Please read this important information about Spectre and Meltdown vulnerabilities.
Please read this important information about MX sources lists.
  • MX Linux on social media: here
  • Mepis support still here
Current releases
  • MX-17 Final release info here
  • MX-16.1 release info here
  • antiX-17 release info here
    New users
    • Please read this first, and don't forget to add system and hardware information to posts!
    • Read Forum Rules

PM spammer

If you are having a problem with logging into the site or with registering, then post under this forum to try to get help, or just use the "contact us" link at the bottom of the page to notify the Site Administrators.
Forum Regular
Forum Regular
Posts: 694
Joined: Tue Sep 22, 2015 6:56 pm

Re: PM spammer

#11 Postby skidoo » Sun Jan 08, 2017 2:34 am

...here's the thing

click the `quote` button and view this post.
Notice the embedded (tiny,transparent) beacon image between well...here.

A PM like that may seem like just dumb/annoying spam, but it's often a "probe" toward future attack.
The sender (or his bot) knows/expects his account sending the PM (and/or IP address) will likely be banned. However, it's a throwaway -- mission accomplished. By tricking admin into reading the PM which contains an embedded image (how could you avoid it? PITA -- read PMs using a text-only browser or, prior to reaading PMs, switch on an extension or browser pref which blocks image loading)... when your browser requests the remote image which is hosted on a webserver controlled by (or hacked, logs accessible to) the attacker... the exact url of the PM page you were reading (in some software, this includes sid aka sessionID) is transmitted via referer header and logged, along with the user-agent string and requestor's (admin staffer) IP address.

If the attacker(s) are watching logs realtime, one type of attack attempt would be to paste that sessionID into a url (their probes will have ID'ed the exact version of forum software in use, they'll know if any vulns exist and the associated adminCP url(s) to target) and attempt to hijack the login session.

Is the forum software up-to-date? Maybe a fresh 0day was discovered & the known version in use here matches the list of "known vulnerable" versions?

User avatar
Eadwine Rose
Forum Veteran
Forum Veteran
Posts: 5072
Age: 45
Joined: Wed Jul 12, 2006 2:10 am

Re: PM spammer

#12 Postby Eadwine Rose » Sun Jan 08, 2017 3:25 am

Please leave old topics where they are, thanks. This is from 2010.

MX-17_x64 Horizon 2017-12-15 4.14.0-3-amd64 ext4 Xfce 4.12 * AMD Asus M4A785TD-V EVO AM3 * ASUS GeForce GT640-1GD5-L NVIDIA 387.34 * AMD Proc. Athl II X4 635, sAM3 * HDA ATI SB VT1708S An * 2x4Gb DDR3 1600 Kingst * 22" Samsung SyncM P2250 * HP F2280

Return to “Site Help”

Who is online

Users browsing this forum: No registered users and 2 guests