NATS Paysite owners: You getting botted with user/pass pre-joins "super123" as pass? - GoFuckYourself.com

gleem · 03-29-2012, 09:24 AM

Anyone else have a guy botting a paysite pre-join 100 times a day with a username & password from the same IP coming through different affiliate links... all the passwords are the same "super123" and all IP's are from China, and there's never an attempt to use a credit card... just entering user/passes into the NATS DB. Since it's coming from different legit affiliate links on different sites, he's obviously crawling the web for join codes... totally nuts.

Am I the only one? Can anyone think of any point in doing this? This bot comes and goes every couple months for the past year, I just blocked all of China's IPs to get rid of him permanently, just curious as hell what the point is to do this for a year?

Any insite appreciated...

NATS 3 owners check your member's database for any user with the password "super123" I think you will be suprised.. found 3 others that had the same deal.

Why · 03-29-2012, 11:58 AM

have you gotten the IP and then grep'd your apache logs to see what else he is doing on your servers?

lucas131 · 03-29-2012, 12:01 PM

how you know his pass? i have been thinking it is crypted in nats, is it there plain? are you kidding me?

gleem · 03-29-2012, 12:02 PM

Quote:

Originally Posted by Why

have you gotten the IP and then grep'd your apache logs to see what else he is doing on your servers?

got the IP, I asked mojo what else he was doing they said nothing, maybe I should check too.

gleem · 03-29-2012, 12:04 PM

Quote:

Originally Posted by lucas131

how you know his pass? i have been thinking it is crypted in nats, is it there plain? are you kidding me?

webmaster passes are encrypted, surfers passes are encrypted in the DB, but not the admin

baryl · 03-29-2012, 12:05 PM

Install mod_geoip

SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
Deny from env=BlockCountry

Tons of problems instantly go away

lucas131 · 03-29-2012, 12:08 PM

Quote:

Originally Posted by gleem

webmaster passes are encrypted, surfers passes are encrypted in the DB, but not the admin

ok thank you i got it now, sounds ok then

gleem · 03-29-2012, 12:19 PM

Quote:

Originally Posted by baryl

Install mod_geoip

SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
Deny from env=BlockCountry

Tons of problems instantly go away

yep, all of china is blocked now.

raymor · 03-29-2012, 12:22 PM

If you catch him in the act, temporarily turn on post logging. Might be trying an evil null, sql infection or similar. Since it continues and since he's crawling for NATS links, he's obviously trying something.specific.

Major (Tom) · 03-29-2012, 12:34 PM

we fixed this problem but we had to disable it to keep our liscense. /:
ds

gleem · 03-29-2012, 12:38 PM

Quote:

Originally Posted by DukeSkywalker

we fixed this problem but we had to disable it to keep our liscense. /:
ds

hmm, other than banning all of china, how can you fix?

Hermes · 03-29-2012, 01:26 PM

Is it worth blocking over 1 Billion potential customers to slow(they could still find a way around) something that wasn't causing any real harm anyway?

Strange stuff it is, but would need some deeper analysis to figure out what they're trying to accomplish.

Could be some kind of "smart" bot that tries to sign up to any site it finds, to do spamming or whatever. I found this: https://www.dlitz.net/blog/2011/10/m...mmon-losenord/ and it looks alot that it's the same guy/bot there too.

geedub · 03-29-2012, 01:31 PM

Quote:

Originally Posted by Hermes

Is it worth blocking over 1 Billion potential customers to slow(they could still find a way around) something that wasn't causing any real harm anyway?

Strange stuff it is, but would need some deeper analysis to figure out what they're trying to accomplish. It could be something harmless like trying to gather some kind info, but could also be trying to exploit something. I think this may be related: https://www.dlitz.net/blog/2011/10/m...mmon-losenord/

Over 1 billion potential customers

Good one!

iSpyCams · 03-29-2012, 01:33 PM

Same here, did the prejoin about a dozen times between November and today on various sites of mine, I also have a few legit surfers using that password lol.

Check out the comments here: http://whatismyipaddress.com/ip/117.41.184.199

gleem · 03-29-2012, 01:34 PM

Quote:

Originally Posted by Hermes

Is it worth blocking over 1 Billion potential customers to slow(they could still find a way around) something that wasn't causing any real harm anyway?

Can't bill chinese, merch accounts won't bill for em, 3rd party billers won't, any IP that is originated in china is close to worthless and is the source for most of the hacking & cheating activity.

Quote:

Originally Posted by Hermes

I think this may be related: https://www.dlitz.net/blog/2011/10/m...mmon-losenord/

How does entering a made up user & email with a known password have anything to do with trying to decrypt logins... they aren't trying to access my members areas, they are just joining my pre-join form.

iSpyCams · 03-29-2012, 01:37 PM

Quote:

Originally Posted by gleem

How does entering a made up user & email with a known password have anything to do with trying to decrypt logins... they aren't trying to access my members areas, they are just joining my pre-join form.

Could be a poorly written bot that is trying to mass join forums for future spamming, or link building through mass profile creation.

Maybe the bot is just looking for forms with a user/pass field and a submit button and either isn't smart enough to detect actual community sites or else just hoping to get lucky.

gleem · 03-29-2012, 01:39 PM

Quote:

Originally Posted by pompousjohn

Could be a poorly written bot that is trying to mass join forums for future spamming, or link building through mass profile creation.

Maybe the bot is just looking for forms with a user/pass field and a submit button and either isn't smart enough to detect actual community sites or else just hoping to get lucky.

probably the best explanation I've heard.

