You are missing our premiere tool bar navigation system! Register and use it for FREE!

NukeCops  
•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
Modules
· Home
· FAQ
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· PHP-Nuke HOWTO
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 260 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
Nuke Cops :: View topic - Guy is Getting Past Registration Security Code and Sentinel [ ]
 Forum FAQ  •  Search  •   •  Memberlist  •  Usergroups   •  Register  •  Profile •    •  Log in to check your private messages  •  Log in

 
Post new topic  Reply to topicprinter-friendly view
View previous topic Log in to check your private messages View next topic
Author Message
Dravyk
Nuke Soldier
Nuke Soldier


Joined: Sep 14, 2004
Posts: 18


PostPosted: Sat Dec 24, 2005 11:57 pm Reply with quoteBack to top

There is someone who is going around many many boards, all PhpBB boards, constantly logging in as new, different members, usually 12-14 random characters, and not posting.

This is happening on my board. Doing searches I've found this happening on at least two other boards.

And if you check Google, you will see there's nearly 600 profiles since November: http://www.google.com/search?hl=en&lr=&safe=off&c2coff=1&rls=GGLD%2CGGLD%3A2003-46%2CGGLD%3Aen&q=besoft++profile

On the one board I found, the admin checked and found a few hundred. On my board there's at least 150-200 of these and growing by 3 a day.

The name is always 12-14 random characters the URLs are always different but usually contain 01mob.com redirecting to searchandcatch.com. Whois shows it's some Russian guy in Florida who has besoft.org.

He/they never post. Not ever. No one seems to know what this guy is up to, if he's trying to get into Google somehow via URLs in his profile, or preparing to do a major hack or what!

Now, you wonder why am I posting this on PhpNuke when I mention PhpBB? Because for one, I am using Nuke with BB. For another, this guy must be botting, because he's adding himself as three new users a day, same at the other boards I've talked with. That's 2-300 users so far in over a month at at least three boards for sure, and judging from the Google results above it's in the hundreds of boards, possibly thousands.

Further, if he's botting, then he's also getting past the Nuke security number code at registration. Worse, I can't find his IP in Nuke Sentinal. That's right. He's a member (200 times over) yet none of the tracked users, nor any IPs ever shows a single one of his many logins.

More so, watching my board and portal closely, the other day he came in durin g a 15 minute period. I was excited cause I thought, aha, he's just been in with his latest identity. I look at Sentinel and there were 5 IPs at the time, myself, my partner, MSN bot, two others from other countries. And nothing led to this guy.

Caught it again the very next day, 10 minutes or less after he created yet another new user, checked and no IPs during a 10 minute period at all listed in Sentinal. And even the 15 minute or whatever cookie, doesn't leave a trace, he's in, he's out, bang. A normal user even after leaving would still have a "shadow" showing them still online with their name. But never this guy! Or bot, or whatever!

So, he seems to be using a bot (or has no life), the bot is getting past the numeric box at registration, leaves behind no user thing in Nuke Sentinel via tracked users, and leaves nothing behind in terms of show all IPs. And because he doesn't post, ever, can't track him that way.

Sure, would love to kill all these "members" he is, but at three new ones a day, I'd much rather block him. But he doesn't leave a shadow. Again, he is doing this to boards all over creation.

Anyone know about this? Have any idea what he might be doing? And especially have a way to stop or block or ban him? This is really becoming a major thing out here. Appreciate any and all help!
Find all posts by DravykView user's profileSend private message
Evaders99
Site Admin
Site Admin


Joined: Aug 17, 2003
Posts: 12482


PostPosted: Sun Dec 25, 2005 12:32 pm Reply with quoteBack to top

Maybe he's not using the Your_Account system at all, registering through the Forums instead?
I cannot say for the tracking in Sentinel, but the best bet is to check your server's access logs. That should have everything

_________________
Helping those that help themselves
Read FIRST or DIE!

"Fighting is terrible, but not as terrible as losing the will to fight."
Star Wars Rebellion Network - Need Help? Evaders Squadron Coding
Find all posts by Evaders99View user's profileSend private messageVisit poster's websiteAIM Address
Dravyk
Nuke Soldier
Nuke Soldier


Joined: Sep 14, 2004
Posts: 18


PostPosted: Sun Dec 25, 2005 9:06 pm Reply with quoteBack to top

Evaders99 wrote:
Maybe he's not using the Your_Account system at all, registering through the Forums instead?
I cannot say for the tracking in Sentinel, but the best bet is to check your server's access logs. That should have everything


Well no. Made sure when integrated Nuke and PhpBB that everyone has a single "entrance door" in, via Nuke's Your_Account system; so he's definitely not getting in through the forums, that's been disabled.

I'll see what my host says about access logs, though with a hundred-something domains, and busy sites, not sure if that will work; but I'll ask. Appreciate the help.

Btw ... any ideas how he's ... getting past the security code at login, not showing an IP in Sentinel or what he might be up to?
Find all posts by DravykView user's profileSend private message
l0hByTz
Nuke Cadet
Nuke Cadet


Joined: Dec 24, 2005
Posts: 3


PostPosted: Sun Dec 25, 2005 9:23 pm Reply with quoteBack to top

don't you have cpanel?
if you do... well go to

Raw Access Logs
and see the logs... it will tell you what ip did what and so on..it will look like this
172.213.232.83 - - [25/Dec/2005:03:21:33 -0500] "GET /reall/images/blocks/ur-moderator.gif HTTP/1.1" 304 - "http://reallgames.com/reall/modules.php?name=Forums&file=viewforum&f=16&sid=73a6a2165411fd873e8e703fcc4903a3" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.54 [en]"

and well if hes using a bot net well you'd be screwed because he'd be using different machines/ips every time

hope you can find out more about it and it helps you catching him/her/them or at least block em
Find all posts by l0hByTzView user's profileSend private message
Display posts from previous:      
Post new topic  Reply to topicprinter-friendly view
View previous topic Log in to check your private messages View next topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



Powered by phpBB © 2001, 2005 phpBB Group

Ported by Nuke Cops © 2003 www.nukecops.com
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::
Powered by TOGETHER TEAM srl ITALY http://www.togetherteam.it - DONDELEO E-COMMERCE http://www.DonDeLeo.com - TUTTISU E-COMMERCE http://www.tuttisu.it
Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.147 Seconds - 419 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded (www.nukemods.com) ::