board77

The Last Homely Site on the Web

Bot Authors Targeting phpBB Forums Security

Post Reply   Page 1 of 5  [ 82 posts ]
Jump to page 1 2 3 4 5 »
Alatar
Post subject: Bot Authors Targeting phpBB Forums Security
Posted: Wed 22 Mar , 2006 12:06 pm
of Vinyamar
Posts: 8272
Joined: Mon 28 Feb , 2005 4:39 pm
Location: Ireland
Contact: ICQ
 
Bot Authors Targeting phpBB Forums Security

Bots are registering user accounts on thousands of phpBB forums across the Internet, raising concerns that the bot's authors are laying the groundwork for mass exploitation down the road. The activity of a bot named FuntKlakow was discussed in a Digg thread Sunday, with many forum owners confirming that FuntKlakow had created accounts and even posted simplistic messages ("O How nice" and "Wow that is cool").

FuntKlakow's post signatures have included links to proxy surfing and "traffic generator" services, raising the prospect that its goal may be spam rather than exploits. But as noted on a German site that issued an early warning about the bot's behavior, "the next time the phpBB announces a critical vulnerability, the bot would have everything ready (just a post click away) from attacking thousands of sites/forums." Google searches suggested the bot may have created accounts on as many as 33,000 forums.

phpBB has experienced a series of security problems in recent years, and has been banned by some web hosts. That hasn't prevented a 79 percent increase in active sites using phpBB between June and December of 2005, according to data from our Web Server Survey and related datasets.

_________________

These are my friends, see how they glisten...


Impenitent
Post subject:
Posted: Wed 22 Mar , 2006 12:34 pm
Try to stay perky
Posts: 2677
Joined: Wed 29 Dec , 2004 10:54 am
 
Jeez! :Q

_________________


"Believe me, every heart has its secret sorrows, which the world knows not;
and oftentimes we call a man cold when he is only sad." ~Robert C. Savage


laureanna
Post subject:
Posted: Wed 22 Mar , 2006 2:06 pm
Triathlete
Posts: 2711
Joined: Wed 26 Jan , 2005 2:08 am
Location: beachcombing
 
O How nice


LalaithUrwen
Post subject:
Posted: Wed 22 Mar , 2006 2:39 pm
The Grey Amaretto as Supermega-awesome Proud Heretic Girl
Posts: 21748
Joined: Thu 24 Feb , 2005 3:46 pm
 
Okay, I understand most of that, but would anyone like to explain it even further? What exactly does that mean to us? And what should we do?


Lali

_________________



elfshadow
Post subject:
Posted: Thu 23 Mar , 2006 6:16 am
Kill the headlights and put it in neutral
Posts: 5407
Joined: Tue 09 Aug , 2005 2:27 am
 
I think this explains one recent "phenomenon" at TORC. There will be a topic started in every forum with the same title by the same poster, but with no actual posts to it so you can't view it. It's been happening a couple of times a day from what I've seen, but usually the mods will delete all the topics as soon as they see it in one forum. I think Squiddy said something about changing the way people register? And that that fixes it. Maybe if she's here she can explain more. Though because b77 is with phpBBer, I doubt we can manipulate the software that way.


TWT
Post subject:
Posted: Thu 23 Mar , 2006 6:44 am
Wembley bound
Posts: 4129
Joined: Wed 25 May , 2005 7:34 pm
Location: Swiming in a fishbowl.
 
Doesn't TORC run on a phpbber program?

I saw all those topics about "Free Porn" and I figured that the only reason that one couldn't view the topics was because the mods had gotten to it and deleted it...

:shrug:


Fixer
Post subject:
Posted: Thu 23 Mar , 2006 2:34 pm
The Man who Knows his Tools
Posts: 1651
Joined: Wed 13 Jul , 2005 10:08 pm
Location: Near Tallahassee, Florida
 
I remember writing bots in my youth. Never for malicious intent (they made great IRC guardians/guns) but they are very complicated.

B77 should be fairly safe given that each account has to be manually approved. If a Ranger sees a user name that tries to join that is suspicious I recommend they email the email account attached to the user name a roundabout question that a bot couldn't answer (an opinion on Tolkien, for example) and judge whether or not to allow membership based on whether or not the answer is human or artificial.

_________________


The best measure of our accomplishments in life is not what goods we have accumulated or the recognition gained from actions we have performed, but what we leave for others who choose to follow the path we made for them.


LalaithUrwen
Post subject:
Posted: Thu 23 Mar , 2006 2:48 pm
The Grey Amaretto as Supermega-awesome Proud Heretic Girl
Posts: 21748
Joined: Thu 24 Feb , 2005 3:46 pm
 
I will take your suggestion to the other Rangers, Fixer. I think it's a good one.

Of course, what do we do if the person says, "I think Tolkien was a big, fat loser"?

:D


Lali

_________________



yovargas
Post subject:
Posted: Thu 23 Mar , 2006 3:01 pm
Posts: 14772
Joined: Thu 24 Feb , 2005 12:11 pm
 
Ban them.


LalaithUrwen
Post subject:
Posted: Thu 23 Mar , 2006 3:12 pm
The Grey Amaretto as Supermega-awesome Proud Heretic Girl
Posts: 21748
Joined: Thu 24 Feb , 2005 3:46 pm
 
As you wish....


;)

_________________



tinwe
Post subject:
Posted: Thu 23 Mar , 2006 4:02 pm
Waiting for winter
Posts: 2380
Joined: Fri 04 Mar , 2005 1:46 am
Location: Jr. High
 
Fixer wrote:
B77 should be fairly safe given that each account has to be manually approved. If a Ranger sees a user name that tries to join that is suspicious I recommend they email the email account attached to the user name a roundabout question that a bot couldn't answer (an opinion on Tolkien, for example) and judge whether or not to allow membership based on whether or not the answer is human or artificial.
Technically, we are not manually approved. That is, we are not administrator activated (we were at one time, but that has changed now); we are now member activated. The admins do have to turn a new member’s permissions on before they can post, though.

Reading the thread about this over the HoF, it seems there is also a visual confirmation setting that can be used to keep bots out. It would solve the problem of having to deal with this. The bot simply would not be able to register.

If a Ranger wants to do this, it is in the Administration panel under General Admin > Configuration. Next to “Enable Visual Confirmation” click “yes”. Then, whenever someone tries to register they have to type in the visual code displayed. That should solve the problem.

I think.


elfshadow
Post subject:
Posted: Thu 23 Mar , 2006 5:05 pm
Kill the headlights and put it in neutral
Posts: 5407
Joined: Tue 09 Aug , 2005 2:27 am
 
TWT wrote:
Doesn't TORC run on a phpbber program?
TORC runs on phpBB software, which is different from phpBBer. It's the same software, but since b77 is on the free version, there aren't a whole lot of software manipulations you can do, IIRC. There are certain things we can change to make ourselves safer, like Tinwe was explaining, but we can only change the settings; we can't manipulate the software.


LalaithUrwen
Post subject:
Posted: Fri 24 Mar , 2006 4:05 am
The Grey Amaretto as Supermega-awesome Proud Heretic Girl
Posts: 21748
Joined: Thu 24 Feb , 2005 3:46 pm
 
Before I take Tinwe's suggestion, is there any objection? Are there any reasons that I shouldn't enable the visual confirmation? I can't think of any, but this is all pretty new to me.


????

Anyone? I'll wait to hear from a few of you.


Lali

_________________



TWT
Post subject:
Posted: Fri 24 Mar , 2006 5:08 am
Wembley bound
Posts: 4129
Joined: Wed 25 May , 2005 7:34 pm
Location: Swiming in a fishbowl.
 
That's nice. :)


TheEllipticalDisillusion
Post subject:
Posted: Fri 24 Mar , 2006 5:37 am
Insolent Pup
Posts: 5381
Joined: Wed 09 Mar , 2005 8:31 pm
Location: Many Places
 
My Counter-Strike clan's forums are having the same problem with bot accounts. I don't know if phpbber.com has any security patches for the problem then.

_________________

The 11/3 Project


LalaithUrwen
Post subject:
Posted: Mon 27 Mar , 2006 2:41 pm
The Grey Amaretto as Supermega-awesome Proud Heretic Girl
Posts: 21748
Joined: Thu 24 Feb , 2005 3:46 pm
 
Well, I did implement the visual confirmation setting for new registrants. I hope that will help protect the board. :)


Lali

_________________



Lidless
Post subject:
Posted: Thu 06 Apr , 2006 7:09 pm
Als u het leven te ernstig neemt, mist u de betekenis.
Posts: 8261
Joined: Wed 27 Oct , 2004 8:21 pm
Location: London
 
I remember RELIZA.COM about 28 years ago. Anyone remember that talkative program?

_________________



Mummpizz
Post subject:
Posted: Fri 07 Apr , 2006 6:47 am
Gloriosus
Posts: 1805
Joined: Wed 08 Dec , 2004 11:10 am
Location: history (repeats itself)
Contact: Website
 
Lidless wrote:
I remember RELIZA.COM about 28 years ago. Anyone remember that talkative program?
Do you think that remembering would have a positive effect on you?

_________________

– – –


tinwe
Post subject:
Posted: Sat 16 Dec , 2006 6:49 pm
Waiting for winter
Posts: 2380
Joined: Fri 04 Mar , 2005 1:46 am
Location: Jr. High
 
Well, here we are nine months later, and the bot problem has not gotten any better; in fact, it has gotten considerably worse. I deleted seven at once yesterday, and I’ve already zapped two today. It’s gotten to the point that I’m so trigger-happy deleting people that I might be deleting legitimate members at this point.

Something needs to be done.

Voronwë has informed me that civ0 has mods they can install that offer added security against bots. Problem is, I have no idea how to go about contacting civ0 and requesting these things. Alatar was the one who handled this sort of thing in the past, since he was the only Ranger who knew how to do it. That strikes me as a problem. It would be nice if we had some instructions in the How To Be a Ranger thread explaining this procedure.

Alatar, we would greatly appreciate whatever help you could give us on this matter.

Also, it would be good if some of the new Rangers could get involved in this. I’m going to be out of here in two weeks, so it doesn’t make much sense for me to be the one trained for this.

Any volunteers?

_________________


I am a child, I'll last a while.
You can't conceive
of the pleasure in my smile.


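The triage problem tinwe raises (deleting so quickly that legitimate members may be zapped too) and the bot behaviours listed in Alatar's opening post (filler posts such as "O How nice", signature links to proxy and traffic-generator services, and the empty same-title topics elfshadow and TWT saw) suggest scoring new accounts before acting on them. The Python below is an added example written for this thread; it is not phpBB code and not anything the Rangers or civ0 used. The account records, the field names and the score threshold are constructed assumptions, and the script is meant to be fed from a member export by a moderator rather than run inside the board.

```python
"""
Moderator triage for a phpBB-style board: score recently registered accounts
by the bot indicators discussed in this thread so a reviewer looks at the most
suspicious accounts first instead of deleting in bulk.

Added example, not phpBB code. All account records below are CONSTRUCTED
sample data; the field names are assumptions about a member export.
"""
import re
from dataclasses import dataclass, field

# Filler phrases the FuntKlakow bot was reported posting (taken from the thread).
GENERIC_POSTS = {"o how nice", "wow that is cool"}
# The bot's signatures advertised proxy-surfing and "traffic generator" services.
SPAM_SIG_WORDS = ("proxy", "traffic")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Account:
    username: str
    email: str
    posts: list                       # bodies of the account's posts
    signature: str = ""
    topics_started: list = field(default_factory=list)  # titles of topics it opened
    empty_topics: int = 0             # topics opened that contain no viewable post


def score_account(acct):
    """Return (score, reasons). Higher score = more bot-like.
    Each heuristic maps to a behaviour described in the thread."""
    score, reasons = 0, []
    sig_urls = URL_RE.findall(acct.signature)
    if sig_urls:
        score += 2
        reasons.append("signature contains %d link(s)" % len(sig_urls))
        if any(w in acct.signature.lower() for w in SPAM_SIG_WORDS):
            score += 2
            reasons.append("signature advertises a proxy/traffic service")
    generic = [p for p in acct.posts
               if p.strip().lower().rstrip(".!") in GENERIC_POSTS]
    if generic and len(generic) == len(acct.posts):
        score += 3
        reasons.append("all %d post(s) are known filler phrases" % len(generic))
    if acct.empty_topics:
        score += 3
        reasons.append("%d topic(s) opened with no viewable post" % acct.empty_topics)
    titles = [t.lower() for t in acct.topics_started]
    if len(titles) >= 3 and len(set(titles)) == 1:
        score += 2
        reasons.append("same topic title opened %d times" % len(titles))
    return score, reasons


def triage(accounts, threshold=3):
    """Rank accounts at or above the threshold, most suspicious first.
    Returns a list of (score, username, reasons)."""
    ranked = []
    for acct in accounts:
        score, why = score_account(acct)
        if score >= threshold:
            ranked.append((score, acct.username, why))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


# Constructed sample export: two bot-like accounts, two ordinary new members.
SAMPLE_ACCOUNTS = [
    Account("FuntKlakow", "funt@example.invalid", ["O How nice", "Wow that is cool"],
            signature="Free proxy surfing: http://proxy.example.invalid"),
    Account("spammer42", "x@example.invalid", [],
            topics_started=["Free Porn"] * 4, empty_topics=4),
    Account("newhobbit", "h@example.invalid",
            ["Hi all, long-time lurker. Which translation did Tolkien prefer?"]),
    # A single blog link in a signature is not enough on its own to be flagged.
    Account("quietone", "q@example.invalid", [],
            signature="http://my.blog.example.invalid"),
]

if __name__ == "__main__":
    for score, name, why in triage(SAMPLE_ACCOUNTS):
        print("%d  %-12s %s" % (score, name, "; ".join(why)))
```

The threshold is deliberately above the weight of a lone signature link, so a new member who simply links a personal site stays off the review list; it is the combination of indicators (filler-only posts plus an advertising signature, or repeated empty topics) that pushes an account to the top. A Ranger can then apply Fixer's suggestion of a question by email to the flagged accounts rather than to everyone.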
Alatar
Post subject:
Posted: Sat 16 Dec , 2006 8:10 pm
of Vinyamar
Posts: 8272
Joined: Mon 28 Feb , 2005 4:39 pm
Location: Ireland
Contact: ICQ
 
It's pretty straightforward. Go to the Civ0 homepage and log in with the Board Username and Password (which I assume is recorded somewhere!). Then open a trouble ticket and request the mod installation. Thing is, I'm not sure whose email addy was used for the board setup, but I strongly suspect it was Cems. My mail was added as an admin of the board (for Civ0's purposes). One of the rangers needs to get their addy on there also, or we need to create a mail address for that purpose on Gmail (not Yahoo).

Let me know if you need help.

_________________

These are my friends, see how they glisten...


Return to “Business Room”