View Full Version : Russian Hacker hitting our forum with script


AVC
Sun 22nd Jul '07, 10:27am
We have had a hacker out of Russia hit our forum with some sort of automated script that always comes in on "Search.php/process", he hits us from 2 IP addresses at the same time like clockwork everyday for the last few days.

http://www.forumpostersunion.com/showthread.php?t=2600

Do you think this guy is running some sort of content scraper custom programmed since he is hitting "search.php/do/process" and never hits any other URL, is he probing for a hole in the vB script ???

I would like some of the server experts and vB script experts look into this because I have never seen anything like this guy before, he seems to have a large inventory of hijacked zombie computers and their respective IP's at his disposal and is running a large bot network as most of the IP's are US based cable TV connections.

Some of the IP's have been dedicated hosts and proxy IP's that were blacklisted for spam abuse and those I have banned, but this guy keeps coming back with fresh cable TV IP's every few hours.

---MAD---
Sun 22nd Jul '07, 10:43am
Best thing to do is to add a search waiting time (i.e. search every 20 seconds). Also, disable searching for guests or enable the truetype image code.

AVC
Sun 22nd Jul '07, 10:47am
Do you think he is actually pulling content ??

Because the only URL he hits is "search.php/do/process" and no others.

How does one disable search for guests ?

Scott MacVicar
Sun 22nd Jul '07, 3:19pm
Edit usergroup permissions.

Also make sure you are using 3.6.6+ as we moved the flood checking to the start of the process to stop them actually being able to run a search.

Chousho
Sun 22nd Jul '07, 3:21pm
Do you think he is actually pulling content ??

Because the only URL he hits is "search.php/do/process" and no others.

How does one disable search for guests ?
Usergroup Manager
->Unregistered, Not Logged In
->Forum Searching Permissions
->Can Search Forums = NO

Joe Gronlund
Sun 22nd Jul '07, 3:25pm
Some of the IP's have been dedicated hosts and proxy IP's that were blacklisted for spam abuse and those I have banned, but this guy keeps coming back with fresh cable TV IP's every few hours.

How do you know he is from Russia??

AVC
Mon 23rd Jul '07, 1:13am
Edit usergroup permissions.

Also make sure you are using 3.6.6+ as we moved the flood checking to the start of the process to stop them actually being able to run a search.

We are running 3.6.7 now.

So you are saying we have nothing to worry about?

This guy is still running this script, hitting us every few hours

Joe, I'm pretty sure he is out of Russia, because I have banned a few non-US cable IP's out of Russia from this same user agent, see the linked thread, the IP's are listed there, the first time I started tracking this guy was in another thread, I linked to it in the opening link in the original thread I linked to, here is the link to that single post (http://www.forumpostersunion.com/showpost.php?p=15208&postcount=90).

Chousho, thanks for helping out with the instructions !!

Joe Gronlund
Mon 23rd Jul '07, 9:10am
Joe, I'm pretty sure he is out of Russia, because I have banned a few non-US cable IP's out of Russia from this same user agent, see the linked thread, the IP's are listed there, the first time I started tracking this guy was in another thread, I linked to it in the opening link in the original thread I linked to, here is the link to that single post (http://www.forumpostersunion.com/showpost.php?p=15208&postcount=90).

Chousho, thanks for helping out with the instructions !!

Seems to be stealing IP's from a lot of ISP's, but I would personally report these two to Comcast
"24.60.69.124, 24.91.149.151", and make a note of the date and time it was used..

abuse@comcast.net

AVC
Mon 23rd Jul '07, 10:06am
Joe, this guy is one of many bot net operators (http://www.forumpostersunion.com/showthread.php?p=14862&highlight=network#post14862), many bot network operators have been busted by the FBI (http://www.forumpostersunion.com/showthread.php?p=14615&highlight=networks#post14615) in the USA, but the guys operating out of Russia are untouchable.

They hijack millions of computers and IP's by dropping virus links everywhere and by spyware, so spam is a tool to increase their numbers so they can further attack the network using IP's that can't be traced back to them.

Forums are a prime target, and you will find by watching guests hitting your forums that you are being attacked too 24/7/365.

These guys are relentless and they are polished professionals using automation who are part of a multi-billion dollar cyber crime trade.

Forums are just tools for them and they consider most forum administrators pawns and very easy targets to take advantage of because few of them even watch the guests hitting their servers.

Joe Gronlund
Mon 23rd Jul '07, 10:11am
Ok, I wasn't aware of that, most botnet ops use MX servers to commit exchanges.

So I guess he/she isn't as insecure as we think, still running IE 6.0 on Windows XP ? :D

Scott MacVicar
Mon 23rd Jul '07, 10:18am
Easiest thing to do is to look at mod_evasive until it passes, it's an Apache module that blocks too many connections from the same IP.

If they are constant IP addresses then drop them at iptables for a week or so.

AVC
Mon 23rd Jul '07, 10:19am
Microsoft is aggressively going after these people in co-operation with the FBI because the majority of hijacked zombie computers are Windows systems.

You may want to start writing about this, as I see you are involved with Microsoft OS big time.

Joe Gronlund
Mon 23rd Jul '07, 10:25am
Microsoft is aggressively going after these people in co-operation with the FBI because the majority of hijacked zombie computers are Windows systems.

You may want to start writing about this, as I see you are involved with Microsoft OS big time.

We already have, I can't write about it on here though.
We are having a huge problem with MySpace, with it being hosted on IIS 6.0

AVC
Mon 23rd Jul '07, 10:36am
Well, get the word out because compromised Microsoft systems are tools for these guys and these zombie machines are a major threat to all of us and to data security.

Here is the latest update on this hacker's activity (http://www.forumpostersunion.com/showpost.php?p=15351&postcount=4), he is still running his script, but since we disabled "search for guests" as you guys mentioned he is now getting an error message.

I have no idea if he succeeded in getting any content or if he actually was scraping content from the forum because he only hits one URL, the search.php/do/process.

Joe Gronlund
Mon 23rd Jul '07, 10:47am
Well, from what I have seen, it looks like an issue with the Active Scripting agent in Internet Explorer 6; if these users were to disable active scripting, the agent wouldn't be compromised..

In IE 7, attacks are mostly done using "document.write" and "document.cookie"..
The problem is, we know who these users are that have been compromised, but it falls under a strict privacy act in which we cannot personally contact them...

AVC
Mon 23rd Jul '07, 10:52am
Microsoft has quit supporting many older OS and this too is a major problem if automatic updates are not available to millions of computers !!

A sad story indeed for web users and businesses, this is costing billions of dollars due to fraud and wasted time for IT departments.

I would imagine one reason Microsoft is going after bot nets is the fact that they have legal liability due to these security holes.

Chousho
Mon 23rd Jul '07, 11:38am
Here is the latest update on this hacker's activity (http://www.forumpostersunion.com/showpost.php?p=15351&postcount=4), he is still running his script, but since we disabled "search for guests" as you guys mentioned he is now getting an error message.
You might also want to set up new registrants as not being able to search until they reach so many posts (5 or so seems good). As well, check if any users have been trying to hit that same page.
Well, from what I have seen, it looks like an issue with the Active Scripting agent in Internet Explorer 6; if these users were to disable active scripting, the agent wouldn't be compromised..

In IE 7, attacks are mostly done using "document.write" and "document.cookie"..
The problem is, we know who these users are that have been compromised, but it falls under a strict privacy act in which we cannot personally contact them...
While you may not be able to personally contact them, it would be good to at least have a notification to say "your computer has been compromised via blah blah. Please visit this MS site to find how to detect and remove infections/malware".
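Two concrete checks come up in this thread: ---MAD---'s suggestion of a search waiting time (one search every 20 seconds) and Chousho's advice to look at who else is hitting the same search.php?do=process page. The script below is an added example for this thread, not vBulletin code and not anything the posters wrote. It parses Apache combined-format access log lines, counts search.php?do=process requests per client IP and user agent, and emulates a per-IP 20-second search interval to show how many of those requests a flood limit would reject. The log lines are constructed for the example and use RFC 5737 documentation addresses rather than the IPs posted in the thread; the per-IP keying is a simplification (vBulletin keys its flood check on the user/session).

```python
"""Spot automated hammering of search.php?do=process in Apache access logs.

Added example for this thread (not vBulletin code, not the posters' code).
Sample log lines are constructed; IPs are RFC 5737 documentation addresses.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed user agent string matching the IE6/XP agent discussed in the thread.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

# Constructed sample log: two clients hammering search, one normal browser.
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [23/Jul/2007:10:06:01 +0000] "GET /search.php?do=process&q=forum HTTP/1.1" 200 5120 "-" "{UA}"',
    f'192.0.2.10 - - [23/Jul/2007:10:06:05 +0000] "GET /search.php?do=process&q=posters HTTP/1.1" 200 5120 "-" "{UA}"',
    f'192.0.2.10 - - [23/Jul/2007:10:06:30 +0000] "GET /search.php?do=process&q=union HTTP/1.1" 200 5120 "-" "{UA}"',
    f'192.0.2.10 - - [23/Jul/2007:10:06:40 +0000] "GET /search.php?do=process&q=script HTTP/1.1" 200 5120 "-" "{UA}"',
    f'198.51.100.7 - - [23/Jul/2007:10:07:00 +0000] "GET /search.php?do=process&q=forum HTTP/1.1" 200 5120 "-" "{UA}"',
    f'198.51.100.7 - - [23/Jul/2007:10:07:03 +0000] "GET /search.php?do=process&q=forum HTTP/1.1" 200 5120 "-" "{UA}"',
    '203.0.113.5 - - [23/Jul/2007:10:07:10 +0000] "GET /showthread.php?t=123 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.5 - - [23/Jul/2007:10:08:00 +0000] "GET /search.php?do=getnew HTTP/1.1" 200 7000 "-" "Mozilla/5.0 (X11; Linux)"',
])


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_search_process(rec):
    """True only for requests that actually execute a search (search.php?do=process)."""
    return rec["path"] == "/search.php" and rec["query"].get("do") == ["process"]


def count_search_process_hits(log_text):
    """Count search.php?do=process requests per (client IP, user agent) pair."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_search_process(rec):
            hits[(rec["ip"], rec["ua"])] += 1
    return hits


def flood_rejections(log_text, min_interval=20):
    """Emulate a per-IP search waiting time.

    A search is accepted only if at least min_interval seconds have passed since
    that IP's last accepted search. Returns {ip: number of rejected searches}.
    """
    last_accepted = {}
    rejected = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_search_process(rec):
            continue
        prev = last_accepted.get(rec["ip"])
        if prev is not None and (rec["ts"] - prev).total_seconds() < min_interval:
            rejected[rec["ip"]] += 1
        else:
            last_accepted[rec["ip"]] = rec["ts"]
    return rejected


def suspicious_ips(log_text, min_hits=3):
    """IPs whose search.php?do=process hit count reaches min_hits, sorted."""
    per_ip = Counter()
    for (ip, _ua), n in count_search_process_hits(log_text).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= min_hits)


if __name__ == "__main__":
    for (ip, ua), n in count_search_process_hits(SAMPLE_LOG).most_common():
        print(f"{ip:15} {n:3} hits  {ua}")
    print("rejected by a 20s search interval:", dict(flood_rejections(SAMPLE_LOG)))
    print("IPs worth a closer look:", suspicious_ips(SAMPLE_LOG))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the interesting output is the (IP, user agent) pairs that only ever request do=process, which is the pattern AVC describes, and the rejection counts show how much of that traffic a search waiting time stops before the search query ever runs.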

AVC
Mon 23rd Jul '07, 11:43am
LOL, Comcast knows Microsoft machines are zombies, they don't care, as long as the subscriber pays the bill.

This is why the government needs to demand that ISP's invest in security, but to date they are resisting any suggestions by authorities to invest in additional IP network security, so we are stuck with fighting these bot networks that can't be shut down since they are outside of US jurisdiction.

Joe Gronlund
Mon 23rd Jul '07, 12:02pm
Just to clarify a little bit, and I am sure some will tend to disagree with me here.
But Microsoft don't see these people as hackers, as the media has let you believe a hacker is actually a good person, or someone who helps resolve issues like this..

Hacker:

A person who enjoys learning details of a programming language or system
A person who enjoys actually doing the programming rather than just theorizing about it
A person capable of appreciating someone else's hacking
A person who picks up programming quickly
A person who is an expert at a particular programming language or system, as in "Unix (http://searchenterpriselinux.techtarget.com/sDefinition/0,,sid14_gci213253,00.html) hacker"

Cracker:

A cracker is someone who breaks into someone else's computer system, often on a network; bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security.
A cracker can be doing this for profit, maliciously, for some altruistic purpose or cause, or because the challenge is there.
Some breaking-and-entering has been done ostensibly to point out weaknesses in a site's security system.
The term "cracker" is not to be confused with "hacker (http://searchsecurity.techtarget.com/sDefinition/0,,sid_gci212220,00.html)". "section 2 is incorrect"
Hackers generally deplore cracking. However, some journalists ascribe break-ins to "hackers."

Chousho
Mon 23rd Jul '07, 12:40pm
I agree mostly with Joe on the semantics of "hacker". While I have defended the use of hacker to people who ascribe it to being that of a criminal, I also would say, not to the same people, that it's not 100% peachy clean.

In order to accurately know how to compromise a system, the program writer of many of these script programs that crackers/sk's use is most likely a hacker in whatever field. They just feel that they can use their knowledge for malicious intent.

I actually tend to think of hacking more as exploring either a language, hardware, technology, or anything else. Clicking a button on a program to DDoS someone takes no skill.

AVC
Mon 23rd Jul '07, 12:43pm
Yeah Joe, I have heard many defend the term "hacker" as an honorable thing before and many object to that term being applied to cyber criminals, but before there were crackers, hacker was the term most or all used to describe this type of activity, not just the popular media.

AWS
Mon 23rd Jul '07, 7:55pm
A true hacker will gain entrance to your box without you knowing they were ever there. A cracker will use the tools the hacker created to do it and then brag to the world.

AVC
Tue 24th Jul '07, 12:34pm
Well, whatever you guys want to call them is fine, ZDnet simply calls them hackers and cyber criminals (http://news.zdnet.com/2100-1009-6127304.html).

This hacker/cracker argument has been going on for a while now. I go to some great hacker sites myself once in a while, the tools they create and use can teach advanced users much, but professional bot net operators are actually involved in organized crime, in the USA they are being busted and thrown in jail, but those operating in Russia are not going to be stopped anytime soon.

Joe Gronlund
Tue 24th Jul '07, 1:02pm
Well, whatever you guys want to call them is fine, ZDnet simply calls them hackers and cyber criminals (http://news.zdnet.com/2100-1009-6127304.html).

All depends on who writes the article.. :)

ZDNET - Hacker and Crackers (http://whitepapers.zdnet.com/whitepaper.aspx?docid=126340)