to what your problem is and what makes you think that you got hacked? Please elaborate as to what happened and include any log portions that may be relevant to this. We can't help if we don't know what happened.
I went to your site and it looked normal. The only thing I noticed was the script error message that I had previously had a fix for on my last posting. Follow that and your error script message should go away.
Possible Hackers
Posted on: 07/04/06 06:06am
By: RichardTowler
is anyone else still getting these spammers sign up after installing this?
Possible Hackers
Posted on: 07/04/06 12:39pm
By: Anonymous (ironmax)
I'm not getting them anymore, but then again, I've only had a few spammers, attempt to create an account on my site. But since captcha was installed, there's been no false signups at all.
Possible Hackers
Posted on: 07/04/06 02:20pm
By: chiloso
me three... when i see new members w/the .ru extension, i delete them from my site. also on my geeklog profile i've removed my site. who do you think is doing this?
Possible Hackers
Posted on: 07/05/06 07:30am
By: RichardTowler
I'm getting like 1 every 2 days ish now, and some other random emails that I'm not sure about it, strange.
Possible Hackers
Posted on: 07/10/06 05:37am
By: RichardTowler
unfortunately they are increasing in numbers again, and using a more varied range of email addresses.
Possible Hackers
Posted on: 07/10/06 05:50am
By: asmaloney
[QUOTE BY= chiloso] me threee... when i see new members w/the .ru extension, i delete them from my site. also on my geeklog profile i've removed my site. who do you think is doing this? [/QUOTE]
chiloso:
An easier way to do this is to simply block any signups from mail.ru. Go to
system/lib-custom.php and add [or modify] the function
custom_usercheck().
Something like this does the trick:
function custom_usercheck ($username, $email)
{
    $msg = '';
    // stristr() does a case-insensitive substring match on the address
    if ( stristr( $email, '@mail.ru' ) )
    {
        // The apostrophe in "don't" has to be escaped inside a single-quoted PHP string,
        // otherwise the string ends early and the file fails to parse
        $msg = 'Due to the number of spam accounts created using this domain, we don\'t accept registration from <b>mail.ru</b>. If you would still like to sign up, either use a different email address or contact us. We apologise for any inconvenience.';
    }
    return $msg;
}
- Andy
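An added example (not code from this thread or from Geeklog itself) that generalizes Andy's hook to a list of blocked domains and compares the part after the last '@' exactly, so that an address such as user@mail.ru.example.net is not caught by a substring match; it assumes the custom_usercheck($username, $email) signature shown above, and the domain list is constructed.

```php
<?php
// Added example (not from this thread or from Geeklog itself): a domain
// blocklist for the custom_usercheck() hook. Instead of stristr(), which
// would also match e.g. user@mail.ru.example.net, this compares the part
// after the last '@' against each blocked domain.

// Constructed list; the domains are the ones named in this thread.
$_CUSTOM_BLOCKED_DOMAINS = array('mail.ru', 'yandex.ru');

// Return the domain part of an address, lower-cased, or '' if malformed.
function custom_email_domain($email)
{
    $at = strrpos($email, '@');
    if ($at === false) {
        return '';
    }
    return strtolower(trim(substr($email, $at + 1)));
}

// True if $domain equals a blocked domain or is a subdomain of one.
function custom_domain_is_blocked($domain, $blocked)
{
    foreach ($blocked as $b) {
        $b = strtolower($b);
        if ($domain === $b || substr($domain, -(strlen($b) + 1)) === '.' . $b) {
            return true;
        }
    }
    return false;
}

// Geeklog hook in system/lib-custom.php: a non-empty return value
// rejects the registration and is shown to the user as the message.
function custom_usercheck($username, $email)
{
    global $_CUSTOM_BLOCKED_DOMAINS;

    $domain = custom_email_domain($email);
    if ($domain === '') {
        return 'Please enter a valid email address.';
    }
    if (custom_domain_is_blocked($domain, $_CUSTOM_BLOCKED_DOMAINS)) {
        return 'Registrations from <b>' . htmlspecialchars($domain) . '</b> are '
             . 'not accepted because of the number of spam accounts created '
             . 'from that domain. Please use a different email address or contact us.';
    }
    return '';
}
?>
```

The domain is passed through htmlspecialchars() before being echoed back in the message, since the value comes straight from the registration form.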
Possible Hackers
Posted on: 07/22/06 01:48pm
By: RichardTowler
is there any chance of getting something built into geeklog that can help with the spam sign ups, as I'm pretty much at my end with it.
I will try to get this custom code working, but the fact they can sign up even with the java program running is a bit strange; could they be finding a way around it with phpbb?
sorry, just more than a bit annoyed that i have 60 members, and 140 in total signed up members that have had to be deleted because they are spam users...
Possible Hackers
Posted on: 08/02/06 07:21pm
By: athenian47
Should I bother installing the CAPTCHA, or has this pretty much been worked around?
Possible Hackers
Posted on: 10/03/06 02:34pm
By: Anonymous (onejed1)
[QUOTE BY= athenian47] Should I bother installing the CAPTCHA, or has this pretty much been worked around?[/QUOTE]
I'd like to know this too... way too many spam accounts to deal with
Possible Hackers
Posted on: 10/03/06 03:13pm
By: mevans
Here is a quote I received today in my forums relating to gl-captcha v1.0[*4].
It's still great that you made this CAPTCHA.
In the span of the last 5 days it has stopped 106 attempts, twice they were followed by attempts to login with the user they thought they created.
/René
So I would say it is at least worth a try if you want another tool to help combat spam bots. There are ways to circumvent CAPTCHAs but I have not heard of any issues so far with gl-captcha.
Thanks!
Mark
Re: Possible Hackers
Posted on: 08/25/08 07:45am
By: Anonymous (Timo)
www.mail.ru[*5] is sometimes used by spammers from everywhere.
I know Captcha, it is not the best spam-software, but strong enough to spam forums.
Timo