Quote:
Originally Posted by Swampfox
https://vborg.vbsupport.ru/showthread.php?t=141554
This hack eliminated the bots entirely on 2 forums for me, it's simple and works flawlessly, I even have captcha and email verification turned off. Not sure why it hasn't caught on, only shows 31 installs
|
Thanks, I have noticed a trend there too and I will add that one as well
Over the past week I have been logging the log-ins for my SPAM TRAP website as the only thing going on there is these dambed bots trying to register then they try to log in and post their spam.
In the process of logging this I have learned something new that may be VERY useful (not that I have worked out how to use this yet).
My log file captures the following:
DATELINE | DATE TIME | IP ADDRESS | IP HOST
USERNAME | PASSWORD | PASSWORD MD5 | PASSWORD MD5 UTF | Cookie
Now, what is VERY interesting is that if a NORMAL user logs in (with an error as that is where I am logging these bots) my logs show the following!
Quote:
1190768869 | 09/25/2007 9:07:49 PM | MYIPADDRESS | MYIPADDRESS
SPAMBOTS | | 21c426cbdb92c2439053c570eb511c30 | 21c426cbdb92c2439053c570eb511c30 | 0
|
On the OTHER HAND ALL of the bots do not do this! Each bot seems to try to log in three times (likely they get locked out because of the failures) then they go away. NOTE, they are not getting in because I don't allow them to register in the first place but this is looking at the chance that one does get registered...
Here is a copy of the logs (I tried to edit the offensive stuff) of the attempts to log in...
NOTE - THIS IS LESS THAN 24-HRS (What Was Prevented Today)
--------------- Added at 21:22 ---------------
Note: In the above post I had to edit out a LOT of attempts to get that down to the point that it fit in a post (what you see above is ONE THIRD of what my log has as almost all of these attempts above were tried three times!!!)....
NOW, I learned in this process that these BOTS register on as many forums as they can with these same usernames and passwords! If your site has bot problems, try searching for some of these members and if you have them, try the password and it may well work!
I certainly am not posting this so that people can log in using these bot usernames or passwords to cause problems and this is a VERY SMALL sample of what I have logged over the past several days. Just the same, I was able to google a few of these names and find these bot accounts on other forums (beyond my own) and I was able to log in using the username and password.
For those sites that got a PM to the ADMIN saying, "I am a BOT, BAN me or I will be back" sorry for the intrusion, I was just trying to understand the problem. I was the one that sent you the PMs (at least if it was before now).
Now, what I would like to figure out is how we can add a check in the login page to see if the password is being submitted as plain text (not-hidden). In my experience, all of the bots have been submitting the password as plain text BUT the PASSWORD MD5 UTF looks to be sent as hidden text.
I can not explain this, but the trend is absolute?
If this is a mistake posting all of these... please feel free to edit the post above or send me a PM and I will edit it when I am online... These are ALL login attempts from bots!
I am posting with the hope we can learn how to fix this problem...
--------------- Added at 21:48 ---------------
OK, Now, in case I have not made it clear why I feel that what I am sharing has the potential to be significant...
I did a google search (at random) for one of the usernames from my logs. Note that this is a BOT and the password is posted above...
When you search for this username in google I get OVER 25,000 HITS!!!
http://www.google.com/search?hl=en&s...an&btnG=Search
Now, this account is the same bot on at least some of these as I just checked about five sites with the password from my logs and I was able to get in!!!
Now, if these bots are creating accounts, and god help us if we don't detect them in time, and if they were to mass attack our sites they could really mess up a larger website and community.
Sorry to be standing on my soapbox but that google link points out why I am trying to get more interest in what I am trying to look at as there are programmers on here that are far more skilled than I am and I would love to get more people interested in what we can do about this problem....
--------------- Added at 22:25 ---------------
OK, I have hacked my code that logs registration attempts to also log the timezone.
I will post the results in a day or two after I get some data... I will also try to recode my script and post it so that if sites want a way to monitor the registration or log-in attempts on their site that they can. Note, you can never see user passwords (they are hidden) but bots are very obvious because they seem to NEVER be hidden!
Cheers!
p.s. I have also uploaded my latest Registration LOG file for everyone... Mind you, I have been working on this for about 3-weeks and these bots keep coming!
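One way to run the check the post asks about over a log in the two-line layout shown above, as an added example that is not part of the original post: it flags login records whose plaintext PASSWORD field is populated or whose PASSWORD MD5 UTF field is not a digest, and counts flagged attempts per address. The sample records, addresses, usernames and function names are constructed for illustration.

```python
import hashlib
import re
from collections import Counter

FIELDS = ("dateline", "datetime", "ip", "host",
          "username", "password", "md5", "md5_utf", "cookie")
HEX32 = re.compile(r"^[0-9a-f]{32}$")

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

# Constructed sample records in the post's two-line layout (not real log data).
_H = md5_hex("constructed-pass")
SAMPLE_LOG = "\n".join([
    "1190768869 | 09/25/2007 9:07:49 PM | 192.0.2.10 | 192.0.2.10",
    f"alice |  | {_H} | {_H} | 0",                      # browser hashed client-side
    "1190689650 | 09/24/2007 11:07:30 PM | 198.51.100.7 | host7.example.net",
    f"samplebot | constructed-pass | {_H} |  | 0",      # plaintext sent, no md5_utf
    "1190689655 | 09/24/2007 11:07:35 PM | 198.51.100.7 | host7.example.net",
    f"samplebot | constructed-pass | {_H} |  | 0",      # retry from the same address
    "1190722386 | 09/25/2007 8:13:06 AM | 203.0.113.5 | mail.example.org",
    "User | spam phrase | spam phrase | spam phrase | 1",  # phrase in every field
])

def parse_records(text):
    """Yield one dict per two-line record, splitting fields on '|'."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for head, body in zip(lines[0::2], lines[1::2]):
        fields = [f.strip() for f in head.split("|") + body.split("|")]
        if len(fields) == len(FIELDS):  # skips records with a '|' inside a field
            yield dict(zip(FIELDS, fields))

def classify(rec):
    """Return the reasons a login looks like it skipped client-side hashing."""
    reasons = []
    if rec["password"]:
        reasons.append("plaintext password field populated")
    if not HEX32.match(rec["md5_utf"]):
        reasons.append("md5_utf is not a 32-hex digest")
    return reasons

def summarize(text):
    """Return (flagged records with reasons, flagged-attempt count per IP)."""
    flagged = [(r["ip"], r["username"], classify(r))
               for r in parse_records(text) if classify(r)]
    return flagged, Counter(ip for ip, _, _ in flagged)

if __name__ == "__main__":
    flagged, per_ip = summarize(SAMPLE_LOG)
    for ip, user, reasons in flagged:
        print(ip, user, "; ".join(reasons))
    print(dict(per_ip))
```

A client that runs the login form's script but is still automated would pass this check, so it works as one signal alongside registration controls rather than a replacement for them.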