Possible user hack

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Get Involved
Post Reply
Feralkiwi
Registered User
Posts: 4
Joined: Mon Jan 23, 2017 4:22 am
Location: New Zealand
Name: Owen

Possible user hack

Post by Feralkiwi »

Possible user hack.

I'm a moderator on a phpBB.
Our site gets many prono and spam topics entered.

What I have found is that the user can be banned by user name and be posting again under the same name on the same day.

Also I find that most of these spammers have "Joined" dates that are months earlier than the current date, eg October last year.

Also I find that the last "log off" date is also from October.

Details for one user I banned;
The board system showed him as registered on 24 Oct 2016 at 3:56pm NZDT and logging off at 24 Oct 2016 at 4:40PM NZDT.
The Board system also shows me Banning him at 20 Dec 2016 at 1:10PM NZDT, the real time and date.
I found this spam post only a few minutes after it was posted and deleted it.

Has anyone else found this discrepancy with spammer dates?
Is there a Back Door that these spammers are using into the board system?

Owen

User avatar
KevC
Support Team Member
Support Team Member
Posts: 69711
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Possible user hack

Post by KevC »

Please fill out the Support Request Template and post it back here to enable us to assist you better.

There are no known 'backdoors'. Often these things have simple explanations like an integrated login, registration allowed through tapatalk , or a duplicate installation someone used for testing and forgot about. You're better off just stopping the spambots registering in the first place and that's relatively simple.
-:|:- Support Request Template -:|:-
Image
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"

Feralkiwi
Registered User
Posts: 4
Joined: Mon Jan 23, 2017 4:22 am
Location: New Zealand
Name: Owen

Re: Possible user hack

Post by Feralkiwi »

Thanks for the reply

I tried to look at the form and search "Spambot" but maybe my setting are blocking the site as I get nothing up, just blank pages.

One point though, the dates?

I have looked and the spam users are registered in October last year in bulk.
No problem with that date. registered: Sun Oct 09, 2016 3:36 am

I deleted a users the new topic: Mon Jan 23, 2017 5:11 pm
I banned the user: Mon Jan 23, 2017 5:11 pm, both IP and username.
BUT: User Last active: Tue Jan 24, 2017 5:21 am

another user last active: Mon Jan 23, 2017 2:19 am
that users post deleted: Tue Jan 24, 2017 3:53 am
The post was not present on the board when I was there at :Mon Jan 23, 2017 5:11 pm

And there is the post in my last post showing last logon 2 months earlier.

Please what is going on with these dates as reported from the forum software?
I'm at the first time zone in the world, no one can be 24 hours ahead of me or 2 months behind.

Owen

User avatar
KevC
Support Team Member
Support Team Member
Posts: 69711
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Possible user hack

Post by KevC »

Banning is a bit pointless because you can get round IP bans easily and I think the username ban is only to stop people creating a new account with that name. I'm not so sure it stops that name coming to the board if the account already exists (might be wrong though as I never need to ban anyone).

Priority one should be to stop the bots getting in.
What's the address of the board?
-:|:- Support Request Template -:|:-
Image
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"

Feralkiwi
Registered User
Posts: 4
Joined: Mon Jan 23, 2017 4:22 am
Location: New Zealand
Name: Owen

Re: Possible user hack

Post by Feralkiwi »

Banning a user by name should stop the same user returning to the board and posting again.

It does not.

The first pic shows the user being banned at 433am
I then find the user has posted 22 more spams and ban the user again.
Also the user is listed as "last active" the 8:01pm the day before.
The user name spelling is the same and the board lists the user as joining in December last.

*removed attached images*

There is something wrong here.

Is it possible that a user can stay "Logged On" for hours and override a ban?
Does the "Last Active" time and date mean the "log off" time or the "log on" time?

Owen
Last edited by JimA on Mon Jan 30, 2017 9:30 pm, edited 1 time in total.
Reason: Attachments with potentially senstive information removed

User avatar
Marc
Development Team Leader
Development Team Leader
Posts: 5449
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc
Contact:

Re: Possible user hack

Post by Marc »

If you think users are able to bypass bans on your system, please create a new ticket in our incident investigation tracker: https://tracker.phpbb.com/projects/INCIDENT
You can create a new ticket after logging in with your login details from this site.

Please make sure to include logs from the time of the post(s) as well as information on your server setup and installed extensions.

Feralkiwi
Registered User
Posts: 4
Joined: Mon Jan 23, 2017 4:22 am
Location: New Zealand
Name: Owen

Re: Possible user hack

Post by Feralkiwi »

Marc wrote:
Mon Jan 30, 2017 9:29 pm
If you think users are able to bypass bans on your system, please create a new ticket in our incident investigation tracker: https://tracker.phpbb.com/projects/INCIDENT
You can create a new ticket after logging in with your login details from this site.

Please make sure to include logs from the time of the post(s) as well as information on your server setup and installed extensions.
Thanks but that's not happening.
Your link sent me odd places with no report to fill in.
As an invited Moderator on the site in question, I cannot answer those questions re server setup.

I thought you might have been interested in this.
KevC had no answer for the date thing, which suggests something wrong.

Bye.

User avatar
Marc
Development Team Leader
Development Team Leader
Posts: 5449
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc
Contact:

Re: Possible user hack

Post by Marc »

It sends you to a place where you can log in in the top right corner. Afterwards, you'll be able to see a big blue button saying "Create ticket" that'll allow you to create a ticket. On the create ticket form you can enter anything you'd like to enter. Then again, I'd suggest contacting your site admin as he'll be able to provide the full information one would need to investigate this.

We are interested in any info put forth. At this point you are however basically stating that someone came into the house but you're not telling us if the backdoor was open all along. :lol:

User avatar
Mick
Support Team Member
Support Team Member
Posts: 22290
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: Possible user hack

Post by Mick »

Pass this on to your admin:

If your board has been hacked, please do the following before making any modifications to your board (this includes changing passwords, editing files, running the Support Toolkit, etc.):
  1. Save an archive file comprising copies of all the files (this can be done by creating a zip or tarball of the files).
  2. Save a copy of the database.
  3. Save the server access logs for the time of the hack (they may be available in the “logs” directory on the server, in your host’s control panel or only by request directly from your host).
  4. File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.
"The more connected we get the more alone we become" - Kyle Broflovski

Please read: “Am I In The Right Place?” before posting.

User avatar
bbthailand
Translator
Posts: 62
Joined: Wed Jun 18, 2008 6:00 am
Contact:

Re: Possible user hack

Post by bbthailand »

How about this problem ?

User avatar
JimA
Community Team Leader
Community Team Leader
Posts: 7725
Joined: Thu Jul 31, 2008 5:54 am
Location: The Netherlands
Name: Jim Mossing Holsteyn
Contact:

Re: Possible user hack

Post by JimA »

bbthailand wrote:
Sun Oct 22, 2017 9:06 am
How about this problem ?
Hi! I'm not sure what you mean with that question.

If people have hacked boards, they will be helped through the Incident Tracker, per the responses above from Mick and Marc. Most usually, phpBB is not the point of entrance for these hacks, but rather other software that later causes the user's phpBB install to also get infected.

In the unlikely event that phpBB was the culprit, we would immediately release a security release, which has not happened for the case in this topic. So you have nothing to worry about. :)
Image Jim Mossing Holsteyn - Community Team Leader
Knowledge Base | Documentation | Board rules

If you're having any questions about the rules/customs of this website, feel free to drop me a PM.

Post Reply

Return to “phpBB Discussion”