A member's account must have been hacked, or my forum may be hacked.
Someone started to post scam adverts and I received a moderator notification. Looking into it, the IP address came from Nigeria and the member is Australian.
I went to edit the user and noticed a new email, yamaharzenthusiast@gmail.com, and googling it I noticed there was lots of the same stuff going on online. Then I changed the email address to one of mine, logged in as the member, changed the password and went to bed. The following morning (Sweden) I received an admin notification that another IP address had logged in twice, as the same member and as another member account. The other account was from NY but the login IP came from AZ. I deleted both member accounts and all their posts. May not be good, but that is what I did.
I have also banned all the IP addresses and email addresses, and I also found another account that was registered with a Nigerian IP address.
This is where I stand now. I enabled the registration queue and don't know what more to do right now. Please advise, what can I do? Thanks, Morgan @ BritBike
OK, I found out that part of my forum, the login page, has been copied for phishing purposes. This scam website is here: http://britbikeforum.usa.cc/en/login.htm BEWARE, IT WILL STEAL YOUR LOGIN
Do you have Stop Forum Spam installed? It won't stop all spammer registrations, but it should get a chunk (basically anyone who's been reported to the database as a spammer will show as a spammer, but like a captcha it won't always stop a human capable of changing their connection settings through a proxy).
As for the phishing page, you'll have to report them to their ISP, domain registrar, etc. The service looks like it's run by: http://freeavailabledomains.com/en/
Also are you using the "Domains for HTTP Referer Check" located in your control panel under "Primary Settings" in the "Advanced Options" settings?
Domains for HTTP Referer Check: If there are multiple possible domain names for this site, separate with a pipe. Example: http://example.com|http://www.example.com This box reads http://www.britbike.com
I have Stop Forum Spam installed, but the problem is that they hijack accounts, and I don't like to delete every account; hopefully I can restore them when I get it back.
I will look into the ISP and registrar, thank you so much.
Any other advice is highly appreciated. Cheers, Morgan
Giz, I deleted two accounts. One had been a pain in the arse for a long time, so I didn't bother with him. The other one was a good low-volume poster and I had a chat with him, so he has now re-registered. In the future I will ban instead.
Some good news, Morgan -- I'd like to let you know that MalwareBytes has already included that domain in their phishing database. Other malware blockers may have done the same.
Also, Giz and I have shared some dialog on your post this morning. Giz may post some of that here for you. They're mostly technical and half of it may not even directly apply to your current situation. I generally tend to share a few dozen ideas when a problem presents itself.
Thank you ID and Giz, here is what I did with my basic skills. I enabled the censor and added the full URL and parts of it, like britbikeforum.usa.cc. I have learned that they have posted many PMs with the full URL, and that's how people click on the link. All new posts or PMs with that URL will be censored, but not the old ones, so I rebuilt the PMs. I think I have gotten rid of the URL links now, and with the registration queue I can monitor well. Hopefully my ISP abuse contact will take action too... think positively.
In addition to what you've just posted, you could also disable PMs for users who have less than 5 posts. This could help curb the "drive by PM spammers."
Unfortunately the only installs I currently have access to is 7.6.0, so some of these items will be worded a little differently, as we've completely overhauled the Control Panel.
See this at the UBB.Wiki: Configuring Limited Groups The group system will use the larger settings from the various groups the user is in, so how I'd do it would be to make a "newbie" group: CP -> Permissions -> Groups -> "Add New Group" tab
Then set that up with the lowest values you'd be comfortable with: CP -> Permissions -> Forum
Then set that to the group that users join when they sign up (and remove the users group): CP -> Membership -> Registration Settings -> Default Group(s) for New Members
Then back in the permission settings set the "users" group to have a higher set of resources.
Then you'll want to set the users group as a postcount group (so when users hit X amount of posts they'll join): CP -> Permissions -> Groups -> "Posts"
Gizmo, that was good info and I learned something from it. I re-read it a few times and, thinking about it, something else hit me.
The above will be a little more effective; however, they do have an external web page where they phish logins, and by doing so they can easily hijack an older member's account with many posts, so the above will not help in that case.
Well, this would have probably caught those initial spam messages that got users offsite to their phishing page in the first place.
You might also send out a mass member email notifying people of the issue and notify them to make sure they're at the correct domain name before ever entering their user login information, and notifying them that hijacked user accounts are being locked until the members can email you to have their information reset.
As for finding out who has been sending messages, your best bet is to run this MySQL query from the Control Panel: (CP -> Tools and Information -> Database Tools -> SQL Command Tab)
Code:
SELECT `POST_ID`, `USER_ID`, `POST_BODY` FROM `ubbt_PRIVATE_MESSAGE_POSTS` WHERE `POST_BODY` LIKE '%offendingurl%' LIMIT 0,200;
The above database query searches the Private Message Posts table for "offendingurl" (notice the %% wildcards; preserve them when changing the string), returning the first through the 200th match; you can remove the limit, but depending on how active they've been you can end up with quite a lot of results returned.
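To go one step further than the query above and see which accounts actually sent the phishing link, how many times, and whether it also landed in public posts, the following is an added example (not from the original post or from UBB.threads itself). It assumes the default ubbt_ table prefix, the columns USER_ID and USER_LOGIN_NAME in ubbt_USERS, a POST_TIME Unix timestamp on the PM and post tables, and ubbt_POSTS as the public post table; check those names against your own schema before running it, and substitute the real phishing host.

```sql
-- Added example, not UBB.threads' own code. Table and column names below are
-- assumptions based on the default ubbt_ schema; verify them on your install.
-- The host to search for (the phishing site named in this thread):
SET @phish := 'britbikeforum.usa.cc';

-- 1. Which accounts sent PMs containing the link, how many, and when.
--    Accounts near the top of this list are the hijacked ones to lock first.
SELECT p.USER_ID,
       u.USER_LOGIN_NAME,
       COUNT(*)                         AS pm_count,
       FROM_UNIXTIME(MIN(p.POST_TIME))  AS first_seen,
       FROM_UNIXTIME(MAX(p.POST_TIME))  AS last_seen
  FROM ubbt_PRIVATE_MESSAGE_POSTS AS p
  JOIN ubbt_USERS AS u ON u.USER_ID = p.USER_ID
 WHERE p.POST_BODY LIKE CONCAT('%', @phish, '%')
 GROUP BY p.USER_ID, u.USER_LOGIN_NAME
 ORDER BY pm_count DESC;

-- 2. The same check against public posts (the "sales forum" adverts),
--    so links that the censor never saw can be edited out by hand.
SELECT b.POST_ID,
       b.USER_ID,
       u.USER_LOGIN_NAME,
       FROM_UNIXTIME(b.POST_TIME) AS posted_at
  FROM ubbt_POSTS AS b
  JOIN ubbt_USERS AS u ON u.USER_ID = b.USER_ID
 WHERE b.POST_BODY LIKE CONCAT('%', @phish, '%')
 ORDER BY b.POST_TIME DESC
 LIMIT 200;

-- 3. Recipients of the PMs: these members may have entered their password
--    on the phishing page and are the ones to warn or pre-emptively reset.
--    Assumes ubbt_PRIVATE_MESSAGE_USERS links TOPIC_ID to recipient USER_ID.
SELECT DISTINCT r.USER_ID AS recipient_id, u.USER_LOGIN_NAME
  FROM ubbt_PRIVATE_MESSAGE_POSTS AS p
  JOIN ubbt_PRIVATE_MESSAGE_USERS AS r ON r.TOPIC_ID = p.TOPIC_ID
  JOIN ubbt_USERS AS u ON u.USER_ID = r.USER_ID
 WHERE p.POST_BODY LIKE CONCAT('%', @phish, '%')
   AND r.USER_ID <> p.USER_ID;
```

Run these as read-only queries from the SQL Command tab before taking any action; the third one in particular gives a concrete list of who to email about the phishing page, rather than a blanket mass mailing.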
Oops, just minutes after my post above I noticed two multiple logins. It turned out that one IP was from Nigeria, so I caught two compromised accounts; the other IP was from Australia, and one of the two accounts held one similar account as the previous.
So three accounts have now been banned; I have changed passwords and email addresses on those accounts. One is a highly appreciated moderator...
I think all accounts were compromised before, when I noticed it the first time. I have seen one proof in a PM that is still there.
So now I'm not sure what to do. I think they use IP addresses from different continents. The settings now enabled are the registration queue, and I have enabled mandatory age, location, occupation and hobbies so that I can figure out if someone fishy is there trying to "legally" register.
Is there a way to change a password for someone without logging in as that person? By an SQL command? It's easy to change the email address.
If I click on Stop Forum Spam, exactly what does it report? IP address? Email? More? I would be OK with using Stop Forum Spam as long as it does not affect the proper members' data. I mean, if the scammer changes the email address and uses a bad IP then it might work, but if they don't change the email address, what will happen if I submit to StopForumSpam?
I'm all ears for suggestions on how to get rid of this problem. Thanks
PS: it looks like the previous phishing website is gone, and as far as I know they have not posted any fake links this time.
After posting the above I have been thinking: would it be good to create a user group called, for example, "quarantine", and copy the "users" group, so that when they log in they can only read posts, or even not read posts, but certainly not post anything? Just so the account is harmless, and then when I decide what to do with the account it's easier to handle. Anyway, I'm just thinking.
If I create a Newbie user group and a quarantine group, how much would the database increase? Just curious. Thanks for your help.
Or you could just BAN the user from the Control Panel » Member Management » Edit Profile > Permissions tab. Banning the user with an expiration of "never" will block them from using that account again. Also report those spammer user accounts to SFS. This will submit their IP and email addresses to the SFS service.
In the Control Panel » Registration Settings screen, confirm that you have enabled the following: Enable Email Verification Require A Unique Email Per Account
From reading through the rest of this thread, I can see that you're already on top of this horrible situation. You've put into place a lot of the tools already written into UBBT, and you've been further proactive in preventing it from getting out of hand.
Here is another tool you can use, if you have access to your "htaccess" file: http://www.ip2location.com/blockvisitorsbycountry.aspx I highly recommend that you read up on what it does, if you are not already aware of it. And as you've mentioned earlier in your topic, IP addresses can easily be spoofed. So there's that, too. :/
Isaac, the first thing I do is ban the member. Then I want to change the member's password, but that's impossible because he is banned. So I unban him and become the member to change the password. Am I missing something? Can I change the password from the CP, or must I become the member to change it?
All these members are legit until their account is hijacked, so I can't report the member as a spoof because the original email is still on. The spoof has logged in with his own or a borrowed IP; what happens with the legit registration and last-post IPs that are OK? What happens if I report the account? I hesitate, as I'm afraid that I would report the legit member.
I registered and tested http://www.ip2location.com/blockvisitorsbycountry.aspx. I tried putting in a few African countries like Nigeria, Liberia and so on and created a list in the .htaccess, and voila, when visiting my britbike domain I ended up with 403 Forbidden... so I removed it again. Apparently my Swedish IP didn't make the allowed list, or I will have to read better.
I have another question: can I use an SQL command to replace a member's password?
You can report a user directly on SFS's page here. The data that UBB.threads sends with a report is the Username, Email, and IP. Basically what's marked as "required" on their site.
Once you ban an IP it should be instant, once you submit data to SFS it should also be instant, but there aren't yet checks built in to log a user out should SFS detect them while they're logged in (which will be looked at in a future version).
The user password is stored in an MD5 string, and the only place to change it is in the user panel as a logged in user. So, unless you have an MD5 hash of a specific password, you can't just use a MySQL query to change a password.
You COULD make a "Jailed" group, and set all of the permissions to -1 (disabled) and throw users into there until you can become them and change their login credentials.
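Given that the stored value is an MD5 hash, the SQL Command tab can still lock a hijacked account out without logging in as the member, because MySQL can produce the hash itself. The following is an added example, not UBB.threads' own code and not from the post above; it assumes the column is ubbt_USERS.USER_PASSWORD holding an unsalted MD5 of the password (as stated above for this version), that USER_LOGIN_NAME and USER_REAL_EMAIL exist, and that the member IDs shown are placeholders. Try it on one test account first: if your install salts or encodes the hash differently, the UPDATE locks the legitimate member out too (which is recoverable via the lost-password email, but worth knowing in advance).

```sql
-- Added example, not UBB.threads' own code. Column names are assumptions
-- based on the default ubbt_ schema; USER_ID 1234 etc. are placeholders.

-- 0. Confirm you have the right account before changing anything.
SELECT USER_ID, USER_LOGIN_NAME, USER_REAL_EMAIL
  FROM ubbt_USERS
 WHERE USER_ID = 1234;

-- 1. Lock a single hijacked account. The new password is random, long,
--    and never written down anywhere but here, so nobody (including the
--    attacker who phished the old one) can log in with it.
UPDATE ubbt_USERS
   SET USER_PASSWORD = MD5('k9Q!vz3L-ceX7pW2#bT0mHs8')
 WHERE USER_ID = 1234
 LIMIT 1;

-- 2. Lock a whole batch at once, e.g. every sender found by the PM query.
--    UUID() is evaluated per row, so each account gets a different value
--    that no one knows; the member then uses "forgot password" to recover.
UPDATE ubbt_USERS
   SET USER_PASSWORD = MD5(CONCAT('locked-', UUID()))
 WHERE USER_ID IN (1234, 2345, 3456);

-- 3. Verify: the stored hash should now differ from whatever was there,
--    and must not equal the MD5 of any guessable string.
SELECT USER_ID, USER_LOGIN_NAME, USER_PASSWORD
  FROM ubbt_USERS
 WHERE USER_ID IN (1234, 2345, 3456);
```

This does not touch the ban flag or the email address, so it works on an account that is already banned; the member gets back in through the lost-password flow to an address you have confirmed is theirs. Because unsalted MD5 can be reversed quickly for any password a human would choose, avoid setting a "temporary" password you email in clear text; letting the reset flow generate one is the safer path.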
Gizmo, I'm hesitating to use the page, as I need to fill in an email which is not always the scammer's, and the user name is the legit person's ID. However, when a scammer registers with his own details, then it's a good thing to report.
Isaac, I'm still struggling, because I don't know how many accounts were affected; some may be unused by the scammer up till now, so we'll see what the future brings. I struggle to investigate each new member as much as I can; experience is a good help, but not always. In a future version I would prefer that in » Control Panel » Member Management >> Registration Queue the IP address becomes a clickable link to a WHOIS IP lookup page. As it is now, I need to copy each new member's IP and paste it into a WHOIS IP lookup page. That link could be a setting in the Admin area somewhere, if one favours a particular WHOIS page. It would help me a lot. Oh yes, the multiple-login notification is really good; maybe a multiple-PM notification could be created too, or I may have to set the rights so that a member can only PM one member at a time.
Also in the logs in » Control Panel » View Admin Logs, IP addresses could be links as well. It would also be good if it logged when a member changes his email address and maybe password. I don't need to see the password, but just the fact that it has been changed could be a clue.
So now my efforts lie in keeping an eye on the sales forum for strange cheap sales offers and on whether new members look suspicious.
I am a bit tired, so my brain may not work correctly right now; take it for what it is.
We'll see if I make a jailed group. I'm pretty busy right now, before I'll be driving through Europe to Italy for three weeks, riding classic motorcycles down there.
I am in Italy on vacation right now, having a bit of suspicion about one member maybe being hijacked. He is posting and asking others to contact him via PM. I know that I can log in as him and read the PMs, which is nothing I would normally do; however, I am interested in checking his IP address when he posts PMs. Can I check his IP address in his PMs, and if so, how? Thanks
if you know the perp's IP address, you can search for it in: Control Panel » Member Management > View/Edit Members (admin/membermanage.php)
and then just click on the "Send PM" tab at the bottom to have a new (auto generated) password sent to that user's email address.
I am thinking that someone might have got into your DB and downloaded the users and their password hashes, and then is logging in to each of them one at a time. -- OR, as you said, a new user took advantage of how you've set up your forums, and they sent out a bunch of Private Messages to your users to log in at their DOMAIN, set up to look just like yours... Phishing. With that, they collected passwords from those users, and are using them to continue forward with their attack.