
Anatomy of a phpBBS Attack.

An ongoing, targeted attack on phpBBS boards.


grelmar

1:03 am on Jul 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



NB: This should in no way be taken as denigrating the quality of phpBBS software. It is, on the whole, very robust, quick, professional looking software, that will meet many a Webmaster's needs. It is one of two popular BBS packages I use, the other being a cgi/perl based BBS, which is easier for me to deploy simply because I have longer experience with it, and more commercial servers support CGI than do PHP.

7:00am, The Attack is First Detected.

I woke up, put the coffee on, stared at the pot while it brewed, grabbed a cup, and went over to the box to do my morning warm up. This involves checking in at 4 BBSes I actively control or moderate at. It's usually a nice way to ease into the day, kinda like hanging out at the watercooler (if I still worked at an office). The last board on my morning checklist woke me up with a start. The board is fairly active, but I usually only have 1 or 2 dozen messages to peruse from overnight traffic. I was more than a bit surprised to see new messages in all 11 forums. And my heart sank when I saw new posts on the top 20-30 threads in each forum.

It turned out, there were actually only 5 different messages, from 5 different "guest" posters. I'll post them here (minus the links):

Bugi
Guest

Posted: Fri Jul 02, 2004 11:30 am Post subject: Richest Franchise in Sport
what kind of sport is this? i ve never heard about it and never seen it...
I like - football, tennis, [long.spam.url.com...] figure skating, extreme sports
Dislike - hockey, basketball, car racing, box and all the rest

wlu_lax6
Guest

Posted: Fri Jul 02, 2004 11:28 am Post subject: Glazer & the Buccaneers
Saw that this morning. I've said it before....for all you want to talk about United and their international profile [long.spam.url.ru...] they really seem to do business the right way. I'm interested to see just how much Kenyon had to do with these results, so next year will be interesting.

duko
Guest

Posted: Fri Jul 02, 2004 11:04 am Post subject: Top 20 Wealthiest Soccer clubs
what kind of sport is this? i ve never heard about it and never seen it...
I like - football, tennis, [long.spam.url.com...] figure skating, extreme sports
Dislike - hockey, basketball, car racing, box and all the rest

Lada
Guest

Posted: Fri Jul 02, 2004 12:06 pm Post subject: Richest Franchise in Sport
Topics containing links to people's sites are unneeded and contribute nothing as a whole, much like topics containing content like this one. You could have PMed a moderator and asked this same question and received the same [long.spam.url.com...] response. Please do so in the future.

zumba
Guest

Posted: Fri Jul 02, 2004 11:32 am Post subject: Richest Franchise in Sport
Topics containing links to people's sites are unneeded and contribute nothing as a whole, much like topics containing content like this one. You could have PMed a moderator and asked this same question and received the same [long.spam.url.com...] response. Please do so in the future.

I kinda like the humor value of this last message, though we would find out as the day went on, that it was the most dangerous, because it caused the most CTR from the forum's legitimate users.

All in all, there were over 200 messages, with each thread containing 2-5 of the spam messages. A startling number, because between myself and the two other mods on this board, there is only a three hour gap between when the last one goes to bed, and I get up in the morning. So these messages would have all come in within a 3, perhaps 4 hour window.

Variables

Those "guest" names remained constant, and the message bodies did as well, but we would count (over the course of the day, as the attack continued), almost 50 separate URLs. Also, whoever is directing the attack is using some method of cloaking their IP, so each message was coming in from a different IP address.

Hazard Points

First: The links were all links to hijack sites, as far as we could discern. As mods, we took the (somewhat) risky step of following a few of them to find out where they led. We did this using non-IE browsers behind very heavy firewalls. It became instantly clear that these sites were attempting to install spyware, browser hijacks, general malware.

Second: Potential for DOS. The volume of incoming messages was enough that, on a weaker server, or one with a bandwidth throttle, there would be a potential for the board to go offline. In our case, we were spared from this.

Third: Auto-notify spam. A number of our users had various threads on set to "notify" of response. This led to their mail-boxes getting quickly clogged, and some less than pleasant response from them about this. The board's e-mail address quickly became denoted as a spam address by several spam filters.

Counter-measures
In my humble opinion, we could've handled this much better, but here's a breakdown of what we did do.

First: I quickly dropped a note in the moderator forum, so that the other mods would know what was up when they came online. The note included the guest "names" and copies of the message bodies.

Second: Began the tedious process of deleting the spam messages. At first, it looked like I was getting ahead of the game, but after a while, another "wave" of messages started coming in, and they were being created faster than I was deleting them. I began keeping a close eye on the clock, waiting for 10am, when the admin usually comes online. As a moderator, I was a little hogtied, I couldn't disable guest posting, which is an admin only function. What I could, and did do, was start locking threads that hadn't had a legitimate response in more than a week. This limited the number of open threads for the bot to exploit greatly, and had an immediate effect on reducing the number of incoming posts.

Third: Well, here's where the timeline breaks down a little. After a while, the admin and the other moderator came online. As they came on, we began working as a team deleting the spam messages, and finally got ahead of the game, where one or two of us could pretty much delete the messages as they came in. There was also a fast and furious discussion in the moderator forum about exactly what we should do to completely put the brakes on the attack. I hate to admit it, but that discussion was not our finest moment, as a group. Personally, I felt closing down guest posting, at least temporarily, was fully justified. Long story short, I got out-voted. Guest posting was never disabled, and is still active on that board. I believe that to be a mistake. The easiest way to deal with an attack of this nature is to disable guest posting.

Fourth: The other mod and I kept on top of the incoming spam, deleting it as created, while the admin went to work on making changes to the software to blunt the attack. Once he had adjusted the flood control to prevent more than 1 guest post every 5 minutes, this gave the other mod and I time to help searching for patches.

We also did some quick googling to discover that we were not alone, that this attack was happening to many other phpBBS boards. The purpose of the attack seems to be to generate traffic to the hijack URLs in three ways: directly through CTR from the affected BBSes, through CTR from auto-notify e-mails, and through keyword-spam of google (punch portions of those messages into google and you'll see what I mean).

Fifth: We finally beat the attack by installing a key-generator patch, like the ones you see on many large E-mail services. What the patch does is create a four letter/number combination in graphical form that must be entered before being able to post as a guest, or to register. This is an extremely effective way of defeating automated sign-ups and posting. I give the admin of that forum full credit for finding, modifying, and installing that patch in under 24 hours.

What we should have done
We should have disabled guest posting immediately. The admin of that board is almost religiously stuck on allowing guest posting. If guest posting had been disabled at the outset of the attack, it would've cut the clean-up time in half, reduced the damage to our users' mailboxes and the board's reputation, and given us far more breathing room to search for and apply the necessary patch. The downside would have been that we might have annoyed a half dozen or less legitimate potential "guest" posters.

What you can do in advance if you have a phpBBS
The easiest thing to do would be to disable guest posting (sounding like a broken record, I know). If, for whatever reason, you don't feel this is appropriate for your forum, then type phpBBS into google, and you will fairly quickly be able to find various communities that have patches and add ons for that software. Find and install a graphical key-generator for registration and guest posting.
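The wave grelmar describes has a recognisable shape: a handful of fixed guest names and message bodies, each copy carrying a different link and arriving from a different IP within a few hours. The script below, an added example that is not part of the original post and not phpBB's code, groups guest posts by their link-stripped body and flags clusters repeated from several IPs inside a short window; the post-record layout and sample records are constructed for the illustration.

```python
"""Detect a guest-post spam wave with the signature described above: a few
fixed guest names and bodies, each copy carrying a different link and
arriving from a different IP inside a few hours.  Added illustration with
an assumed post-record layout; it is not phpBB's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)

# Constructed sample records: (timestamp, poster, is_guest, ip, body).
# Two spam bodies are repeated with changing URLs, names and IPs; the
# member post and the one-off guest question are legitimate.
SAMPLE_POSTS = [
    ("2004-07-02 11:04", "duko", True, "198.51.100.10",
     "What kind of sport is this? I like football, tennis, http://spam-a.example/p1 figure skating"),
    ("2004-07-02 11:20", "regular_member", False, "192.0.2.99",
     "Good match last night, thought United looked sharp."),
    ("2004-07-02 11:30", "Bugi", True, "198.51.100.77",
     "what kind of sport is this? i like football, tennis, http://spam-b.example/p2 figure skating"),
    ("2004-07-02 11:32", "zumba", True, "192.0.2.8",
     "Topics containing links to people's sites are unneeded, see http://spam-d.example/q1 for details."),
    ("2004-07-02 11:45", "visitor", True, "198.51.100.30",
     "Where can I find the fixture list?"),
    ("2004-07-02 12:06", "Lada", True, "192.0.2.44",
     "Topics containing links to people's sites are unneeded, see http://spam-e.example/q2 for details."),
    ("2004-07-02 12:15", "duko", True, "203.0.113.5",
     "what kind of sport is this? i like football, tennis, http://spam-c.example/p3 figure skating"),
    ("2004-07-02 12:50", "zumba", True, "198.51.100.200",
     "Topics containing links to people's sites are unneeded, see http://spam-f.example/q3 for details."),
    ("2004-07-02 13:40", "Bugi", True, "203.0.113.90",
     "what kind of sport is this? i like football, tennis, http://spam-a.example/p1 figure skating"),
]

def fingerprint(body):
    """Normalise a body so copies that differ only in the link collide."""
    text = URL_RE.sub("", body).lower()
    return " ".join(text.split())

def find_spam_waves(posts, min_posts=3, min_ips=3, window=timedelta(hours=4)):
    """Group guest posts by fingerprint and flag clusters that are repeated
    from several IPs within `window`. Returns one summary dict per wave,
    largest wave first."""
    clusters = defaultdict(list)
    for ts, name, is_guest, ip, body in posts:
        if not is_guest:          # the described wave came in as guest posts
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        clusters[fingerprint(body)].append((when, name, ip, URL_RE.findall(body)))
    waves = []
    for fp, items in clusters.items():
        items.sort(key=lambda it: it[0])
        span = items[-1][0] - items[0][0]
        ips = {ip for _, _, ip, _ in items}
        if len(items) >= min_posts and len(ips) >= min_ips and span <= window:
            waves.append({
                "fingerprint": fp,
                "posts": len(items),
                "ips": len(ips),
                "urls": len({u for *_, urls in items for u in urls}),
                "names": sorted({name for _, name, _, _ in items}),
            })
    waves.sort(key=lambda w: -w["posts"])
    return waves

if __name__ == "__main__":
    for wave in find_spam_waves(SAMPLE_POSTS):
        print(wave["posts"], "posts,", wave["ips"], "IPs,", wave["urls"], "URLs:", wave["fingerprint"][:50])
```

Run over a real post table the same grouping gives a moderator the list of bodies to search for and delete, and the distinct IP count shows why banning single addresses would not have helped here.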

blaze

1:45 am on Jul 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



yaaa-ikes.

Someone needs to hunt these people down and put them in a very dark and unfriendly jail.

This is going to rapidly undermine the credibility of the internet.

TheDoctor

11:38 am on Jul 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for the account, grelmar. It's very useful, even for those of us using other software than phpBB.

I think you're right about disabling guest posting, at least temporarily. An alternative would be to force pre-moderation of guest posts, so that genuine posts will eventually get through. (But the last time I looked phpBB didn't have that facility. Has this been introduced yet? It's a really useful tool in circumstances like this.)

RadarCat

8:53 pm on Jul 4, 2004 (gmt 0)

10+ Year Member



I agree with Blaze.

RadarCat

trillianjedi

9:17 pm on Jul 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



A very useful post grelmar thanks.

I hope you're getting paid by this admin - turning off guest posting in this situation, even as a temporary measure, is a no-brainer.

Sounds like he wasted a lot of your time.

TJ

vkaryl

1:11 am on Jul 5, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



TheDoctor: I believe premod will be available in phpBB 2.1 or 2.2 whichever they decide to call it when it hits.

Grel - that was a masterly summation of a hectic day. You're to be congratulated that you somehow managed to retain enough sanity just to get it in file! Though I don't have guest posting enabled on ANY of my fora (all phpBB natch), it's definitely good to know about this sort of thing.

Did you by chance report this in detail through the phpBB bug-report system?

rogerd

1:23 am on Jul 5, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Nice post, Grelmar, thanks for sharing.

I haven't had to deal with an automated attack of this magnitude, but on one forum I had a coordinated attack by multiple (registered) posters. Kicking the forum into maintenance mode for a few minutes let me disable the rogue accounts and get ahead of the attack. Guest posting is a whole different can of worms, though. Next time let the admin clean up if he/she is so committed to uncontrolled posting. Even with image verification, you are still subject to human spammers. Good luck

dvduval

1:33 am on Jul 5, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There may come a day when you have to pay moderators to watch the board in shifts so the board is covered 24/7. Usually big boards have enough moderators to deal with spammers. I've caught them in the act several times, and deleted their username (I require registration) while they were still posting spam. I also have an anti-robotic registration feature where you have to type the numbers before continuing. I don't like doing this because some blind people might not be able to register without help, but I'm not sure what other options I have.

Teknorat

6:40 am on Jul 5, 2004 (gmt 0)

10+ Year Member



Sounds like the Admin was entirely to blame for that. I have guest posting turned off on the forum I run and users must confirm with an image and confirm their email. The anti-flood measures are set extremely high (some users don't like it) but it is well worth it. Guest posting is in my opinion the most ridiculous thing any forum could possibly do. Most of our problems come from users who disagree with the content of the forum and register simply to repetitively flood. Fortunately my moderators are fairly good and get onto it very quickly. All their details get recorded and their email and user name get Googled while their IP is banned and their ISP notified. One of the measures we have taken is to keep all mod information secret. Not all the moderators are known and they are NEVER shown as being online. No one discusses anything related to when the mods are on etc.. publicly. These steps prevent users from targeting times when they know mods are usually not online.

As someone who has been on both sides of the fence I can tell you that flooding a bulletin board is often too easy. Many sites don't bother to think ahead or plan for such an event. Often they openly discuss when mods come on and offline. (Some will even talk about security holes in the software.) A manual flooder is often far more damaging than an automated script. When working in packs they are extremely dangerous. Often when working as a team flooders will create a large amount of accounts beforehand. While the names are often extremely different the email addresses being used (provided you have email confirmation) will often be from the same domains. Using a catch all email account allows them to quickly confirm many usernames. Often usernames very similar to Admin and Moderator accounts will be created. (One thing you should never do is use a font which makes I and l or 1 look the same.) Sometimes flooders (or spammers) will post a few messages that completely trash the TOS to see if any mods are online and if so how many. Most Moderators don't have access to any of the IP blocking tools but when an IP address is blocked they simply move onto another. A good attack can be effected using only a free anonymous proxy service. If there is a group of flooders one or two Moderators will not put them off in the slightest. If their objective is to spam a URL or multiple URLs most of the posts will be new messages and posts in popular threads. If their objective is to crash the server or slow down everything or just generally cause you grief you will end up with thousands of posts buried deep in year old topics and hundreds of new topics in each forum. Some BB software allows you to simply click the back button, change the title and repost what has already been copied in. Do NOT use any system that allows this, if you do you are extremely vulnerable to an attack.
Sometimes flooders will even go to the extent of engaging a Moderator in an IM conversation while his cohorts go about their wicked ways. If your forum has hard coded links to perform various tasks such as deleting a member flooders will sometimes learn the software themselves and then send all the moderators links to delete users etc using a redirect such as tiny url or their own. (This usually occurs during an attack.) This is a huge security risk in itself as most moderators won't even think twice about clicking something that says "picture of me." When it comes to boards IMO you can never be too safe.
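The "send the moderator a disguised link" trick Teknorat describes only works when a moderator action is a plain link that performs its job as soon as it is opened. The handler below, an added example that is not from the original post and not any forum package's code, shows the defensive shape: the delete-user action runs only on a POST that carries the moderator's own per-session token, so a link opened from IM or a redirector (a GET with no token) is refused. The request dictionary and session layout are assumptions for the illustration.

```python
"""Guarding moderator actions against the 'click this link' trick described
above: the delete-user action runs only on a POST carrying the moderator's
per-session token, so a link sent through a redirector (a plain GET with no
token) does nothing.  Added illustration with an assumed request shape; not
any forum package's code."""
import hmac
import secrets


def issue_mod_token(session):
    """Put a fresh random token in the moderator's session and return it;
    the moderation forms embed it as a hidden field."""
    token = secrets.token_hex(16)
    session["mod_token"] = token
    return token


def handle_mod_action(request, session, users):
    """request: {'method', 'action', 'params'}. Returns (performed, message)."""
    if request["method"] != "POST":
        # A link opened from IM or a redirector arrives as GET: refuse it.
        return False, "refused: state-changing action requires POST"
    expected = session.get("mod_token")
    supplied = request["params"].get("token", "")
    # Constant-time comparison; a missing token never matches.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "refused: missing or wrong session token"
    if request["action"] == "delete_user":
        name = request["params"].get("user", "")
        if name not in users:
            return False, f"no such user: {name}"
        users.remove(name)
        return True, f"deleted {name}"
    return False, "unknown action"
```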

TheDoctor

10:19 am on Jul 5, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Guest posting is in my opinion the most ridiculous thing any forum could possibly do.

This depends on what the forum is meant to do.

For example, one of my forums is what I call a "notice board". Its purpose is to allow people, within the community I serve, to post information about calls for papers, conferences, seminars, etc, to request information off others, and so forth. Links to other pages are encouraged - eg if you're announcing a conference, you should link to the conference web page.

Under these circumstances, guest posting is essential. A large proportion, possibly even a majority of posters will only post once, ever. They're posting to draw attention to one thing only.

But, of course, we've found by experience that pre-moderation is essential if you allow guest posting. It does work in keeping the spammers at bay. It's not just that their efforts don't get posted. Once a spammer or troll realises that their posts aren't appearing immediately, they stop posting and go away.

I'm glad to see that phpBB is eventually getting the facility. IMHO it's a necessity in any forum software.

grelmar

10:32 pm on Jul 5, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for the responses.

TKRat: Appreciate the input, I'm going to look a little more closely at the forums I have full admin on, and double check for holes.

PreMod: Not avail "officially" for phpBBS, yet, but there are "hacks" available for it.

Guest Posting: On the boards I admin, I don't allow it, largely because I don't have the time to 24/7 babysit them. I know, or actually, guess, that it has limited the activity on those boards, but I have time to let them build. On the board in question, 99% of the time it has been used responsibly, and it has been a big boost to the community. After a couple of "guest" posts, it's usually easy to entice someone to get an account, and turn them into an active "member". Tuning up the guest posting to require the code input will alleviate the automated attacks, and the drive-by-manual spamming, well, that's one of the main reasons for the moderators to keep a close eye on things.

As traffic on that forum increases, I'm sure the policy will eventually change.

Side note: Part of me, kinda enjoyed the whole episode. It was a "Live, real-time-challenge" that I seldom get a chance to deal with, and as much as it ticked me off, it got the juices going. While it was happening, although no one said it out loud, I'm guessing the other mod and the admin were thinking the same thing I was "No dang-blamed script kiddie is gonna take MY board down."

Teknorat

12:00 am on Jul 6, 2004 (gmt 0)

10+ Year Member



Yep. If it were a manual attack they would have been getting a kick out of it themselves. There's nothing quite as exhilarating as watching a Message Board go to absolute waste. :-P

vabtz

6:16 pm on Jul 7, 2004 (gmt 0)



- As previously said if you enable guest posting you're asking for trouble

esteve999

8:36 pm on Jul 8, 2004 (gmt 0)

10+ Year Member



Great post grelmar.

I agree that turning off guest posting would have been the way to go.

wkitty42

2:57 am on Jul 30, 2004 (gmt 0)

10+ Year Member



very interesting post, grelmar... my background is based on the old dialup bbs' and as such, while there may be guest access, they can't do anything... your post has been most informative and eye opening... i agree with you and the others about guest posting... that should have been the first thing turned off... then the cleanup and repair could have been taken care of in a more relaxed manner... gotta wonder what these guys are smoking to come up with some of this stuff :)

rogerd

3:11 pm on Jul 31, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Guest posting is a big hole, but even member posting can be a problem if registration is easy and automatic. A handful of accounts can wreak quite a bit of havoc in a short time.

buksida

6:37 am on Sep 9, 2004 (gmt 0)

10+ Year Member



I have had spates of "new members" not necessarily posting but creating profiles with the spammy URL as their website (usually with a .ru extension). This would only benefit them if the memberlist file could be spidered - easy enough to prevent using robots.txt.

I'm guessing it's a bot that does this, they also tend to create names using punctuation marks so they appear at the top of the member list. Guest posting has been turned off for a long time on my forum, leaving me the arduous job of checking every new member profile as they join.

These people should be lined up against walls and shot!

Jenstar

3:16 pm on Sep 9, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't allow guest posting, but I was having a problem earlier this year with profile spamming. I added a phpBB hack that disables a member's ability to add a URL in the www profile field until a certain number of posts are made (the default is ten posts). If it was done by a bot, the bot wouldn't realize that field is disabled, so if a new registration is done with a script trying to enter in that field, it will not complete the registration process, and will automatically add the IP used into the IP ban field. I just checked and I have a healthy IP ban listing in my admin panel.

Guest posting is a huge loophole. The right decision would have been to disable it, even for an hour or two, and hope the kiddies go elsewhere. Then the fix could have been made much faster, without having to keep an eye on the spam chaos. I have never allowed guest posting on any of the forums I am involved in. If someone is going to spam the forums anyway, at least they will have to invest a little time to do it ;)
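The profile-field hack Jenstar describes is a honeypot: the "www" field is not offered to new accounts, so a real browser never submits it, while a script that fills it from a fixed template gives itself away. The registration check below is an added example written for this thread, not phpBB's code or the hack itself; the field names, the ten-post threshold and the ban-list shape are assumptions.

```python
"""Registration check in the spirit of the phpBB hack described above: the
'www' profile field is withheld from accounts below a post threshold, so a
real browser never submits it; a bot that fills it anyway is refused and
its IP lands on the ban list.  Added illustration with assumed names; not
phpBB's code."""
from dataclasses import dataclass, field

MIN_POSTS_FOR_WWW = 10   # assumed threshold, matching the default quoted above


@dataclass
class BanList:
    ips: set = field(default_factory=set)

    def add(self, ip):
        self.ips.add(ip)

    def contains(self, ip):
        return ip in self.ips


def rendered_fields(post_count):
    """Fields the profile form actually offers to a user with post_count posts."""
    fields = ["username", "email", "password"]
    if post_count >= MIN_POSTS_FOR_WWW:
        fields.append("www")
    return fields


def handle_registration(submitted, client_ip, banlist):
    """Return (accepted, reason). `submitted` is the posted form as a dict."""
    if banlist.contains(client_ip):
        return False, "ip is banned"
    allowed = set(rendered_fields(post_count=0))   # new accounts have 0 posts
    unexpected = {k for k in submitted if k not in allowed and submitted[k].strip()}
    if "www" in unexpected:
        # Only a script that ignores the rendered form fills this field.
        banlist.add(client_ip)
        return False, "www field submitted by a new account; ip banned"
    missing = [k for k in ("username", "email", "password") if not submitted.get(k)]
    if missing:
        return False, "missing " + ", ".join(missing)
    return True, "registered"
```

Because the ban is triggered by a field no human sees, the check costs legitimate registrants nothing, unlike an image code.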

dvduval

3:47 pm on Sep 9, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Last night, someone or a couple of different people started making posts with literally hundreds of the same picture in their post, and then started repeating the post over and over. I deleted their user name only to find they had registered 3 more and were making posts with them as well. Then I turned off user registration, and deactivated the user names. Afterwards, there were some posts that weren't quite right, and I had to go into the database to repair the damage. I still have not reactivated user registration. I'm struggling with why someone would do this and how I can stop it in the future. It was lucky I was online at the time.

rogerd

5:29 pm on Sep 9, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



You were indeed lucky, dvduval. Left to their own devices for many hours, your spammers may have created a far larger cleanup chore.

I'm not sure that "why" is an operative question much of the time. Walls are spray painted, windows are smashed, and other acts of vandalism continue to occur in the real world. Often, forum spamming is just electronic vandalism, not dissimilar to a graffiti artist tagging a prominent bridge. In some cases, the spammers may drop affiliate links, ads, links to trojan horse downloads, etc. - these are oriented to making money or some other objective. Usually it seems pointless, though.

(Don't forget about IP banning as a possible quick fix for a multi-username attack.)

Jenstar

9:07 pm on Sep 9, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Also, a note to ALWAYS keep your forum software updated! When there is a problem or bug found, most will issue a patch or an updated version, with full instructions on what to do to successfully upgrade. It can help prevent problems down the road :) In the past, bug fixes have included hacker's ability to admin themselves, or to bypass registration, etc.