board77

The Last Homely Site on the Web

All times are UTC




PostPosted: Wed 22 Mar , 2006 12:06 pm 
of Vinyamar

Joined: Mon 28 Feb , 2005 4:39 pm
Posts: 7795
Location: Ireland
Bot Authors Targeting phpBB Forums Security

Bots are registering user accounts on thousands of phpBB forums across the Internet, raising concerns that the bot's authors are laying the groundwork for mass exploitation down the road. The activity of a bot named FuntKlakow was discussed in a Digg thread Sunday, with many forum owners confirming that FuntKlakow had created accounts and even posted simplistic messages ("O How nice" and "Wow that is cool").

FuntKlakow's post signatures have included links to proxy surfing and "traffic generator" services, raising the prospect that its goal may be spam rather than exploits. But as noted on a German site that issued an early warning about the bot's behavior, "the next time the phpBB announces a critical vulnerability, the bot would have everything ready (just a post click away) from attacking thousands of sites/forums." Google searches suggested the bot may have created accounts on as many as 33,000 forums.

phpBB has experienced a series of security problems in recent years, and has been banned by some web hosts. That hasn't prevented a 79 percent increase in active sites using phpBB between June and December of 2005, according to data from our Web Server Survey and related datasets.

_________________
These are my friends, see how they glisten...


PostPosted: Wed 22 Mar , 2006 12:34 pm 
Try to stay perky

Joined: Wed 29 Dec , 2004 10:54 am
Posts: 2587
Jeez! :Q

_________________

"Believe me, every heart has its secret sorrows, which the world knows not;
and oftentimes we call a man cold when he is only sad." ~Robert C. Savage


PostPosted: Wed 22 Mar , 2006 2:06 pm 
Triathlete

Joined: Wed 26 Jan , 2005 2:08 am
Posts: 2638
Location: beachcombing
O How nice


PostPosted: Wed 22 Mar , 2006 2:39 pm 
The Grey Amaretto as Supermega-awesome Proud Heretic Girl

Joined: Thu 24 Feb , 2005 3:46 pm
Posts: 19640
Okay, I understand most of that, but would anyone like to explain it even further? What exactly does that mean to us? And what should we do?


Lali

PostPosted: Thu 23 Mar , 2006 6:16 am 
Kill the headlights and put it in neutral

Joined: Tue 09 Aug , 2005 2:27 am
Posts: 5407
I think this explains one recent "phenomenon" at TORC. There will be a topic started in every forum with the same title by the same poster, but with no actual posts to it so you can't view it. It's been happening a couple of times a day from what I've seen, but usually the mods will delete all the topics as soon as they see it in one forum. I think Squiddy said something about changing the way people register? And that that fixes it. Maybe if she's here she can explain more. Though because b77 is with phpBBer, I doubt we can manipulate the software that way.


PostPosted: Thu 23 Mar , 2006 6:44 am 
Wembley bound

Joined: Wed 25 May , 2005 7:34 pm
Posts: 4129
Location: Swiming in a fishbowl.
Doesn't TORC run on a phpbber program?

I saw all those topics about "Free Porn" and I figured that the only reason that one couldn't view the topics was because the mods had gotten to it and deleted it...

:shrug:


PostPosted: Thu 23 Mar , 2006 2:34 pm 
The Man who Knows his Tools

Joined: Wed 13 Jul , 2005 10:08 pm
Posts: 1651
Location: Near Tallahassee, Florida
I remember writing bots in my youth. Never for malicious intent (they made great IRC guardians/guns) but they are very complicated.

B77 should be fairly safe given that each account has to be manually approved. If a Ranger sees a user name that tries to join that is suspicious I recommend they email the email account attached to the user name a roundabout question that a bot couldn't answer (an opinion on Tolkien, for example) and judge whether or not to allow membership based on whether or not the answer is human or artificial.

_________________

The best measure of our accomplishments in life is not what goods we have accumulated or the recognition gained from actions we have performed, but what we leave for others who choose to follow the path we made for them.


PostPosted: Thu 23 Mar , 2006 2:48 pm 
The Grey Amaretto as Supermega-awesome Proud Heretic Girl

Joined: Thu 24 Feb , 2005 3:46 pm
Posts: 19640
I will take your suggestion to the other Rangers, Fixer. I think it's a good one.

Of course, what do we do if the person says, "I think Tolkien was a big, fat loser"?

:D


Lali

PostPosted: Thu 23 Mar , 2006 3:01 pm 

Joined: Thu 24 Feb , 2005 12:11 pm
Posts: 14124
Ban them.


PostPosted: Thu 23 Mar , 2006 3:12 pm 
The Grey Amaretto as Supermega-awesome Proud Heretic Girl

Joined: Thu 24 Feb , 2005 3:46 pm
Posts: 19640
As you wish....


;)

PostPosted: Thu 23 Mar , 2006 4:02 pm 
Waiting for winter

Joined: Fri 04 Mar , 2005 1:46 am
Posts: 2380
Location: Jr. High
Fixer wrote:
B77 should be fairly safe given that each account has to be manually approved. If a Ranger sees a user name that tries to join that is suspicious I recommend they email the email account attached to the user name a roundabout question that a bot couldn't answer (an opinion on Tolkien, for example) and judge whether or not to allow membership based on whether or not the answer is human or artificial.


