1
dreamgear
WARNING! someone may be systematically attacking unpatched xoops sites!
  • 2005/8/16 20:56

  • dreamgear

  • Friend of XOOPS

  • Posts: 78

  • Since: 2002/7/18


In the last few hours someone has been registering a bogus username on each of my XOOPS sites. The name is of the form FirstnameNNN where NNN is three digits.

I'm going on a mad patching spree, but my host's server has become very slow at about the same time these accounts were created. I will recover whatever evidence I can, but here's fair warning: Someone is apparently systematically attacking XOOPS installations

Your helpfull suggestions are encouraged.

2
V6-Maniac
Re: WARNING! someone may be systematically attacking unpatched xoops sites!
  • 2005/8/16 21:06

  • V6-Maniac

  • Just popping in

  • Posts: 86

  • Since: 2005/2/15


Thx for your warning.
And i will be watching out.

3
jctsup1
Re: WARNING! someone may be systematically attacking unpatched xoops sites!
  • 2005/8/16 21:20

  • jctsup1

  • Not too shy to talk

  • Posts: 146

  • Since: 2002/5/23


I am confused as to how someone creating bogus accounts on your sites is considered an attack. Can you please be a little more specific in what this user is trying to do other than create an account.

Thanks
Jeffrey C. Tindillier, CIW
Microsoft MVP - IIS
--------------------------------------------
IIS Tips, Tricks & Resources
http://www.iis-resources.com

4
dreamgear
Re: WARNING! someone may be systematically attacking unpatched xoops sites!
  • 2005/8/17 3:12

  • dreamgear

  • Friend of XOOPS

  • Posts: 78

  • Since: 2002/7/18


It's certainly not definitive evidence, but it seems awfully suspicious that all my sites were growing users with made up names that all used the email address "myaccount009@tom.com". "tom.com" is a japanese site (I think). Not sure what kind of site it is.. I don't read japanese. These site were completely unrelated other than that I maintain them and they're on the same host.

Just about done patching.. I'm going to go through the raw logs tomorrow and see if they were up to anything nefarious.

5
beagle
Re: WARNING! someone may be systematically attacking unpatched xoops sites!
  • 2005/8/17 3:34

  • beagle

  • Just popping in

  • Posts: 43

  • Since: 2005/3/24


Quote:

dreamgear wrote:
... made up names that all used the email address "myaccount009@tom.com".


I had the same thing on two of my XOOPS sites today...I thought it seemed strange. Both entrys has http://www.iqwork.com as the URL. I deleted it immediately on both sites.

My other XOOPS sites were fine.

6
jjcmoney
Re: WARNING! someone may be systematically attacking unpatched xoops sites!
  • 2005/8/17 4:23

  • jjcmoney

  • Just popping in

  • Posts: 34

  • Since: 2003/5/10


I noticed this today too, on the only site that I had allowed new user registrations - martin190 was the name registered.

...deleted it and deactivated new user registration.
JC

7
dreamgear
Re: WARNING! someone may be systematically attacking unpatched xoops sites!
  • 2005/8/17 14:23

  • dreamgear

  • Friend of XOOPS

  • Posts: 78

  • Since: 2002/7/18


The latest ones seem to have the email addy set to "myaccount009@gmail.com" and the web site set to "iqwork.com" as the previous poster noted.

8
DefJef
Re: WARNING! someone may be systematically attacking unpatched xoops sites!
  • 2005/8/17 14:55

  • DefJef

  • Just popping in

  • Posts: 53

  • Since: 2005/8/8 2


somehow a user made an account with a 1969 join date and -1 posts? username DiVersion? kinda wierd, deleted it.

9
Darihn
Re: WARNING! someone may be systematically attacking unpatched xoops sites!
  • 2005/8/17 15:06

  • Darihn

  • Just popping in

  • Posts: 2

  • Since: 2005/7/30


Had 25 users on my site this morning (mainly in the links area and the RSS area). Odd since my site isn't listed. Glad I manually add only the users I choose. Thanks for the heads up.

D

10
Chappy
Re: WARNING! someone may be systematically attacking unpatched xoops sites!
  • 2005/8/17 15:10

  • Chappy

  • Friend of XOOPS

  • Posts: 456

  • Since: 2002/12/14


Hi, DefJef:

You may want to try creating another user and see if it doesn't set the join date for this newly created user to 1969 as well. 1969 is when, if I recollect correctly, the UNIX date code started (thus, when some modules in XOOPS and other programs are created and a date is automatically inserted, the code just starts at 1969). This is called the unix epoch date.

For info on the epoch date, if you'd like to know: http://www.answers.com/topic/epoch-date

For possibly similar problems as your popping up this 1969 date, here's one rather chuckly thread: http://www.webmasterworld.com/forum3/26062.htm

A bug in your upload or 2.2? If you create a new user and the new user has the same creation date, I'd get concerned....

The point is that the new user may have had his account automaticaly created for him on that date and may not have been a script kiddie... Better safe than sorry, though...
MMM...It tastes like chicken! ...

Login

Who's Online

291 user(s) are online (223 user(s) are browsing Support Forums)


Members: 0


Guests: 291


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits