
I have the same on my site. Maybe just a coincidence but one legit member whose account got locked for failed attempts replied to the automatic message to say it had not been him, so that made me think of brute force, but people using the same password elsewhere with a leak sounds more probable. 


22 hours ago, greek_parea said:


They logged into some old inactive account. From a short research you can see that the accounts are 5 or even 10 years old.

They didn't reset the password. I wonder how they check if an account exists in the database. Probably some scraping bot.

Many forums have been attacked not only on the IC but also on phpBB or vBulletin.

Google >  "t.me/pump_upp" or "Verifpro.net"

Edited by SeNioR-

We have seen a few issues with old accounts being used. 

Some accounts were compromised ages ago from a U.S. IP and posted spam in a section that is rarely used, then today a Russian IP logged in and followed the posts using the same account that posted the spam in the first place. Very odd why they did this.

We will do the following:

  • Stronger password requirement configured
  • Force password reset on accounts older than 6 months since last login.
  • 2-factor question on all accounts
  • 2-factor using either SMS or Authenticator for mods and admins
  • Turn on email notifications for logins from a different computer / phone
  • CleanTalk (already set up and works a charm)

1 minute ago, Mikorist said:

Same here too. After update to 4.7.6. Another forum that is not updated does not have this problem.

We had the same start at the backend of last week prior to updating to 4.7.6 so I don't think it's linked to the update, just coincidental timing.


I cannot reproduce where the problem is. Except that I see that the IP address is from Russia. It simply takes over various users who were never spammers. It looks like some kind of SQL injection. I made paranoid protection on the forum. And now it has eased a bit. Otherwise, spam goes every 10 minutes...

https://securityheaders.com/?q=diyaudio.rs&hide=on&followRedirects=on

Edited by Mikorist

7 minutes ago, Mikorist said:

I cannot reproduce where the problem is. Except that I see that the IP address is from Russia. It simply takes over various users who were never spammers. It looks like some kind of SQL injection. I made paranoid protection on the forum. And now it has eased a bit. Otherwise, spam goes every 10 minutes...

https://securityheaders.com/?q=diyaudio.rs&hide=on&followRedirects=on

Another part, on Nginx:

    location / {
        try_files $uri $uri/ /index.php$is_args$args;

        ## Block scrapers and scanners by User-Agent (~* is a case-insensitive match)
        if ($http_user_agent ~* "(java)")                                    { return 404; }
        if ($http_user_agent ~* "(winhttp|HTTrack|clshttp|archiver|loader)") { return 404; }
        if ($http_user_agent ~* "(email|harvest|extract|grab|miner)")        { return 404; }
        if ($http_user_agent ~* "(libwww-perl|python|nikto|scan)")           { return 404; }

        ## Block SQL injections (patterns are matched against the raw query string only)
        set $block_sql_injections 0;
        if ($query_string ~ "union.*select.*\(") {
            set $block_sql_injections 1;
        }
        if ($query_string ~ "union.*all.*select.*") {
            set $block_sql_injections 1;
        }
        if ($query_string ~ "concat.*\(") {
            set $block_sql_injections 1;
        }
        if ($block_sql_injections = 1) {
            return 403;
        }

        ## Block file injections
        set $block_file_injections 0;
        if ($query_string ~ "[a-zA-Z0-9_]=https://") {
            set $block_file_injections 1;
        }
        if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
            set $block_file_injections 1;
        }
        if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
            set $block_file_injections 1;
        }
        if ($block_file_injections = 1) {
            return 403;
        }

        ## Block common exploits
        set $block_common_exploits 0;
        if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "proc/self/environ") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
            set $block_common_exploits 1;
        }
        if ($query_string ~ "base64_(en|de)code\(.*\)") {
            set $block_common_exploits 1;
        }
        if ($block_common_exploits = 1) {
            return 403;
        }
    }


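As an added illustration (my code, not Mikorist's configuration and not anything shipped by Invision Community), the Python below re-implements the matching that the posted `location /` rules perform, with the same regular expressions and nginx's `~` (case-sensitive) / `~*` (case-insensitive) semantics, and runs it over constructed requests. The point it makes is why rules like these can only "ease" an account-takeover wave: they inspect the User-Agent header and the raw `$query_string`, so a login attempt carrying stolen credentials in a POST body behind a browser-like User-Agent passes untouched, while a member's search for a thread title containing "union ... select" or a `?ref=https://...` return link gets a 403. The sample requests and User-Agent strings are constructed for the example, not taken from any log.

```python
import re

# Patterns copied from the nginx rules in the post above.
# "~*" rules are matched case-insensitively, "~" rules case-sensitively,
# exactly as nginx evaluates them.
USER_AGENT_BLOCKS = [  # -> 404
    r"(java)",
    r"(winhttp|HTTrack|clshttp|archiver|loader)",
    r"(email|harvest|extract|grab|miner)",
    r"(libwww-perl|python|nikto|scan)",
]

QUERY_BLOCKS = {  # -> 403, matched against the raw (undecoded) query string
    "sql": [
        r"union.*select.*\(",
        r"union.*all.*select.*",
        r"concat.*\(",
    ],
    "file": [
        r"[a-zA-Z0-9_]=https://",
        r"[a-zA-Z0-9_]=(\.\.//?)+",
        r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+",
    ],
    "exploit": [
        r"(<|%3C).*script.*(>|%3E)",
        r"GLOBALS(=|\[|%[0-9A-Z]{0,2})",
        r"_REQUEST(=|\[|%[0-9A-Z]{0,2})",
        r"proc/self/environ",
        r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)",
        r"base64_(en|de)code\(.*\)",
    ],
}


def classify(method, path, query_string, user_agent):
    """Return (status, reason) the posted rules would produce for one request.

    Only the User-Agent header and the raw query string are inspected; the
    request body, where a login form's username and password travel, is not
    even an input here because none of the nginx rules read it.
    """
    for pattern in USER_AGENT_BLOCKS:
        if re.search(pattern, user_agent, re.IGNORECASE):
            return 404, "user-agent"
    for group, patterns in QUERY_BLOCKS.items():
        for pattern in patterns:
            if re.search(pattern, query_string):
                return 403, group
    return 200, "pass"


# Constructed sample requests (not real traffic from any forum in the thread).
SAMPLES = [
    # credential-stuffing login: browser-like UA, empty query string,
    # credentials in the POST body -> the rules let it straight through
    ("POST", "/login/", "", "Mozilla/5.0 (Windows NT 10.0) Firefox/109.0"),
    # a member searching for a thread whose title happens to contain SQL words
    ("GET", "/search/", "q=union+all+select+committee",
     "Mozilla/5.0 (X11; Linux) Chrome/109.0"),
    # a member returning from a legitimate external link
    ("GET", "/login/", "ref=https://forum.example/topic/1",
     "Mozilla/5.0 (Macintosh) Safari/605.1"),
    # a scraper that does not bother to fake its User-Agent
    ("GET", "/members/", "", "python-requests/2.28.1"),
]


def run_samples():
    """Evaluate every sample; returns [(method, path, (status, reason)), ...]."""
    return [(m, p, classify(m, p, q, ua)) for m, p, q, ua in SAMPLES]


if __name__ == "__main__":
    for method, path, (status, reason) in run_samples():
        print(f"{status} {reason:<10} {method} {path}")
```

Run it and the first line is `200 pass POST /login/`: the one request that actually represents the attack in this thread is the one the rules never touch, which is why the fixes that help here are account-side (password reset, 2FA, login notifications) rather than query-string filters.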

I also changed ciphers according to Probely's advice.

    server {
        listen 443 ssl;
        ...
        ssl_protocols TLSv1.2 TLSv1.3;
        ## TLS 1.3 suite names first, then TLS 1.2 ECDHE suites (AEAD before CBC)
        ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
        ...
    }


Edited by Mikorist

I have had a similar problem for a week or two now, same type of spam. From old and recent forum users. I'm not sure what to do, or why I have this. Was my forum hacked, or is it something else? Shall I force a password reset on all users? Btw, what message will be emailed to all users if I do? Will there be info that the database was hacked? I hope not, users will freak out and blame me. Is there a way to edit a template for such an email, just in case?

Edited by Xeite

3 hours ago, DawPi said:

The same. I have the latest IPS4 and active antispam, and my board has been under attack for the last few days.

Also a Polish board here under the same type of attack. Over the last few days hundreds / thousands of foreign bots have been "scanning" my forum. After blocking IPs, a "new set" comes into play. Today the first old legit account showed up as "hijacked" and posted obvious spam.

But I'm still on the older 4.6.12.1, so I don't think it has anything to do with the IPS version.


3 hours ago, Xeite said:

I have similar problem since like a week or two, same type of spam. From old and recent forum users. I'm not sure what to do, and why I have this.

I'd say, ban that IP address to start with (They may get another one though but it will slow them down). If you don't use Cloudflare you can ban IP addresses in your .htaccess file.

Also force the users whose accounts have been hacked to change password (click to change their passwords yourself and there you'll find that option)

6 hours ago, Grant_B said:

We had the same start at the backend of last week prior to updating to 4.7.6 so I don't think it's linked to the update, just coincidental timing.

That's correct, I can confirm that too. It started before I upgraded to the latest version.


We had 20 accounts that have logged into the forums from the same IP since 1/14/2023

109.107.166.230
The IP address resolves to server-109-107-166-230.vmbox.cloud
Moscow, Moscow, 109044, Russian Federation
 

3/4 were shown compromised on https://haveibeenpwned.com/

We had about 5 that showed no breach found in their database, but assume as others that some other database or underground site has them listed and were used on a fishing expedition.

We placed the IP into our Clean Talk to also block that IP

At this point we have to assume that all 20 accounts are now compromised and flag them as spammers. In checking, aside from the spam posts these accounts have not posted in years anyways.

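Grant_B's list earlier in the thread (force a reset on accounts with no login for 6 months) and the observation just above (20 long-dormant accounts all logging in from one address since 1/14/2023) together describe a detection rule that can be run over a login log before anyone is flagged as a spammer. As an added example that is not code from the thread and not part of Invision Community, the Python below reads a constructed login log (the record layout `user=… ip=… prev_activity=…` is an assumption; IPS keeps the equivalent in its members table), reports addresses that logged into many distinct accounts, accounts that woke up after a long gap, and the intersection of the two, which is the set to reset first. The threshold of 3 accounts per IP is an assumed starting value, and the IPs are from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login records (not real data from any forum in the thread):
# time of a successful login, account, source IP, and the date of that
# account's previous activity as the forum software would know it.
LOGIN_LOG = """\
2023-01-14T09:12:41Z user=alice ip=203.0.113.7 prev_activity=2022-12-30
2023-01-14T09:13:05Z user=bob ip=198.51.100.23 prev_activity=2016-05-11
2023-01-14T09:13:44Z user=carol ip=198.51.100.23 prev_activity=2014-02-03
2023-01-14T09:14:10Z user=dave ip=198.51.100.23 prev_activity=2018-09-27
2023-01-14T09:15:02Z user=erin ip=198.51.100.23 prev_activity=2013-11-19
2023-01-14T09:20:33Z user=frank ip=203.0.113.50 prev_activity=2023-01-13
2023-01-14T09:21:09Z user=grace ip=203.0.113.50 prev_activity=2023-01-12
2023-01-14T09:30:57Z user=heidi ip=198.51.100.23 prev_activity=2015-07-08
2023-01-14T09:40:12Z user=ivan ip=203.0.113.90 prev_activity=2019-04-22
"""

DORMANT_AFTER = timedelta(days=180)  # Grant_B's "6 months since last login"
MIN_ACCOUNTS_PER_IP = 3              # assumed threshold; tune to your traffic


def parse(log_text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in log_text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": kv["user"],
            "ip": kv["ip"],
            "prev_activity": datetime.strptime(kv["prev_activity"], "%Y-%m-%d"),
        })
    return records


def suspicious_ips(records, min_accounts=MIN_ACCOUNTS_PER_IP):
    """IPs that logged into at least `min_accounts` distinct accounts.

    A household or office NAT shares one IP among a couple of members, so the
    threshold is what separates that from a credential-stuffing source.
    """
    accounts_by_ip = defaultdict(set)
    for r in records:
        accounts_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in accounts_by_ip.items()
            if len(users) >= min_accounts}


def dormant_logins(records, dormant_after=DORMANT_AFTER):
    """Accounts whose login followed a gap longer than `dormant_after`."""
    return sorted(r["user"] for r in records
                  if r["ts"] - r["prev_activity"] > dormant_after)


def accounts_to_reset(records):
    """Accounts that are both dormant and part of a many-accounts-one-IP
    cluster: force a password reset on these before treating them as
    spammers. A dormant account from an ordinary IP (a member returning
    after years) is not in this set."""
    clustered = set()
    for users in suspicious_ips(records).values():
        clustered.update(users)
    return sorted(clustered & set(dormant_logins(records)))


if __name__ == "__main__":
    recs = parse(LOGIN_LOG)
    print("IPs with many accounts:     ", suspicious_ips(recs))
    print("dormant accounts logging in:", dormant_logins(recs))
    print("reset first:                ", accounts_to_reset(recs))
```

On this sample, `ivan` is dormant but logged in from his own address and is left alone, while `frank` and `grace` share an address but fall under the threshold; only the five accounts behind `198.51.100.23` come out as candidates for a forced reset. That answers the "force password reset vs. flag as spammer" question above with data rather than a guess: reset the intersection, block the source IP, and keep the spammer flag for accounts that actually posted spam.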

29 minutes ago, Malwarebytes Forums said:

At this point we have to assume that all 20 accounts are now compromised and flag them as spammers. In checking, aside from the spam posts these accounts have not posted in years anyways.


Doesn't doing a force password reset help? i.e. it sends them an email to reset their password? Or is that no good? Trying to avoid flagging them as spammers.
