Geeklog Forums
Possible Hackers
abloch
Forum User
Newbie
Registered: 06/26/02
Posts: 7
Has anyone noticed any recent hacking attempts, perhaps to take advantage of
the recently patched security hole? The reason I ask is I've seen a couple of odd new user
submissions to my sites, from a couple of email accounts @mail.ru .
Robin
Forum User
Full Member
Registered: 02/15/02
Posts: 725
Looks like I'm not alone.
I don't know whether it was hacking or something else, and I wouldn't assume that anyone with mail.ru in the email address is a potential hacker; however, what happened in my case was that on my three geekloged sites there was a registered user evrika (evrika5@mail.ru). Strange coincidence. All three accounts were awaiting activation.
The strangest thing was that I opened my browser and entered one of the sites, I was suddenly logged as evrika.
Life is full of surprises. Anyone else? I'd say everyone checks your new user submissions.
Geeklog Polish Support Team
abloch
Forum User
Newbie
Registered: 06/26/02
Posts: 7
Evrika5@mail.ru was one of the new users at my sites too. The other suspicious email is valenok55@mail.ru . The reason that they caught my attention was they both signed up for an account on a site that only uses geeklog for content management and you'd have to be looking for a geeklog site to find the sign up page - any user submissions at that site would be suspicious. Then they signed up at a couple of other sites I maintain.
I haven't yet noticed any odd behavior at my sites, but I'm going to check the logs to see if they have tried anything.
Nightdude
Forum User
Chatty
Registered: 09/15/04
Posts: 61
I too, in recent days, had a number of "new users", with an email address ending in .ru.
I deleted these users immediately, as this specific site, a school web community, is of no use to anyone outside our state, let alone our country.
Just as there are ways to bypass the usual registration process for email addresses using a specific email suffix, is there a way to lock out a specific email suffix, i.e. .ru??
ND
1000ideen
Forum User
Full Member
Registered: 08/04/03
Posts: 1298
Well I noticed these two also. They came through:
72.36.180.18 18.180.36.72.reverse.layeredtech.com
I suppose they are potential sleepers / spammers.
Quote by Robin: The strangest thing was that I opened my browser and entered one of the sites, I was suddenly logged as evrika
@Robin: was that a site running GL 1.4.0sr2?
RichardTowler
Forum User
Chatty
Registered: 03/10/05
Posts: 49
Location:UK
same here...
DorisAxline@yandex.ru
evrika5@mail.ru
valenok55@mail.ru
GameFaction - For All Your Gaming Needs
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Interesting. I see those two mail.ru users on two of my own sites plus another site where I help with administration. But they haven't logged in to any of those sites yet. No such users here on geeklog.net (yet).
My gut feeling is also that those are spammer's accounts, but I have no evidence for or against that.
bye, Dirk
P.S. Don't start nuking your Russian users now just because they happen to use mail.ru ...
asmaloney
Forum User
Full Member
Registered: 02/08/04
Posts: 214
I'm suspicious of several accounts [@mail.ru and an alex a.k.a. logos] - all seemingly originating from Russia - because they signed up to multiple [unrelated] sites at roughly the same time but didn't log in to any of them.
Like 1000ideen and Dirk, I suspect they're spammers waiting to strike...
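The pattern several posters describe above (the same address registering on multiple unrelated sites at roughly the same time and never logging in) can be checked mechanically; the following is an added example, not part of the thread and not Geeklog code. The record fields, site names and addresses are constructed assumptions, not Geeklog's schema, and the signal is the behaviour rather than the mail domain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one row per account, as exported from each site's
# user list. Field names are assumptions, not Geeklog's schema.
ACCOUNTS = [
    {"site": "school.example", "email": "Signup-Bot@mail.example",
     "registered": "2006-03-14 02:10", "last_login": None},
    {"site": "club.example", "email": "signup-bot@mail.example",
     "registered": "2006-03-14 02:25", "last_login": None},
    {"site": "shop.example", "email": "signup-bot@mail.example",
     "registered": "2006-03-14 03:05", "last_login": None},
    # Same mail domain, but a real reader who logs in: never flagged.
    {"site": "school.example", "email": "reader@mail.example",
     "registered": "2006-03-14 02:12", "last_login": "2006-03-15 18:00"},
    {"site": "club.example", "email": "reader@mail.example",
     "registered": "2006-03-14 02:40", "last_login": None},
    # Never logged in, but the sign-ups are months apart.
    {"site": "school.example", "email": "lurker@other.example",
     "registered": "2005-11-01 09:00", "last_login": None},
    {"site": "shop.example", "email": "lurker@other.example",
     "registered": "2006-03-10 09:00", "last_login": None},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def find_sleepers(accounts, min_sites=2, window=timedelta(hours=24)):
    """Return {email: [sites]} for addresses that registered on at least
    min_sites sites within `window` and have never logged in anywhere."""
    by_email = defaultdict(list)
    for row in accounts:
        by_email[row["email"].strip().lower()].append(row)
    flagged = {}
    for email, rows in by_email.items():
        if any(r["last_login"] for r in rows):
            continue  # used at least once somewhere: not a sleeper
        times = sorted(parse(r["registered"]) for r in rows)
        sites = sorted({r["site"] for r in rows})
        if len(sites) >= min_sites and times[-1] - times[0] <= window:
            flagged[email] = sites
    return flagged

if __name__ == "__main__":
    for email, sites in find_sleepers(ACCOUNTS).items():
        print(f"review before deleting: {email} on {', '.join(sites)}")
```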
Rob
Anonymous
In addition to finding those two users (on two sites...), I also checked my error log for one of my websites and found that from mid February to March someone was repeatedly attempting unsuccessfully to log in using names that don't exist, such as "wept", "now80", "love", and "turned4684". Anyone else check their error log for odd things like this?
-Rob
Renski
Anonymous
Again, the same here.
evrika5@mail.ru
valenok55@mail.ru
No last login dates on any of them.
I've so got to apply the security patch when I get home from work..
I'm a little disappointed with the security problems of late, but I'm pleased that Geeklog deals with them out in the open. However, I think it was a mistake to get rid of the blacklist, this is the kind of thing it was supposed to cover.
Renski
Anonymous
It is fair to say, without a doubt, that the users evrika5@mail.ru and valenok55@mail.ru were created using some kind of automated script or program.
Delete the account and block the IP is my advice.
1000ideen
Forum User
Full Member
Registered: 08/04/03
Posts: 1298
Quote by Renski: I'm a little disappointed with the security problems of late, but I'm pleased that Geeklog deals with them out in the open.
In another thread we tried to establish how popular Geeklog is in regard to other CMS by the number of installations. If we go by the number of hacked sites and compare Mambo and Geeklog then Mambo got no chance.
On the other hand not having the black list seems to make it more difficult to secure GL. One has to have GUS, bad behaviour and Spam-x.
As finding and installing current plugins with GL is a problem in itself I also feel that there should be an easier solution. At least the 3 most important spam plugins should be bundled or get integrated into GL (spam-x is already integrated).
E.g. Firefox got some addons and it is very easy to install and update them. I'd love this to be true for GL security plugins too.
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by Renski: However, I think it was a mistake to get rid of the blacklist, this is the kind of thing it was supposed to cover.
Hmm, you seem to be confusing a few things. We didn't "get rid of" MT-Blacklist - the maintainer stopped maintaining it. And it won't help against users registering with your site (how should it?).
bye, Dirk
ronack
Forum User
Full Member
Registered: 05/27/03
Posts: 612
It's been a few days since this was talked about but I just want to mention that I have both 1.3.11 and 1.4.0 sr2 sites and it didn't seem to matter, every one of my sites got those same registrants. I turned on User Authorization but I don't want to use that because it could take some time before I authorize the user. I do believe that this is an automated process, hence the need for the visual verification via the image where you have to type in the letters.
Sorry I don't remember the name of it but I'm going to re-look at it.
1000ideen
Forum User
Full Member
Registered: 08/04/03
Posts: 1298
It's called Captchas and has lately been discussed on the German forum also. It is already a feature request (project site seems to be down at present).
~~~
BTW I found referrer spam this morning:
HEAD index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58
GET index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58 http://www.jaja-jak-globusy.com/
I never read this "HEAD", what's that good for?
Dirk
Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location:Stuttgart, Germany
Quote by 1000ideen: GET index.php Anonymous 70.85.116.229 229.70-85-116.reverse.theplanet.com 19 Mar - 09:58 http://www.jaja-jak-globusy.com/
That's a well-known spammer. Add him to your .htaccess and forget about it ...
Quote by 1000ideen: I never read this "HEAD" what's that good for?
A GET request returns the entire page while a HEAD request only returns the headers. He's a nice spammer, he doesn't want to cause you too much traffic.
bye, Dirk