Spammers posting through existing accounts with no need to login?

[pattycake2]

As we have noticed, these are dormant accts. I had another yesterday, again, dormant. Got to thinking... these dormant accts have never seen my xenforo site - they were imported from my vb conversion. That tells me me the breach is from a long time ago... well before I converted to XF. How many more of you converted to XF from vb, phpbb, or others?

btw: all of my incidents came from the same ip address. I originally banned the ip address, but have now un-banned it so I cam see if other usernames are exposed. On the ones that were hacked, all I did was manually change their password so I would see them in failed logins - did not change any levels

 

[alexm]

As we have noticed, these are dormant accts. I had another yesterday, again, dormant. Got to thinking... these dormant accts have never seen my xenforo site - they were imported from my vb conversion. That tells me me the breach is from a long time ago... well before I converted to XF. How many more of you converted to XF from vb, phpbb, or others?

btw: all of my incidents came from the same ip address. I originally banned the ip address, but have now un-banned it so I cam see if other usernames are exposed. On the ones that were hacked, all I did was manually change their password so I would see them in failed logins - did not change any levels

My one wasn't that dormant... he last posted late December, so a month. The account had been registered since 2012 though and the chances are, he didn't update his password!

 

[MerryDay]

It is, I feel, extremely unlikely anything more than a small percentage of your users will be affected, and, on balance, given the likely vector of the attack (a potentially aged data breach from decades gone by), will only likely affect long dormant accounts.

This isn't true. They are not all "dormant". A few of the accounts were set up as recently as 12mths ago. Some had posts as recent as 12mths ago.
All the spam comes from the Moldova IP: 109.107.166.230

And no, we have never had spam infiltrate our forum that Xenforo did not give as a method to manage.
Currently, spam filters:
/crypto*/i
/crypto/
crypto
/pump/
pump
set to reject is catching most of it.

It would help if we had the ability to have some filters set to reject and some filters that we could manually approve.

 

[Wildcat Media]

That tells me me the breach is from a long time ago... well before I converted to XF. How many more of you converted to XF from vb, phpbb, or others?

I converted a few forums to XF, but that was back around 2011, give or take several months. And the accounts posted to were all newer than the conversion, but, none were for accounts newer than a couple of years at the most.

It's possible that we are also seeing different spammers here--some may be using information from older breaches, where others may use data from newer breaches. I only get the impression that since one spammer has had success with it, we'll be seeing a lot more.

 

[Rhody]

I doubt it has ANYTHING to do with Xenforo. Theyre hitting other brands of forum software, as well as Wordpress. It's the DATA that they are using, IMO.

I still havent had even one on my 2 XF forums, but I have member profiles unavailable for viewing for unregistered. I think that may be a factor, and that maybe the script looks up name matches there before an attempt. I could be wrong, too. It wouldn't be the first time

 

[Wildcat Media]

I doubt it has ANYTHING to do with Xenforo. Theyre hitting other brands of forum software, as well as Wordpress. It's the DATA that they are using, IMO.

IP 109.107.166.230 spam report. Blacklists & IP abuse DB

IP 109.107.166.230 has spam activity on 533 websites, history spam attacks. AS56380 spam rate 3.09%. IP Address spam activity, Whois Details, IP abuse report. Learn more.

cleantalk.org

Yep. I looked at this list a few days ago and like today, the past 50 events logged here (scroll down the page a bit) are all different forum/discussion/blog platforms. Today there are phpBB and vB sites listed among the top 50--there were a handful of Xenforo sites when I checked it earlier this week. It's hitting everyone. Any place a bot can log in and post their spam is a target.

I still havent had even one on my 2 XF forums, but I have member profiles unavailable for viewing for unregistered.

Every forum I manage has member profiles blocked for guest viewers, yet they were hit.

They really don't need to view it. They can simply hit a login form with the data and see if they get in or not. If not, they move on.

 

[sunsky7]

That tells me me the breach is from a long time ago... well before I converted to XF. How many more of you converted to XF from vb, phpbb, or others?

Some sites are seeing spam from accounts created in late 2021.

 

[pattycake2]

Some sites are seeing spam from accounts created in late 2021.

this exact spam.... from ip address 109.107.166.230, with the pump_upp spam?

 

[JamesBrown]

This bot is gently probing with at least a couple hours between tries to guess a users name. It's tried about a dozen times to login as Duglss*** Thing is, we do have a Duglas***. but he was banned for spamming in 2018. So even if they guess right they won't be able to post or change a profile.

 

[MySiteGuy]

Its not necessarily as much of a brute force attack on your server as some might think. A search engine query will tell them which sites any particular username is on.

 

[jeb35]

E-mail: corne27@outlook.com

I say everybody start spamming that email lol

 

[MySiteGuy]

Some sites are seeing spam from accounts created in late 2021.

Its likely an aggregate database compiled from countless breaches over the years.

 

[pattycake2]

Its not necessarily as much of a brute force attack on your server as some might think. A search engine query will tell them which sites any particular username is on.

how? what are you putting in a search to see this?

 

[sunsky7]

how? what are you putting in a search to see this?

"A search engine query will tell them which sites any particular username is on."

A bot can search Google for usernames that match the usernames with known passwords in a database file.

 

[beerForo]

My sites do not allow username login only email/password so I would assume they have the emails as well as usernames, or do not have usernames at all. There is no way to check how they logged in with XF, correct?

 

[pattycake2]

"A search engine query will tell them which sites any particular username is on."

A bot can search Google for usernames that match the usernames with known passwords in a database file.

i'd like to see that search query so I can test it myself for my 7 exploited members

 

[z3r010]

My sites do not allow username login only email/password so I would assume they have the emails as well as usernames, or do not have usernames at all. There is no way to check how they logged in with XF, correct?

They must have usernames as my vbulletin sites were hit at the same time and they are username only.

 

[pattycake2]

My sites do not allow username login only email/password so I would assume they have the emails as well as usernames, or do not have usernames at all. There is no way to check how they logged in with XF, correct?

lemme go look at my raw log files and see if I can tell

 

[nocte]

There is no way to check how they logged in with XF, correct?

well, with the DBT Security addon I had mentioned you can at least monitor how they try to login in (with the failed logins log).

 

[beerForo]

With my site it is email only since I have an add-on, but just wondering for other XF sites if they are using the email or username to log in as that information may be helpful.