Technically, we are not manually approved. That is, we are not Administrator activated (we were at one time, but that has changed now), we are now member activated. The admins do have to turn a new member’s permissions on before they can post though.

Reading the thread about this over at the HoF, it seems there is also a visual confirmation setting that can be used to keep bots out. It would solve the problem of having to deal with this. The bot simply would not be able to register.

If a Ranger wants to do this, it is in the Administration panel under General Admin > Configuration. Next to “Enable Visual Confirmation” click “yes”. Then, whenever someone tries to register they have to type in the visual code displayed. That should solve the problem.

I think.


PostPosted: Thu 23 Mar , 2006 5:05 pm 
Kill the headlights and put it in neutral

Joined: Tue 09 Aug , 2005 2:27 am
Posts: 5407
TWT wrote:
Doesn't TORC run on a phpbber program?


TORC runs on phpBB software, which is different from phpBBer. It's the same software, but since b77 is on the free version, there aren't a whole lot of software manipulations you can do, IIRC. There are certain things we can change to make ourselves safer, like Tinwe was explaining, but we can only change the settings, we can't manipulate the software.


PostPosted: Fri 24 Mar , 2006 4:05 am 
The Grey Amaretto as Supermega-awesome Proud Heretic Girl

Joined: Thu 24 Feb , 2005 3:46 pm
Posts: 19640
Before I take Tinwe's suggestion, is there any objection? Are there any reasons that I shouldn't enable the visual confirmation? I can't think of any, but this is all pretty new to me.


????

Anyone? I'll wait to hear from a few of you.


Lali

PostPosted: Fri 24 Mar , 2006 5:08 am 
Wembley bound

Joined: Wed 25 May , 2005 7:34 pm
Posts: 4129
Location: Swiming in a fishbowl.
That's nice. :)


PostPosted: Fri 24 Mar , 2006 5:37 am 
Insolent Pup

Joined: Wed 09 Mar , 2005 8:31 pm
Posts: 5381
Location: Many Places
My Counter-Strike clan's forums are having the same problem with bot accounts. I don't know if phpbber.com has any security patches for the problem then.

_________________
The 11/3 Project


PostPosted: Mon 27 Mar , 2006 2:41 pm 
The Grey Amaretto as Supermega-awesome Proud Heretic Girl

Joined: Thu 24 Feb , 2005 3:46 pm
Posts: 19640
Well, I did implement the visual confirmation setting for new registrants. I hope that will help protect the board. :)


Lali

PostPosted: Thu 06 Apr , 2006 7:09 pm 
If you take life too seriously, you miss the meaning.

Joined: Wed 27 Oct , 2004 8:21 pm
Posts: 8258
Location: Gibraltar
I remember RELIZA.COM about 28 years ago. Anyone remember that talkative program?

_________________
Screenshot from the upcoming ROTK: EEE. PJ, I love ya and all you've done to put us Tolkien geeks into the mainstream, but this crosses a line.


PostPosted: Fri 07 Apr , 2006 6:47 am 
Gloriosus

Joined: Wed 08 Dec , 2004 11:10 am
Posts: 1805
Location: history (repeats itself)
Lidless wrote:
I remember RELIZA.COM about 28 years ago. Anyone remember that talkative program?


Do you think that remembering would have a positive effect on you?

_________________
– – –


PostPosted: Sat 16 Dec , 2006 6:49 pm 
Waiting for winter

Joined: Fri 04 Mar , 2005 1:46 am
Posts: 2380
Location: Jr. High
Well, here we are nine months later, and the bot problem has not gotten any better, in fact it has gotten considerably worse. I deleted seven at once yesterday, and I’ve already zapped two today. It’s gotten to the point that I’m so trigger happy deleting people that I might be deleting legitimate members at this point.

Something needs to be done.

Voronwë has informed me that civ0 has mods they can install that offer added security against bots. Problem is, I have no idea how to go about contacting civ0 and requesting these things. Alatar was the one who handled this sort of thing in the past, since he was the only Ranger who knew how to do it. That strikes me as a problem. It would be nice if we had some instructions in the How To Be a Ranger thread explaining this procedure.

Alatar, we would greatly appreciate whatever help you could give us on this matter.

Also, it would be good if some of the new Rangers could get involved in this. I’m going to be out of here in two weeks, so it doesn’t make much sense for me to be the one trained for this.

Any volunteers?

_________________

I am a child, I'll last a while.
You can't conceive
of the pleasure in my smile.


PostPosted: Sat 16 Dec , 2006 8:10 pm 
of Vinyamar

Joined: Mon 28 Feb , 2005 4:39 pm
Posts: 7795
Location: Ireland
It's pretty straightforward. Go to the Civ0 homepage and log in with the Board Username and Password (which I assume is recorded somewhere!). Then open a trouble ticket and request the mod installation. Thing is I'm not sure whose email addy was used for the board setup, but I strongly suspect it was Cems. My mail was added as an admin of the board (for Civ0's purposes). One of the rangers needs to get their addy on there also, or we need to create a mail address for that purpose on Gmail (not Yahoo).

Let me know if you need help.

_________________
These are my friends, see how they glisten...

