Re: [Full-Disclosure] Suspect phpBB users

From: GuidoZ (uberguidoz_at_gmail.com)
Date: 12/26/04

  • Next message: Raistlin: "Re: [Full-Disclosure] Re: New Santy-Worm attacks *all* PHP-skripts"
    Date: Sun, 26 Dec 2004 06:57:13 -0500
    To: Jack Yan <jack.yan@jyanet.com>
    > We have since upgraded, but among our new users over the last few days
    > have been a Weber361, a Weber395, and a nderevyanko.
    > Googling the last user name, I've found 4,900 references—most with
    > guestbooks or forums—to which nderevyanko has signed up. He has been
    > preceded by a few Webers, and some Irenas, often citing that
    > killhim.boom.ru is their home page.

    I also noticed that the "nderevyanko" user has put up a number of
    posts to sites with the same text:

     http://nderevyanko.narod.ru/ greets you. Came into my website! My
    site is better then this one! I'll give you free money!

    *OR*

     http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ :
    294168488 Contact me asap! I'll give you a free gift!

    A good example:
     - http://proxy2.de/guestbook/

    Another chunk of similar posts look like this:
    (From http://www.hermit.com/guestbook/guestbook.html )

    http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ :
    294168488 Contact me asap! I'll give you a free gift!

    http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ :
    294168488 Contact me asap! I'll give you a free gift!

    nDerevyanko <nDerevyanko2000@yahoo.com>
    NY, NY USA - Friday, December 24, 2004 at 09:31:44 (EST)

    http://nderevyanko.narod.ru/ greets you. Came into my website! My site
    is better then this one! I'll give you free money!
    http://nderevyanko.narod.ru/ greets you. Came into my website! My site
    is better then this one! I'll give you free money!
    nderevyanko <nderevyanko@mail.ru>
    NY, NY USA - Friday, December 24, 2004 at 08:51:27 (EST)

    http://nderevyanko.narod.ru/ greets you. Came into my website! My site
    is better then this one! I'll give you free money!
    http://nderevyanko.narod.ru/ greets you. Came into my website! My site
    is better then this one! I'll give you free money!
    nderevyanko <nderevyanko@mail.ru>
    NY, NY USA - Friday, December 24, 2004 at 08:51:17 (EST)

    http://nderevyanko.narod.ru/ greets you. Came into my website! My site
    is better then this one! I'll give you free money!
    http://nderevyanko.narod.ru/ greets you. Came into my website! My site
    is better then this one! I'll give you free money!
    nderevyanko <nderevyanko@mail.ru>
    NY, NY USA - Friday, December 24, 2004 at 08:51:16 (EST)

    There is obviously something not right about this user. It could be a
    spam bot hoping to create Google spam to the website. It could be
    related to the exploits. I haven't visited the listed website(s) yet
    to see what they hold. Maybe tomorrow. =)

    --
    Peace. ~G
    On Sat, 25 Dec 2004 18:54:17 -0500, Jack Yan <jack.yan@jyanet.com> wrote:
    > Dear Full-Disclosure members:
    > 
    > I am not a computer expert, just a regular Joe who hopes this information
    > may be useful to you.
    >     We are running phpBB and last week, a DoS attack was launched against us.
    >     We have since upgraded, but among our new users over the last few days
    > have been a Weber361, a Weber395, and a nderevyanko.
    >     Googling the last user name, I've found 4,900 references—most with
    > guestbooks or forums—to which nderevyanko has signed up. He has been
    > preceded by a few Webers, and some Irenas, often citing that
    > killhim.boom.ru is their home page.
    >     I have heard that there is a phpBB worm doing the rounds over the
    > holidays, and wonder if this is related in some way.
    >     My hosting company recommended this list and I hope members, being far
    > better versed on these matters than me, can get word out.
    >     Other than the frequency with which the Webers and nderevyanko have
    > signed up to thousands of sites over the last few days, I've no proof that
    > they are malicious—but since the DoS attack I am on alert.
    >     I hope this information is useful and that this has been a post that's
    > considered on-topic.
    > 
    > Yours sincerely,
    > 
    > Jack Yan, LL B, BCA (Hons.), MCA <http://jackyan.com>
    > CEO, Jack Yan & Associates <http://jya.net/>
    > CEO, Lucire LLC <http://www.lucire.net>
    > 
    > Lucire, the global fashion magazine: <http://www.lucire.com>
    > Visit Beyond Branding, <http://www.beyond-branding.com>—in its second printing
    > 
    > ----------
    > 
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
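The guestbook entries quoted above (one body reposted word for word, one off-site link in every post, three posts from one address within seconds) are easy to pick out by hand; the script below does the same check mechanically. It is an added example and not code from the thread or from either poster: it parses entries in the same layout as the quoted guestbook (body lines, then `name <email>`, then `place - Weekday, Month day, year at HH:MM:SS (TZ)`) and flags three patterns a site operator would review before deciding whether a signup is a bot: identical bodies reposted, one link pushed across many entries, and one identity posting in a burst. The sample entries, domains and addresses are constructed placeholders, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the thread): entries in the layout of the
# guestbook quoted above -- body lines, then "name <email>", then
# "place - Weekday, Month day, year at HH:MM:SS (TZ)". Domains and
# addresses are placeholders.
SAMPLE_GUESTBOOK = """\
Great site, thanks for posting the trail photos from last summer.
Alice <alice@example.org>
Portland, OR USA - Thursday, December 23, 2004 at 17:02:10 (EST)

http://spam.example/ greets you. Come to my website! My site is
better than this one! I'll give you free money!
http://spam.example/ greets you. Come to my website! My site is
better than this one! I'll give you free money!
spammer <spammer@example.net>
NY, NY USA - Friday, December 24, 2004 at 08:51:16 (EST)

http://spam.example/ greets you. Come to my website! My site is
better than this one! I'll give you free money!
spammer <spammer@example.net>
NY, NY USA - Friday, December 24, 2004 at 08:51:17 (EST)

http://spam.example/ greets you. Come to my website! My site is
better than this one! I'll give you free money!
spammer <spammer@example.net>
NY, NY USA - Friday, December 24, 2004 at 08:51:27 (EST)

http://spam.example/ tells you about pyramids! Contact me asap!
ivan <ivan@example.net>
NY, NY USA - Friday, December 24, 2004 at 09:31:44 (EST)
"""

SIG_RE = re.compile(r"^(?P<name>.+?) <(?P<email>[^>]+)>$")
STAMP_RE = re.compile(r"^(?P<place>.+?) - (?P<date>.+) \((?P<tz>[A-Z]+)\)$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_guestbook(text):
    """Split the guestbook into entries; each becomes a dict with body, email,
    posting time and the set of URLs found in the body. Blocks that do not
    end with a signature line and a timestamp line are skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.strip().splitlines()]
        if len(lines) < 3:
            continue
        sig, stamp = SIG_RE.match(lines[-2]), STAMP_RE.match(lines[-1])
        if not (sig and stamp):
            continue
        body = " ".join(lines[:-2])
        entries.append({
            "body": body,
            "email": sig.group("email"),
            "posted": datetime.strptime(stamp.group("date"), "%A, %B %d, %Y at %H:%M:%S"),
            "urls": set(URL_RE.findall(body)),
        })
    return entries


def normalize(body):
    """Collapse whitespace and case so reflowed copies of one message compare equal."""
    return " ".join(body.split()).lower()


def flag_spam(entries, min_body_repeats=2, min_url_entries=3,
              burst_count=3, burst_window=timedelta(seconds=60)):
    """Apply three independent heuristics (thresholds are assumed defaults)
    and return one finding dict per hit."""
    findings = []
    by_body, by_url, by_email = defaultdict(list), defaultdict(list), defaultdict(list)
    for e in entries:
        by_body[normalize(e["body"])].append(e)
        by_email[e["email"]].append(e)
        for url in e["urls"]:
            by_url[url].append(e)

    # 1. The same message body (modulo whitespace and case) posted more than once.
    for body, group in by_body.items():
        if len(group) >= min_body_repeats:
            findings.append({"rule": "repeated_body", "count": len(group),
                             "emails": sorted({e["email"] for e in group})})

    # 2. One off-site link pushed in many entries, whatever the wording around it.
    for url, group in by_url.items():
        if len(group) >= min_url_entries:
            findings.append({"rule": "repeated_url", "url": url, "count": len(group),
                             "emails": sorted({e["email"] for e in group})})

    # 3. One identity posting faster than a person types: burst_count posts
    #    whose first and last timestamps fall within burst_window.
    for email, group in by_email.items():
        times = sorted(e["posted"] for e in group)
        for i in range(len(times) - burst_count + 1):
            span = times[i + burst_count - 1] - times[i]
            if span <= burst_window:
                findings.append({"rule": "burst_posting", "emails": [email],
                                 "count": burst_count, "span": span})
                break
    return findings


def suspicious_emails(findings):
    """Identities implicated by any rule, as a review list for the moderator."""
    return sorted({email for f in findings for email in f["emails"]})


if __name__ == "__main__":
    hits = flag_spam(parse_guestbook(SAMPLE_GUESTBOOK))
    for f in hits:
        print(f)
    print("review:", suspicious_emails(hits))
```

Against the constructed sample the legitimate entry trips nothing, the doubled-body post is not matched by the body rule (its normalized text differs from the single copies) but is still caught by the link rule and the burst rule, and the differently worded post from a second address is tied in only through the shared link. Running the three rules independently and reviewing the union is the point: a bot that varies its wording defeats body matching alone, and one that slows down defeats burst detection alone.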
    