Bot hacking targeting xenforo and others

rosal

Active member
Since 3 January 2021 there is a bot targeting some platforms:

  • Xenforo 1.5x
  • Xenforo 2.x
  • Wordpress
  • phpBB
  • IPS Community Suite

The bot enters accounts and sometimes changes passwords.

IP- 178.137.16.56
Email - leonsio@gmail.com

Search for this IP in your forum to check if your forum has been targeted.


At this moment I don't know how the bot has the login data for the user accounts.


References on the internet:
 
I have three users who recorded that IP this week. One registered in 2004, one in 2010, one in 2016.

Just because you have that IP in your logs doesn't automatically mean you have issues.
 
Hmmm... I automatically delete IP usage data after 4 days and still I got 24 users matching the IP.
 
No records of IP-178.137.16.56 exist on my forum.
@woody: 3 members from the Ukraine?

My site is largely based around Toyota SUVs... a global product with a global audience. 33,752 unique visitors yesterday, only 63% of those US.
 
Hmmm... I automatically delete IP usage data after 4 days and still I got 24 users matching the IP.
Something is going on...

Maybe the bot is using login data from other data breaches, or it is something new related to a security breach in xenforo, because it is affecting old users!
 
A lot of people use VPNs and proxies, and they might appear to come from the same IP if they use the same service.

If you're using the tools built in (like stopforumspam), it should identify and block any bad registrants. They currently only have 3 reports from that IP, but it's enough to block it from registering. https://www.stopforumspam.com/ipcheck/178.137.16.56

That particular IP would appear to be a mobile phone carrier in or near Kyiv City, Ukraine.
 
We run very different forum systems (1 large, and 1 very small niche one) and both have been visited by this bot since at least as far back as Jan 2. 2 POSTs to add-reply, 19 to login, and 670 GETs. Timing between GETs, or even between GET login and then POST (<= 1 second), shows nothing good from this location. /admin.php?users/ip-users shows 3 accounts confirmed compromised (2 well known users, 1 probationary without even posting access yet).

To add to the voices: BLOCK THIS IP.

rosal -- thank you for opening this thread. Without seeing it, this might have gone unnoticed longer...
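An added example, not code from anyone in this thread, of the kind of log review the post above describes: it parses constructed Apache-style access log lines, counts GETs, POSTs to login and POSTs to add-reply per IP, and flags an IP whose GET of the login page is followed by a POST login within one second (too fast for a person). The XenForo-like paths, timestamps and the second IP are assumptions made up for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined-log style. The first IP is the one
# reported in the thread; timestamps, paths, sizes and the second IP are made up.
SAMPLE_LOG = """\
178.137.16.56 - - [03/Jan/2021:10:15:01 +0000] "GET /login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
178.137.16.56 - - [03/Jan/2021:10:15:01 +0000] "POST /login/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
178.137.16.56 - - [03/Jan/2021:10:15:03 +0000] "GET /login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
178.137.16.56 - - [03/Jan/2021:10:15:04 +0000] "POST /login/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
178.137.16.56 - - [03/Jan/2021:10:15:09 +0000] "POST /threads/42/add-reply HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2021:10:20:00 +0000] "GET /login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2021:10:20:41 +0000] "POST /login/login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, path, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def analyze(log_text, fast_seconds=1.0, login_threshold=10):
    """Per-IP counts of GETs, POSTs to login, POSTs to add-reply, and GET-login ->
    POST-login pairs completed within fast_seconds (a hint of automation)."""
    stats = defaultdict(lambda: {"gets": 0, "post_login": 0, "post_reply": 0,
                                 "fast_logins": 0, "suspicious": False})
    last_get_login = {}  # ip -> time of the most recent GET of the login page
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on them
        ip, ts, method, path, _status = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        s = stats[ip]
        if method == "GET":
            s["gets"] += 1
            if path.startswith("/login"):
                last_get_login[ip] = t
        elif method == "POST" and path.startswith("/login"):
            s["post_login"] += 1
            prev = last_get_login.get(ip)
            if prev is not None and (t - prev).total_seconds() <= fast_seconds:
                s["fast_logins"] += 1
        elif method == "POST" and "add-reply" in path:
            s["post_reply"] += 1
        s["suspicious"] = s["post_login"] >= login_threshold or s["fast_logins"] > 0
    return dict(stats)


def flagged_ips(log_text):
    """IPs worth checking against the admin IP-users page, sorted for stable output."""
    return sorted(ip for ip, s in analyze(log_text).items() if s["suspicious"])
```

Run it over a real access log (one line per request, same format) and feed the flagged IPs into the IP-users lookup the post mentions to see which accounts logged in from them.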
 
I've been watching the bot since the FP's hint appeared.
One should see this bot as a danger.

The bot is currently comparing accounts and passwords found in hacker databases to determine whether they can be used. If he finds such old accounts, he sometimes only changes the password. But he also creates profile postings to test whether the account can be used for writing.

I suspect that this is just a test and the bot verifies data in order to later actively spam with these accounts, also under other IP addresses.

Here, as an example, is an account that has been inactive for 8 years and has now been taken over by the bot ...

Therefore it is nonsense to block the IP. So you miss the opportunity to see which old user accounts may have been compromised and are in hacker databases. These could then also be misused by other IPs.
 
The bot is currently comparing accounts and passwords found in hacker databases to determine whether they can be used.
If it is automation, our Login Spaminator will stop it from logging in to any account you have on your board.

-- James with OzzModz/Snogs
 
The bot is currently comparing accounts and passwords found in hacker databases to determine whether they can be used. If he finds such old accounts, he sometimes only changes the password. But he also creates profile postings to test whether the account can be used for writing.
I found this IP myself (before seeing this post) when a spam post appeared in a profile from a long-time user by a long-time user. 2 users had been using this IP. I informed those users and blocked the IP.
 
If it is automation, our Login Spaminator will stop it from logging in to any account you have on your board.

-- James with OzzModz/Snogs

The bot is not only automated.
In larger forums, one person tries to get access.
I conclude that from the procedure that "the bot" used the headings "test" and "i'm in ..." in its first tests (profile posting). Only real people do that. :)
 
The bot is not only automated.
In larger forums, one person tries to get access.
I conclude that from the procedure that "the bot" used the headings "test" and "i'm in ..." in its first tests. Only real people do that. :)
After login. Which is beside my point. Then if it's not a bot doing that in bold, if that's from a human, we still assume it is automation doing the brute force login work. Or is it some dude trying 100s maybe even 1000s of passwords manually? You can't know. Login Spaminator stops it and proves it, IF it is done via automation.

IP addresses aren't revealing. Those can be easily spoofed. So can user agent strings.
 