phpbb3 security issue / aka Uhnd12jsxcvsdf

sameleon1
Registered User
Posts: 1
Joined: Mon May 25, 2020 7:51 pm

phpbb3 security issue / aka Uhnd12jsxcvsdf

Post by sameleon1 »

Hello

I found that many phpbb3 sites were hacked in the last 2 days. The intruder gets access to a real user account and creates a new post with the subject "Uhnd12jsxcvsdf". Inside this post are some URL links, see https://www.flat4.org/forum/viewtopic.p ... 17#p388417

You can find thousands of the same posts on Google. Do you have the same experience? How to fix it?


Code:

46.161.11.70 - - [26/May/2022:00:18:35 +0200] "GET /forum/ucp.php HTTP/1.0" 200 13598 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:38 +0200] "POST /forum/ucp.php?mode=login&sid=d08af1da35e72439b11efe4671766130 HTTP/1.0" 302 - "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:39 +0200] "GET /forum/ucp.php?sid=06b22202bd3576474787b9297bdef025 HTTP/1.0" 200 16739 "https://www.flat4.org/forum/ucp.php?sid=06b22202bd3576474787b9297bdef025" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:40 +0200] "GET /forum/ucp.php HTTP/1.0" 200 16739 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:40 +0200] "GET /forum/ucp.php?i=164 HTTP/1.0" 200 24645 "https://www.flat4.org/forum/ucp.php?i=164" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:48 +0200] "POST /forum/ucp.php?i=ucp_profile&mode=profile_info HTTP/1.0" 200 25081 "https://www.flat4.org/forum/ucp.php?i=164" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:48 +0200] "GET /forum/ucp.php?i=ucp_profile&mode=signature HTTP/1.0" 200 26722 "https://www.flat4.org/forum/ucp.php?i=ucp_profile&mode=signature" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:49 +0200] "GET /forum/ucp.php HTTP/1.0" 200 16739 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:49 +0200] "GET /forum/app.php/feed HTTP/1.0" 200 13943 "https://www.flat4.org/forum/app.php/feed" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:50 +0200] "GET /forum/index.php HTTP/1.0" 200 56107 "https://www.flat4.org/forum/index.php" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:50 +0200] "GET /forum/viewforum.php?f=7 HTTP/1.0" 200 620788 "https://www.flat4.org/forum/viewforum.php?f=7" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:51 +0200] "GET /forum/posting.php?mode=post&f=7 HTTP/1.0" 200 35828 "https://www.flat4.org/forum/posting.php?mode=post&f=7" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:18:59 +0200] "POST /forum/posting.php?mode=post&f=7 HTTP/1.0" 302 - "https://www.flat4.org/forum/posting.php?mode=post&f=7" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:00:19:00 +0200] "GET /forum/viewtopic.php?f=7&t=23332 HTTP/1.0" 200 30974 "https://www.flat4.org/forum/viewtopic.php?f=7&t=23332" "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:17:06:05 +0200] "GET /forum/viewtopic.php?f=7&t=23332 HTTP/1.0" 404 3025 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:14 +0200] "GET /forum/ucp.php HTTP/1.0" 200 13598 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:18 +0200] "POST /forum/ucp.php?mode=login&sid=47672c8127b2e5c7c478da5e0d4a224a HTTP/1.0" 302 - "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:18 +0200] "GET /forum/ucp.php?sid=43ae0ec91fe94e14cea921125682be7d HTTP/1.0" 200 16738 "https://www.flat4.org/forum/ucp.php?sid=43ae0ec91fe94e14cea921125682be7d" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:19 +0200] "GET /forum/ucp.php HTTP/1.0" 200 16738 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:19 +0200] "GET /forum/ucp.php?i=164 HTTP/1.0" 200 24645 "https://www.flat4.org/forum/ucp.php?i=164" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:27 +0200] "POST /forum/ucp.php?i=ucp_profile&mode=profile_info HTTP/1.0" 200 14133 "https://www.flat4.org/forum/ucp.php?i=164" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:28 +0200] "GET /forum/ucp.php?i=ucp_profile&mode=profile_info HTTP/1.0" 200 24726 "https://www.flat4.org/forum/ucp.php?i=ucp_profile&mode=profile_info" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:28 +0200] "GET /forum/ucp.php?i=ucp_profile&mode=signature HTTP/1.0" 200 26722 "https://www.flat4.org/forum/ucp.php?i=ucp_profile&mode=signature" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:28 +0200] "GET /forum/ucp.php HTTP/1.0" 200 16738 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:29 +0200] "GET /forum/app.php/feed HTTP/1.0" 200 12280 "https://www.flat4.org/forum/app.php/feed" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:32 +0200] "GET /forum/viewtopic.php?t=12785&p=388403 HTTP/1.0" 200 52228 "https://www.flat4.org/forum/viewtopic.php?t=12785&p=388403" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:33 +0200] "GET /forum/posting.php?mode=reply&f=7&t=12785 HTTP/1.0" 200 72035 "https://www.flat4.org/forum/posting.php?mode=reply&f=7&t=12785" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:41 +0200] "POST /forum/posting.php?mode=reply&f=7&t=12785 HTTP/1.0" 302 - "https://www.flat4.org/forum/posting.php?mode=reply&f=7&t=12785" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:18:26:42 +0200] "GET /forum/viewtopic.php?f=7&t=12785&p=388411 HTTP/1.0" 200 57938 "https://www.flat4.org/forum/viewtopic.php?f=7&t=12785&p=388411#p388411" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:32 +0200] "GET /forum/ucp.php HTTP/1.0" 200 13598 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:35 +0200] "POST /forum/ucp.php?mode=login&sid=6b99f2bde2915d4b297fe3d961dc4555 HTTP/1.0" 200 10441 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:36 +0200] "GET /forum/ucp.php HTTP/1.0" 200 13598 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:37 +0200] "GET /forum/index.php HTTP/1.0" 200 51365 "https://www.flat4.org/index.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:37 +0200] "GET /forum/viewtopic.php?f=39&t=12892&start=1680 HTTP/1.0" 200 84557 "https://www.flat4.org/forum/viewtopic.php?f=39&t=12892&start=1680" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:38 +0200] "GET /forum/posting.php?mode=reply&f=39&t=12892 HTTP/1.0" 200 12464 "https://www.flat4.org/forum/posting.php?mode=reply&f=39&t=12892" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:38 +0200] "GET /forum/viewtopic.php?f=39&t=12892 HTTP/1.0" 200 90163 "https://www.flat4.org/forum/viewtopic.php?f=39&t=12892" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:38 +0200] "GET /forum/posting.php?mode=reply&f=39&t=12892 HTTP/1.0" 200 12464 "https://www.flat4.org/forum/posting.php?mode=reply&f=39&t=12892" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:39 +0200] "GET /forum/viewtopic.php?f=7&t=12785 HTTP/1.0" 200 96790 "https://www.flat4.org/forum/viewtopic.php?f=7&t=12785" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:39 +0200] "GET /forum/posting.php?mode=reply&f=7&t=12785 HTTP/1.0" 200 12462 "https://www.flat4.org/forum/posting.php?mode=reply&f=7&t=12785" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:40 +0200] "GET /forum/viewforum.php?f=7 HTTP/1.0" 200 592673 "https://www.flat4.org/forum/viewforum.php?f=7" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:40 +0200] "GET /forum/posting.php?mode=reply&f=39&t=12892 HTTP/1.0" 200 12464 "https://www.flat4.org/forum/posting.php?mode=reply&f=39&t=12892" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:41 +0200] "GET /forum/viewtopic.php?f=4&t=348&start=580 HTTP/1.0" 200 89114 "https://www.flat4.org/forum/viewtopic.php?f=4&t=348&start=580" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:41 +0200] "GET /forum/posting.php?mode=reply&f=4&t=348 HTTP/1.0" 200 12458 "https://www.flat4.org/forum/posting.php?mode=reply&f=4&t=348" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:42 +0200] "GET /forum/viewtopic.php?f=4&t=348 HTTP/1.0" 200 80097 "https://www.flat4.org/forum/viewtopic.php?f=4&t=348" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:42 +0200] "GET /forum/posting.php?mode=reply&f=4&t=348 HTTP/1.0" 200 12458 "https://www.flat4.org/forum/posting.php?mode=reply&f=4&t=348" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:42 +0200] "GET /forum/viewforum.php?f=4 HTTP/1.0" 200 553178 "https://www.flat4.org/forum/viewforum.php?f=4" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:43 +0200] "GET /forum/posting.php?mode=reply&f=39&t=12892 HTTP/1.0" 200 12464 "https://www.flat4.org/forum/posting.php?mode=reply&f=39&t=12892" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:43 +0200] "GET /forum/viewtopic.php?p=241761 HTTP/1.0" 200 90155 "https://www.flat4.org/forum/viewtopic.php?p=241761" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:44 +0200] "GET /forum/posting.php?mode=reply&f=7&t=12785 HTTP/1.0" 200 12462 "https://www.flat4.org/forum/posting.php?mode=reply&f=7&t=12785" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [26/May/2022:19:44:44 +0200] "GET /forum/viewforum.php?f=39 HTTP/1.0" 200 441957 "https://www.flat4.org/forum/viewforum.php?f=39" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4427.0 Safari/537.36"
46.161.11.70 - - [27/May/2022:03:08:21 +0200] "GET /forum/ucp.php HTTP/1.0" 200 13727 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
46.161.11.70 - - [27/May/2022:03:08:24 +0200] "POST /forum/ucp.php?mode=login&sid=84eaee185edc293c37563862e2dd09b3 HTTP/1.0" 200 10441 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
46.161.11.70 - - [27/May/2022:03:08:25 +0200] "GET /forum/app.php/feed HTTP/1.0" 200 11689 "https://www.flat4.org/forum/app.php/feed" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36"
46.161.11.70 - - [27/May/2022:04:43:11 +0200] "GET /forum/ucp.php HTTP/1.0" 200 13598 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36"
46.161.11.70 - - [27/May/2022:04:43:14 +0200] "POST /forum/ucp.php?mode=login&sid=1442a723021885320af12c39fd593348 HTTP/1.0" 200 10441 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36"
46.161.11.70 - - [27/May/2022:04:43:15 +0200] "GET /forum/app.php/feed HTTP/1.0" 200 11689 "https://www.flat4.org/forum/app.php/feed" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36"
46.161.11.70 - - [27/May/2022:05:45:53 +0200] "GET /forum/ucp.php HTTP/1.0" 200 13598 "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42"
46.161.11.70 - - [27/May/2022:05:45:56 +0200] "POST /forum/ucp.php?mode=login&sid=fc6c323b09b28671db359d2831b4cdd6 HTTP/1.0" 302 - "https://www.flat4.org/forum/ucp.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42"
46.161.11.70 - - [27/May/2022:05:45:57 +0200] "GET /forum/ucp.php?sid=bfce38aad62cc5d43a8de90daee237d9 HTTP/1.0" 200 17972 "https://www.flat4.org/forum/ucp.php?sid=bfce38aad62cc5d43a8de90daee237d9" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42"
46.161.11.70 - - [27/May/2022:05:45:58 +0200] "GET /forum/viewforum.php?f=39 HTTP/1.0" 200 447986 "https://www.flat4.org/forum/viewforum.php?f=39" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42"
46.161.11.70 - - [27/May/2022:05:45:58 +0200] "GET /forum/posting.php?mode=post&f=39 HTTP/1.0" 200 36164 "https://www.flat4.org/forum/posting.php?mode=post&f=39" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42"
46.161.11.70 - - [27/May/2022:05:46:06 +0200] "POST /forum/posting.php?mode=post&f=39 HTTP/1.0" 302 - "https://www.flat4.org/forum/posting.php?mode=post&f=39" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42"
46.161.11.70 - - [27/May/2022:05:46:07 +0200] "GET /forum/viewtopic.php?f=39&t=23334 HTTP/1.0" 200 31668 "https://www.flat4.org/forum/viewtopic.php?f=39&t=23334" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42"
KevC
Support Team Member
Posts: 72329
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: phpbb3 security issue / aka Uhnd12jsxcvsdf

Post by KevC »

Just looks like a regular spam account. I did a search for the topic title and it's on all sorts of sites with different forum platforms.

Happy for someone to correct me but it just looks like a rampant spambot.
-:|:- Support Request Template -:|:-
"Step up to red alert. Sir, are you absolutely sure? It does mean changing the bulb"
Mick
Support Team Member
Posts: 26455
Joined: Fri Aug 29, 2008 9:49 am

Re: phpbb3 security issue / aka Uhnd12jsxcvsdf

Post by Mick »

  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
hamidouki
Registered User
Posts: 344
Joined: Sun Aug 02, 2015 2:33 pm

Re: phpbb3 security issue / aka Uhnd12jsxcvsdf

Post by hamidouki »

yes the first links and the message of also
Greetings to the phpBB community
Kigen
Registered User
Posts: 29
Joined: Wed Jun 15, 2005 7:17 am
Location: Behind you....

Re: phpbb3 security issue / aka Uhnd12jsxcvsdf

Post by Kigen »

We had a similar incident occur with this same IP.

I think it probably has a list of compromised credentials. And when it sees an account that matches one it knows the password to, it logs into it. Because why log in to a random user's account if there were a true security vulnerability rather than an administrator's account?
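The login-then-post sequence in the access log at the top of this thread, and the compromised-credentials explanation given in the post above, can be looked for mechanically. The following is an added example, not part of any post in this thread: it assumes combined-format logs and that a 302 on `ucp.php?mode=login` is an accepted login; the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Thresholds are assumptions for this example; tune them for your board.
MIN_LOGINS = 2          # login POSTs seen from one IP
MIN_AGENTS = 2          # distinct User-Agent strings on those logins
FAST_POST_SECONDS = 60  # post submitted this soon after an accepted login

# Combined log format, the format of the access log posted in this thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def classify(method, path, status):
    """Name the phpBB action behind a request, or None if not of interest."""
    if method != "POST":
        return None
    if "ucp.php" in path and "mode=login" in path:
        # Assumption: 302 = login accepted, otherwise the form came back.
        return "login_ok" if status == 302 else "login_fail"
    if "ucp.php" in path and "i=ucp_profile" in path:
        return "profile_edit"
    if "posting.php" in path:
        return "post"
    return None

def summarize(lines):
    """Per-IP counts of logins, profile edits and posts from log lines."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        event = m and classify(m["method"], m["path"], int(m["status"]))
        if not event:
            continue  # unparsable line or a request we do not track
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = stats.setdefault(m["ip"], {
            "login_ok": 0, "login_fail": 0, "profile_edit": 0, "post": 0,
            "agents": set(), "last_ok": None, "fast_posts": 0})
        s[event] += 1
        if event.startswith("login"):
            s["agents"].add(m["ua"])  # user agents seen on login attempts
        if event == "login_ok":
            s["last_ok"] = when
        elif event == "post" and s["last_ok"] is not None:
            if (when - s["last_ok"]).total_seconds() <= FAST_POST_SECONDS:
                s["fast_posts"] += 1
    return stats

def suspicious_ips(stats):
    """IPs with repeated logins, rotating user agents and a fast post."""
    return sorted(ip for ip, s in stats.items()
                  if s["login_ok"] + s["login_fail"] >= MIN_LOGINS
                  and len(s["agents"]) >= MIN_AGENTS and s["fast_posts"] >= 1)

def _line(ip, ts, method, path, status, ua):
    return (f'{ip} - - [01/Jan/2024:{ts} +0000] "{method} {path} HTTP/1.0" '
            f'{status} - "-" "{ua}"')

# Constructed sample log (documentation IP ranges, made-up user agents).
A, B = "203.0.113.7", "198.51.100.20"
SAMPLE_LOG = [
    _line(A, "00:18:38", "POST", "/forum/ucp.php?mode=login", 302, "UA-A"),
    _line(A, "00:18:48", "POST", "/forum/ucp.php?i=ucp_profile&mode=profile_info", 200, "UA-A"),
    _line(A, "00:18:59", "POST", "/forum/posting.php?mode=post&f=7", 302, "UA-A"),
    _line(B, "09:00:00", "POST", "/forum/ucp.php?mode=login", 302, "UA-D"),
    _line(B, "09:12:30", "POST", "/forum/posting.php?mode=reply&f=7&t=1", 302, "UA-D"),
    _line(A, "18:26:18", "POST", "/forum/ucp.php?mode=login", 302, "UA-B"),
    _line(A, "18:26:41", "POST", "/forum/posting.php?mode=reply&f=7&t=1", 302, "UA-B"),
    _line(A, "19:44:35", "POST", "/forum/ucp.php?mode=login", 200, "UA-C"),
]

if __name__ == "__main__":
    print(suspicious_ips(summarize(SAMPLE_LOG)))
```

If the forum sits behind a reverse proxy or CDN, the first log field may be the proxy's address, so the per-IP grouping is only meaningful once the web server logs the real client address.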
Marc
Development Team Leader
Posts: 5657
Joined: Tue Oct 30, 2007 10:57 pm
Location: Munich, Germany
Name: Marc

Re: phpbb3 security issue / aka Uhnd12jsxcvsdf

Post by Marc »

Yes, that's what it seems like. Especially for old accounts that have been inactive for a long time, the chance of them using a very old password that was leaked at some point is certainly higher. I also think that in the past people did not yet pay that much attention to password reuse.
KevC
Support Team Member
Posts: 72329
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK

Re: phpbb3 security issue / aka Uhnd12jsxcvsdf

Post by KevC »

From the sites I found that on, the accounts were all made in the previous 2 days so I don't think it's anything more than a normal spambot.
Kigen
Registered User
Posts: 29
Joined: Wed Jun 15, 2005 7:17 am
Location: Behind you....

Re: phpbb3 security issue / aka Uhnd12jsxcvsdf

Post by Kigen »

KevC wrote: Mon May 30, 2022 10:13 am
    From the sites I found that on, the accounts were all made in the previous 2 days so I don't think it's anything more than a normal spambot.

In our case the account that was compromised was registered in 2015. It made a few posts shortly after registering asking for assistance with other software. Then it went inactive. It wasn't logged into until the IP listed above logged into it. Then it spammed URLs that were also being spammed by newly registered users. We cannot contact the original user since the domain they registered their email with is no longer registered. So we've basically banned that user.
Forex Station
Registered User
Posts: 177
Joined: Thu Apr 06, 2017 2:26 pm
Location: Australia

Re: phpbb3 security issue / aka Uhnd12jsxcvsdf

Post by Forex Station »

The exact same thing has happened to our site. Just confirming that the accounts posting the spam are only from:
  • A handful of newer accounts that registered within the past two days (we've stopped accepting registrations for now).
  • Dormant user accounts from years ago that only contained a few posts.
Looks like the spammers are indeed using compromised e-mails and/or passwords to gain access to these inactive accounts from the past, so we've deleted the spammy posts and Forced User Reactivation and required everyone on the site to do a Password Change.

Annoying as hell but that's okay, I'll keep playing whack-a-mole for now.
Highly-customized PhpBB board voted as one of the most influential trading sites in the world: forex-station.com 💬
hamidouki
Registered User
Posts: 344
Joined: Sun Aug 02, 2015 2:33 pm

Re: phpbb3 security issue / aka Uhnd12jsxcvsdf

Post by hamidouki »

I activated Cloudflare, and this problem is solved
Greetings to the phpBB community
hamidouki
Registered User
Posts: 344
Joined: Sun Aug 02, 2015 2:33 pm

Re: phpbb3 security issue / aka Uhnd12jsxcvsdf

Post by hamidouki »

Even with Cloudflare security, I just discovered that these hackers can post from old accounts, so I have to force the reactivation of these accounts :oops:
Greetings to the phpBB community