PM spammer

If you are having a problem with logging into the site or with registering, then post under this forum to try to get help, or just use the "contact us" link at the bottom of the page to notify the Site Administrators.
skidoo
Forum Regular
Posts: 786
Joined: Tue Sep 22, 2015 6:56 pm

Re: PM spammer

#11 Post by skidoo » Sun Jan 08, 2017 2:34 am

well...
Image
...here's the thing

click the `quote` button and view this post.
Notice the embedded (tiny, transparent) beacon image between well...here.

A PM like that may seem like just dumb/annoying spam, but it's often a "probe" toward future attack.
The sender (or his bot) knows/expects his account sending the PM (and/or IP address) will likely be banned. However, it's a throwaway -- mission accomplished. By tricking admin into reading the PM which contains an embedded image (how could you avoid it? PITA -- read PMs using a text-only browser or, prior to reading PMs, switch on an extension or browser pref which blocks image loading)... when your browser requests the remote image which is hosted on a webserver controlled by (or hacked, logs accessible to) the attacker... the exact url of the PM page you were reading (in some software, this includes sid aka sessionID) is transmitted via referer header and logged, along with the user-agent string and requestor's (admin staffer) IP address.

If the attacker(s) are watching logs realtime, one type of attack attempt would be to paste that sessionID into a url (their probes will have ID'ed the exact version of forum software in use, they'll know if any vulns exist and the associated adminCP url(s) to target) and attempt to hijack the login session.

Is the forum software up-to-date? Maybe a fresh 0day was discovered & the known version in use here matches the list of "known vulnerable" versions?
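
Added example, not part of the post above or of any forum software: it computes the Referer a browser would attach to a remote image request from a PM page under each Referrer-Policy value, and flags when that Referer carries the sid. The URL layout, the `sid` parameter name, the BBCode `[img]` form and the host names are constructed assumptions.

```javascript
// Added example with constructed values; not code from any forum package.
// Implements the http(s) subset of the W3C Referrer Policy algorithm.
function refererFor(pageUrl, resourceUrl, policy) {
  const page = new URL(pageUrl), res = new URL(resourceUrl);
  page.hash = ""; page.username = ""; page.password = ""; // never sent in Referer
  const full = page.href, originOnly = page.origin + "/";
  const sameOrigin = page.origin === res.origin;
  const downgrade = page.protocol === "https:" && res.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "same-origin": return sameOrigin ? full : null;
    case "origin": return originOnly;
    case "strict-origin": return downgrade ? null : originOnly;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : originOnly);
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "unsafe-url": return full;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Cross-origin [img] targets in a message body (BBCode form is an assumption).
function remoteImages(bbcode, pageUrl) {
  const origin = new URL(pageUrl).origin, found = [];
  for (const m of bbcode.matchAll(/\[img\](https?:\/\/[^\[\s]+)\[\/img\]/gi)) {
    if (new URL(m[1]).origin !== origin) found.push(m[1]);
  }
  return found;
}

// For each remote image: which Referer does its host see, and does it hold the sid?
function auditPm(pageUrl, bbcode, policy) {
  const sid = new URL(pageUrl).searchParams.get("sid");
  return remoteImages(bbcode, pageUrl).map((img) => {
    const referer = refererFor(pageUrl, img, policy);
    return { img, referer, leaksSid: !!(sid && referer && referer.includes(sid)) };
  });
}

// Constructed sample: a PM view URL carrying a sid, and a body with one remote image.
const PAGE = "https://forum.example/ucp.php?i=pm&mode=view&p=42&sid=0123456789abcdef";
const BODY = "well...[img]https://img-host.example/1x1.gif[/img]...here's the thing";
for (const p of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(p, JSON.stringify(auditPm(PAGE, BODY, p)));
}
```

Serving PM pages with `Referrer-Policy: no-referrer` or `strict-origin-when-cross-origin`, or keeping the session id out of URLs altogether, removes the leak this audit reports.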

Eadwine Rose
Forum Veteran
Posts: 5524
Joined: Wed Jul 12, 2006 2:10 am

Re: PM spammer

#12 Post by Eadwine Rose » Sun Jan 08, 2017 3:25 am

Please leave old topics where they are, thanks. This is from 2010.

Locked.
MX-17.1_x64 Horizon 14-3-2018 * 4.15.0-1-amd64 ext4 Xfce 4.12.3 * AMD Asus M4A785TD-V EVO AM3 * ASUS GF GT640-1GD5-L NVIDIA 384.111 * AMD Proc. Athl II X4 635, sAM3 * HDA ATI SB VT1708S An * 2x4Gb DDR3 1600 Kingst * 22" Samsung SyncM P2250 * HP F2280
