Thousands of Spammer PMs

**Steve Machol** · Wed 16 Jul '08, 5:39pm

I'm not aware of that being an 'exploit' as such. Spammers have been known to spam without an exploit.

Assuming this is one or just a few users, you can delete all the PMs they have sent from the 'Quick User Links' in their profile in the Admin CP.

**macrumors** · Wed 16 Jul '08, 5:48pm

it's from different users. roughly 11,000 PMs.

Code:

mysql> select fromuserid from pmtext order by pmtextid desc limit 100;
+------------+
| fromuserid |
+------------+
|     167739 |
|      57102 |
|       1561 |
|     102654 |
|       4551 |
|      67630 |
|      81565 |
|      86302 |
|      26988 |
|       5261 |
|      75825 |
|     198404 |
|      65983 |
|      15862 |
|     185387 |
|     185324 |
|       2124 |
|      74328 |
|      13676 |
|      16478 |
|      80284 |
|     197638 |
|     151081 |
|     145455 |
|      68611 |
|       3391 |
|     173148 |
|      16466 |
|      95898 |
|     170426 |
|     160693 |
|     185225 |
|     108488 |
|      14161 |
|      11350 |
|        406 |
|     127435 |
|      89071 |
|     147705 |
|      86122 |
|     195099 |
|     171737 |
|      33283 |
|      19999 |
|     121641 |
|     184484 |
|      52734 |
|     127363 |
|      39053 |
|      57048 |
|     122043 |
|      94740 |
|     166242 |
|     155402 |
|      55716 |
|      18320 |
|       9391 |
|      55198 |
|     109922 |
|     128207 |
|     147384 |
|     195955 |
|      37363 |
|     186293 |
|     161423 |
|     158957 |
|     138913 |
|      21341 |
|     127258 |
|     155073 |
|      85269 |
|     141282 |
|     136000 |
|     105989 |
|     121089 |
|        451 |
|     182019 |
|     184762 |
|     160731 |
|      20960 |
|       9867 |
|      41792 |
|     157132 |
|      30295 |
|      33173 |
|      60424 |
|      40083 |
|      13080 |
|      79240 |
|      33307 |
|     100136 |
|      37475 |
|      47856 |
|     156520 |
|       2573 |
|     151262 |
|     187939 |
|     145019 |
|     146074 |
|      36314 |
+------------+
100 rows in set (0.00 sec)

Will deleting the corresponding rows in those tables cause any problems?

arn

Attached Files

**Steve Machol** · Wed 16 Jul '08, 5:52pm

I'm afraid there is no simple option to do that. The only viable option would be to delete ALL PMs for ALL members.

To delete all PMs, run these 5 queries:

UPDATE `user` SET `pmtotal` = '0';
UPDATE `user` SET `pmunread` = '0';
TRUNCATE TABLE `pm`;
TRUNCATE TABLE `pmtext`;
TRUNCATE TABLE `pmreceipt`;

Of course, backup your database first.

**macrumors** · Wed 16 Jul '08, 6:02pm

thanks. I think I'll try to do it programatically. I forgot about the pm counts. I'll see about taking those into account.

btw my online.php is full of different users in the "Creating Private Message" location, all the same IP address. I'll post a screenshot once I remove the non-spammer people.

strangely don't see that IP in my apache logs

arn

**macrumors** · Wed 16 Jul '08, 6:06pm

Steve, it looks like this board had the exact same thing. Same IP address and same content of spam.

private message movie guy is back - R/C Tech Forums

http://www.rctech.net/forum/showthread.php?p=4614076

R/C Tech Site Forum - private message movie guy is back - Hi I got hit up by a guy the other day "videos" ... Tonight I go to sign and have 2 PMsfrom a guy cursing me bad as he had received somehow those exact same vids I got via my log in name .NO way did I ever go as far to send (I don't even know how to do

arn

**macrumors** · Wed 16 Jul '08, 6:08pm

here's an edited screenshot

Attached Files

**Steve Machol** · Wed 16 Jul '08, 6:12pm

You should, of course, ban those accounts. Until then you might want to disable PMs for that usergroup:

Admin CP -> Usergroups -> Usergroup Manager -> Edit Usergroup -> Private Message Permissions -> Maximum Stored Messages: -> 0

Also please see this:

How to Reduce Spam and Registration Bots

**macrumors** · Wed 16 Jul '08, 7:50pm

steve, I figured out the problem, I'll post a description soon.

