opentype Posted January 15, 2023 Posted January 15, 2023 I am getting these too on one site. Seems to be a clever spam attack, since they do not use new accounts. But they do use repeating IP addresses and those t.me links, both of which you could block. SeNioR- 1
AlexWebsites Posted January 15, 2023 Posted January 15, 2023 I got these on two sites as well. What's interetsing is that on one site it was a user who registered in 2015 with no posts and another it was a user who registered in 2016 with multiple posts that were ok until now. Ban IP 109.107.166.230
opentype Posted January 15, 2023 Posted January 15, 2023 They probably use hacked databases from social media sites and login with accounts that use the same data everywhere. Has anyone checked the server logs to see what these IPs are doing?
PPlanet Posted January 15, 2023 Posted January 15, 2023 I have the same on my site. Maybe just a coincidence but one legit member whose account got locked for failed attempts replied to the automatic message to say it had not been him, so that made me think of brute force, but people using the same password elsewhere with a leak sounds more probable.
Ivan Banic Posted January 16, 2023 Posted January 16, 2023 I have them on my site also. I don't know how they managed to log in. I assumed the attacker don't have access to users email, so I forced password change for every user affected. So far, so good...
Marc Posted January 16, 2023 Posted January 16, 2023 I've moved this to our Community Support area where other Invision Community owners will see it and help where they can. It does seem though this is genuinly clever spammers, and there isnt anything specifically wrong there.
SeNioR- Posted January 16, 2023 Posted January 16, 2023 (edited) 22 hours ago, greek_parea said: They logged into some old inactive account. From a short research you can see that the accounts are 5 or even 10 years old. They didn't reset the password. I wonder how they check if an account exists in the database. Probably some scraping bot. Many forums have been attacked not only on the IC but also on phpBB or vBulletin. Google > "t.me/pump_upp" or "Verifpro.net" Edited January 16, 2023 by SeNioR-
AlexWebsites Posted January 16, 2023 Posted January 16, 2023 Got another one today. The IP Ban setting was not followed and they still used the IP to login and post. I added it to my cloudflare firewall as a rule for now.
loccom Posted January 16, 2023 Posted January 16, 2023 We have seen a few issues with old accounts being used. Some account were comprimised ages ago with a U.S IP and posted spam in a section that is rarely used, then today a russian IP logged in and followed the posts using the same account that posted the spam in the first place. Very odd why they did this. We will do the following Stronger password requirement configured Force password reset on accounts older than 6 months of last login. 2 Factor question on all accounts 2 factor using either sms or Authenticator for mods and admins Turn on email notifications for logins from a different computer / phone CleanTalk (already set up and works a charm) Transporterama 1
Mikorist Posted January 16, 2023 Posted January 16, 2023 On 1/15/2023 at 2:54 PM, greek_parea said: Same here too. After update to 4.7.6. Another forum that is not updated does not have this problem.
Grant_B Posted January 16, 2023 Posted January 16, 2023 1 minute ago, Mikorist said: Same here too. After update to 4.7.6. Another forum that is not updated does not have this problem. We had the same start at the backend of last week prior to updating to 4.7.6 so I don't think it's linked to the update, just coincidental timing.
Mikorist Posted January 16, 2023 Posted January 16, 2023 I have never had anything like this in 12 years. I've had spam users but never like this. dutchsnowden 1
opentype Posted January 16, 2023 Posted January 16, 2023 (edited) As was shown before, many platforms were hit, so there is no reason to assume it is related to IPS or a specific version. Edited January 16, 2023 by opentype
Mikorist Posted January 16, 2023 Posted January 16, 2023 (edited) I cannot reproduce where the problem is. Except that I see that the IP address is from Russia. It simply takes over various users who were never spammers. It looks like some kind of SQL injection. I made paranoid protection on the forum. And now it has eased a bit. Otherwise, spam goes every 10 minutes... https://securityheaders.com/?q=diyaudio.rs&hide=on&followRedirects=on Edited January 16, 2023 by Mikorist
