Spammers posting through existing accounts with no need to log in?

Hit by this today, same IP, old account with real posts. Does banning the IP do it? Or wasn't there some fix in one of these posts, a file?
The accesses on two forums I was monitoring all used the same Moldova IP address, so this stopped the immediate threat. But yeah...beyond today, I have a feeling this will grow like wildfire, now that a new method has been put into use.

The OzzModz add-on has already blocked login attempts, and all are from different IP addresses. Were they the same spambot? No idea. But to me, any unauthorized access is unwanted, so, good riddance!
 
The OzzModz add-on has already blocked login attempts, and all are from different IP addresses. Were they the same spambot? No idea. But to me, any unauthorized access is unwanted, so, good riddance!

Very possible it’s the same bot program, they can appear as being from any IP
 
If these logins and passwords have been compromised, it may be helpful to allow the spammer to do their thing so you know which accounts need to be reset.
Keeping them out completely is best. But the whole incident does make me want to expand on your idea and reset the passwords on all the dormant accounts. I think one of my add-ons can do that (Dragonbytes Security?), or maybe XF can do it also.

It might also do well for XF to incorporate a new password policy system where we can perhaps automatically expire a password that hasn't been accessed for a period of our choosing (one year, for example). We might need a disclaimer during registration telling new members that if they don't access their accounts after X number of days/years/months that the password will automatically be reset.
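
An added example, not part of any post in this thread and not XenForo or add-on code: one way to turn the dormant-account idea above into a check over login records. It flags accounts that log in after a long idle period and groups them by source IP. The one-year threshold, the record layout and all sample values are assumptions, constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=365)  # assumed policy: idle for a year or more

# Constructed data: last activity recorded before the suspicious logins.
LAST_SEEN = {
    "alice": datetime(2015, 6, 1),
    "bob": datetime(2017, 3, 12),
    "carol": datetime(2023, 1, 17),
    "dave": datetime(2012, 11, 30),
}
# Constructed login events (time, user, IP); IPs are documentation ranges.
LOGINS = [
    (datetime(2023, 1, 19, 8, 1), "alice", "203.0.113.7"),
    (datetime(2023, 1, 19, 8, 2), "bob", "203.0.113.7"),
    (datetime(2023, 1, 19, 9, 30), "carol", "198.51.100.20"),
    (datetime(2023, 1, 19, 11, 5), "dave", "192.0.2.44"),
]

def flag_dormant_logins(last_seen, logins, dormant_after=DORMANT_AFTER):
    """Map each account that logged in after a long idle period to the first IP used."""
    flagged = {}
    for ts, user, ip in sorted(logins):
        prev = last_seen.get(user)
        if prev is not None and ts - prev >= dormant_after:
            flagged.setdefault(user, ip)
    return flagged

def shared_ips(flagged, min_accounts=2):
    """Source IPs that woke up several dormant accounts (the single-server case)."""
    by_ip = defaultdict(set)
    for user, ip in flagged.items():
        by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= min_accounts}

if __name__ == "__main__":
    flagged = flag_dormant_logins(LAST_SEEN, LOGINS)
    print("reset candidates:", sorted(flagged))
    print("shared source IPs:", shared_ips(flagged))
```

Every flagged account is a password-reset candidate whatever IP it came from; the per-IP grouping only shows when one host is working through a list.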
 
Very possible it’s the same bot program, they can appear as being from any IP
I'd bet it's the same also. 👍 This single Moldovan server woke a lot of us up to the exploit, but I agree--now that it has proven to work, we'll see a lot more of the same exploit from all over the world.

Well, some of us will see it...but others who install the (cough) right add-on (cough) have already dealt with it. 😁
 
Banning the IP is just a temporary bandaid. If these logins and passwords have been compromised, it may be helpful to allow the spammer to do their thing so you know which accounts need to be reset.
agree - i have un-banned the ip. gonna see how many more he's got
 
I don't see it as a huge deal, they are effectively giving themselves away with each post. Simply delete the post and force password reset on that account. Wash, rinse, and repeat if it happens again. Eventually all the weak passwords will be weeded out.

Mind you that is ok for smaller forums, for larger forums that might be a task and a half.
 
I don't see it as a huge deal, they are effectively giving themselves away with each post. Simply delete the post and force password reset on that account. Wash, rinse, and repeat if it happens again. Eventually all the weak passwords will be weeded out.

Mind you that is ok for smaller forums, for larger forums that might be a task and a half.

170,000 members, 6 million posts over the last 20+ years... yep, - a task and a half
 
I have some of the OzzModz addons installed and when I look at the logs the vast majority of all nefarious activity comes from two IP addresses

33.139.53.81 & 33.139.53.82

I get a lot of crap from India too but these two IP addresses are spending way too much time snooping on my site. Been watching them for days hit every link they can including contact form, logins etc.
 
I get a lot of crap from India too but these two IP addresses are spending way too much time snooping on my site. Been watching them for days hit every link they can including contact form, logins etc.
How are you watching them to know what they have been doing? Another add-on to log actions ??
 
I get a lot of crap from India too but these two IP addresses are spending way too much time snooping on my site. Been watching them for days hit every link they can including contact form, logins etc.

I don't seem to get a lot of activity on this one forum in terms of spammers, but I also set up two lists of IP address blocks I generated and exported as text files at ip2location.com and inserted them into my firewall (using ipset and iptables), so I have a lot of countries blocked already. But with Cloudflare between us and the Internet, I don't know how effective that is anymore. I have set up challenges at Cloudflare to slow them down, but blocking IPs isn't possible unless it's through a paid account.
 
I have some of the OzzModz addons installed and when I look at the logs the vast majority of all nefarious activity comes from two IP addresses

33.139.53.81 & 33.139.53.82

I get a lot of crap from India too but these two IP addresses are spending way too much time snooping on my site. Been watching them for days hit every link they can including contact form, logins etc.


I get a lot of crap caught by @Ozzy47's 'Contact Us Log' from that datacentre 🤔

 
I went to use the Batch User Update to apply a security lock to all users who have not logged in since 1/1/2020, it found 6,000 users, and said it updated them, but didn't actually apply the security lock to those users. XenForo says this is a bug that will be fixed in the next release and they don't have a workaround, but surely there is a MySQL statement that could safely be applied to address this?
 
I went to use the Batch User Update to apply a security lock to all users who have not logged in since 1/1/2020, it found 6,000 users, and said it updated them, but didn't actually apply the security lock to those users. XenForo says this is a bug that will be fixed in the next release and they don't have a workaround, but surely there is a MySQL statement that could safely be applied to address this?
I've run it over 500k members without issue.
I don't know what criteria is triggering that bug but I'm running latest XF version and not impacted.
 
I've run it over 500k members without issue.
I don't know what criteria is triggering that bug but I'm running latest XF version and not impacted.
I got a support message confirming the bug for batch updating users and that it will be fixed in the next release.
 