IT Security and Insecurity Portal

Who is JackFromWales4u2?

Posted: Sun Sep 05, 2004 3:25 am
oprime2001
Beginner
Joined: Sep 05, 2004
Posts: 4

I had a random user JackFromWales4u2 register on one of my phpnuke sites. At first I was annoyed at the random registration, but then paranoia took hold. I checked the logs for any obvious or glaring exploits, but I did not see anything.
I then checked the various phpnuke security sites. I was surprised to see that JackFromWales4u2 was also the latest signup at a forum moderator's site.
I then ran a google search on JackFromWales4u2, and google returned 18600 hits!
From a random check of the various google hits, it seems that JackFromWales4u2 has been very busy with a great number of registrations at these various phpnuke and phpbb sites within a span of a couple of days -- September 1-2, 2004.
Now this screams of an exploit/vulnerability! Is there a script or exploit/vulnerability that is out in the wild that is yet unpatched?
Or am I just being paranoid here?
p.s. you might want to check your own phpnuke sites to see if you've had a visit from JackFromWales4u2, too.

Posted: Sun Sep 05, 2004 3:10 pm
SteX
Advanced user
Joined: May 18, 2004
Posts: 181
Location: Serbia

oprime2001 >>> 1,470 results
I don't think that that is a bot, because every member must click on activation link (in mail).. Try contacting him, maybe he is just a computer freak

_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
-------------------------------------------------------

Posted: Sun Sep 05, 2004 8:25 pm
oprime2001
Beginner
Joined: Sep 05, 2004
Posts: 4

But if you take a look at the google hits for oprime2001, most of the hits are on a couple of English sites -- mostly NukeCops, ravenphpscripts and a couple of other phpnuke-related sites.
In contrast, the google search for JackFromWales4u2 returns (now) 24,400 hits over numerous (hundreds? thousands?) different sites using various different languages on all kinds of topics. Furthermore, most of the google results are for registration/profile info -- not regular postings.
What is more disconcerting is what you brought up -- that
Quote: | every member must click on activation link (in mail) | yet most of the JackFromWales4u2 php-nuke memberships seem to have been registered and activated within a very short period of time (September 1-2, 2004). How?
I could just be too paranoid having websites previously defaced, but things seem fishy. Why the mass registrations on different website topics of different languages within a short period of time?

add user with POST method

Posted: Mon Sep 06, 2004 8:26 am
bima
Regular user
Joined: Jun 14, 2004
Posts: 16
Location: dunia fana

Posted: Mon Sep 06, 2004 10:37 am
SteX
Advanced user
Joined: May 18, 2004
Posts: 181
Location: Serbia

Those exploits can only add or del admin account..
We are talking about user account..

_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
-------------------------------------------------------

add user admin

Posted: Mon Sep 06, 2004 10:58 am
bima
Regular user
Joined: Jun 14, 2004
Posts: 16
Location: dunia fana

SteX wrote: | Those exploits can only add or del admin account..
We are talking about user account.. |
plz read carefully, do u ???

Posted: Mon Sep 06, 2004 8:25 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

What can I say, is:
1. PhpBB and PhpNuke registration is complete (activated) after
activation email reply. It's not hard to write a script or program which
first does a Google search for nuke and phpbb, then registers at all the
sites, next logs in to a pop3/imap account and retrieves all the emails,
then parses them and finally activates all the accounts.
The only problem I see is that "turing number" stuff, which is meant to
protect against automated clients (bots). If that image is not "fuzzy"
enough (like in the case of most nuke installations), then OCR
software can be used and then nothing can stop automated registrations.
2. What's the goal for doing such "spamming"? One reason can be
"googlespam" for trying to elevate some website's pagerank.
But as far as I know, Google is already aware of such attempts and
this kind of "links" does not count for pagerank.

Re: Who is JackFromWales4u2?

Posted: Thu Sep 09, 2004 8:59 am
shmk
Active user
Joined: Jul 22, 2004
Posts: 25

Now the sites are 44300

JackFromWales4u2 == spammer >> persona non grata

Posted: Thu Sep 09, 2004 1:34 pm
oprime2001
Beginner
Joined: Sep 05, 2004
Posts: 4

waraxe wrote: | What can I say, is:
[edit]
2. What's the goal for doing such "spamming"? One reason can be
"googlespam" for trying to elevate some website's pagerank.
But as far as I know, Google is already aware of such attempts and
this kind of "links" does not count for pagerank. |
It seems that waraxe was on to something with the above comments. I posted the original post in the security forum at NukeCops. A couple of users there are now reporting that the JackFromWales4u2 account is being used to spam news articles on phpnuke websites with comments with a link to (presumably, their) website.
However, what is more disconcerting is that these users are reporting that ALL of their articles/news were spammed! Again, if that doesn't smell of a script/bot, I don't know what does. I don't see a legitimate reason to keep this JackFromWales4u2 account on your site!
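
An added example, not part of any post in this thread: a site-owner check for the pattern discussed above, where an account is activated right after registering and then comments on nearly every article in quick succession. The log format, the thresholds and every event below are constructed assumptions, not phpnuke's own schema or output.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real logs): "timestamp user action [article_id]"
SAMPLE_LOG = """\
2004-09-01T10:00:00 JackFromWales4u2 register
2004-09-01T10:00:40 JackFromWales4u2 activate
2004-09-08T02:00:00 JackFromWales4u2 comment 1
2004-09-08T02:00:05 JackFromWales4u2 comment 2
2004-09-08T02:00:09 JackFromWales4u2 comment 3
2004-09-08T02:00:14 JackFromWales4u2 comment 4
2004-09-02T09:00:00 alice register
2004-09-02T11:30:00 alice activate
2004-09-03T12:00:00 alice comment 2
2004-09-05T18:00:00 alice comment 4
"""

def parse(log):
    """Yield (datetime, user, action, article_id or None) for each event line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield (datetime.fromisoformat(parts[0]), parts[1], parts[2],
                   parts[3] if len(parts) > 3 else None)

def flag_scripted_accounts(log, total_articles, max_activation_s=120,
                           min_coverage=0.9, max_gap_s=30):
    """Return {user: [reasons]}; thresholds are illustrative assumptions."""
    reg, act, comments = {}, {}, defaultdict(list)
    for ts, user, action, article in parse(log):
        if action == "register":
            reg[user] = ts
        elif action == "activate":
            act[user] = ts
        elif action == "comment":
            comments[user].append((ts, article))
    flagged = defaultdict(list)
    for user in reg:
        # Signal 1: activation mail answered faster than a person plausibly would.
        if user in act and (act[user] - reg[user]).total_seconds() <= max_activation_s:
            flagged[user].append("fast-activation")
        posts = sorted(comments[user], key=lambda p: p[0])
        covered = {article for _, article in posts}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(posts, posts[1:])]
        # Signal 2: almost every article commented on, seconds apart.
        if len(covered) >= min_coverage * total_articles and gaps and max(gaps) <= max_gap_s:
            flagged[user].append("blanket-comments")
    return dict(flagged)
```

Fast activation alone is a weak signal, since a person with their mail client open can also click within a minute; the two signals together are what match the behaviour reported in the thread.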