Spammers posting through existing accounts with no need to login?

As we have noticed, these are dormant accts. I had another yesterday, again, dormant. Got to thinking... these dormant accts have never seen my xenforo site - they were imported from my vb conversion. That tells me me the breach is from a long time ago... well before I converted to XF. How many more of you converted to XF from vb, phpbb, or others?

btw: all of my incidents came from the same ip address. I originally banned the ip address, but have now un-banned it so I cam see if other usernames are exposed. On the ones that were hacked, all I did was manually change their password so I would see them in failed logins - did not change any levels
 
As we have noticed, these are dormant accts. I had another yesterday, again, dormant. Got to thinking... these dormant accts have never seen my xenforo site - they were imported from my vb conversion. That tells me me the breach is from a long time ago... well before I converted to XF. How many more of you converted to XF from vb, phpbb, or others?

btw: all of my incidents came from the same ip address. I originally banned the ip address, but have now un-banned it so I cam see if other usernames are exposed. On the ones that were hacked, all I did was manually change their password so I would see them in failed logins - did not change any levels
My one wasn't that dormant... he last posted late December, so a month. The account had been registered since 2012 though and the chances are, he didn't update his password!
 
It is, I feel, extremely unlikely anything more than a small percentage of your users will be affected, and, on balance, given the likely vector of the attack (a potentially aged data breach from decades gone by), will only likely affect long dormant accounts.
This isn't true. They are not all "dormant". A few of the accounts were set up as recently as 12mths ago. Some had posts as recent as 12mths ago.
All the spam comes from the Moldova IP: 109.107.166.230

And no, we have never had spam infiltrate our forum that Xenforo did not give as a method to manage.
Currently, spam filters:
/crypto*/i
/crypto/
crypto
/pump/
pump
set to reject is catching most of it.

It would help if we had the ability to have some filters set to reject and some filters that we could manually approve.
 
That tells me me the breach is from a long time ago... well before I converted to XF. How many more of you converted to XF from vb, phpbb, or others?
I converted a few forums to XF, but that was back around 2011, give or take several months. And the accounts posted to were all newer than the conversion, but, none were for accounts newer than a couple of years at the most.

It's possible that we are also seeing different spammers here--some may be using information from older breaches, where others may use data from newer breaches. I only get the impression that since one spammer has had success with it, we'll be seeing a lot more.
 
I doubt it has ANYTHING to do with Xenforo. Theyre hitting other brands of forum software, as well as Wordpress. It's the DATA that they are using, IMO.

I still havent had even one on my 2 XF forums, but I have member profiles unavailable for viewing for unregistered. I think that may be a factor, and that maybe the script looks up name matches there before an attempt. I could be wrong, too. It wouldn't be the first time :)
 
I doubt it has ANYTHING to do with Xenforo. Theyre hitting other brands of forum software, as well as Wordpress. It's the DATA that they are using, IMO.

Yep. I looked at this list a few days ago and like today, the past 50 events logged here (scroll down the page a bit) are all different forum/discussion/blog platforms. Today there are phpBB and vB sites listed among the top 50--there were a handful of Xenforo sites when I checked it earlier this week. It's hitting everyone. Any place a bot can log in and post their spam is a target.

I still havent had even one on my 2 XF forums, but I have member profiles unavailable for viewing for unregistered.
Every forum I manage has member profiles blocked for guest viewers, yet they were hit.

They really don't need to view it. They can simply hit a login form with the data and see if they get in or not. If not, they move on.
 
This bot is gently probing with at least a couple hours between tries to guess a users name. It's tried about a dozen times to login as Duglss*** Thing is, we do have a Duglas***. but he was banned for spamming in 2018. So even if they guess right they won't be able to post or change a profile.

1674250808844.png
 
Last edited:
Its not necessarily as much of a brute force attack on your server as some might think. A search engine query will tell them which sites any particular username is on.
 
My sites do not allow username login only email/password so I would assume they have the emails as well as usernames, or do not have usernames at all. There is no way to check how they logged in with XF, correct?
 
"A search engine query will tell them which sites any particular username is on."

A bot can search Google for usernames that match the usernames with known passwords in a database file.
i'd like to see that search query so I can test it myself for my 7 exploited members
 
My sites do not allow username login only email/password so I would assume they have the emails as well as usernames, or do not have usernames at all. There is no way to check how they logged in with XF, correct?
They must have usernames as my vbulletin sites were hit at the same time and they are username only.
 
With my site it is email only since I have an add-on, but just wondering for other XF sites if they are using the email or username to log in as that information may be helpful.
 
Last edited:
Top Bottom