The forum is set up with the profilcp images required. It also requires the security question and answer. If I try to skip them from the webpage, the scripts complain. But I have bogus accounts that appear to be machine generated. (The same user name is registered on 20,000+ sites in 3 days!)
Looking through the raw SQL database and my logs, I discovered two interesting things.
1. All of the bogus accounts have no security question.
2. From my logs, it looks like they are doing an end-around insertion:
211.191.97.246 - - [15/Sep/2006] "GET /forum/profile.php?mode=register&agreed=true HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
***MARK***
211.191.97.246 - - [15/Sep/2006:00:05:06 -0400] "POST /forum/profile.php HTTP/1.1" 302 - "http://snowtire.info/forum/profile.php?mode=register&agreed=true" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
My guess is that there is an exploit around this.
Looking through Google, I see that several other sites are reporting DDoS attacks with the string "/forum/profile.php?mode=register&agreed=true".
A further look gives some sites that appear to claim to have exploits against phpBB. I can't view them from here since they are blocked.
- John
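
The pattern in the log excerpt above (a registration POST from a client whose GET of the registration form was answered with a 302, so it was never served the form itself) can be searched for in an Apache combined-format access log. The following Python is an added example, not part of the original post; the sample lines, addresses and the forum.example host are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Apache combined log: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
REGISTER_MARK = "mode=register"

def find_blind_registrations(lines, profile_path="/forum/profile.php"):
    """Return (ip, time) for every registration POST sent by a client that
    was not served the registration form (status 200) earlier in the log."""
    form_served = defaultdict(bool)   # ip -> has received the form with a 200
    suspicious = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # not a combined-format line, skip it
        path, _, query = m["path"].partition("?")
        if path != profile_path:
            continue
        if m["method"] == "GET" and REGISTER_MARK in query:
            if m["status"] == "200":
                form_served[m["ip"]] = True
        elif m["method"] == "POST" and REGISTER_MARK in m["referer"]:
            if not form_served[m["ip"]]:
                suspicious.append((m["ip"], m["time"]))
    return suspicious

# Constructed sample input: one client shaped like the excerpt in the post,
# one client that loads the form normally before submitting it.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
REG = "/forum/profile.php?mode=register&agreed=true"
SAMPLE_LOG = [
    f'192.0.2.10 - - [15/Sep/2006:00:05:05 -0400] "GET {REG} HTTP/1.1" 302 - "-" "{UA}"',
    f'192.0.2.10 - - [15/Sep/2006:00:05:06 -0400] "POST /forum/profile.php HTTP/1.1" 302 - "http://forum.example{REG}" "{UA}"',
    f'198.51.100.7 - - [15/Sep/2006:00:09:10 -0400] "GET {REG} HTTP/1.1" 200 5120 "http://forum.example/forum/" "{UA}"',
    f'198.51.100.7 - - [15/Sep/2006:00:10:02 -0400] "POST /forum/profile.php HTTP/1.1" 302 - "http://forum.example{REG}" "{UA}"',
]

if __name__ == "__main__":
    for ip, when in find_blind_registrations(SAMPLE_LOG):
        print(f"{when}  {ip}  registration POST without a served form")
```

Addresses shared by several users (NAT, proxies) and logs that begin after a legitimate user loaded the form can both skew the result, so treat hits as leads to compare against the accounts that lack a security question.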