On Sat, 2004-12-25 at 18:54 -0500, Jack Yan wrote: > Dear Full-Disclosure members: > > I am not a computer expert, just a regular Joe who hopes this information > may be useful to you. > We are running phpBB and last week, a DoS attack was launched against us. > We have since upgraded, but among our new users over the last few days > have been a Weber361, a Weber395, and a nderevyanko. > Googling the last user name, I've found 4,900 references—most with > guestbooks or forums—to which nderevyanko has signed up. He has been > preceded by a few Webers, and some Irenas, often citing that > killhim.boom.ru is their home page. I found 10 such users on my forum at the site in my signature. Attached is a CSV file containing the export from phpbb, they all seem to have the same password. none of them have posted anything. Doesn't look like this is a DoS attack or anything like that I believe it's most likely an attempt at google spamming with the URL they set as their homepage. I'd recommend disabling them and modifying the homepage to your own URL. I wouldn't delete them as if they have a script this would be a sign that the site isn't previously tagged and would then allow them to regenerate. The accounts on my site where created on the 22/23 of December incase that becomes relevant (the site being down leads me to believe this is the end of it) With Regards.. Barrie Dempster (zeedo) - Fortiter et Strenue http://www.bsrf.org.uk [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
"user_id","user_active","username","user_password","user_session_time","user_session_page","user_lastvisit","user_regdate","user_level","user_posts","user_timezone","user_style","user_lang","user_dateformat","user_new_privmsg","user_unread_privmsg","user_last_privmsg","user_emailtime","user_viewemail","user_attachsig","user_allowhtml","user_allowbbcode","user_allowsmile","user_allowavatar","user_allow_pm","user_allow_viewonline","user_notify","user_notify_pm","user_popup_pm","user_rank","user_avatar","user_avatar_type","user_email","user_icq","user_website","user_from","user_sig","user_sig_bbcode_uid","user_aim","user_yim","user_msnm","user_occ","user_interests","user_actkey","user_newpasswd" "312","1","heylo782","b8ca9cc24a10e85812812ae21c511a6d","0","0","0","1099581940","0","0","0.00","1","russian","D M d, Y g:i a","0","0","0",NULL,"0","1","0","1","1","1","1","0","0","1","1","0",,"0","heylo782@xxxxxxxxxxx",,"http://killhim.boom.ru",,,,,,,,,,NULL "327","1","Spamma477","b8ca9cc24a10e85812812ae21c511a6d","0","0","0","1100117588","0","0","0.00","1","russian","D M d, Y g:i a","0","0","0",NULL,"0","1","0","1","1","1","1","0","0","1","1","0",,"0","Spamma477@xxxxxxxxxxx",,"http://killhim.boom.ru",,,,,,,,,,NULL "347","1","ahyutta","b8ca9cc24a10e85812812ae21c511a6d","0","0","0","1100733046","0","0","0.00","1","russian","D M d, Y g:i a","0","0","0",NULL,"0","1","0","1","1","1","1","0","0","1","1","0",,"0","ahyutta@xxxxxxxxxx",,"http://www.killhim.boom.ru",,,,,,,,,,NULL "351","1","Beata109","b8ca9cc24a10e85812812ae21c511a6d","0","0","0","1100953193","0","0","0.00","1","russian","D M d, Y g:i a","0","0","0",NULL,"0","1","0","1","1","1","1","0","0","1","1","0",,"0","charms@xxxxxxxxxxxxx",,"http://www.killhim.boom.ru",,,,,,,,,,NULL "361","1","bitare417","b8ca9cc24a10e85812812ae21c511a6d","0","0","0","1101326451","0","0","0.00","1","russian","D M d, Y g:i a","0","0","0",NULL,"0","1","0","1","1","1","1","0","0","1","1","0",,"0","bitare@xxxxxxxxxxxxxx",,"http://killhim.boom.ru",,,,,,,,,,NULL "372","1","Irena057","b8ca9cc24a10e85812812ae21c511a6d","0","0","0","1102267024","0","0","0.00","1","russian","D M d, Y g:i a","0","0","0",NULL,"0","1","0","1","1","1","1","0","0","1","1","0",,"0","Irena057@xxxxxxxxxxx",,"http://www.killhim.boom.ru",,,,,,,,,,NULL "384","1","Violar651","b8ca9cc24a10e85812812ae21c511a6d","0","0","0","1102895589","0","0","0.00","1","russian","D M d, Y g:i a","0","0","0",NULL,"0","1","0","1","1","1","1","0","0","1","1","0",,"0","Violar651@xxxxxxxxxxx",,"http://www.killhim.boom.ru",,,,,,,,,,NULL "399","1","Weber711","b8ca9cc24a10e85812812ae21c511a6d","0","0","0","1103724580","0","0","0.00","1","russian","D M d, Y g:i a","0","0","0",NULL,"0","1","0","1","1","1","1","0","0","1","1","0",,"0","Weber711@xxxxxxxxxxx",,"http://killhim.boom.ru",,,,,,,,,,NULL "400","1","Weber755","b8ca9cc24a10e85812812ae21c511a6d","0","0","0","1103724627","0","0","0.00","1","russian","D M d, Y g:i a","0","0","0",NULL,"0","1","0","1","1","1","1","0","0","1","1","0",,"0","Weber755@xxxxxxxxxxx",,"http://kilhim.boom.ru",,,,,,,,,,NULL "404","1","nderevyanko","b8ca9cc24a10e85812812ae21c511a6d","0","0","0","1103845067","0","0","0.00","1","russian","D M d, Y g:i a","0","0","0",NULL,"0","1","0","1","1","1","1","0","0","1","1","0",,"0","nderevyanko@xxxxxxx",,"http://killhim.boom.ru",,,,,,,,,,NULL
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html