phpBB mass-hack being prepared (FuntKlakow-bot)?- general countermeasures

on 07.03.2006 13:53:37 by Juuso Hukkanen

During the last few days, a bot using the name FuntKlakow has been
registering on at least hundreds (maybe thousands) of phpBB forums.

http://www.google.com/search?hl=com&q=FuntKlakow&btnG=Hae&meta=

The bot is also capable of posting to forums:
http://forum.uebimiau.org/search.php?search_author=FuntKlakow
http://www.alternativ.ro/forum/search.php?search_author=FuntKlakow

But on most forums the bot keeps silent.

OK, what is the danger?
The next time phpBB announces a critical vulnerability, the bot would
have everything ready (just a post click away) from attacking
thousands of sites/forums.

The best defence against these kinds of bot members might be setting up
honeypot forums, which the search engines can find but to which there
are no permanent links from the web. When new bot members are
detected, they would be listed on each particular forum maker's
homepage.

When a bot then tries to register on a forum, the forum program
would check the user name (or other characteristics) entered by the
user/bot, and if those match the ones caught by the honeypot forums,
registering such user details would be eliminated (and possibly the IP
banned for some time).

Juuso Hukkanen
(to reply by e-mail set addresses month and year to correct)

ps. damn did send an early draft of this post :)
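
The registration-time check proposed in the post above, as an added Python example that is not part of the original thread or of phpBB. The feed format, the 24-hour ban length and the names `RegistrationGate`, `parse_feed` and `SAMPLE_FEED` are assumptions of this example, and the IP addresses are documentation-range samples.

```python
import time
import unicodedata

TEMP_BAN_SECONDS = 24 * 3600  # assumed length; the post only says "for some time"

# Constructed sample of a honeypot-derived feed: one bot username per line,
# '#' starts a comment. The feed format is an assumption of this example.
SAMPLE_FEED = """\
# names seen registering on honeypot forums
FuntKlakow
"""

def normalize(name):
    """Fold case and Unicode compatibility forms so trivial variants still match."""
    return unicodedata.normalize("NFKC", name).strip().casefold()

def parse_feed(text):
    """Return the set of normalized usernames listed in a feed."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(normalize(line))
    return names

class RegistrationGate:
    def __init__(self, feed_text, clock=time.time):
        self.blocked = parse_feed(feed_text)
        self.bans = {}       # ip -> time at which the temporary ban ends
        self.clock = clock   # injectable so ban expiry can be tested

    def check(self, username, ip):
        """Return 'accepted', 'rejected-name' or 'rejected-ip'."""
        now = self.clock()
        if self.bans.get(ip, 0) > now:
            return "rejected-ip"
        self.bans.pop(ip, None)          # drop an expired ban, if any
        if normalize(username) in self.blocked:
            self.bans[ip] = now + TEMP_BAN_SECONDS
            return "rejected-name"
        return "accepted"

if __name__ == "__main__":
    gate = RegistrationGate(SAMPLE_FEED)
    for user, ip in [("funtklakow", "192.0.2.10"), ("alice", "192.0.2.10"),
                     ("alice", "198.51.100.7")]:
        print(user, ip, gate.check(user, ip))
```

A match on the name alone stops working as soon as the bot registers under a different name, which is where the "other characteristics" mentioned in the post would come in.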

Re: phpBB mass-hack being prepared (FuntKlakow-bot)?- general countermeasures

on 07.03.2006 15:38:38 by unknown

Post removed (X-No-Archive: yes)

Re: phpBB mass-hack being prepared (FuntKlakow-bot)?- general countermeasures

on 07.03.2006 17:07:12 by comphelp

Juuso Hukkanen writes:

> The best defence against these kinds of bot members might be setting up
> honeypot forums, which the search engines can find but to which there
> are no permanent links from the web. When new bot members are
> detected, they would be listed on each particular forum maker's
> homepage.

I really like the tactic, but I'm confused on how a search engine
might find the honeypot without any permanent link from the web?

Can you give an example? Say, just naming it /forum or something
off the root of a domain?

Thanks for the heads up!

--
Todd H.
http://www.toddh.net/

Re: phpBB mass-hack being prepared (FuntKlakow-bot)?- general countermeasures

on 07.03.2006 17:10:12 by Vampi Fangs

On Tue, 07 Mar 2006 14:53:37 +0200, Juuso Hukkanen wrote:

>During the last few days, a bot using the name FuntKlakow has been
>registering on at least hundreds (maybe thousands) of phpBB forums.
>
>http://www.google.com/search?hl=com&q=FuntKlakow&btnG=Hae&meta=
>
>The bot is also capable of posting to forums:
>http://forum.uebimiau.org/search.php?search_author=FuntKlakow
>http://www.alternativ.ro/forum/search.php?search_author=FuntKlakow
>
>But on most forums the bot keeps silent.
>
>OK, what is the danger?
>The next time phpBB announces a critical vulnerability, the bot would
>have everything ready (just a post click away) from attacking
>thousands of sites/forums.

nicely malicious ...

the proactive banning of the nefarious FuntKlakow nym seems prudent :)

--

V--V

"It's liberty for all, democracy's our style,
unless you are against us,
then it's prison without trial."

Rolling Stones "Sweet Neo Con"

Re: phpBB mass-hack being prepared (FuntKlakow-bot)?- general countermeasures

on 08.03.2006 10:12:58 by lahippel.at.ieee.org

Leythos wrote:

> In article , juuso_12_2003@tele3d.net says...
>> During the last few days a bot using a name FuntKlakow, has been
>> registering to at least hundreds (maybe thousands) of phpBB forums.
>
> What version of PHPBB are you running?
>
> There are known issues with early versions and even known patches for
> later versions.

And then there are those libraries that aren't maintained any more.
http://secunia.com/advisories/19028/

-- Lassi

Re: phpBB mass-hack being prepared (FuntKlakow-bot)?- general countermeasures

on 08.03.2006 12:59:53 by unknown

Post removed (X-No-Archive: yes)