
Odd New User Accounts


Yeraze

Forum User
Newbie
Registered: 19/02/06
Posts: 10
I'm seeing a lot of odd new user accounts this morning... The usernames are all what appears to be 8-10 character randomly generated garbage, with email addresses in the "personalloansgalore.com" domain (which I've now blacklisted). What's troubling is that the HTTP Referrers for these accounts when they're created is other geeklog users.php?mode=new pages. My website (yeraze.com) had 3 this morning (one didn't work apparently), one from http://www.wheelsofterror.com/users.php?mode=new, one from http://www.halomods.com/site2/geeklog-1.3.9/public_html/users.php?mode=new, and one from http://web.takebackthemedia.com/geeklog/public_html/users.php?mode=new, and one from http://spam.tinyweb.net/users.php?mode=new .

Is this a new exploit (the one thing I've noticed is that all 4 of these sites seem to be running older versions of Geeklog, possibly in the 1.3.9 range)? Or is this just spam?

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
I got a few of those, too, on one of my sites. A quick

    Deny from 91.124

in the .htaccess seems to have stopped them for now.

It's not an exploit, just a bot written to register with Geeklog sites. Install the CAPTCHA plugin, it should take care of that.

Btw, did any of those new users manage to log in? The ones I got didn't.

bye, Dirk
Yeraze

Forum User
Newbie
Registered: 19/02/06
Posts: 10
No, none of them logged in. Just created accounts.

Simply adding 'personalloansgalore.com' to the Deny Domain entry in config.php seems to have stopped them for now.

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
Okay, that'll work as well. The site in question is still running on 1.4.0, though, which doesn't have the blacklist yet.

We had a similar "bot attack" a while ago and the bots there used several different domain names. So you may want to keep an eye on your new users, just in case.

bye, Dirk
jmatt

Forum User
Junior
Registered: 06/01/03
Posts: 30
Location: Tatertown, KY, USA
I just got one suspicious new user account this morning. The email address was @real-cheap-email.com.

I'm using CAPTCHA, with the static images since I don't have the necessary graphics packages installed to use the on-the-fly images. I know that's less secure, so I may have to reconsider and install what I need for the dynamic images.

The reason I'm suspicious of this user is the lack of any other activity from the IP. Most of my users are people who stumble into the site accidentally, wander around a little, and then try to do something like add a comment that requires registration.

In this case, all I see from the IP in question is:

66.180.169.35 - - [28/Mar/2007:04:37:05 -0400] "GET /blog/users.php?mode=new HTTP/1.1" 200 10649 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
66.180.169.35 - - [28/Mar/2007:04:37:07 -0400] "GET /blog/javascript/common.js HTTP/1.1" 200 2878 "http://jmatt.net/blog/users.php?mode=new" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
66.180.169.35 - - [28/Mar/2007:04:37:09 -0400] "GET /blog/captcha/captcha.php?.jpg HTTP/1.1" 200 3472 "http://jmatt.net/blog/users.php?mode=new" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
66.180.169.35 - - [28/Mar/2007:04:38:58 -0400] "POST /blog/users.php HTTP/1.1" 200 109 "http://jmatt.net/blog/users.php?mode=new" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
66.180.169.35 - - [28/Mar/2007:04:39:00 -0400] "GET /blog/index.php?msg=1 HTTP/1.1" 200 27741 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
66.180.169.35 - - [28/Mar/2007:04:39:01 -0400] "GET /blog/javascript/common.js HTTP/1.1" 304 - "http://jmatt.net/blog/index.php?msg=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
It looks like he came directly into the signup page without browsing anything else on the site. The IP address also seems to be in a range that belongs to a hosting service, which is a little suspicious for a normal browser.

The 2-minute delay between getting the signup page and sending the response is a little weird, since he didn't include a bio or anything that would take a lot of time to write. It's possible that it took that long to crack the CAPTCHA image. One possible exploit I've thought of for the static images would be to have all the images stored and simply compare the one received to all the stored ones and send back the string for the one that matches. I'm not sure how long that would take, but it seems feasible.

It was about 4 hours from the time he registered until I saw it. At that point, he hadn't tried to log in yet. Maybe it's a bot that's not smart enough to read email. I've banned the userid, and banned the domain from new registrations.
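The heuristics jmatt applies by hand above (a visitor who lands straight on users.php?mode=new with no referrer, views no other page before registering, and takes an unusual time between fetching the form and submitting it) can be run over an Apache combined-format access log. The following script is an added example and is not Geeklog code or anything from the posters; it embeds the five log lines quoted above plus a constructed session for a normal visitor (IP 10.0.0.5), and the 3-second and 90-second delay thresholds, the /blog/ path prefix and the asset prefixes are assumptions to adjust per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed site layout: Geeklog installed under /blog/; these paths are static helpers, not pages.
SIGNUP_FORM = "/blog/users.php?mode=new"
SIGNUP_POST = "/blog/users.php"
ASSET_PREFIXES = ("/blog/javascript/", "/blog/captcha/", "/blog/images/", "/blog/layout/")

# Assumed thresholds: under 3 s looks scripted, over 90 s looks like offline CAPTCHA work.
MIN_FORM_SECONDS = 3
MAX_FORM_SECONDS = 90

# Sample input: the five lines quoted in the post above, plus a constructed normal visitor.
SAMPLE_LOG = [
    '66.180.169.35 - - [28/Mar/2007:04:37:05 -0400] "GET /blog/users.php?mode=new HTTP/1.1" 200 10649 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '66.180.169.35 - - [28/Mar/2007:04:37:07 -0400] "GET /blog/javascript/common.js HTTP/1.1" 200 2878 "http://jmatt.net/blog/users.php?mode=new" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '66.180.169.35 - - [28/Mar/2007:04:37:09 -0400] "GET /blog/captcha/captcha.php?.jpg HTTP/1.1" 200 3472 "http://jmatt.net/blog/users.php?mode=new" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '66.180.169.35 - - [28/Mar/2007:04:38:58 -0400] "POST /blog/users.php HTTP/1.1" 200 109 "http://jmatt.net/blog/users.php?mode=new" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '66.180.169.35 - - [28/Mar/2007:04:39:00 -0400] "GET /blog/index.php?msg=1 HTTP/1.1" 200 27741 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '66.180.169.35 - - [28/Mar/2007:04:39:01 -0400] "GET /blog/javascript/common.js HTTP/1.1" 304 - "http://jmatt.net/blog/index.php?msg=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    # Constructed: a human reads the front page and an article, then registers in 30 s.
    '10.0.0.5 - - [28/Mar/2007:09:00:00 -0400] "GET /blog/index.php HTTP/1.1" 200 27741 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [28/Mar/2007:09:00:40 -0400] "GET /blog/article.php?story=20070327 HTTP/1.1" 200 8000 "http://jmatt.net/blog/index.php" "Mozilla/5.0"',
    '10.0.0.5 - - [28/Mar/2007:09:02:00 -0400] "GET /blog/users.php?mode=new HTTP/1.1" 200 10649 "http://jmatt.net/blog/article.php?story=20070327" "Mozilla/5.0"',
    '10.0.0.5 - - [28/Mar/2007:09:02:30 -0400] "POST /blog/users.php HTTP/1.1" 200 109 "http://jmatt.net/blog/users.php?mode=new" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict of log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def sessions_by_ip(lines):
    """Group parsed records by client IP, each group sorted by timestamp."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            sessions[rec["ip"]].append(rec)
    for recs in sessions.values():
        recs.sort(key=lambda r: r["ts"])
    return sessions


def is_page(rec):
    """True for page requests; static assets are ignored when judging browsing behaviour."""
    return not rec["path"].startswith(ASSET_PREFIXES)


def score_session(recs):
    """Return a list of reasons a registration from this IP looks automated (empty = fine)."""
    pages = [r for r in recs if is_page(r)]
    posts = [r for r in pages if r["method"] == "POST" and r["path"] == SIGNUP_POST]
    if not posts:
        return []  # no registration attempt at all
    form_gets = [r for r in pages if r["method"] == "GET" and r["path"].startswith(SIGNUP_FORM)]
    reasons = []
    first = pages[0]
    if first["path"].startswith(SIGNUP_FORM) and first["referer"] == "-":
        reasons.append("first request was the signup form with no referrer")
    browsed = [r for r in pages if r["ts"] < posts[0]["ts"] and not r["path"].startswith(SIGNUP_FORM)]
    if not browsed:
        reasons.append("no other page views before registering")
    if form_gets:
        delay = (posts[0]["ts"] - form_gets[0]["ts"]).total_seconds()
        if delay < MIN_FORM_SECONDS or delay > MAX_FORM_SECONDS:
            reasons.append("form submitted %d s after it was fetched" % delay)
    return reasons


def flag_suspicious(lines):
    """Map each IP that registered an account to the reasons it was flagged."""
    flagged = {}
    for ip, recs in sessions_by_ip(lines).items():
        reasons = score_session(recs)
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_suspicious(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run against a real log (`flag_suspicious(open("access_log"))`), the output is a review list for the admin, not an automatic ban: a legitimate user who bookmarks the signup page, or who has a browser that suppresses the Referer header, trips the first check, so the value is in combining the signals, exactly as the post does by hand, with the IP's ownership and whether the account ever logs in.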
