Go Back   vb.org Archive > vBulletin 4 Discussion > vB4 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 08-04-2012, 03:51 PM
huskermax huskermax is offline
 
Join Date: Mar 2010
Location: Cincinnati
Posts: 146
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default May have banned user posting under diffrent account.

So I have two users that were banned. I have a pay site. both of these users know each other. First one was banned started another account using his son's credit card but we matched up the ip to his old account.

The 2nd guy get's banned a few weeks later.

Have a new account set up, very active poster that posts just like the 2nd guy that is banned. All of my mods feel like it is the same guy. Different credit card and location then the 2nd banned guy.

IP's used are all local to the LA, California area. (2nd banned guy lives in Texas)

Quote:
163.150.11.151 - CA (San Bernardino County Superintendent of Schools)
163.150.13.112 - same
163.150.22.112 - same
163.150.28.188 - same
66.74.192.130 - Twentynine Palms, CA
66.74.196.111 - Twentynine Palms, CA
10.80.127.201 - Unknown
The bolded one is new from the last few weeks. On the .com site I have been told this is a private ip address and this is one way a banned poster can beat the system.

I have the:

Proxy to Real IP Conversion

Multiple account login detector

These two have not triggered anything. Is there anything else out there I can use to maybe catch this guy?

If it is the same guy and he was using a desktop connection how would the ip be reordered?
Reply With Quote
  #2  
Old 08-05-2012, 12:49 AM
kh99 kh99 is offline
 
Join Date: Aug 2009
Location: Maine
Posts: 13,185
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I think the answer is that you can't do anything about it. There are ways to get a different ip or to use a proxy (and not all of them can be detected by a "proxy detector" mod). And even if you're requiring credit cards, it's probably not too hard for most people to get someone else to pay or something. I suppose you could try verifying people by phone or snail mail or something, but that's a lot of work. If the users were banned just because of behavior, then my suggestion would be to not worry about it until/unless they start with the same behavior again (don't let yourself get caught up by the idea that it's a game you have to win, because you can't). If it's some other issue, then I don't think there's a lot you can do.

Edit: about the 10.... ip - I don't know how that happens. That's an ip address that can't be used on the internet (it's for use in a private network). In any case, it won't tell you anything about who used it.
Reply With Quote
  #3  
Old 08-05-2012, 04:32 AM
Big Al Big Al is offline
 
Join Date: Nov 2011
Posts: 54
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

@huskermax.

10.80.127.201 Shows as-
Blackhole Address
Internal to a network or a router.

You may find it hard to get any more info from it unless you have very advanced (expensive) programs.

RFC 1918 reserves several ranges of network addresses for use on private network in IPv4:

10.0.0.0 – 10.255.255.255 Is included.

You can Try a Google search on the email used to register.
Reply With Quote
  #4  
Old 08-06-2012, 09:59 AM
Sarteck's Avatar
Sarteck Sarteck is offline
 
Join Date: Mar 2008
Posts: 304
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

To use a 10.*.*.* address, wouldn't the user have to be accessing the site from the same internal network as the OP's host?
Reply With Quote
  #5  
Old 08-06-2012, 12:24 PM
Disco_Stu Disco_Stu is offline
 
Join Date: Apr 2012
Posts: 305
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Sarteck View Post
To use a 10.*.*.* address, wouldn't the user have to be accessing the site from the same internal network as the OP's host?
"The Calls Are Coming From Inside The House"
Reply With Quote
Благодарность от:
Sarteck
  #6  
Old 08-07-2012, 04:18 PM
huskermax huskermax is offline
 
Join Date: Mar 2010
Location: Cincinnati
Posts: 146
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Disco_Stu View Post
"The Calls Are Coming From Inside The House"
Same host? That is not that unusual is it?

My mods are thinking this might be a group of posters we have had issues with. Two of them banned and the others did not renew after a suspension.

Each time this poster posts it is written like more then one poster is commenting. Like, we, we are, never posts in first person.

I have a dedicated server, can I do something on that to get any more info?

--------------- Added [DATE]1344361294[/DATE] at [TIME]1344361294[/TIME] ---------------

Quote:
Originally Posted by Big Al View Post

You can Try a Google search on the email used to register.
Nothing found.

I did exchange one email with this account (so it does work), even in the email it is written like two or more people.
Reply With Quote
  #7  
Old 08-07-2012, 05:06 PM
Disco_Stu Disco_Stu is offline
 
Join Date: Apr 2012
Posts: 305
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Give this mod a try.

https://vborg.vbsupport.ru/showthread.php?t=231106

or this:

https://vborg.vbsupport.ru/showthread.php?t=239033

and here's a really good one:

https://vborg.vbsupport.ru/showthread.php?t=264870
Reply With Quote
  #8  
Old 08-07-2012, 05:40 PM
nhawk nhawk is offline
 
Join Date: Jan 2011
Posts: 1,604
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The 10.xxx.xxx.xxx are private addresses and should never be seen on the internet. Another word for private could be 'internal'. In other words, it is an address on an internal network not a public IP address which is used to access the internet.

If a 10.xxx.xxx.xxx IP address is showing in Who's Online, then the IP address is being spoofed.

Unless you are accessing your site on an internal network with an IP that starts with 10, you can safely add '10.' (10 dot - without the quotes) to the Banned IP Addresses in vBulletin's User Banning Options. That should prevent the user from seeing any part of your board.

The same holds true for 192.168. addresses.
Reply With Quote
  #9  
Old 08-08-2012, 04:05 AM
Sarteck's Avatar
Sarteck Sarteck is offline
 
Join Date: Mar 2008
Posts: 304
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

@nhawk, while proxying to get a different IP address is a walk in the park for anyone with some Net savvy, actual spoofing of IP addresses and still having communication is NOT so easy.

While it is possible to spoof the initial SYN packet, if the server sent back a SYN+ACK to the "spoofed" address, then the actual spoofed computer would not get it.

Unless by some chance the person has control of all routing tables between his computer and the server, his computer would NOT be able to communicate with a spoofed address.

Point here is that biodirectional spoofing on the Internet is more or less impossible unless a user has control over all the networks between himself and the target, and unidirectional spoofing will not generate the IP Address into the $_SERVER['REMOTE_ADDR'] due to the SYN+ACK packet not being answered.




On a LAN, there would obviously be more options. But only on the LAN. :P This address IS coming from the LAN if it's being generated in the logs. Maybe someone behind the host's network was vulnerable to being a proxy? Maybe the OP's host itself is a vulnerable proxy and maybe the IP Address he's seeing is actually his own server on the internal side? Maybe someone from within the host is trying to give him a hard time? X3 Who knows for sure?




My suggestion to the OP is to copy any/all logs with the internal network address(es) and contact his host, and explain the situation to them. They will be able to find out which machine on their internal network has those addresses.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 12:00 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04931 seconds
  • Memory Usage 2,251KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (4)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (9)post_thanks_box
  • (1)post_thanks_box_bit
  • (9)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (9)post_thanks_postbit_info
  • (9)postbit
  • (9)postbit_onlinestatus
  • (9)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete