Full Disclosure mailing list archives
Re: Suspect phpBB users
From: GuidoZ <uberguidoz () gmail com>
Date: Sun, 26 Dec 2004 06:57:13 -0500
We have since upgraded, but among our new users over the last few days have been a Weber361, a Weber395, and a nderevyanko. Googling the last user name, I've found 4,900 references—most with guestbooks or forums—to which nderevyanko has signed up. He has been preceded by a few Webers, and some Irenas, often citing that killhim.boom.ru is their home page.
I also noticed that the "nderevyanko" user has put up a number of posts to sites with the same text:

http://nderevyanko.narod.ru/ greets you. Came into my website! My site is better then this one! I'll give you free money!

*OR*

http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ : 294168488 Contact me asap! I'll give you a free gift!

A good example:
- http://proxy2.de/guestbook/

Another chunk of similar posts look like this:
(From http://www.hermit.com/guestbook/guestbook.html )

http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ : 294168488 Contact me asap! I'll give you a free gift!
http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ : 294168488 Contact me asap! I'll give you a free gift!
nDerevyanko <nDerevyanko2000 () yahoo com>
NY, NY USA - Friday, December 24, 2004 at 09:31:44 (EST)

http://nderevyanko.narod.ru/ greets you. Came into my website! My site is better then this one! I'll give you free money!
http://nderevyanko.narod.ru/ greets you. Came into my website! My site is better then this one! I'll give you free money!
nderevyanko <nderevyanko () mail ru>
NY, NY USA - Friday, December 24, 2004 at 08:51:27 (EST)

http://nderevyanko.narod.ru/ greets you. Came into my website! My site is better then this one! I'll give you free money!
http://nderevyanko.narod.ru/ greets you. Came into my website! My site is better then this one! I'll give you free money!
nderevyanko <nderevyanko () mail ru>
NY, NY USA - Friday, December 24, 2004 at 08:51:17 (EST)

http://nderevyanko.narod.ru/ greets you. Came into my website! My site is better then this one! I'll give you free money!
http://nderevyanko.narod.ru/ greets you. Came into my website! My site is better then this one! I'll give you free money!
nderevyanko <nderevyanko () mail ru>
NY, NY USA - Friday, December 24, 2004 at 08:51:16 (EST)

There is obviously something not right about this user. It could be a spam bot hoping to create Google spam to the website. It could be related to the exploits. I haven't visited the listed website(s) yet to see what they hold. Maybe tomorrow. =)

--
Peace. ~G

On Sat, 25 Dec 2004 18:54:17 -0500, Jack Yan <jack.yan () jyanet com> wrote:
Dear Full-Disclosure members:

I am not a computer expert, just a regular Joe who hopes this information may be useful to you.

We are running phpBB and last week, a DoS attack was launched against us. We have since upgraded, but among our new users over the last few days have been a Weber361, a Weber395, and a nderevyanko. Googling the last user name, I've found 4,900 references—most with guestbooks or forums—to which nderevyanko has signed up. He has been preceded by a few Webers, and some Irenas, often citing that killhim.boom.ru is their home page.

I have heard that there is a phpBB worm doing the rounds over the holidays, and wonder if this is related in some way. My hosting company recommended this list and I hope members, being far better versed on these matters than me, can get word out.

Other than the frequency with which the Webers and nderevyanko have signed up to thousands of sites over the last few days, I've no proof that they are malicious—but since the DoS attack I am on alert.

I hope this information is useful and that this has been a post that's considered on-topic.

Yours sincerely,

Jack Yan, LL B, BCA (Hons.), MCA <http://jackyan.com>
CEO, Jack Yan & Associates <http://jya.net/>
CEO, Lucire LLC <http://www.lucire.net>
Lucire, the global fashion magazine: <http://www.lucire.com>
Visit Beyond Branding, <http://www.beyond-branding.com>—in its second printing
----------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Suspect phpBB users Jack Yan (Jan 06)
- Re: Suspect phpBB users GuidoZ (Jan 06)
- Re: Suspect phpBB users Barrie Dempster (Jan 06)