Full Disclosure mailing list archives

Re: Suspect phpBB users


From: GuidoZ <uberguidoz () gmail com>
Date: Sun, 26 Dec 2004 06:57:13 -0500

>     We have since upgraded, but among our new users over the last few days
> have been a Weber361, a Weber395, and a nderevyanko.
>     Googling the last user name, I've found 4,900 references—most with
> guestbooks or forums—to which nderevyanko has signed up. He has been
> preceded by a few Webers, and some Irenas, often citing that
> killhim.boom.ru is their home page.

I also noticed that the "nderevyanko" user has put up a number of
posts to sites with the same text:

 http://nderevyanko.narod.ru/ greets you. Came into my website! My
site is better then this one! I'll give you free money!

*OR*

 http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ :
294168488 Contact me asap! I'll give you a free gift!

A good example:
 - http://proxy2.de/guestbook/


Another chunk of similar posts look like this:
(From http://www.hermit.com/guestbook/guestbook.html )

http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ :
294168488 Contact me asap! I'll give you a free gift!

http://softexpert.atspace.com tell you about Egypt pyramids! My ICQ :
294168488 Contact me asap! I'll give you a free gift!

nDerevyanko <nDerevyanko2000 () yahoo com>
NY, NY USA - Friday, December 24, 2004 at 09:31:44 (EST) 

http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
nderevyanko <nderevyanko () mail ru>
NY, NY USA - Friday, December 24, 2004 at 08:51:27 (EST) 

http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
nderevyanko <nderevyanko () mail ru>
NY, NY USA - Friday, December 24, 2004 at 08:51:17 (EST) 

http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
http://nderevyanko.narod.ru/ greets you. Came into my website! My site
is better then this one! I'll give you free money!
nderevyanko <nderevyanko () mail ru>
NY, NY USA - Friday, December 24, 2004 at 08:51:16 (EST)

There is obviously something not right about this user. It could be a
spam bot hoping to create Google spam to the website. It could be
related to the exploits. I haven't visited the listed website(s) yet
to see what they hold. Maybe tomorrow. =)

--
Peace. ~G


On Sat, 25 Dec 2004 18:54:17 -0500, Jack Yan <jack.yan () jyanet com> wrote:
> Dear Full-Disclosure members:
>
> I am not a computer expert, just a regular Joe who hopes this information
> may be useful to you.
>     We are running phpBB and last week, a DoS attack was launched against us.
>     We have since upgraded, but among our new users over the last few days
> have been a Weber361, a Weber395, and a nderevyanko.
>     Googling the last user name, I've found 4,900 references—most with
> guestbooks or forums—to which nderevyanko has signed up. He has been
> preceded by a few Webers, and some Irenas, often citing that
> killhim.boom.ru is their home page.
>     I have heard that there is a phpBB worm doing the rounds over the
> holidays, and wonder if this is related in some way.
>     My hosting company recommended this list and I hope members, being far
> better versed on these matters than me, can get word out.
>     Other than the frequency with which the Webers and nderevyanko have
> signed up to thousands of sites over the last few days, I've no proof that
> they are malicious—but since the DoS attack I am on alert.
>     I hope this information is useful and that this has been a post that's
> considered on-topic.
>
> Yours sincerely,
>
> Jack Yan, LL B, BCA (Hons.), MCA <http://jackyan.com>
> CEO, Jack Yan & Associates <http://jya.net/>
> CEO, Lucire LLC <http://www.lucire.net>
>
> Lucire, the global fashion magazine: <http://www.lucire.com>
> Visit Beyond Branding, <http://www.beyond-branding.com>—in its second printing

----------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
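Added example, not part of the thread above: a small Python check that flags guestbook or forum accounts showing the pattern GuidoZ quotes, namely the same body text posted repeatedly, several entries from one account seconds apart, and an external URL paired with an ICQ contact lure. The entries are constructed from the text quoted in the thread, and the timestamp layout assumed is the one shown in the quoted guestbook dump.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample entries (user, timestamp, body) modelled on the guestbook
# dump quoted in the thread; the last entry is a benign control.
NAROD = ("http://nderevyanko.narod.ru/ greets you. Came into my website! "
         "My site is better then this one! I'll give you free money!")
SOFTEXPERT = ("http://softexpert.atspace.com tell you about Egypt pyramids! "
              "My ICQ : 294168488 Contact me asap! I'll give you a free gift!")
SAMPLE_ENTRIES = [
    ("nderevyanko", "Friday, December 24, 2004 at 08:51:16 (EST)", NAROD),
    ("nderevyanko", "Friday, December 24, 2004 at 08:51:17 (EST)", NAROD),
    ("nderevyanko", "Friday, December 24, 2004 at 08:51:27 (EST)", NAROD),
    ("nDerevyanko", "Friday, December 24, 2004 at 09:31:44 (EST)", SOFTEXPERT),
    ("alice", "Friday, December 24, 2004 at 10:15:02 (EST)",
     "Thanks for the write-up on upgrading phpBB, it helped a lot."),
]
TS_FORMAT = "%A, %B %d, %Y at %H:%M:%S"  # assumed guestbook timestamp layout

def parse_ts(stamp):
    # Drop the trailing "(EST)" zone label, which strptime cannot consume.
    return datetime.strptime(re.sub(r"\s*\([A-Z]+\)\s*$", "", stamp), TS_FORMAT)

def normalize(body):
    # Collapse whitespace and case so trivially re-typed copies still match.
    return re.sub(r"\s+", " ", body.strip()).lower()

def flag_spam(entries, min_dupes=2, burst_seconds=60):
    """Return {account: sorted reasons} for accounts matching the spam pattern."""
    reasons = defaultdict(set)
    by_body, by_user = defaultdict(list), defaultdict(list)
    for user, stamp, body in entries:
        by_body[normalize(body)].append(user.lower())
        by_user[user.lower()].append(parse_ts(stamp))
        # External link plus an ICQ contact lure in one post.
        if re.search(r"https?://", body) and re.search(r"\bicq\b", body, re.I):
            reasons[user.lower()].add("url_plus_icq")
    # The same body text posted repeatedly, by any account.
    for users in by_body.values():
        if len(users) >= min_dupes:
            for user in set(users):
                reasons[user].add("duplicate_text")
    # Several entries from one account within burst_seconds of each other.
    for user, times in by_user.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if any(g <= burst_seconds for g in gaps):
            reasons[user].add("burst")
    return {user: sorted(why) for user, why in reasons.items()}
```

Running `flag_spam(SAMPLE_ENTRIES)` reports only the nderevyanko account, with all three reasons, while the benign control entry is not flagged.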

