Accounts hackered?!

scheccia · Post by **scheccia** » Sun Jan 15, 2023 7:02 pm

In the last days... More users are hackered, we found topic with link to

te.me/pump_upp

...
I googled this link and there are many phpbb forums with posts with these links, so with hackered account...
is it a coincidence or there is something?

Bigman1971 · Post by **Bigman1971** » Sun Jan 15, 2023 7:52 pm

Same here... have no clue what is happening.

Used where mostly very rare used user accounts... but how did the manage to get the passwords?

Seems to hit many PHPBB forums...

Post by **Kailey** » Sun Jan 15, 2023 8:02 pm

We are aware of old accounts being used to post spam links. This is not an issue with phpBB's security. Most likely these accounts were using the same username/password as used on some other websites.

[Dimetrodon] · Post by **[Dimetrodon]** » Sun Jan 15, 2023 9:30 pm

I've googled it and found it on boards that are not running phpBB as well, so it isn't specific to phpBB.

As for anyone seeing it, don't click the link. It's another crypto scam.

bikeridr · Post by **bikeridr** » Sun Jan 15, 2023 9:33 pm

I reported one this morning, a user with 9 posts since 2015 and it was taken care of within a few minutes.
(I don't use the same password/email configuration in any of my logins).

Post by **Mick** » Mon Jan 16, 2023 4:42 pm

It looks like this person has been busy, you can choose to ban this IP if you wish.

https://cleantalk.org/blacklists/109.107.166.230

[Dimetrodon] · Post by **[Dimetrodon]** » Mon Jan 16, 2023 7:12 pm

Mick wrote: ↑Mon Jan 16, 2023 4:42 pm It looks like this person has been busy, you can choose to ban this IP if you wish.

https://cleantalk.org/blacklists/109.107.166.230

I'm surprised they would brute force just to spam. I would expect it to be more worthwhile to take advantage of many sites not having sufficient anti-spam measures and spam with new accounts.

As for phpBB board owners, this looks promising to ensure people like that have a greater difficulty compromising privileged accounts: https://github.com/phpbb-extensions/teamsecurity

scheccia · Post by **scheccia** » Tue Jan 17, 2023 7:42 am

is very strange, it's very strange, all different users

Post by **Mick** » Tue Jan 17, 2023 8:17 am

Are they all the same IP though?

Le_Spirit · Post by **Le_Spirit** » Tue Jan 17, 2023 8:52 am

^ no they're not, and most of the ip's are comming thru CloudFlare (CF) anyway. What we've done on our board to discourage the spammers, that effectively seem to use old, dormant accounts is to use the word censor in the Administrator control panel -> Posting -> Word censoring option to make those st**pid posts look even st**pider but harmless:

replaced c.rypto p.umps by stinky socks
replaced @.pump_upp by banned
replaced v.erifpro by stop that scam please
replaced v.erifpro.net by stop that scam please

the dots above should be removed of course

scheccia · Post by **scheccia** » Tue Jan 17, 2023 9:26 am

Mick wrote: ↑Tue Jan 17, 2023 8:17 am Are they all the same IP though?

Code: Select all

109.107.166.230
109.107.166.230
109.107.166.230

yes all 3 post

Le_Spirit · Post by **Le_Spirit** » Tue Jan 17, 2023 9:58 am

caught the same spam, with different IP

37.220.87.25

Post by **Mick** » Tue Jan 17, 2023 10:19 am

Le_Spirit wrote: ↑Tue Jan 17, 2023 9:58 amdifferent IP

Cleantalk reports that IP too for the same reasons (brute forcing etc) as the first above https://cleantalk.org/blacklists/37.220.87.25

[Dimetrodon] · Post by **[Dimetrodon]** » Tue Jan 17, 2023 3:12 pm

Banning IPs is a useless endeavor. Criminals of this nature are going to be able to change their IP address.

Post by **Mick** » Tue Jan 17, 2023 3:26 pm

I’m well aware of the issues with IP banning but in this case this spammer did all his work in large bursts using the same IP address because he’d accessed username/password information hence the cleantalk report so a quick ban would halt him in his tracks until he changes things.