Welcome to Geeklog Thursday, November 23 2017 @ 10:55 pm EST


Status: offline

abloch

Forum User
Newbie
Registered: 26/06/2002
Posts: 7
Has anyone noticed any recent hacking attempts, perhaps to take advantage of
the recently patched security hole? The reason I ask is I've seen a couple of odd new user
submissions to my sites, from a couple of email accounts @mail.ru .

Status: offline

Robin

Forum User
Full Member
Registered: 15/02/2002
Posts: 725
Looks like I'm not alone.
I don't know whether it was hacking or something else and I wouldn't assume that anyone with mail.ru in the email address is a potential hacker however what happened in my case was that on my three geekloged sites there was a registered user evrika (evrika5@mail.ru). Strange coincidence All trhee account were awaiting activation.

The strangest thing was that I opened my browser and entered one of the sites, I was suddenly logged as evrika

Life is full of suprises Anyone else? I'd say everyone checks your new user submissions.
Geeklog Polish Support Team

Status: offline

starenka

Forum User
Newbie
Registered: 26/02/2006
Posts: 9
my site had this strange login also. by the way - one of my topic admins, can't see his posts when logged in. could this be in some way any coincidence?

Status: offline

abloch

Forum User
Newbie
Registered: 26/06/2002
Posts: 7
Evrika5@mail.ru was one of the new users at my sites too. The other suspicious email is valenok55@mail.ru . The reasons that they caught my attention was they both signed up for an account on a site that only uses geeklog for content management and you'd have to be looking for a geeklog site to find the sign up page - any user submissions at that site would be suspicious. Then they signed up at a couple of other sites I maintain.

I haven't yet noticed any odd behavior at my sites, but I'm going to check the logs to see if they have tried anything.

Status: offline

Nightdude

Forum User
Chatty
Registered: 15/09/2004
Posts: 61
I too, in recent days, had a number of "new users", with an email address ending in .ru.

I deleted these users immediately, as this specific site, a school web community, is of no use to anyone outside our state, let alone, our country.

Just as there are ways, to bypass the usual registration process for email addresses using a specific email suffix, is there a way to lock out specific email suffix, ie..... .ru??

ND


Status: offline

1000ideen

Forum User
Full Member
Registered: 04/08/2003
Posts: 1289
Well I noticed these two also. They came through:
72.36.180.18 18.180.36.72.reverse.layeredtech.com

I suppose they are potential sleepers / spammer.


The strangest thing was that I opened my browser and entered one of the sites, I was suddenly logged as evrika

@Robin: was that a site runing GL 1.4.0sr2?

Status: offline

RichardTowler

Forum User
Chatty
Registered: 10/03/2005
Posts: 49
Location:UK
same here...

DorisAxline@yandex.ru
evrika5@mail.ru
valenok55@mail.ru
GameFaction - For All Your Gaming Needs

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/2002
Posts: 13073
Location:Stuttgart, Germany
Interesting. I see those two mail.ru users on two of my own sites plus another site where I help with administration. But they haven't logged in to any of those sites yet. No such users here on geeklog.net (yet).

My gut feeling is also that those are spammer's accounts, but I have no evidence for or against that.

bye, Dirk

P.S. Don't start nuking your Russian users now just because they happen to use mail.ru ...

Status: offline

asmaloney

Forum User
Full Member
Registered: 08/02/2004
Posts: 214
I'm suspicious of several accounts [@mail.ru and an alex a.k.a. logos] - all seemingly originating from Russia - because they signed up to multiple [unrelated] sites at roughly the same time but didn't log in to any of them.

Like 1000ideen and Dirk, I suspect they're spammers waiting to strike...

Rob

Anonymous
In addtion to finding those two users (on two sites...), I also checked my error log for one of my websites and found that from mid febuary to march someone was repeatedly attempting unsuccessfully to login using names that don't exist, such as "wept", "now80", "love", and "turned4684". Anyone else check thier error log for odd things like this?

