MyBB Community Forums

Full Version: Strange Registration Hack Attempt
This is a hack attempt I haven't seen before...
Can someone explain what they were trying to do with all that $_POST data? It doesn't seem like it would ever work.
Perhaps my log of their attempt properly escaped their raw/actual data.

DateTime: 2015-10-15 17:39:33
Username:VictorChic
IP: 174.139.54.170
UA: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
Refferal Page: /forum/member.php?action=register
Current Page: /forum/member.php
Javascript: [Disabled]
$SUPERGLOBALS:

GET =
POST = regcheck1=curity_code|security_image|security_key|security_question|security_text|security_try|security1|security2|security3|securityanswer|securitycheck|Security-Code|securityimage|securityimage_newreg_try|securityimagesjoomlausertry|securityNumberCheck|securityquestion|securityText|securityType|securityVMRegistrationCheck_try|securityWord|sendmessage_formsecurity|serendipity[captcha]|sermun|server_anonce|sfhf5768sfgr|sfvalue1|ShoutboxCheckcode|si_contact_captcha_code|sicherheitscode|sicret_question|sign_captcha|signature|signup_code|signup_secure|simplecaptcha_response|skey|skulltag|sle_anti_spam|sms|smsdestinatario|smtmcap_entry|solution|som|sp_check|spam|spam_answer|spam_check|spam_code|spam_filter|spam_form|spam_prevention|spamanswer|spamblock4|spambot|spamcatch|spamcheck|spamcode|spamfilter|spamnum|spamPrevent|SpamProtection|spamq|spamquiz_answer|spamschutz|spamstop|spmchk|sprotect|sq|squestion|squestion_answer|squid|src_word|srch_word|ssecnum|sshex43|staf_captcha|stealth|sti_imgstring|stringcaptcha|strSecCode|sub_code|subcaptcha|submission_challenge|submitKey|subscribe_captcha|sum|sum_sum|suma|suma1|suma2|summan|supe_seccode|sword|swords|sxscode|taf[captcha]|taf_captcha_code|tarkistus|tbImgCode|tc_answer|term|test|test_type|test2|text_verification|text1|textbarcode|TextBoxCaptcha|TextBoxUserCode|textconfirm|texto_ingresado|the_copied_num|thecode|thing1|ticket[captcha]|tinyturing|tk_checkcode|tmptxt|token|tos_checkword|ts_code|turing|turing_code|tx_comments_pi1[captcha]|txt_captcha|txt_sansr|txt_security_code|txtAnswer|txtcapcha|txtcaptcha|txtcaptchacode|txtCheck|txtcheckcode|txtcode|txtConfirmSubmit|txtHuman|txtimage|txtnumber|txtpkod|txtsecretanswer|txtsecurity|txtSecurityCode|txtsp|txtSpamVerification|txtvalidatecode|txtvalidcode|txtverification|txtverificationcode|txtverify|txtVerifySub|u_rndTxt|u_verify|u_visual_code|ubb_answer|ucode|un_confirm|user.security_answer|user.security_question|user[captcha]|user[security_answer]|User[verifyCode]|user_ant
ispam|user_captcha|user_captcha_string|user_code|user_control_pic|user_field_3|user_graficka|user_guess|user_secretword|user_secure_con|user_secure_question|userAnswer|usercaptcha|usercaptcha_svalue|usercod|usercode|userdigit|userdigits|userfield[field12]|userfield[field17][]|userfield[field21]|userfield[field7]|userfield[field70]|userfield[field71]|userSecurityCode|userstring|userTuringString|UserValidateCode|uword|v|v_content|v_replier|v_secret|v_security|v_str|val[image_verification]|valcode|validacao|validacion|validate|validate_code|validate_key|validate_sign|validatecode|validateCodeInput_register|validation|validation_code|validation_number|validationcode|validator|validcode|value[person][0][captcha][]|varify|vboxcaptcha|vc_code|vchimagekey|Vcode|vdcode|vdocode|ve6rizfi4cayti2onxco0de2|ver|ver_code|ver_sol|vercode|verf|veri|vericode|verif|verif_box|verif_code|verif_code1|verifcode|verificacao|verificador|verification|verification_answer|verification_code|verification_word|VerificationCode|verificCode|verifier|verifnumber|verify_code|verifycheck|verifycode|verifycode2|verifyimg|verifyinput|verifyregcode|verifystr|verifyText|verifytextcode|VerifyWord|verifyX|veriword|vimagecodp|vimgtxt|vip_code|viscode|visconfirm|visual_verification_code|visual_verification_code2|visual_verify_code|visualcode|visualkey|visver_code|vkod|vmathans|vnumber|vote_key|vsaareg_answer|vsaareg_code|vsecc|vu_reg_qu|vvcode|web140|webmaster_aanmelden[Captcha]|weezoverif|weryfikacja|whosey|why|wnr_answer|word_verify|word2|wordVeri|WordVerification|wpcaptchaword|wpcf_not_spam|wpcr_comment_tag|wpremember|wr_key|wsc|wsp_code|wt|x_secretcode|xa16zkymf0|xanswer|xd_12|xicaptchavalue|xoopscaptcha|xtcha|zd_code|zsfCode|zusatzfeld & regcheck2=true & username=VictorChic & password=lQ1qske66U & password2=lQ1qske66U & [email protected] & [email protected] & honeypotter= & referrername= & imagestring=7nvl5 & imagehash=44235d166b746e9723b9a20c589a5a40 & answer=on & 
question_id=H4XXKghfEHLEzxKRTq2YqzvggPMXU8Zu & allownotices=1 & hideemail=1 & receivepms=1 & pmnotice=1 & invisible=1 & subscriptionmethod=1 & timezoneoffset=6 & dstcorrection=0 & regtime=1444945145 & step=registration & action=do_register & regsubmit=Submit Registration!

Thanks for helping me to understand evil doers.
It's a spam bot.
(2015-10-16, 12:28 AM) Nathan Malcolm wrote: It's a spam bot.

That's not really the comprehensive explanation I was hoping to receive.
Well, there's not much to explain. It's a bot which tries to post spam to forums/blogs/etc. It's not a hacking attempt.
(2015-10-16, 02:08 AM) Nathan Malcolm wrote: Well, there's not much to explain. It's a bot which tries to post spam to forums/blogs/etc. It's not a hacking attempt.

To me it appears to be solely an automated registration attempt, not an attempt to post spam. I assume the spam posting comes immediately after because I don't see the spammy data in the $_POST.

Is this a common occurrence for others, because this is the first time I've seen an attempt like this on my forum.

Is this a systematic reconnaissance effort? Hoping to get details back from a validation prompt or something? Else why all the piped data?
Quote: Is this a common occurrence for others, because this is the first time I've seen an attempt like this on my forum.

Billions of requests are made to websites every day trying to post spam. You'll get more attempts by spam bots than humans registering on your forum.

Quote: Is this a systematic reconnaissance effort? Hoping to get details back from a validation prompt or something? Else why all the piped data?

It seems like a shot-in-the-dark attempt to try and bypass various anti-spam measures. It's not a very advanced bot.
Yes, as Nathan says it seems like a spam bot trying to just post a ton of fields in the hope it gets past the registration and creates an account successfully.
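
The pattern discussed in this thread, a single field value carrying a long pipe-separated list of CAPTCHA field names, can be flagged from logs in the layout shown in the first post. This is an added example, not part of any post or of MyBB's code; the sample lines are constructed, and the thresholds and the set of fields expected to be empty are assumptions.

```python
import re

# Vocabulary of the logged value: names other software gives its CAPTCHA fields.
CAPTCHA_HINT = re.compile(r"captcha|secur|verif|valid|spam|code|turing", re.I)

# Assumption: hidden fields that this site's form renders with an empty value.
EXPECT_EMPTY = {"regcheck1", "honeypotter"}


def parse_logged_post(line):
    """Parse the 'POST = k=v & k=v' layout used by the log in this thread."""
    body = line.split("=", 1)[1] if line.lstrip().startswith("POST") else line
    fields = {}
    for pair in body.split(" & "):
        key, sep, value = pair.strip().partition("=")
        if sep and key:  # skip empty trailing pairs and fragments without '='
            fields[key] = value
    return fields


def score_registration(fields, expect_empty=EXPECT_EMPTY, min_tokens=10, ratio=0.5):
    """Return the reasons a logged registration looks automated (empty if none)."""
    reasons = []
    for name, value in fields.items():
        tokens = [t for t in value.split("|") if t]
        hits = sum(1 for t in tokens if CAPTCHA_HINT.search(t))
        # One value holding many field-name-like tokens is the pattern in the log.
        if len(tokens) >= min_tokens and hits / len(tokens) >= ratio:
            reasons.append(f"{name}: {len(tokens)} piped tokens, {hits} CAPTCHA-like")
        elif name in expect_empty and value:
            reasons.append(f"{name}: hidden field submitted non-empty")
    return reasons


# Constructed samples: a shortened version of the logged request and a normal one.
SPRAY = "|".join([
    "security_image", "security_key", "security_question", "spam_check",
    "spam_code", "txtcaptcha", "validate_code", "verification_code",
    "verifycode", "turing", "wpcaptchaword", "xoopscaptcha", "zd_code", "zusatzfeld",
])
SAMPLE_BOT = (f"POST = regcheck1={SPRAY} & regcheck2=true & username=VictorChic"
              " & honeypotter= & imagestring=7nvl5 & action=do_register")
SAMPLE_HUMAN = ("POST = regcheck1= & regcheck2=true & username=alice"
                " & honeypotter= & imagestring=ab3de & action=do_register")

if __name__ == "__main__":
    for sample in (SAMPLE_BOT, SAMPLE_HUMAN):
        print(score_registration(parse_logged_post(sample)) or "no findings")
```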