
Our russian Forum-Spammers

ffupi
Grafter
Posts: 370
Registered: 01-08-2007

Our russian Forum-Spammers

Hello
The number of access attempts by our friends in Russia who feel the need to spam my forum has surged in the last few weeks. They can't do anything, because there is user registration and the hurdle of a captcha to get registered first. The forum is moderated as well, so nothing will be published without having been checked. The .htaccess redirect with banned IPs is also eleven pages long.
I would like to be able to analyse what they are trying to do. AWStats and Webalizer give me some idea, but I would like to follow in more depth what they are up to. What would an experienced user do?
Is there any other way of analysing the traffic?
Of concern to me is the number of pseudo-links from unsavoury webpages which appear in the stats as well. Whenever I go to these pages, there is no link to my page. So I suspect it is a con to get one, as admin, to look these pages up. One even had a Trojan horse installer; as soon as I surfed to this page it tried to install itself. I then even came across a backdoor PHP shell that had been installed on an affiliated webpage, where someone had installed NatWest, Abbey National and Egg spoof webpages - they only could not activate them because PHP was running in safe mode (just to say these three banks did not care whatsoever when I told them and emailed them all the stuff).
I think they try everything to ruin one's perfectly legitimate and proper webpage, and I want to keep a step ahead.
Any ideas or tips?
3 REPLIES
notheruser
Grafter
Posts: 139
Registered: 08-01-2008

Re: Our russian Forum-Spammers

ffupi - you have my sympathy! In a similar vein, I've traced attempted hacks against our company websites, most of which come from Eastern Europe, Russia and China. There's little which can be done about it, unfortunately. Have you considered blocking entire blocks of IPs rather than just individual ones? It seems a shame to block innocent users in some countries because of the spammers, but if more and more people took this action, it might encourage the local authorities to finally take action.
At one stage my employer's network was getting hit by so much spam from addresses in China (tens of emails per second) that our anti-spam system was in danger of crashing, so we just blocked anything with a Chinese IP address at the firewall. Now we may have lost one or two real emails (though I doubt it!), but it solved the problem!
I've said this before - ISPs ought to allow customers to "opt out" of email coming from certain address blocks. If particular countries find that they are having problems communicating with the rest of the world because their email is being dumped, then they will be forced to clamp down on their spammers in order to restore their reputation.
I don't know if PlusNet do anything to ensure their customers who are set up for SMTP mail do not act as open relays - I'd like to think they do.
I doubt that many spammers are trying to lure network admins to their web sites, but you never know - you've highlighted one of the big problems of tracking these guys down. At the end of the day, there's little you can do to stop them even when you do track them down - I'd be inclined to stick to protecting your systems as best you can, and as I mentioned, if you find problems coming from the same places persistently, block chunks of IP addresses.
Prod_Man
Grafter
Posts: 286
Registered: 04-08-2007

Re: Our russian Forum-Spammers

Well you've done everything right so far.
Now you just need to remove Turkish IPs if you run anything like PHPNuke.
What part of the traffic do you need to log?
It can be done; it just depends on what mix of scripts you have,
as in, do you use a CMS or a collection of pre-built scripts and your own code?
For example, if I wanted to look at the GET, POST, time, IP and host at which clients were connecting...
I'd do something along the lines of creating a table '_log' with a few fields:
timedate, ip, host, get, post, ... etc.
You could even enumerate cookies and sessions if anything like that is used.
Make an includable logging PHP file which will log all of it into the table.
Include it into the necessary scripts etc...
Then you can view what's going on, either by phpMyAdmin or make something to list them.
I'm working on a similar setup for my own website for debugging and monitoring purposes.
Not sure if that's what you were after, but it may be a stepping stone.
Jim,
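The includable request logger described in the post above, written out as an added example (this is not Jim's code, nor any forum package's). It assumes PHP with the PDO MySQL driver and a table named `_log` as in the post; the column names, the field-size cap, the redaction list and the `$db` connection details are my own choices. Two points the post does not spell out matter in practice: everything logged is attacker-controlled, so the INSERT uses bound parameters rather than string concatenation (otherwise the logger itself becomes a SQL injection point), and each blob is capped so a spammer cannot fill the database with oversized POST bodies.

```php
<?php
// request_log.php - added example. Include at the top of each forum script whose
// traffic you want to record. Assumed schema (column names are this example's own):
//
// CREATE TABLE _log (
//   id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
//   timedate  DATETIME     NOT NULL,
//   ip        VARCHAR(45)  NOT NULL,      -- wide enough for IPv6
//   host      VARCHAR(255) NOT NULL,
//   script    VARCHAR(255) NOT NULL,
//   method    VARCHAR(8)   NOT NULL,
//   get_data  TEXT         NOT NULL,
//   post_data TEXT         NOT NULL,
//   cookies   TEXT         NOT NULL,
//   ua        VARCHAR(512) NOT NULL,
//   KEY (ip), KEY (timedate)
// );

const LOG_MAX_FIELD    = 4096;   // cap per logged blob; the client controls its size
const LOG_RESOLVE_HOST = false;  // reverse DNS on every hit is slow and easy to abuse
const LOG_REDACT       = ['password', 'passwd', 'pass', 'pwd'];   // never store these

/**
 * Flatten a superglobal ($_GET, $_POST, $_COOKIE) to a bounded JSON string.
 * Secret-looking keys are replaced so the log never holds members' passwords.
 */
function log_pack(array $data): string
{
    foreach ($data as $k => $v) {
        if (in_array(strtolower((string) $k), LOG_REDACT, true)) {
            $data[$k] = '[redacted]';
        }
    }
    $json = json_encode($data, JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE);
    if ($json === false) {
        $json = '{"_error":"unencodable"}';
    }
    // mb_strcut truncates on a byte budget without splitting a UTF-8 sequence.
    return mb_strcut($json, 0, LOG_MAX_FIELD);
}

/** Record the current request in _log using a prepared statement. */
function log_request(PDO $db): void
{
    // REMOTE_ADDR is the TCP peer. X-Forwarded-For is client-supplied and is
    // deliberately ignored unless you sit behind a proxy you control.
    $ip   = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $host = '';
    if (LOG_RESOLVE_HOST) {
        $resolved = gethostbyaddr($ip);       // false on failure
        $host = $resolved === false ? '' : $resolved;
    }

    $stmt = $db->prepare(
        'INSERT INTO _log (timedate, ip, host, script, method, get_data, post_data, cookies, ua)
         VALUES (NOW(), :ip, :host, :script, :method, :get, :post, :cookies, :ua)'
    );
    $stmt->execute([
        ':ip'      => mb_strcut($ip, 0, 45),
        ':host'    => mb_strcut($host, 0, 255),
        ':script'  => mb_strcut($_SERVER['SCRIPT_NAME'] ?? '', 0, 255),
        ':method'  => mb_strcut($_SERVER['REQUEST_METHOD'] ?? '', 0, 8),
        ':get'     => log_pack($_GET),
        ':post'    => log_pack($_POST),
        ':cookies' => log_pack($_COOKIE),
        ':ua'      => mb_strcut($_SERVER['HTTP_USER_AGENT'] ?? '', 0, 512),
    ]);
}

// Usage from a forum script (DSN and credentials are placeholders for this example):
// $db = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'forum_user', 'secret',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// try {
//     log_request($db);
// } catch (PDOException $e) {
//     error_log('request log failed: ' . $e->getMessage());   // never break the page over logging
// }
```

When you "make something to list them", treat every column as hostile: pass each value through `htmlspecialchars()` before printing, otherwise a spammer who sends `<script>` in a form field gets it executed in the admin's browser the moment the log is viewed, which is exactly the lure-the-admin problem raised in the opening post.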
BattleRat
Grafter
Posts: 104
Registered: 01-08-2007

Re: Our russian Forum-Spammers

Let's start off with the correct terminology.
Hacker - writer ... a programmer
cracker = some [Censored] of a script kiddie
It is the Turkish crackers that are concentrating on php-nuke and similar based websites/forums and the generic weaknesses that have been written into them.
You have to also understand that a MySQL database will only hold data that it is told to hold ... no more, no less.
Therefore the weakness is in the scripts that write to your database -- the website/forum where public/anonymous users are allowed write access.
I assume that you have already made your site/forum writeable by registered members only, that you do have a GFX check enabled, and that it is email registration check only.

next step is to download and install Fusion
check out this page
http://www.futurenuke/
Want to be real safe?
Make a .htm website with no database.
If you need a forum, make a .htm website and use one of the free forums that are widely available online.

Also check the IP of attempted cracking ... most attempts at cracking my websites come from inside PlusNet's own network,
which means that somebody, somewhere has already gained inside access to PlusNet's CCGI servers.