Re: [Full-Disclosure] Suspect phpBB users
From: GuidoZ (uberguidoz_at_gmail.com)
Date: 12/26/04
- Previous message: John Cartwright: "Re: [Full-Disclosure] Jami L Blume/BOARD/FRS is out of the office. (fwd)"
- Next in thread: GuidoZ: "Re: [Full-Disclosure] Suspect phpBB users"
- Maybe reply: GuidoZ: "Re: [Full-Disclosure] Suspect phpBB users"
Date: Sun, 26 Dec 2004 06:57:13 -0500
To: Jack Yan <jack.yan@jyanet.com>
> We have since upgraded, but among our new users over the last few days
> have been a Weber361, a Weber395, and a nderevyanko.
> Googling the last user name, I've found 4,900 references—most with
> guestbooks or forums—to which nderevyanko has signed up. He has been
> preceded by a few Webers, and some Irenas, often citing that
> killhim.boom.ru is their home page.
I also noticed that the "nderevyanko" user has put up a number of
posts to sites with the same text:
http://nderevyanko.narod.ru/ greets you. Came into my website! My
site is better then this one! I'll give you free money!
*OR*
http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ :
294168488 Contact me asap! I'll give you a free gift!
A good example:
- http://proxy2.de/guestbook/
Another chunk of similar posts looks like this:
(From http://www.hermit.com/guestbook/guestbook.html )
http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ :
294168488 Contact me asap! I'll give you a free gift!
http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ :
294168488 Contact me asap! I'll give you a free gift!
nDerevyanko <nDerevyanko2000@yahoo.com>
NY, NY USA - Friday, December 24, 2004 at 09:31:44 (EST)
http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
nderevyanko <nderevyanko@mail.ru>
NY, NY USA - Friday, December 24, 2004 at 08:51:27 (EST)
http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
nderevyanko <nderevyanko@mail.ru>
NY, NY USA - Friday, December 24, 2004 at 08:51:17 (EST)
http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
nderevyanko <nderevyanko@mail.ru>
NY, NY USA - Friday, December 24, 2004 at 08:51:16 (EST)
There is obviously something not right about this user. It could be a
spam bot hoping to create Google spam to the website. It could be
related to the exploits. I haven't visited the listed website(s) yet
to see what they hold. Maybe tomorrow. =)
--
Peace. ~G

On Sat, 25 Dec 2004 18:54:17 -0500, Jack Yan <jack.yan@jyanet.com> wrote:
> Dear Full-Disclosure members:
>
> I am not a computer expert, just a regular Joe who hopes this information
> may be useful to you.
> We are running phpBB and last week, a DoS attack was launched against us.
> We have since upgraded, but among our new users over the last few days
> have been a Weber361, a Weber395, and a nderevyanko.
> Googling the last user name, I've found 4,900 references—most with
> guestbooks or forums—to which nderevyanko has signed up. He has been
> preceded by a few Webers, and some Irenas, often citing that
> killhim.boom.ru is their home page.
> I have heard that there is a phpBB worm doing the rounds over the
> holidays, and wonder if this is related in some way.
> My hosting company recommended this list and I hope members, being far
> better versed on these matters than me, can get word out.
> Other than the frequency with which the Webers and nderevyanko have
> signed up to thousands of sites over the last few days, I've no proof that
> they are malicious—but since the DoS attack I am on alert.
> I hope this information is useful and that this has been a post that's
> considered on-topic.
>
> Yours sincerely,
>
> Jack Yan, LL B, BCA (Hons.), MCA <http://jackyan.com>
> CEO, Jack Yan & Associates <http://jya.net/>
> CEO, Lucire LLC <http://www.lucire.net>
>
> Lucire, the global fashion magazine: <http://www.lucire.com>
> Visit Beyond Branding, <http://www.beyond-branding.com>—in its second printing
>
> ----------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html