Spammers posting through existing accounts with no need to login?

[ActorMike]

We blocked the IP on our firewall since they are hitting Wordpress sites as well according to https://cleantalk.org/blacklists/109.107.166.230

I installed Password Tools 3.7.4 and followed these instructions from @Xon to avoid compromised accounts from being leveraged- https://xenforo.com/community/threads/password-tools.154256/post-1609749

There are other scammer IP'S as well according to @Ludachris - https://xenforo.com/community/threads/password-tools.154256/post-1609790

 

[Max Taxable]

We blocked the IP on our firewall since they are hitting Wordpress sites as well according to https://cleantalk.org/blacklists/109.107.166.230

Can confirm these logins are being done via automation, having been seeing these IP addresses showing up in the login Spaminator logs of each site I admin/manage. No successful logins on any of the sites.



EDIT TO ADD: They're also putting the same link as posted earlier, into the fake captcha trap of the Spaminator add-on.

 

[Wildcat Media]

Welp, two different XenForo forums, and both were hit by the Moldova IP. Same M.O. as well--find a dormant account, and log in. Since the other thread also shows three addresses from the Netherlands (with one of them having a .ru hostname), I'll block those also, even though we have legitimate users from the Netherlands.

 

[Wildcat Media]

EDIT TO ADD: They're also putting the same link as posted earlier, into the fake captcha trap of the Spaminator add-on.

Maybe we shouldn't show Spaminator's hand on this one. But yeah...I think OzzModz is going to get a few sales (including yours truly) after this incident.

 

[Max Taxable]

Maybe we shouldn't show Spaminator's hand on this one. But yeah...I think OzzModz is going to get a few sales (including yours truly) after this incident.

Wasn't trying to promote the product, just giving what Intel I had. Was kind of cool to see it stopped this nonsense dead

 

[StarArmy]

2 accounts affected on my forum. Same Moldovan IP.

 

[Wildcat Media]

Wasn't trying to promote the product, just giving what Intel I had. Was kind of cool to see it stopped this nonsense dead

It was good promotion nonetheless. I just bought the Login and Registration Spaminators myself. I was on the fence about the Login Spaminator but now, having seen that it would have worked on this particular spam, I decided I'd better get it, as some of the staff can get confused and start banning members that they really shouldn't.

 

[webbouk]

We had 13 compromised accounts too. All security locked and banned ip 109.107.166.230

Set the IP address to 109.107.166.* and it will block a wider range of addresses from the same source should it change

Another range to add 119.193.199.* - forum spammer located in Korea

 

[Mr. Jinx]

Seeing as this has been affecting so many boards, maybe this will help - will set users to either require email confirmation or force a password reset (or both) after a specified time.

Hhow does this work exactly?
If I enable this, and have 10.000 users that are inactive for the last 180 days, will it send a password reset email to all of them at once?
I ask this because my mail provider probably won't like that. So I'll have to do it in smaller batches.

 

[Stuart Wright]

Same here. Several accounts compromised and posting spam using 109.107.166.230

 

[Stuart Wright]

Hhow does this work exactly?
If I enable this, and have 10.000 users that are inactive for the last 180 days, will it send a password reset email to all of them at once?
I ask this because my mail provider probably won't like that. So I'll have to do it in smaller batches.

Most likely when they next visit, they will be informed that they need to reset their password and there will be a button to do so.

 

[BassMan]

Another victim here. I'll try to lock account with password reset. For now I've banned them.

 

[Mr. Jinx]

Seeing as this has been affecting so many boards, maybe this will help - will set users to either require email confirmation or force a password reset (or both) after a specified time.

If I set it to 180 days, I get a server 500 error. If I use a bigger time frame, like 5000 days, then it works.

 

[high1976]

If I set is to 180 days, I get a server 500 error. If I use a bigger time frame, like 5000 days, then it works.

just restart the cron job manually til all accounts are checked

 

[benFF]

I got tired of dealing with this, over a thousand to sort out.

Xons password tools didn't work as I guess these accounts only had a single compromise (it checks for at least 3 as default)

Purchased ozzymodz login spaminator a few hours ago and nothing has gotten through since.

 

[puterfixer]

#metoo 2 accounts compromised last night and yesterday, same pattern - existing account with little activity (although one is commonly used for reading), spam messages from the VM hosting service provider in Chișinău, Moldova.

Band-aid fix: banned the IP for now and invalidated the compromised accounts to force a password reset.

The active account replied to my PM confirming reinstating their account.

No idea so far if it was just poor password strength exploited through brute force, or shared password among other sites which got leaked. Both accounts' e-mails are reported as part of leaks on HaveIBeenPwned.com but in different leaks.

Having just checked the access logs, the activity of the spammer seems to navigate through the forums a bit then to attempt to create some threads and to reply to some existing threads. No changes were done to the accounts' profile.

The two accounts breached reported different user-agents for the spam posts:
Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46

The spammer also made a weak attempt to hit the WordPress site, without success. iThemes Security plugin does a wonderful job at detecting brute force login attempts there.

 

[Suzanne O]

Set the IP address to 109.107.166.* and it will block a wider range of addresses from the same source should it change

Another range to add 119.193.199.* - forum spammer located in Korea

that will only block one ip address.
range ban the 109 part

 

[BassMan]

Another victim here. I'll try to lock account with password reset. For now I've banned them.

To add, on a forum with Spaminator from @Ozzy47 no one got through. I can see Korean IP's are blocked, several per hour.

 

[puterfixer]

range ban the 109 part

Let me introduce you to RIPE.net / ARIN.net / APNIC.net that govern the IPv4 space and allocate subnets to different organizations in non-contiguous blocks.

The source IP 109.107.166.230 is part of the subnet 109.107.166.0/24 allocated to Dmytro Nedilskyi in Ukraine. So far there are no indications that you need to extend the ban from the single IP to the entire subnet, yet alone to an even broader class. The entire 109.0.0.0/8 as you suggested would cover a LOT of completely random and unrelated organizations. Why?

I mean, I know you guys down there do things slightly differently but this time it's just a mosquito and you want to nuke it from orbit...

 

[z3r010]

When I get spammers like this coming from a datacenter I generally just ban the provider's AS number with Cloudflare and not have to worry about them changing IP's.