GetSCORECash · 03-29-2012, 01:43 PM

Thanks, we did have him in our database, but had taken care of him last year.

He joined via the following IP if it helps. 99.62.117.195

Major (Tom) · 03-29-2012, 01:45 PM

Quote:

Originally Posted by gleem

hmm, other than banning all of china, how can you fix?

hmm well I not allowed to speak about it /:
ds

Hermes · 03-29-2012, 01:47 PM

Quote:

Originally Posted by gleem

How does entering a made up user & email with a known password have anything to do with trying to decrypt logins... they aren't trying to access my members areas, they are just joining my pre-join form.

Yes I was just editing my last post to add something what pompousjohn just suggested, it looks quite obvious that the amount of "super123" passwords on that swedish board was caused by some kind of bot, and since the password is same here then it's probably same (spam) bot.

Profits of Doom · 03-29-2012, 01:56 PM

Quote:

Originally Posted by pompousjohn

Could be a poorly written bot that is trying to mass join forums for future spamming, or link building through mass profile creation.

Maybe the bot is just looking for forms with a user/pass field and a submit button and either isn't smart enough to detect actual community sites or else just hoping to get lucky.

That's what it sounds like, it's not xrumer or scrapebox but there are a million other half assed link building and forum spamming software's on the market now...

03-29-2012, 09:24 AM	#1
gleem Confirmed User Industry Role: Join Date: Jun 2001 Location: Sunny Land Posts: 5,593	NATS Paysite owners: You getting botted with user/pass pre-joins "super123" as pass? Anyone else have a guy botting a paysite pre-join 100 times a day with a username & password from the same IP coming through different affiliate links... all the passwords are the same "super123" and all IP's are from China, and there's never an attempt to use a credit card... just entering user/passes into the NATS DB. Since it's coming from different legit affiliate links on different sites, he's obviously crawling the web for join codes... totally nuts. Am I the only one? Can anyone think of any point in doing this? This bot comes and goes every couple months for the past year, I just blocked all of China's IPs to get rid of him permanently, just curious as hell what the point is to do this for a year? Any insite appreciated... NATS 3 owners check your member's database for any user with the password "super123" I think you will be suprised.. found 3 others that had the same deal. __________________ Contact me: \\// E: webmaster /at/ unprofessional.com

03-29-2012, 12:22 PM	#9
raymor Confirmed User Join Date: Oct 2002 Posts: 3,745	If you catch him in the act, temporarily turn on post logging. Might be trying an evil null, sql infection or similar. Since it continues and since he's crawling for NATS links, he's obviously trying something.specific. __________________ For historical display only. This information is not current: support@bettercgi.com ICQ 7208627 Strongbox - The next generation in site security Throttlebox - The next generation in bandwidth control Clonebox - Backup and disaster recovery on steroids

03-29-2012, 12:34 PM	#10
Major (Tom) Noticing Industry Role: Join Date: Nov 2003 Location: Null Posts: 30,209	we fixed this problem but we had to disable it to keep our liscense. /: ds __________________ My mother said, to get things done You'd better not mess with Major Tom

03-29-2012, 01:26 PM	#12
Hermes Confirmed User Industry Role: Join Date: Oct 2010 Posts: 264	Is it worth blocking over 1 Billion potential customers to slow(they could still find a way around) something that wasn't causing any real harm anyway? Strange stuff it is, but would need some deeper analysis to figure out what they're trying to accomplish. Could be some kind of "smart" bot that tries to sign up to any site it finds, to do spamming or whatever. I found this: https://www.dlitz.net/blog/2011/10/m...mmon-losenord/ and it looks alot that it's the same guy/bot there too. Last edited by Hermes; 03-29-2012 at 01:39 PM..

03-29-2012, 01:43 PM	#18
GetSCORECash Confirmed User Industry Role: Join Date: Mar 2008 Location: Miami Posts: 5,527	Thanks, we did have him in our database, but had taken care of him last year. He joined via the following IP if it helps. 99.62.117.195 __________________ \| skype: getscorecash \| ICQ: 59-271-063 \| New Sites: \| SCORELAND2 \| Roku Channel SCORETV.TV \| 60PLUSMILFS \| \| Big Tit Hooker \| Tits And Tugs \| Big Boobs POV \| Karla James \| \| Naughty Foot Jobs \| Linsey's World \| Busty Arianna Sinn \| Get SCORE Cash \|

03-29-2012, 11:58 AM	#2
Why MFBA Industry Role: Join Date: Mar 2003 Location: PNW Posts: 7,230	have you gotten the IP and then grep'd your apache logs to see what else he is doing on your servers?

03-29-2012, 12:01 PM	#3
lucas131 ¯\_(ツ)_/¯ Industry Role: Join Date: Aug 2004 Posts: 11,475	how you know his pass? i have been thinking it is crypted in nats, is it there plain? are you kidding me?

03-29-2012, 12:05 PM	#6
baryl Confirmed User Industry Role: Join Date: Aug 2011 Location: Las Vegas Posts: 1,086	Install mod_geoip SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry Deny from env=BlockCountry Tons of problems instantly go away

03-29-2012, 01:33 PM	#14
iSpyCams Amateur Gynecologist Industry Role: Join Date: May 2009 Location: Medellin Posts: 4,436	Same here, did the prejoin about a dozen times between November and today on various sites of mine, I also have a few legit surfers using that password lol. Check out the comments here: http://whatismyipaddress.com/ip/117.41.184.199