opentype Posted January 15, 2023 I am getting these too on one site. Seems to be a clever spam attack, since they do not use new accounts. But they do use repeating IP addresses and those t.me links, both of which you could block.
AlexWebsites Posted January 15, 2023 I got these on two sites as well. What's interesting is that on one site it was a user who registered in 2015 with no posts, and on another it was a user who registered in 2016 with multiple posts that were fine until now. Ban IP 109.107.166.230
opentype Posted January 15, 2023 They probably use hacked databases from social media sites and log in with accounts that use the same data everywhere. Has anyone checked the server logs to see what these IPs are doing?
PPlanet Posted January 15, 2023 I have the same on my site. Maybe just a coincidence, but one legit member whose account got locked for failed attempts replied to the automatic message to say it had not been him, so that made me think of brute force, but people using the same password elsewhere with a leak sounds more probable.
Ivan Banic Posted January 16, 2023 I have them on my site also. I don't know how they managed to log in. I assumed the attacker doesn't have access to the users' email, so I forced a password change for every user affected. So far, so good...
Marc Posted January 16, 2023 I've moved this to our Community Support area where other Invision Community owners will see it and help where they can. It does seem though that these are genuinely clever spammers, and there isn't anything specifically wrong there.
SeNioR- Posted January 16, 2023 22 hours ago, greek_parea said: They logged into some old inactive account. From a short bit of research you can see that the accounts are 5 or even 10 years old. They didn't reset the password. I wonder how they check if an account exists in the database. Probably some scraping bot. Many forums have been attacked, not only on IC but also on phpBB or vBulletin. Google "t.me/pump_upp" or "Verifpro.net".
AlexWebsites Posted January 16, 2023 Got another one today. The IP Ban setting was not followed and they still used the IP to log in and post. I added it to my Cloudflare firewall as a rule for now.
loccom Posted January 16, 2023 We have seen a few issues with old accounts being used. Some accounts were compromised ages ago from a U.S. IP and posted spam in a section that is rarely used, then today a Russian IP logged in and followed the posts using the same account that posted the spam in the first place. Very odd why they did this. We will do the following:
- Stronger password requirement configured
- Force password reset on accounts whose last login is older than 6 months
- 2-factor question on all accounts
- 2-factor using either SMS or Authenticator for mods and admins
- Turn on email notifications for logins from a different computer / phone
- CleanTalk (already set up and works a charm)
Mikorist Posted January 16, 2023 On 1/15/2023 at 2:54 PM, greek_parea said: Same here too. After update to 4.7.6. Another forum that is not updated does not have this problem.
Grant_B Posted January 16, 2023 1 minute ago, Mikorist said: Same here too. After update to 4.7.6. Another forum that is not updated does not have this problem. We had the same start at the back end of last week, prior to updating to 4.7.6, so I don't think it's linked to the update, just coincidental timing.
Mikorist Posted January 16, 2023 I have never had anything like this in 12 years. I've had spam users, but never like this.
opentype Posted January 16, 2023 As was shown before, many platforms were hit, so there is no reason to assume it is related to IPS or a specific version.
Mikorist Posted January 16, 2023 I cannot reproduce where the problem is. Except that I see that the IP address is from Russia. It simply takes over various users who were never spammers. It looks like some kind of SQL injection. I made paranoid protection on the forum. And now it has eased a bit. Otherwise, spam goes every 10 minutes... https://securityheaders.com/?q=diyaudio.rs&hide=on&followRedirects=on
Mikorist Posted January 16, 2023 Another part on Nginx:

```nginx
location / {
    try_files $uri $uri/ /index.php$is_args$args;

    ## Block scraper / scanner user agents (case-insensitive match)
    if ($http_user_agent ~* "(java)") { return 404; }
    if ($http_user_agent ~* "(winhttp|HTTrack|clshttp|archiver|loader)") { return 404; }
    if ($http_user_agent ~* "(email|harvest|extract|grab|miner)") { return 404; }
    if ($http_user_agent ~* "(libwww-perl|python|nikto|scan)") { return 404; }

    ## Block SQL injections (query string only; POST bodies are not inspected)
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") { set $block_sql_injections 1; }
    if ($query_string ~ "union.*all.*select.*") { set $block_sql_injections 1; }
    if ($query_string ~ "concat.*\(") { set $block_sql_injections 1; }
    if ($block_sql_injections = 1) { return 403; }

    ## Block file injections (remote URL / path traversal in a parameter value)
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=https://") { set $block_file_injections 1; }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { set $block_file_injections 1; }
    if ($block_file_injections = 1) { return 403; }

    ## Block common exploits (XSS, PHP superglobal overwrite, LFI, old Joomla/Mambo, base64 payloads)
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1; }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; }
    if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { set $block_common_exploits 1; }
    if ($query_string ~ "base64_(en|de)code\(.*\)") { set $block_common_exploits 1; }
    if ($block_common_exploits = 1) { return 403; }
}
```
DawPi Posted January 16, 2023 The same. I have the latest IPS4 and active antispam, and my board has been under attack for the last few days.
Mikorist Posted January 16, 2023 I also changed ciphers according to Probely's advice.

```nginx
server {
    listen 443 ssl;
    ...
    ssl_protocols TLSv1.2 TLSv1.3;
    ...
    # TLS 1.2 cipher list. The TLS13-* entries at the front are not OpenSSL
    # cipher names: OpenSSL ignores unknown entries in ssl_ciphers, and the
    # TLS 1.3 suites are negotiated independently of this list.
    ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
}
```
Xeite Posted January 16, 2023 I have had a similar problem for a week or two, the same type of spam, from old and recent forum users. I'm not sure what to do, or why I have this. Was my forum hacked, or is it something else? Shall I Force Password Reset on all users? BTW, what message will be emailed to all users if I do? Will there be info that the database was hacked? I hope not, users will freak out and blame me. Is there a way to edit a template for such an email, just in case?
Luuuk Posted January 16, 2023 3 hours ago, DawPi said: The same. I have the latest IPS4 and active antispam, and my board has been under attack for the last few days. Also a Polish board here under the same type of attack. Over the last few days hundreds / thousands of foreign bots have been "scanning" my forum. After blocking IPs, a "new set" comes into play. Today the first old legit account showed up as "hijacked" and posted obvious spam. But I am still on the older 4.6.12.1, so I don't think it has anything to do with the IPS version.
PPlanet Posted January 16, 2023 3 hours ago, Xeite said: I have a similar problem since like a week or two, same type of spam. From old and recent forum users. I'm not sure what to do, and why I have this. I'd say, ban that IP address to start with (they may get another one, though, but it will slow them down). If you don't use Cloudflare you can ban IP addresses in your .htaccess file. Also force the users whose accounts have been hacked to change their password (click to change their passwords yourself and there you'll find that option). 6 hours ago, Grant_B said: We had the same start at the back end of last week, prior to updating to 4.7.6, so I don't think it's linked to the update, just coincidental timing. That's correct, I can confirm that too. It started before I upgraded to the latest version.
Malwarebytes Forums Posted January 17, 2023 We had 20 accounts that have logged into the forums from the same IP since 1/14/2023: 109.107.166.230. The IP address resolves to server-109-107-166-230.vmbox.cloud, Moscow, Moscow, 109044, Russian Federation.

3/4 were shown as compromised on https://haveibeenpwned.com/. We had about 5 that showed no breach found in their database, but we assume, as others do, that some other database or underground site has them listed and they were used on a fishing expedition.

We placed the IP into our CleanTalk to also block that IP. At this point we have to assume that all 20 accounts are now compromised and flag them as spammers. In checking, aside from the spam posts these accounts have not posted in years anyway.
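A worked version of the check the post above describes, and of the server-log check opentype asked for earlier in the thread: many distinct accounts logging in from one source IP, where those accounts had been dormant for years. This is an added example, not code from the thread or from Invision Community. It assumes a login log exported as comma-separated lines of login timestamp, member id, source IP and the member's previous login timestamp; the records below are constructed, with only the IP address taken from the thread.

```python
"""Flag credential-stuffing style logins in an exported login log.

Added example. Assumed record format (one login per line, constructed here):
    login_timestamp,member_id,source_ip,previous_login_timestamp
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one IP (the one reported in the thread) logging into
# several accounts that had not logged in for years, one account on the same
# IP that was recently active, one ordinary member, and one dormant account
# waking up from an IP nobody else uses.
SAMPLE_LOG = """\
2023-01-14T03:12:44,1017,109.107.166.230,2015-06-02T10:00:00
2023-01-14T03:13:02,2291,109.107.166.230,2016-09-11T18:30:00
2023-01-14T03:13:40,3304,109.107.166.230,2014-01-20T12:05:00
2023-01-15T11:02:10,4410,203.0.113.7,2023-01-14T20:00:00
2023-01-15T11:09:51,5550,109.107.166.230,2017-03-03T09:15:00
2023-01-15T11:10:30,6660,109.107.166.230,2023-01-10T08:00:00
2023-01-15T12:00:00,7770,198.51.100.9,2019-05-05T00:00:00
"""


def parse_log(text):
    """Parse the assumed CSV format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, member, ip, prev = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "member": int(member),
            "ip": ip,
            "prev": datetime.fromisoformat(prev),
        })
    return events


def ips_shared_by_many_accounts(events, min_accounts=3):
    """Return {ip: sorted member ids} for IPs used by at least min_accounts
    distinct members. Shared NAT/VPN egress can trigger this too, so it is a
    lead, not proof."""
    members_by_ip = defaultdict(set)
    for e in events:
        members_by_ip[e["ip"]].add(e["member"])
    return {ip: sorted(m) for ip, m in members_by_ip.items() if len(m) >= min_accounts}


def dormant_reactivations(events, dormant_days=365):
    """Members whose previous login was more than dormant_days before this one."""
    gap = timedelta(days=dormant_days)
    return sorted({e["member"] for e in events if e["ts"] - e["prev"] > gap})


def suspicious_accounts(events, min_accounts=3, dormant_days=365):
    """Dormant accounts that woke up from an IP shared with other accounts:
    the pattern the thread reports. These are the candidates for a forced
    password reset or spammer flag."""
    shared = ips_shared_by_many_accounts(events, min_accounts)
    shared_members = {m for members in shared.values() for m in members}
    return sorted(shared_members & set(dormant_reactivations(events, dormant_days)))


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for ip, members in ips_shared_by_many_accounts(ev).items():
        print(f"{ip}: {len(members)} distinct accounts {members}")
    print("dormant + shared IP:", suspicious_accounts(ev))
```

Member 6660 shares the attacker's IP but was active five days earlier, and member 7770 is dormant but alone on its IP; neither is flagged, which is why the intersection is more useful than either signal on its own. The thresholds are arguments so a board can tune them to its own traffic.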
AlexJ Posted January 17, 2023 29 minutes ago, Malwarebytes Forums said: At this point we have to assume that all 20 accounts are now compromised and flag them as spammers. In checking, aside from the spam posts these accounts have not posted in years anyway. Doesn't doing a forced password reset help? I.e. it sends them an email for resetting the password? Or is that no good? Trying to avoid flagging them as spammers.
greek_parea (Author) Posted January 17, 2023 Anything fixed? Again today, replies.