Moderation for new members


webado

Dec 7, 2007, 3:16:54 PM
to SOFTplus GSiteCrawler
Sorry folks, but it has become necessary to place all new members'
first posts in moderation due to an influx of ugly spam.

I'll change this setting when that spam abates.

Until then hopefully I'll be fast enough to catch all the genuine new
members and their posts to unmoderate them.

Duncan Hill

Dec 7, 2007, 7:48:21 PM
to gsitec...@googlegroups.com
Go on! spoil all the fun .... LOL

I just read today on another list how someone uses porn sites to test
their security systems ...
that just has to qualify as the best excuse ever.

Joking aside, I moderate on a totally computer unrelated group and it is
so sad the amount of spam that gets pushed, moderating is a thankless task
more often than not.
I think if anyone on the group does not understand or appreciate what you
are doing to protect them, they should raise their hands and offer you
assistance.

Thanks for your hard work.

Duncan
Happy to help at anytime.

--
Duncan Hill
(DHadmin)

a-ok-site

Dec 7, 2007, 9:21:19 PM
to SOFTplus GSiteCrawler
Duncan,

I feel your pain!!!! I recently had to disable my .net and .org urls
because of the unrelenting assault by spammers and other slime buckets
(I am using that term because it would be inappropriate to use the
words I would like).

Daniel

webado

Dec 7, 2007, 9:51:57 PM
to SOFTplus GSiteCrawler
Thanks :)

I am seeing a huge increase in spam in forums and email as well,
despite all the anti-spam measures.

The last one was an email I got to my orders @ email addy (thus a very
common and sure to exist one for most sites), where they are offering
me SEO services to make my site #1. #1 for what, they didn't say LOL

This one here is special as it seems to attract a lot of porn spam.
All because we cannot block signups and posts containing certain words
and fragments.

a-ok-site

Dec 7, 2007, 11:19:30 PM
to SOFTplus GSiteCrawler
On my sites they manage to hide the spam in links and such that appear
to be normal and pertinent to the forum, but if you click it goes to
porn or Viagra sites and so on. There also seemed to be an increase in
proxy attacks, and there is no telling what the motive behind those
are.

Daniel

Chris Wright

Dec 7, 2007, 11:50:18 PM
to gsitec...@googlegroups.com
a-ok-site wrote:
> On my sites they manage to hide the spam in links and such that appear
> to be normal and pertinent to the forum, but if you click it goes to
> porn or Viagra sites and so on. There also seemed to be an increase in
> proxy attacks, and there is no telling what the motive behind those
> are.
>
>
Proxy attacks are probably looking for security holes in the forum. Pop
over to the StopBadWare Google group and you'll find out more about the
reasons why.

Forums are one of the sites that we are seeing an increase in attacks.
If an open forum allows content to be published that provides a link /
or delivery vehicle for malware distribution, it can lead to your whole
domain being listed at Google and effectively de-listed from the Google
Index.

Two main reasons for hiding the target of the links in the spam:
1. Regular users might actually click on them.
2. If they can push enough posts on enough forums, makes you wonder what
it would do for their PR of those target sites (for those that they
cared about).

On some of the sites I manage, (2) isn't the prevalent option since most
of the sites referenced in the spam are using Fast Flux type methods and
therefore must only be interested in visitors.
But I have seen the odd genuine site. (Genuine only in the fact that
it's a permanent site, spamvertised maybe, but they are either SEO
naive or stupid or more likely both).

My old personal blog purely exists now so that I can (1) contribute to
project honeypot, and (2) maintain my own personal list of IPs to block
from my other sites. I "hid" the comment controls from real users, but
still the spammers keep on coming, and I keep on adding them to the
blocklist... (note for Webado - hid from real users in a way not to
be seen by Google to be hiding things ;) but I should save that part
for the SEO group)

I've been a member of spamcop for years and spammers rank 1 rung up the
ladder from amoeba in my book, except the amoeba still have the higher IQ...


Chris


a-ok-site

Dec 8, 2007, 12:10:04 AM
to SOFTplus GSiteCrawler
Chris you are right, and I decided to give in and let the spammers win
for now. I will concentrate on a way to provide the same, or almost
the same, content in a way that there is absolutely no chance of my
site propagating their spam or malware/badware. To me providing a
forum or other tool that gives users access to content is not worth
the chance that some young person will click a link and end up on a
porn site or worse.

I was visiting your blog yesterday and kind of wondered what was going
on, and hopefully, I didn't trigger anything I wasn't supposed
to...lol.

Daniel

Chris Wright

Dec 8, 2007, 12:26:42 AM
to gsitec...@googlegroups.com
a-ok-site wrote:
> I was visiting your blog yesterday and kind of wondered what was going
> on, and hopefully, I didn't trigger anything I wasn't supposed
> to...lol.
I know, my visitor count doubled !!!

a-ok-site

Dec 8, 2007, 12:29:03 AM
to SOFTplus GSiteCrawler
Chris,

I joined the StopBadWare group and looked around some, but I am a
little confused about getting a StopBadware.org review/scan of my
site. Is it only for flagged sites or can it be used to make sure
that a site is and remains clean?

Daniel


Chris Wright

Dec 8, 2007, 12:36:55 AM
to gsitec...@googlegroups.com
a-ok-site wrote:
> Chris,
>
> I joined the StopBadWare group and looked around some, but I am a
> little confused about getting a StopBadware.org review/scan of my
> site. Is it only for flagged sites or can it be used to make sure
> that a site is and remains clean?
>
>
>
It's only for flagged sites.
They maintain a list of sites populated with data from Google and other
trusted sources (but I suspect mainly Google).
The good thing is that if your site's not listed, it's probably not
compromised.
(I say probably because there is always a lag between a Google listing,
and a StopBadWare listing).
But trust me, if you had malware on your site, you'd probably know by now...

You only need to do a scan/review of your site, once you have been
reported as having malware on your site.
i.e.
you get listed at SBA or Google
you then clean your site
ensure your site is clean
close the door to the attackers
then request a review at SBA (and maybe via your Google Webmasters
Toolpanel).

That's what the review/scan process is for.
If you request a review of your site BEFORE it is cleaned, and it still
has malware on it when they re-scan it, it adds a bucket load of time
until you get removed from the list.

There is a separate link for checking if your site is listed in the
database (or clearinghouse as they call it)
http://stopbadware.org/home/reportsearch

a-ok-site

Dec 8, 2007, 12:47:08 AM
to SOFTplus GSiteCrawler
Chris,

Thanks for the great info!

My main concern is that I was using standard ftp and while uploading
files I had several worms try to attack my computer, but now I am
using secure ftp and have had no more problems on my side. I am not
sure that it was ever a problem on the server side, and I really don't
think the site is compromised, but one can never be too careful.

Daniel

webado

Dec 8, 2007, 12:58:45 AM
to SOFTplus GSiteCrawler
There's also the McAfee Site Advisor that can do some similar stuff -
not sure how that works though. I installed their toolbar, but can't
say I've seen anything conclusive anywhere.

Chris Wright

Dec 8, 2007, 1:05:02 AM
to gsitec...@googlegroups.com
webado wrote:
> There's also the McAfee Site Advisor that can do some similar stuff -
> not sure how that works though. I installed their toolbar, but can't
> say I've seen anything conclusive anywhere.
>
>
McAfee forms their list of "bad-sites" from a number of sources one of
which is probably the Google malware list (which anyone can access via a
Google API). But in this case, I suspect that Google and McAfee 'share'
information.

McAfee SA also takes input from users, much like the spamcop reporting
system, whereby after a (hidden-) predefined number of user 'bad
reports', it will trigger the site to be listed (I suspect that human
verification is performed before a red-flag is raised rather than it
being totally automatic unlike the spamcop system).

StopBadWare is a "not-for-profit" site that merely deals with the
inspection of malware infection sites.
It also performs analysis of the malware that is out there.

a-ok-site

Dec 8, 2007, 1:30:07 AM
to SOFTplus GSiteCrawler
Christina,

I will give it a whirl and see how it works. I will post the results
when I have something.

Daniel

webado

Dec 8, 2007, 2:18:23 AM
to SOFTplus GSiteCrawler
I don't know, like I said McAfee never returned a conclusive report
on a site that had been reported to have badware and was apparently
all cleaned up, so I suspect the human reporting is stronger and
longer lasting than human verification there.

This morning I had the opportunity to see some nasty stuff on a site
I'd have never expected to fall prey to this. A Wordpress blog, a
nasty script was added in that ended up inserting an iframe with a bad
site in it, that downloads viruses or whatever (Googled for it and it
turns out it's part of some Russian ring of badware spreaders). It
fortunately never made it into Google's badware list, it was caught
early.

It got cleaned up apparently fully and the software updated, but we
don't know how it happened in the first place and there's always the
lingering fear of a server exploit not just an application
vulnerability.

Not my server luckily, but a blog on a very highly ranked site.

a-ok-site

Dec 8, 2007, 2:27:46 AM
to SOFTplus GSiteCrawler
Funny you mention it, but the proxy attacks that I have been receiving
came from a Russian IP....Nuke the #@$%$!!!

I wish I had saved the info but I didn't and there will not be a next
time on my site.

Daniel

Chris Wright

Dec 8, 2007, 8:19:32 AM
to gsitec...@googlegroups.com
webado wrote:
> I don't know, like I said McAfee never returned a conclusive report
> on a site that had been reported to have badware and was apparently
> all cleaned up, so I suspect the human reporting is stronger and
> longer lasting than human verification there.
>
McAfee has more sites listed that carry "Phishing" and actually host
"malware" type files, or those that encourage pop-ups

> This morning I had the opportunity to see some nasty stuff on a site
> I'd have never expected to fall prey to this. A Wordpress blog, a
> nasty script was added in that ended up inserting an iframe with a bad
> site in it, that downloads viruses or whatever (Googled for it and it
> turns out it's part of some Russian ring of badware spreaders). It
> fortunately never made it into Google's badware list, it was caught
> early.
>
I have a bucket load of sites on ipower which got compromised at the
root level, i.e. when they gained access to one account on a shared
server, they gained access to the whole server and all accounts.

Ipower got on the ball fairly quickly and #1 closed the door, #2 cleaned
up most of the sites without the users even being aware of it, #3
tightened up security scripts pretty damn good.
On the shared hosting accounts I manage now, they are packed with
attempts at hacking the accounts again.


> It got cleaned up apparently fully and the software updated, but we
> don't know how it happened in the first place and there's always the
> lingering fear of a server exploit not just an application
> vulnerability.
>

More than likely it was an RFI (Remote File Inclusion) attack, and just as
likely part of the MPACK attacks.


> Not my server luckily, but a blog on a very highly ranked site.

One of the very first things I do on an install of a blog/forum or
similar type of OS is to do a mass search and replace for

name version x-xx (i.e. phpBB 1.2.3.4 or MT 1.2 or WordPress 4.3.2.1)
and replace it with something else.

If a vulnerability gets released for phpBB 4.3.2.1, all the malware guys
need to do is use Google to search for "phpBB 4.3.2.1" and they have a
nice handy list of sites to attack first.
Even if you just remove the version numbers from any software you
install on your sites, you cut your risks down.

Quite recently a very large bank in India itself became hacked using
MPACK and infected every page of the site with a hidden script that
tried to attack multiple vulnerabilities in the visitor's browser (not
just Internet Explorer either).
Using Firefox because it's safer is no longer true these days. Using
Firefox with the NoScript addon is almost essential.
And you can't rely on using Firefox to view your site to see if it's been
hacked, because some of the malware check for IPs / Browser versions to
see who is looking (to hide from Google et al).

No one is safe these days...
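
The point in the post above, that injected content may be served only to certain browsers or IPs, can be checked by comparing what different client profiles receive. The following is an added example, not code from the thread: it parses already-fetched HTML and flags third-party iframes and scripts that are hidden or that only some profiles were given. The profile names, host names and sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class EmbedCollector(HTMLParser):
    """Collect (tag, host, hidden) for each iframe/script loaded from a remote host."""
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).netloc.lower()
        if not host:                      # inline script or same-site relative URL
            return
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.found.add((tag, host, hidden))

def embeds(html):
    collector = EmbedCollector()
    collector.feed(html)
    return collector.found

def suspicious_embeds(responses, own_hosts):
    """responses maps a client profile name to the HTML that profile received.
    Report third-party embeds that are hidden or served to only some profiles."""
    per_profile = {name: embeds(body) for name, body in responses.items()}
    report = []
    for tag, host, hidden in sorted(set().union(*per_profile.values())):
        if host in own_hosts:
            continue
        served_to = sorted(n for n, e in per_profile.items() if (tag, host, hidden) in e)
        if hidden or len(served_to) < len(per_profile):
            report.append({"tag": tag, "host": host, "hidden": hidden, "served_to": served_to})
    return report

# Constructed sample: the same URL as received by three different clients.
CLEAN = '<html><body><script src="http://static.example.test/app.js"></script><p>Blog</p></body></html>'
SAMPLE = {
    "googlebot": CLEAN,
    "firefox": CLEAN,
    "msie6": CLEAN.replace("<p>", '<iframe src="http://bad.example.invalid/x" width="0" height="0"></iframe><p>'),
}

if __name__ == "__main__":
    for finding in suspicious_embeds(SAMPLE, own_hosts={"static.example.test"}):
        print(finding)
```

Because the post mentions IP checks as well as browser checks, the responses being compared should come from different source addresses, not only different User-Agent strings.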

webado

Dec 8, 2007, 5:33:33 PM
to SOFTplus GSiteCrawler
Oh I know. But as I said, that was not my server, not my client.
Hopefully they know what they are doing, at least now after having
been hacked.

As for me I rely on my own hoster to know what they are doing at least
server-wide security-wise. They are pretty paranoid about it to the
point we can't even run phpinfo any more, and especially any phpbb
forum installation gets disabled automatically if it's not been
updated in a timely manner soon after a new version is available -
LOL

My own applications I try to keep updated. I know about removing
version numbers, and luckily phpbb, coppermine and others already do
it now.
Personally I don't allow user input to blogs, period. No comments, I
originally disallowed that because I had no intention of letting
anyone with an axe to grind express themselves, nor be spammed. Wasn't
even thinking of exploits at the time.
Forums and guestbooks, well keeping them up to date and not letting them
be indexed by search engines helps.
My email forms are pretty darn tight, no uploads allowed, no html (nor
any kind of js or php code), no extra headers (all sanitized). Boring
stuff.
Not using any of the typical ones like formail or such. Strictly
handcoded, specific to my need. Captcha.
Bite my tongue LOL

Of course I have little control over my clients, unless I keep
checking what they have and use and how, consequently some have been
hacked, but just their sites, all contained.

A real PITA.
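
The mail-form rules listed in the post above (no HTML, JS or PHP code, no extra headers, nothing but the expected fields) are shown here as an added example; it is not the poster's own form handler. The field names, the 200-character limit and the `orders@example.test` address are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

CONTROL = re.compile(r"[\x00-\x1f\x7f]")     # CR/LF and other control characters
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MARKUP = re.compile(r"<\s*/?\s*[A-Za-z!][^>]*>|<\?")   # HTML/JS tags, PHP open tag
HEADER_FIELDS = ("name", "email", "subject")           # values that end up in headers
ALLOWED = set(HEADER_FIELDS) | {"message"}

def form_problems(form):
    """Return the reasons a submitted contact form is refused (empty list = accept)."""
    problems = [f"unexpected field: {k}" for k in sorted(set(form) - ALLOWED)]
    for field in HEADER_FIELDS:
        value = form.get(field, "")
        if not value or len(value) > 200:
            problems.append(f"{field}: missing or too long")
        elif CONTROL.search(value):
            # A CR or LF here would let the sender append headers such as Bcc.
            problems.append(f"{field}: control character (header injection)")
    if not ADDRESS.fullmatch(form.get("email", "")):
        problems.append("email: not a plain address")
    if MARKUP.search(form.get("message", "")):
        problems.append("message: markup or code tag")
    return problems

def build_mail(form, site_addr="orders@example.test"):
    """Build the outgoing message only from a form that passed every check."""
    problems = form_problems(form)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"] = site_addr          # fixed; visitor input never becomes the sender
    msg["To"] = site_addr
    msg["Reply-To"] = form["email"]
    msg["Subject"] = "[contact] " + form["subject"]
    msg.set_content(f"Name: {form['name']}\n\n{form.get('message', '')}")
    return msg

# Constructed submissions: one legitimate, one header injection, one script tag.
GOOD = {"name": "Pat", "email": "visitor@example.test",
        "subject": "Shipping question", "message": "Do you ship to Canada?"}
INJECT = dict(GOOD, subject="Hello\r\nBcc: list@example.invalid")
SCRIPT = dict(GOOD, message='nice site <script src="http://x.example.invalid/a.js"></script>')

if __name__ == "__main__":
    for sample in (GOOD, INJECT, SCRIPT):
        print(form_problems(sample) or "accepted")
```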

A-OK-SITE

Jan 29, 2008, 1:55:04 AM
to SOFTplus GSiteCrawler
Christina.

Can you approve me again hopefully for the last time. I think I like
this profile....lol.

Daniel

webado

Jan 29, 2008, 2:15:42 AM
to SOFTplus GSiteCrawler
Egad!

A-OK-SITE

Jan 29, 2008, 3:05:57 AM
to SOFTplus GSiteCrawler
So Sorry :-(((((((