Question though. if I delete from the pm tables without affecting people's pm counts, is that going to be a problem? Can those numbers be rebuilt?

arn

**macrumors** · Wed 16 Jul '08, 9:58pm

Here's the conclusion to this.

Over 1800 accounts were compromised (out of 200,000). They were accessed by a bot who simply used the username as the password. I'm sure this can happen to any large forum.

It was a pain to correct. I had to run through the entire database of users to check to see who had a password that was their username. I then invalidated their passwords, requiring them to change their passwords.

Of those, there were roughly 1800 like that. There were 2 other accounts who were also compromised but I couldn't figure out how they were accessed - I tried the usual combination of easy passwords.

I then had to run through 11,000 spam PM's and remove them from the db, and associated pm tables. I also tried to decrement the private messages counts.

This could happen to anyone. There's really no defense besides strong password validation when users create their accounts.

arn

**Steve Machol** · Thu 17 Jul '08, 8:34am

This would be a good suggestion - have vB check to make sure the password does not equal the username. Frankly I'm surprised I've never see anything like this before given how often people do that.

**septimus** · Fri 18 Jul '08, 1:07pm

We are getting hit with the same problem right now

Any help on how we can search the DB for users whose pw matches their username would be great -- it's hashed in the db.

**Steve Machol** · Fri 18 Jul '08, 2:39pm

I do not know of any query that would do that. Sorry.

**macrumors** · Fri 18 Jul '08, 3:42pm

obviously this script's going around. I think this is going to be a huge problem.

if this hits you, shutting down your pm system globally in the control panel will stop more PM's from being sent.

I'm talking to septimus about it regarding the scripting required.

here's the basic code to find the users in your db with usernames==passwords. I stripped out the destructive part of my code where I actually changed their password to something invalid. This will scan 5000 users and print the results. A more button lets you test the next 5000.

Code:

<?

/* simply script to find usernames == passwords in vb */

/* declare some relevant variables */
$hostname = "localhost";
$dbusername = "USERNAME";
$dbpassword = "PASSWORD";
/* make connection to database */ 
MYSQL_CONNECT($hostname, $dbusername, $dbpassword) OR DIE("Unable to connect to database");

$counter=$_GET[counter];
if ($counter=="") $counter="0";

/* do 5000 users at a time */

$counterend=$counter+5000;

?>
<a href="?counter=<? print $counterend ?>">More..</a>
<?

@mysql_select_db( "DATABASENAME") or die( "Unable to select database");
$userquery = "SELECT username,userid,password,salt from user where userid>=$counter and userid<=$counterend  order by userid";
$userresult = mysql_query($userquery);
        if ($userresult) $number = @MYSQL_NUMROWS($userresult);
        
$i=0;
while ($i<$number)
{

$vbpassword=mysql_result($userresult,$i,"password");
$username=mysql_result($userresult,$i,"username");
$salt=mysql_result($userresult,$i,"salt");
$userid=mysql_result($userresult,$i,"userid");

if ((md5(md5($username) . $salt))==$vbpassword)
{
/* Yes, password equals username */

print "YES - $username ($userid)<br />";

/* this is where you could do something like set their password to something else in the db. 
I removed the code here since I didn't want to post destructive code */

}
else
{
//print "NO - $username ($userid)<br />";
}

$i++;
}

?>

It's possible to script it so it then deletes the spam PMs from the pm tables, but I'm not comfortable with my code to post it right now.

arn

**septimus** · Fri 18 Jul '08, 4:14pm

Just to follow up: we had 20k+ PMs sent, which happened even though we have a 30 second throttle set because of the sheer number of users with identical pws.

We're running a db query instead of a php script to reset those users' passwords to random:

Code:

update user set password = md5(concat(md5(rand()),salt)) where password = md5(concat(md5(username),salt));

...Then per a suggestion from Arn we changed our [bad_login] phrase to let people know that their password may have been reset if it wasn't secure enough and so they may need to just request a new password.

Now to hunt for a mod that causes vBulletin to require strong passwords (or at least disallows them to be identical to the username!!)

Thanks again to Arn for the help!

Thousands of Spammer PMs

Thousands of Spammer PMs

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment