January 15, 2023 I am getting these too on one site. Seems to be a clever spam attack, since they do not use new accounts. But they do use repeating IP addresses and those t.me links, both of which you could block.
January 15, 2023 I got these on two sites as well. What's interesting is that on one site it was a user who registered in 2015 with no posts, and on another it was a user who registered in 2016 with multiple posts that were OK until now. Ban IP 109.107.166.230
January 15, 2023 They probably use hacked databases from social media sites and log in with accounts that use the same data everywhere. Has anyone checked the server logs to see what these IPs are doing?
January 15, 2023 I have the same on my site. Maybe just a coincidence, but one legit member whose account got locked for failed attempts replied to the automatic message to say it had not been him, so that made me think of brute force, but people using the same password elsewhere with a leak sounds more probable.
January 16, 2023 I have them on my site also. I don't know how they managed to log in. I assumed the attacker doesn't have access to the users' email, so I forced a password change for every user affected. So far, so good...
January 16, 2023 I've moved this to our Community Support area where other Invision Community owners will see it and help where they can. It does seem, though, that these are genuinely clever spammers, and there isn't anything specifically wrong there.
January 16, 2023 22 hours ago, greek_parea said: They logged into some old inactive account. From a bit of research you can see that the accounts are 5 or even 10 years old. They didn't reset the password. I wonder how they check if an account exists in the database. Probably some scraping bot. Many forums have been attacked, not only on IC but also on phpBB or vBulletin. Google > "t.me/pump_upp" or "Verifpro.net" Edited January 16, 2023 by SeNioR-
January 16, 2023 Got another one today. The IP Ban setting was not followed and they still used the IP to log in and post. I added it to my Cloudflare firewall as a rule for now.
January 16, 2023 We have seen a few issues with old accounts being used. Some accounts were compromised ages ago with a U.S. IP and posted spam in a section that is rarely used, then today a Russian IP logged in and followed the posts using the same account that posted the spam in the first place. Very odd why they did this. We will do the following:
Stronger password requirement configured
Force password reset on accounts older than 6 months since last login
2-factor question on all accounts
2-factor using either SMS or Authenticator for mods and admins
Turn on email notifications for logins from a different computer / phone
CleanTalk (already set up and works a charm)
January 16, 2023 On 1/15/2023 at 2:54 PM, greek_parea said: Same here too. After the update to 4.7.6. Another forum that is not updated does not have this problem.
January 16, 2023 1 minute ago, Mikorist said: Same here too. After the update to 4.7.6. Another forum that is not updated does not have this problem. We had the same start at the back end of last week prior to updating to 4.7.6, so I don't think it's linked to the update, just coincidental timing.
January 16, 2023 I have never had anything like this in 12 years. I've had spam users but never like this.
January 16, 2023 As was shown before, many platforms were hit, so there is no reason to assume it is related to IPS or a specific version. Edited January 16, 2023 by opentype
January 16, 2023 I cannot reproduce where the problem is. Except that I see that the IP address is from Russia. It simply takes over various users who were never spammers. It looks like some kind of SQL injection. I made paranoid protection on the forum. And now it has eased a bit. Otherwise, spam goes every 10 minutes... https://securityheaders.com/?q=diyaudio.rs&hide=on&followRedirects=on Edited January 16, 2023 by Mikorist
January 16, 2023 7 minutes ago, Mikorist said: I cannot reproduce where the problem is. Except that I see that the IP address is from Russia. It simply takes over various users who were never spammers. It looks like some kind of SQL injection. I made paranoid protection on the forum. And now it has eased a bit. Otherwise, spam goes every 10 minutes... https://securityheaders.com/?q=diyaudio.rs&hide=on&followRedirects=on Another part on Nginx:

```nginx
location / {
    try_files $uri $uri/ /index.php$is_args$args;

    ## Drop requests from scanner / scraper user agents
    if ($http_user_agent ~* "(java)") { return 404; }
    if ($http_user_agent ~* "(winhttp|HTTrack|clshttp|archiver|loader)") { return 404; }
    if ($http_user_agent ~* "(email|harvest|extract|grab|miner)") { return 404; }
    if ($http_user_agent ~* "(libwww-perl|python|nikto|scan)") { return 404; }

    ## Block SQL injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") { set $block_sql_injections 1; }
    if ($query_string ~ "union.*all.*select.*") { set $block_sql_injections 1; }
    if ($query_string ~ "concat.*\(") { set $block_sql_injections 1; }
    if ($block_sql_injections = 1) { return 403; }

    ## Block file injections
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=https://") { set $block_file_injections 1; }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { set $block_file_injections 1; }
    if ($block_file_injections = 1) { return 403; }

    ## Block common exploits
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1; }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; }
    if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { set $block_common_exploits 1; }
    if ($query_string ~ "base64_(en|de)code\(.*\)") { set $block_common_exploits 1; }
    if ($block_common_exploits = 1) { return 403; }
}
```
January 16, 2023 The same. I have the latest IPS4, active antispam, and my board has been under attack for the last few days.
January 16, 2023 I also changed ciphers according to Probely's advice.

```nginx
server {
    listen 443 ssl;
    ...
    ssl_protocols TLSv1.2 TLSv1.3;
    ...
}
```

Cipher list:

```
TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
```

Edited January 16, 2023 by Mikorist
January 16, 2023 I have had a similar problem for a week or two, the same type of spam. From old and recent forum users. I'm not sure what to do, or why I have this. Was my forum hacked, or is it something else? Shall I Force Password Reset on all users? Btw, what message will be emailed to all users if I do? Will there be info that the database was hacked? I hope not, users will freak out and blame me. Is there a way to edit a template for such an email, just in case? Edited January 16, 2023 by Xeite
January 16, 2023 3 hours ago, DawPi said: The same. I have the latest IPS4, active antispam, and my board has been under attack for the last few days. Also a Polish board here under the same type of attack. For the last few days hundreds / thousands of foreign bots have been "scanning" my forum. After blocking IPs, a "new set" is in play. Today the first old legit account has shown up as "hijacked" and posted obvious spam. But I am still on the older 4.6.12.1, so I don't think it has anything to do with the IPS version.
January 16, 2023 3 hours ago, Xeite said: I have had a similar problem for a week or two, the same type of spam. From old and recent forum users. I'm not sure what to do, or why I have this. I'd say, ban that IP address to start with (they may get another one, though, but it will slow them down). If you don't use Cloudflare you can ban IP addresses in your .htaccess file. Also force the users whose accounts have been hacked to change their password (click to change their passwords yourself and there you'll find that option). 6 hours ago, Grant_B said: We had the same start at the back end of last week prior to updating to 4.7.6, so I don't think it's linked to the update, just coincidental timing. That's correct, I can confirm that too. It started before I upgraded to the latest version.
January 17, 2023 We had 20 accounts that have logged into the forums from the same IP since 1/14/2023: 109.107.166.230. The IP address resolves to server-109-107-166-230.vmbox.cloud, Moscow, Moscow, 109044, Russian Federation. 3/4 were shown compromised on https://haveibeenpwned.com/. We had about 5 that showed no breach found in their database, but we assume, as others do, that some other database or underground site has them listed and they were used on a fishing expedition. We placed the IP into our CleanTalk to also block that IP. At this point we have to assume that all 20 accounts are now compromised and flag them as spammers. In checking, aside from the spam posts, these accounts have not posted in years anyway.
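The pattern the posts above describe (one IP logging in successfully as many unrelated, long-dormant accounts, with no password reset in between) is what credential stuffing from a leaked password list looks like in a login log. The script below is an added example, not code from this thread or from Invision Community: it reads a constructed, whitespace-separated login log (timestamp, member, source IP, result, and the account's last activity before that login; Invision's real log layout is not assumed) and reports the two signals the thread relies on, then intersects them to get the accounts to force-reset first.

```python
"""
Credential-stuffing triage over a login log (example code, constructed
log format; not Invision Community's own logging).

Signals:
  1. an IP that authenticates successfully as several distinct accounts
     inside a short window (credential stuffing from a leak);
  2. a successful login to an account idle for years (dormant takeover).
Accounts in both lists are the ones to force-reset first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: timestamp, member, source IP, login result,
# and the account's last recorded activity before this login.
SAMPLE_LOG = """\
2023-01-14T09:12:01Z alice    203.0.113.5  success 2023-01-13T20:00:00Z
2023-01-14T10:03:44Z oldbob   198.51.100.7 success 2015-06-02T11:00:00Z
2023-01-14T10:04:10Z oldcarol 198.51.100.7 success 2016-09-20T08:30:00Z
2023-01-14T10:04:55Z dave     198.51.100.7 failure 2022-12-01T00:00:00Z
2023-01-14T10:05:31Z erin2012 198.51.100.7 success 2012-03-11T14:00:00Z
2023-01-14T10:06:02Z frank    198.51.100.7 success 2022-11-05T00:00:00Z
2023-01-14T11:30:00Z grace    192.0.2.9    success 2013-01-01T00:00:00Z
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse the sample format into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, member, ip, result, last_activity = line.split()
        records.append({
            "ts": datetime.strptime(ts, TS_FORMAT),
            "member": member,
            "ip": ip,
            "result": result,
            "last_activity": datetime.strptime(last_activity, TS_FORMAT),
        })
    return records


def ips_with_many_accounts(records, min_accounts=3, window=timedelta(hours=1)):
    """Return {ip: [members]} for IPs that logged in as at least
    min_accounts distinct members within any sliding window of `window`.
    Only successful logins count; failures alone are ordinary noise."""
    by_ip = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        best, start = set(), 0
        for end, e in enumerate(events):
            # Slide the window start forward until the span fits in `window`.
            while e["ts"] - events[start]["ts"] > window:
                start += 1
            seen = {x["member"] for x in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_accounts:
            flagged[ip] = sorted(best)
    return flagged


def dormant_reactivations(records, dormant_for=timedelta(days=730)):
    """Return successful logins to accounts idle for at least `dormant_for`
    as (member, ip, idle_days) tuples, in log order."""
    hits = []
    for r in records:
        if r["result"] != "success":
            continue
        idle = r["ts"] - r["last_activity"]
        if idle >= dormant_for:
            hits.append((r["member"], r["ip"], idle.days))
    return hits


def triage(text, min_accounts=3, window=timedelta(hours=1),
           dormant_for=timedelta(days=730)):
    """Run both signals; 'likely_compromised' is their intersection."""
    records = parse_log(text)
    stuffing = ips_with_many_accounts(records, min_accounts, window)
    dormant = dormant_reactivations(records, dormant_for)
    stuffing_members = {m for members in stuffing.values() for m in members}
    likely = sorted(m for m, _ip, _days in dormant if m in stuffing_members)
    return {"stuffing_ips": stuffing, "dormant_logins": dormant,
            "likely_compromised": likely}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, members in report["stuffing_ips"].items():
        print(f"{ip}: {len(members)} accounts in one window -> {members}")
    for member, ip, days in report["dormant_logins"]:
        print(f"dormant login: {member} from {ip} after {days} idle days")
    print("force password reset:", report["likely_compromised"])
```

On the sample data the multi-account signal flags 198.51.100.7 (four distinct members in under three minutes), and the dormant signal also catches grace, who came back from a different IP after ten years: a single dormant login is not proof of compromise, but it is exactly the case an IP ban alone misses, which is why the thread's advice pairs IP blocking with forced password resets on the affected accounts.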
January 17, 2023 29 minutes ago, Malwarebytes Forums said: At this point we have to assume that all 20 accounts are now compromised and flag them as spammers. In checking, aside from the spam posts, these accounts have not posted in years anyway. Doesn't doing a force password reset help? i.e. it sends them an email for resetting the password? Or is that no good? Trying to avoid flagging them as spammers.