-Rob

Status: offline

1000ideen

Forum User
Full Member
Registered: 04/08/2003
Posts: 1289
I think such access attempts are rather normal. I have some every now and again.

Renski

Anonymous
Again, the same here.

evrika5@mail.ru
valenok55@mail.ru

No last login dates on any of them.

I've so got to apply the security patch when I get home from work..

I'm a little disappionted with the security problems of late, but Im pleased that Geeklog deals with them out in the open. However, I think it was a mistake to get rid of the blacklist, this is the kind of thing it was supposed to cover.

Status: offline

samstone

Forum User
Full Member
Registered: 29/09/2002
Posts: 820
Me too:

evrika5@mail.ru
valenok55@mail.ru

Sam

Renski

Anonymous
It is fair to say that, without a doubt that, the users evrika5@mail.ru and
valenok55@mail.ru were created using some kind of automated script or program.

Delete the account and block the IP is my advice.

Status: offline

1000ideen

Forum User
Full Member
Registered: 04/08/2003
Posts: 1289
Quote by Renski:
I'm a little disappionted with the security problems of late, but Im pleased that Geeklog deals with them out in the open.


In another thread we tried to establish how popular Geeklog is in regard to other CMS by the number of installations. If we go by the number of hacked sites and compare Mambo and Geeklog then Mambo got no chance.

On the other hand not having the black list seems to make it more difficult to secure GL. One has to have GUS, bad behaviour and Spam-x.

As finding and installing current plugins with GL is a problem in itself I also feel that there should be an easier solution. At least the 3 most important spam plugins should be bundeled or get integrated into GL (spam-x is already integrated).

E.g. Firefox got some addons and it is very easy to install and update them. I`d love this to be tue for GL security plugins too.

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/2002
Posts: 13073
Location:Stuttgart, Germany
Quote by Renski: However, I think it was a mistake to get rid of the blacklist, this is the kind of thing it was supposed to cover.

Hmm, you seem to be confusing a few things. We didn't "get rid of" MT-Blacklist - the maintainer stopped maintaining it. And it won't help against users registering with your site (how should it?).

bye, Dirk

Status: offline

ronack

Forum User
Full Member
Registered: 27/05/2003
Posts: 612
It's been a few days since this was talked about but I just want to mention that I have both 1.3.11 and 1.4.0 sr2 sites and it didn't seem to matter, every one of my sites got those same registrants. I turned on User Authoriaztion but I don't want to use that because it could take some time before I authorize the user. I do believe that this is an automated process, hence the need for the visual verification via the image where you have to type in the letters.

Sorry I don't remember the name of it but I'm going to re-look at it.


Status: offline

1000ideen

Forum User
Full Member
Registered: 04/08/2003
Posts: 1289
It`s called Capchas and has lately been discussed on the German forum also. It is already a feature request (project site seems to be down at present).

~~~
BTW I found referrer spam this morning:

HEAD index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58
GET index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58 http://www.jaja-jak-globusy.com/

I never read this "HEAD" what`s that good for?

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/2002
Posts: 13073
Location:Stuttgart, Germany
Quote by 1000ideen: GET index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58 http://www.jaja-jak-globusy.com/

That's a well-know spammer. Add him to your .htaccess and forget about it ...


Quote by 1000ideen: I never read this "HEAD" what`s that good for?

A GET request returns the entire page while HEAD requests only returns the headers. He's a nice spammer, he doesn't want to cause you too much traffic

bye, Dirk

Status: offline

ronack

Forum User
Full Member
Registered: 27/05/2003
Posts: 612
Yeah Dirk, in fact I just uploaded a Captcha hack for Custom Registration. This thing was SOOOO easy to install. It's a JavaScript version but works great.

All times are EST. The time is now 10:55 pm.

  • Normal Topic
  • Sticky Topic
  • Locked Topic
  • New Post
  • Sticky Topic W/ New Post
  • Locked Topic W/ New Post
  •  View Anonymous Posts
  •  Able to post
  •  Filtered HTML Allowed
  •  Censored Content