There is someone who is going around many many boards, all PhpBB boards, constantly logging in as new, different members, usually 12-14 random characters, and not posting.
This is happening on my board. Doing searches I've found this happening on at least two other boards.
On the one board I found, the admin checked and found a few hundred. On my board there's at least 150-200 of these and growing by 3 a day.
The name is always 12-14 random characters. The URLs are always different but usually contain 01mob.com redirecting to searchandcatch.com. Whois shows it's some Russian guy in Florida who has besoft.org.
He/they never post. Not ever. No one seems to know what this guy is up to, if he's trying to get into Google somehow via URLs in his profile, or preparing to do a major hack or what!
Now, you wonder why am I posting this on PhpNuke when I mention PhpBB? Because for one, I am using Nuke with BB. For another, this guy must be botting, because he's adding himself as three new users a day, same at the other boards I've talked with. That's 2-300 users so far in over a month at at least three boards for sure, and judging from the Google results above it's in the hundreds of boards, possibly thousands.
Further, if he's botting, then he's also getting past the Nuke security number code at registration. Worse, I can't find his IP in Nuke Sentinel. That's right. He's a member (200 times over) yet none of the tracked users, nor any IPs ever shows a single one of his many logins.
More so, watching my board and portal closely, the other day he came in during a 15 minute period. I was excited cause I thought, aha, he's just been in with his latest identity. I look at Sentinel and there were 5 IPs at the time, myself, my partner, MSN bot, two others from other countries. And nothing led to this guy.
Caught it again the very next day, 10 minutes or less after he created yet another new user, checked and no IPs during a 10 minute period at all listed in Sentinel. And even the 15 minute or whatever cookie, doesn't leave a trace, he's in, he's out, bang. A normal user even after leaving would still have a "shadow" showing them still online with their name. But never this guy! Or bot, or whatever!
So, he seems to be using a bot (or has no life), the bot is getting past the numeric box at registration, leaves behind no user thing in Nuke Sentinel via tracked users, and leaves nothing behind in terms of show all IPs. And because he doesn't post, ever, can't track him that way.
Sure, would love to kill all these "members" he is, but at three new ones a day, I'd much rather block him. But he doesn't leave a shadow. Again, he is doing this to boards all over creation.
Anyone know about this? Have any idea what he might be doing? And especially have a way to stop or block or ban him? This is really becoming a major thing out here. Appreciate any and all help!
Evaders99 Site Admin
Joined: Aug 17, 2003
Posts: 12482
Posted:
Sun Dec 25, 2005 12:32 pm
Maybe he's not using the Your_Account system at all, registering through the Forums instead?
I cannot say for the tracking in Sentinel, but the best bet is to check your server's access logs. That should have everything.
Maybe he's not using the Your_Account system at all, registering through the Forums instead?
I cannot say for the tracking in Sentinel, but the best bet is to check your server's access logs. That should have everything.
Well no. Made sure when integrated Nuke and PhpBB that everyone has a single "entrance door" in, via Nuke's Your_Account system; so he's definitely not getting in through the forums, that's been disabled.
I'll see what my host says about access logs, though with a hundred-something domains, and busy sites, not sure if that will work; but I'll ask. Appreciate the help.
Btw ... any ideas how he's ... getting past the security code at login, not showing an IP in Sentinel or what he might be up to?
l0hByTz Nuke Cadet
Joined: Dec 24, 2005
Posts: 3
Posted:
Sun Dec 25, 2005 9:23 pm
don't you have cpanel?
if you do... well go to
Raw Access Logs
and see the logs... it will tell you what IP did what and so on... it will look like this
172.213.232.83 - - [25/Dec/2005:03:21:33 -0500] "GET /reall/images/blocks/ur-moderator.gif HTTP/1.1" 304 - "http://reallgames.com/reall/modules.php?name=Forums&file=viewforum&f=16&sid=73a6a2165411fd873e8e703fcc4903a3" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54 [en]"
and well if he's using a botnet, well you'd be screwed because he'd be using different machines/IPs every time
hope you can find out more about it and it helps you catching him/her/them or at least block em
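An added example, not code from any poster in this thread: one way to use the raw access logs suggested above is to list which client IPs touched the Your_Account module in the minutes around the time a suspicious account was created. It assumes Apache combined log format (the format of the sample line above), that the module is named in the query string as in that line's URL, and that the signup time is taken from the new member's record; the function names, sample lines and signup time are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Apache "combined" format, as in the sample line quoted in the post above.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["query"] = parse_qs(urlsplit(rec["url"]).query)
    return rec

def account_hits_near(lines, signup_time, window_minutes=10, module="Your_Account"):
    """Group requests to modules.php?name=<module> made within the window
    around a known signup time, keyed by client IP."""
    window = timedelta(minutes=window_minutes)
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or module not in rec["query"].get("name", []):
            continue
        if abs(rec["ts"] - signup_time) > window:
            continue
        entry = hits.setdefault(rec["ip"], {"count": 0, "methods": [], "agents": []})
        entry["count"] += 1
        for key, value in (("methods", rec["method"]), ("agents", rec["agent"])):
            if value not in entry[key]:
                entry[key].append(value)
    return hits

# Constructed sample lines (documentation-range IPs, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [25/Dec/2005:03:21:33 -0500] "GET /modules.php?name=Forums&file=viewforum&f=16 HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.7 - - [25/Dec/2005:03:24:02 -0500] "POST /modules.php?name=Your_Account HTTP/1.0" 200 812 "-" "-"',
    '203.0.113.7 - - [25/Dec/2005:03:24:05 -0500] "POST /modules.php?name=Your_Account HTTP/1.0" 200 640 "-" "-"',
    '198.51.100.4 - - [25/Dec/2005:09:40:00 -0500] "GET /modules.php?name=Your_Account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
# Constructed signup time for the account being investigated (server-local UTC-5).
SIGNUP = datetime(2005, 12, 25, 3, 25, tzinfo=timezone(timedelta(hours=-5)))

if __name__ == "__main__":
    for ip, info in account_hits_near(SAMPLE, SIGNUP).items():
        print(ip, info)
```

Running the same check for several of the random-name accounts shows whether the same address, network range or user agent keeps appearing, which is what a block rule would need.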