Mikorist Posted January 16, 2023 Posted January 16, 2023 7 minutes ago, Mikorist said: I cannot reproduce where the problem is. Except that I see that the IP address is from Russia. It simply takes over various users who were never spammers. It looks like some kind of SQL injection. I made paranoid protection on the forum. And now it has eased a bit. Otherwise, spam goes every 10 minutes... https://securityheaders.com/?q=diyaudio.rs&hide=on&followRedirects=on Onother part on Nginx location / { try_files $uri $uri/ /index.php$is_args$args; if ($http_user_agent ~* "(java)") {return 404;} if ($http_user_agent ~* "(winhttp|HTTrack|clshttp|archiver|loader)") {return 404;} if ($http_user_agent ~* "(email|harvest|extract|grab|miner)") {return 404;} if ($http_user_agent ~* "(libwww-perl|python|nikto|scan)") {return 404;} ## Block SQL injections set $block_sql_injections 0; if ($query_string ~ "union.*select.*\(") { set $block_sql_injections 1; } if ($query_string ~ "union.*all.*select.*") { set $block_sql_injections 1; } if ($query_string ~ "concat.*\(") { set $block_sql_injections 1; } if ($block_sql_injections = 1) { return 403; } ## Block file injections set $block_file_injections 0; if ($query_string ~ "[a-zA-Z0-9_]=https://") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { set $block_file_injections 1; } if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { set $block_file_injections 1; } if ($block_file_injections = 1) { return 403; } ## Block common exploits set $block_common_exploits 0; if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { set $block_common_exploits 1; } if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { set $block_common_exploits 1; } if ($query_string ~ "proc/self/environ") { set $block_common_exploits 1; } if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { set $block_common_exploits 1; } if ($query_string ~ "base64_(en|de)code\(.*\)") { set $block_common_exploits 1; } if ($block_common_exploits = 1) { return 403; }
DawPi Posted January 16, 2023 Posted January 16, 2023 The same. I have latest IPS4, active antispam and by board is under attack by the last few days.
Mikorist Posted January 16, 2023 Posted January 16, 2023 (edited) I also changed ciphers according to Probely's advice. server { listen 443 ssl; ... ssl_protocols TLSv1.2 TLSv1.3; ... } TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHERSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHERSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128- SHA256 Edited January 16, 2023 by Mikorist SeNioR- 1
Xeite Posted January 16, 2023 Posted January 16, 2023 (edited) I have similar problem since like a week or two, same type of spam. From old and recent forum users. I'm not sure what to do, and why I have this. Was my forum hacked or it's something else? Shall I Force Password Reset on all users? btw. what message will be emailed to all users if I do? Will there be info that database was hacked? I hope not, users will freak out and blame me. Is there a way to edit a template for such email just in case? Edited January 16, 2023 by Xeite
Luuuk Posted January 16, 2023 Posted January 16, 2023 3 hours ago, DawPi said: The same. I have latest IPS4, active antispam and by board is under attack by the last few days. Also Polish board here under the same type of attack. Since last days hundreds / thousands foreigner bots are "scanning" my forum. After blocking IPs "new set" is in the play. Today first old legit account has been shown as "hijacked" and posted an obvious spam. But I still am on older 4.6.12.1 so I don't think it has anything to do with the IPS version.
PPlanet Posted January 16, 2023 Posted January 16, 2023 3 hours ago, Xeite said: I have similar problem since like a week or two, same type of spam. From old and recent forum users. I'm not sure what to do, and why I have this. I'd say, ban that IP address to start with (They may get another one though but it will slow them down). If you don't use Cloudflare you can ban IP addresses in your .htaccess file. Also force the users whose accounts have been hacked to change password (click to change their passwords yourself and there you'll find that option) 6 hours ago, Grant_B said: We had the same start at the backend of last week prior to updating to 4.7.6 so I don't think it's linked to the update, just coincidental timing. That's correct, I can confirm that too. It started before I upgraded to the latest version.
Malwarebytes Forums Posted January 17, 2023 Posted January 17, 2023 We had 20 accounts that have logged into the forums from the same IP since 1/14/2023 109.107.166.230 The IP address resolves to server-109-107-166-230.vmbox.cloud Moscow, Moscow, 109044, Russian Federation 3/4 were shown compromised on https://haveibeenpwned.com/ We had about 5 that showed no breach found in their database, but assume as others that some other database or underground site has them listed and were used on a fishing expedition. We placed the IP into our Clean Talk to also block that IP At this point we have to assume that all 20 accounts are now compromised and flag them as spammers. In checking, aside from the spam posts these accounts have not posted in years anyways.
AlexJ Posted January 17, 2023 Posted January 17, 2023 29 minutes ago, Malwarebytes Forums said: At this point we have to assume that all 20 accounts are now compromised and flag them as spammers. In checking, aside from the spam posts these accounts have not posted in years anyways. Doesn't doing force password reset helps? i.e. it sends an email to them for resetting password? OR that's no good? Trying to avoid flagging them as spammers.
greek_parea Posted January 17, 2023 Author Posted January 17, 2023 anything fixed? again today replys
Recommended Posts