PM spammer

If you are having a problem with logging into the site or with registering, then post under this forum to try to get help, or just use the "contact us" link at the bottom of the page to notify the Site Administrators.
Forum Guide
Posts: 1008
Joined: Tue Sep 22, 2015 6:56 pm

Re: PM spammer


Post by skidoo » Sun Jan 08, 2017 2:34 am

...here's the thing

click the `quote` button and view this post.
Notice the embedded (tiny, transparent) beacon image between well...here.

A PM like that may seem like just dumb/annoying spam, but it's often a "probe" toward future attack.
The sender (or his bot) knows/expects his account sending the PM (and/or IP address) will likely be banned. However, it's a throwaway -- mission accomplished. By tricking admin into reading the PM which contains an embedded image (how could you avoid it? PITA -- read PMs using a text-only browser or, prior to reading PMs, switch on an extension or browser pref which blocks image loading)... when your browser requests the remote image which is hosted on a webserver controlled by (or hacked, logs accessible to) the attacker... the exact url of the PM page you were reading (in some software, this includes sid aka sessionID) is transmitted via referer header and logged, along with the user-agent string and requestor's (admin staffer) IP address.

If the attacker(s) are watching logs realtime, one type of attack attempt would be to paste that sessionID into a url (their probes will have ID'ed the exact version of forum software in use, they'll know if any vulns exist and the associated adminCP url(s) to target) and attempt to hijack the login session.

Is the forum software up-to-date? Maybe a fresh 0day was discovered & the known version in use here matches the list of "known vulnerable" versions?
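The Referer leak described in the post above can be checked for on the defender's side. The following is an added example, not part of the original post and not any forum software's own code: it lists the off-site `[img]` tags in a BBCode message and reports whether the reader's session ID would reach the image host under a given Referrer-Policy. The host names, the `pm.php` path and the sid value are constructed; the `sid` parameter name is taken from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

IMG_TAG = re.compile(r"\[img(?:=[^\]]*)?\](.*?)\[/img\]", re.I | re.S)
ORIGIN_ONLY = {"origin", "strict-origin", "origin-when-cross-origin",
               "strict-origin-when-cross-origin"}
STRICT = {"strict-origin", "strict-origin-when-cross-origin",
          "no-referrer-when-downgrade"}

def remote_images(pm_body, forum_host):
    """URLs of [img] tags in a BBCode message that load from another host."""
    urls = (u.strip() for u in IMG_TAG.findall(pm_body))
    return [u for u in urls
            if (urlsplit(u).hostname or forum_host).lower() != forum_host]

def referer_sent(page_url, image_url, policy):
    """Referer a browser attaches to a cross-origin image request, or None."""
    page, img = urlsplit(page_url), urlsplit(image_url)
    downgrade = page.scheme == "https" and img.scheme != "https"
    if policy in ("no-referrer", "same-origin") or (policy in STRICT and downgrade):
        return None
    if policy in ORIGIN_ONLY:
        return f"{page.scheme}://{page.netloc}/"
    return page_url.split("#", 1)[0]  # unsafe-url, no-referrer-when-downgrade

def leaked_sid(referer):
    """Session ID exposed in the Referer's query string, if any."""
    if not referer:
        return None
    return parse_qs(urlsplit(referer).query).get("sid", [None])[0]

def audit_pm(page_url, pm_body, policy, forum_host):
    """(image URL, leaked sid) for every off-site image in the message."""
    return [(u, leaked_sid(referer_sent(page_url, u, policy)))
            for u in remote_images(pm_body, forum_host)]

# Constructed sample data: host names, page path and sid value are made up.
FORUM = "forum.example.org"
PAGE = "http://forum.example.org/pm.php?mode=view&p=42&sid=0123456789abcdef"
BODY = ("cheap watches!! [img]http://tracker.example.net/1x1.gif[/img] "
        "[img]http://forum.example.org/images/smile.gif[/img]")

if __name__ == "__main__":
    for policy in ("unsafe-url", "no-referrer-when-downgrade",
                   "strict-origin-when-cross-origin", "no-referrer"):
        print(policy, audit_pm(PAGE, BODY, policy, FORUM))
```

Under `no-referrer-when-downgrade` the full PM URL, sid included, is sent to the image host; an origin-only or `no-referrer` policy on the forum's pages keeps the sid out of the third party's logs.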

Eadwine Rose
Forum Veteran
Posts: 6885
Joined: Wed Jul 12, 2006 2:10 am

Re: PM spammer


Post by Eadwine Rose » Sun Jan 08, 2017 3:25 am

Please leave old topics where they are, thanks. This is from 2010.

MX-18_x64 20-12-2018 * 4.19.0-1-amd64 ext4 Xfce 4.12.3 * AMD Asus M4A785TD-V EVO AM3 * ASUS GF GT640-1GD5-L NVIDIA 390.87 * AMD Proc. Athl II X4 635, sAM3 * HDA ATI SB VT1708S An * 2x4Gb DDR3 1600 Kingston * Samsung S24D330 & P2250 * HP Envy5030

