Russian Hacker hitting our forum with script

  • AVC
    Banned
    • Mar 2006
    • 352
    • 3.5.x

    Russian Hacker hitting our forum with script

    We have had a hacker out of Russia hit our forum with some sort of automated script that always comes in on "Search.php/process", he hits us from 2 IP addresses at the same time like clockwork everyday for the last few days.



    Do you think this guy is running some sort of content scraper custom programmed since he is hitting "search.php/do/process" and never hits any other URL, is he probing for a hole in the vB script ???

    I would like some of the server experts and vB script experts look into this because I have never seen anything like this guy before, he seems to have a large inventory of hijacked zombie computers and their respective IP's at his disposal and is running a large bot network as most of the IP's are US based cable TV connections.

    Some of the IP's have been dedicated hosts and proxy IP's that were blacklisted for spam abuse and those I have banned, but this guy keeps coming back with fresh cable TV IP's every few hours.
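The pattern described above (one URL, search.php with do=process, hit in bursts from several IPs that share one browser signature) can be pulled out of an ordinary web-server access log. The following is an added detection example, not code from the thread or from vBulletin: it assumes Apache combined-format logging, flags any client that repeats the search URL faster than the 20-second search wait that the forum software would impose on a human, and then groups the flagged IPs by User-Agent. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (documentation IP ranges), not from the thread.
BOT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
SAMPLE_LOG = f"""\
203.0.113.10 - - [22/Jul/2007:03:00:01 +0000] "GET /search.php?do=process&q=a HTTP/1.1" 200 5120 "-" "{BOT_UA}"
203.0.113.10 - - [22/Jul/2007:03:00:04 +0000] "GET /search.php?do=process&q=b HTTP/1.1" 200 5231 "-" "{BOT_UA}"
198.51.100.7 - - [22/Jul/2007:03:00:02 +0000] "GET /search.php?do=process&q=a HTTP/1.1" 200 5120 "-" "{BOT_UA}"
198.51.100.7 - - [22/Jul/2007:03:00:05 +0000] "GET /search.php?do=process&q=b HTTP/1.1" 200 5231 "-" "{BOT_UA}"
192.0.2.44 - - [22/Jul/2007:03:00:03 +0000] "GET /search.php?do=process&q=x HTTP/1.1" 200 6100 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.44 - - [22/Jul/2007:03:01:30 +0000] "GET /showthread.php?t=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux)"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["is_search"] = rec["path"].startswith("/search.php") and "do=process" in rec["path"]
    return rec

def flag_search_floods(log_text, min_interval=20):
    """Map ip -> (search_hits, fastest_gap_seconds, user_agent) for clients repeating search faster than min_interval."""
    per_ip, agents = defaultdict(list), {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["is_search"]:
            per_ip[rec["ip"]].append(rec["ts"])
            agents[rec["ip"]] = rec["ua"]
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()  # gaps between consecutive search requests from this client
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and min(gaps) < min_interval:
            flagged[ip] = (len(times), min(gaps), agents[ip])
    return flagged

def shared_agent_clusters(flagged):
    """Group flagged IPs by identical User-Agent; several unrelated IPs sharing one UA is the botnet fingerprint."""
    clusters = defaultdict(list)
    for ip, (_, _, ua) in flagged.items():
        clusters[ua].append(ip)
    return {ua: sorted(ips) for ua, ips in clusters.items() if len(ips) > 1}
```

Running `flag_search_floods` over a real access log and feeding the result to `shared_agent_clusters` gives the list of addresses to rate-limit or report to their ISP, with the timestamps the ISP will ask for already in hand.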
  • ---MAD---
    Senior Member
    • Jun 2005
    • 2522
    • 3.8.x

    #2
    Best thing to do is add a search waiting time (i.e. search every 20 seconds). Also, disable searching for guests or enable the truetype image code.


    • AVC
      Banned
      • Mar 2006
      • 352
      • 3.5.x

      #3
      Do you think he is actually pulling content ??

      Because the only URL he hits is "search.php/do/process" and no others.

      How does one disable search for guests ?


      • Scott MacVicar
        Former vBulletin Developer
        • Dec 2000
        • 13286

        #4
        Edit usergroup permissions.

        Also make sure you are using 3.6.6+ as we moved the flood checking to the start of the process to stop them actually being able to run a search.
        Scott MacVicar

        My Blog | Twitter


        • Chousho
          Senior Member
          • Jan 2004
          • 967
          • 3.8.x

          #5
          Originally posted by AVC
          Do you think he is actually pulling content ??

          Because the only URL he hits is "search.php/do/process" and no others.

          How does one disable search for guests ?
          Usergroup Manager
          ->Unregistered, Not Logged In
          ->Forum Searching Permissions
          ->Can Search Forums = NO


          • Joe Gronlund
            Senior Member
            • Nov 2001
            • 5789
            • 3.8.x

            #6
            Originally posted by AVC
            Some of the IP's have been dedicated hosts and proxy IP's that were blacklisted for spam abuse and those I have banned, but this guy keeps coming back with fresh cable TV IP's every few hours.
            How do you know he is from Russia??
            MCSE, MVP, CCIE
            Microsoft Beta Team


            • AVC
              Banned
              • Mar 2006
              • 352
              • 3.5.x

              #7
              Originally posted by Scott MacVicar
              Edit usergroup permissions.

              Also make sure you are using 3.6.6+ as we moved the flood checking to the start of the process to stop them actually being able to run a search.

              We are running 3.6.7 now.

              So you are saying we have nothing to worry about?

              This guy is still running this script, hitting us every few hours

              Joe, I'm pretty sure he is out of Russia, because I have banned a few non-US cable IP's out of Russia from this same user agent, see the linked thread, the IP's are listed there, the first time I started tracking this guy was in another thread, I linked to it in the opening link in the original thread I linked to, here is the link to that single post.

              Chousho, thanks for helping out with the instructions !!
              Last edited by AVC; Sun 22 Jul '07, 8:29pm.


              • Joe Gronlund
                Senior Member
                • Nov 2001
                • 5789
                • 3.8.x

                #8
                Originally posted by AVC

                Joe, I'm pretty sure he is out of Russia, because I have banned a few non-US cable IP's out of Russia from this same user agent, see the linked thread, the IP's are listed there, the first time I started tracking this guy was in another thread, I linked to it in the opening link in the original thread I linked to, here is the link to that single post.

                Chousho, thanks for helping out with the instructions !!

                Seems to be stealing IP's from a lot of ISP's, but I would personally report these two to Comcast
                "24.60.69.124, 24.91.149.151", and make a note of the date and time it was used..

                MCSE, MVP, CCIE
                Microsoft Beta Team


                • AVC
                  Banned
                  • Mar 2006
                  • 352
                  • 3.5.x

                  #9
                  Joe, this guy is one of many bot net operators, many bot network operators have been busted by the FBI in the USA, but the guys operating out of Russia are untouchable.

                  They hijack millions of computers and IP's by dropping virus links everywhere and by spyware, so spam is a tool to increase their numbers so they can further attack the network using IP's that can't be traced back to them.

                  Forums are a prime target, and you will find by watching guests hitting your forums that you are being attacked too 24/7/365.

                  These guys are relentless and they are polished professionals using automation who are part of a multi-billion dollar cyber crime trade.

                  Forums are just tools for them and they consider most forum administrators pawns and very easy targets to take advantage of because few of them even watch the guests hitting their servers.
                  Last edited by AVC; Mon 23 Jul '07, 5:13am.


                  • Joe Gronlund
                    Senior Member
                    • Nov 2001
                    • 5789
                    • 3.8.x

                    #10
                    Ok, I wasn't aware of that, most botnet ops use MX servers to commit exchanges.

                    So I guess he/she isn't as insecure as we think, still running IE 6.0 on Windows XP?
                    MCSE, MVP, CCIE
                    Microsoft Beta Team


                    • Scott MacVicar
                      Former vBulletin Developer
                      • Dec 2000
                      • 13286

                      #11
                      Easiest thing to do is to look at mod_evasive until it passes, it's an Apache module that blocks too many connections from the same IP.

                      If they are constant IP addresses then drop them at iptables for a week or so.
                      Scott MacVicar

                      My Blog | Twitter


                      • AVC
                        Banned
                        • Mar 2006
                        • 352
                        • 3.5.x

                        #12
                        Microsoft is aggressively going after these people in co-operation with the FBI because the majority of hijacked zombie computers are Windows systems.

                        You may want to start writing about this, as I see you are involved with Microsoft OS big time.


                        • Joe Gronlund
                          Senior Member
                          • Nov 2001
                          • 5789
                          • 3.8.x

                          #13
                          Originally posted by AVC
                          Microsoft is aggressively going after these people in co-operation with the FBI because the majority of hijacked zombie computers are Windows systems.

                          You may want to start writing about this, as I see you are involved with Microsoft OS big time.
                          We already have, I can't write about it on here though.
                          We are having a huge problem with MySpace, with it being hosted on IIS 6.0.
                          MCSE, MVP, CCIE
                          Microsoft Beta Team


                          • AVC
                            Banned
                            • Mar 2006
                            • 352
                            • 3.5.x

                            #14
                            Well, get the word out because compromised Microsoft systems are tools for these guys and these zombie machines are a major threat to all of us and to data security.

                            Here is the latest update on this hacker's activity, he is still running his script, but since we disabled "search for guests" as you guys mentioned he is now getting an error message.

                            I have no idea if he succeeded in getting any content or if he was actually scraping content from the forum because he only hits one URL, the search.php/do/process.
                            Last edited by AVC; Mon 23 Jul '07, 5:48am.


                            • Joe Gronlund
                              Senior Member
                              • Nov 2001
                              • 5789
                              • 3.8.x

                              #15
                              Well from what I have seen, it looks like an issue with the Active Scripting agent in Internet Explorer 6, if these users were to disable active scripting, the agent wouldn't be compromised..

                              In IE 7, attacks are mostly done using "document.write" and "document.cookie"..
                              The problem is, we know who these users are that have been compromised, but it falls under a strict privacy act in which we cannot personally contact them...
                              MCSE, MVP, CCIE
                              Microsoft Beta Team
