Possible user hack

Feralkiwi · Post by **Feralkiwi** » Mon Jan 23, 2017 4:38 am

Possible user hack.

I'm a moderator on a phpBB.
Our site gets many prono and spam topics entered.

What I have found is that the user can be banned by user name and be posting again under the same name on the same day.

Also I find that most of these spammers have "Joined" dates that are months earlier than the current date, eg October last year.

Also I find that the last "log off" date is also from October.

Details for one user I banned;
The board system showed him as registered on 24 Oct 2016 at 3:56pm NZDT and logging off at 24 Oct 2016 at 4:40PM NZDT.
The Board system also shows me Banning him at 20 Dec 2016 at 1:10PM NZDT, the real time and date.
I found this spam post only a few minutes after it was posted and deleted it.

Has anyone else found this discrepancy with spammer dates?
Is there a Back Door that these spammers are using into the board system?

Owen

Post by **KevC** » Mon Jan 23, 2017 9:14 am

Please fill out the Support Request Template and post it back here to enable us to assist you better.

There are no known 'backdoors'. Often these things have simple explanations like an integrated login, registration allowed through tapatalk , or a duplicate installation someone used for testing and forgot about. You're better off just stopping the spambots registering in the first place and that's relatively simple.

Feralkiwi · Post by **Feralkiwi** » Mon Jan 23, 2017 8:59 pm

Thanks for the reply

I tried to look at the form and search "Spambot" but maybe my setting are blocking the site as I get nothing up, just blank pages.

One point though, the dates?

I have looked and the spam users are registered in October last year in bulk.
No problem with that date. registered: Sun Oct 09, 2016 3:36 am

I deleted a users the new topic: Mon Jan 23, 2017 5:11 pm
I banned the user: Mon Jan 23, 2017 5:11 pm, both IP and username.
BUT: User Last active: Tue Jan 24, 2017 5:21 am

another user last active: Mon Jan 23, 2017 2:19 am
that users post deleted: Tue Jan 24, 2017 3:53 am
The post was not present on the board when I was there at :Mon Jan 23, 2017 5:11 pm

And there is the post in my last post showing last logon 2 months earlier.

Please what is going on with these dates as reported from the forum software?
I'm at the first time zone in the world, no one can be 24 hours ahead of me or 2 months behind.

Owen

Post by **KevC** » Mon Jan 23, 2017 9:25 pm

Banning is a bit pointless because you can get round IP bans easily and I think the username ban is only to stop people creating a new account with that name. I'm not so sure it stops that name coming to the board if the account already exists (might be wrong though as I never need to ban anyone).

Priority one should be to stop the bots getting in.
What's the address of the board?

Feralkiwi · Post by **Feralkiwi** » Mon Jan 30, 2017 9:09 pm

Banning a user by name should stop the same user returning to the board and posting again.

It does not.

The first pic shows the user being banned at 433am
I then find the user has posted 22 more spams and ban the user again.
Also the user is listed as "last active" the 8:01pm the day before.
The user name spelling is the same and the board lists the user as joining in December last.

*removed attached images*

There is something wrong here.

Is it possible that a user can stay "Logged On" for hours and override a ban?
Does the "Last Active" time and date mean the "log off" time or the "log on" time?

Owen

Post by **Marc** » Mon Jan 30, 2017 9:29 pm

If you think users are able to bypass bans on your system, please create a new ticket in our incident investigation tracker: https://tracker.phpbb.com/projects/INCIDENT
You can create a new ticket after logging in with your login details from this site.

Please make sure to include logs from the time of the post(s) as well as information on your server setup and installed extensions.

Feralkiwi · Post by **Feralkiwi** » Tue Jan 31, 2017 2:18 am

Marc wrote: ↑Mon Jan 30, 2017 9:29 pm If you think users are able to bypass bans on your system, please create a new ticket in our incident investigation tracker: https://tracker.phpbb.com/projects/INCIDENT
You can create a new ticket after logging in with your login details from this site.

Please make sure to include logs from the time of the post(s) as well as information on your server setup and installed extensions.

Thanks but that's not happening.
Your link sent me odd places with no report to fill in.
As an invited Moderator on the site in question, I cannot answer those questions re server setup.

I thought you might have been interested in this.
KevC had no answer for the date thing, which suggests something wrong.

Bye.

Post by **Marc** » Tue Jan 31, 2017 6:33 am

It sends you to a place where you can log in in the top right corner. Afterwards, you'll be able to see a big blue button saying "Create ticket" that'll allow you to create a ticket. On the create ticket form you can enter anything you'd like to enter. Then again, I'd suggest contacting your site admin as he'll be able to provide the full information one would need to investigate this.

We are interested in any info put forth. At this point you are however basically stating that someone came into the house but you're not telling us if the backdoor was open all along.

Post by **Mick** » Tue Jan 31, 2017 12:28 pm

Pass this on to your admin:

If your board has been hacked, please do the following before making any modifications to your board (this includes changing passwords, editing files, running the Support Toolkit, etc.):

Save an archive file comprising copies of all the files (this can be done by creating a zip or tarball of the files).
Save a copy of the database.
Save the server access logs for the time of the hack (they may be available in the “logs” directory on the server, in your host’s control panel or only by request directly from your host).
File a report in the incident tracker. Attach the items from steps 1-3 when you file the report or upload them to a secure location for the incident investigation team to download. Please do not start a new topic on the board, the proper place for incidents reports is the tracker.

bbthailand · Post by **bbthailand** » Sun Oct 22, 2017 9:06 am

How about this problem ?

JimA · Post by **JimA** » Sun Oct 22, 2017 10:17 pm

bbthailand wrote: ↑Sun Oct 22, 2017 9:06 am How about this problem ?

Hi! I'm not sure what you mean with that question.

If people have hacked boards, they will be helped through the Incident Tracker, per the responses above from Mick and Marc. Most usually, phpBB is not the point of entrance for these hacks, but rather other software that later causes the user's phpBB install to also get infected.

In the unlikely event that phpBB was the culprit, we would immediately release a security release, which has not happened for the case in this topic. So you have nothing to worry about.