Not Solved [Security] What does lll= do? (spam problem)
#1
Hi all, first-time poster! Odd spam problem on our forums. Here are 2 examples:

http://edinburghforteansociety.org.uk/fo...23&lll=608

http://edinburghforteansociety.org.uk/fo...53&lll=104

If you remove the mode/tid/pid/lll bits you can see the posts themselves aren't the problem. Changing the lll value changes the content of the spam. Can anyone explain what the lll variable does?

I've updated to the latest version, I've downloaded all the files and searched them for the offending spam, with no results. Could it be there's some contaminated file that sources the spam text from some other site?

Last resort will be to wipe and reinstall (I back up the database regularly so not a problem, just time-consuming and I want to know what allowed this to happen in the first place). The FTP password I use did stop working and it had to be reset - we're unsure if it was compromised.
#2
Quote: The FTP password I use did stop working and it had to be reset - we're unsure if it was compromised.

How many persons have admin control panel access, FTP access & web server access?
Your forum showteam page is showing only two AND I guess it's only one person (you) ...

Run the file verification tool at the tools & maintenance section of the admin panel to analyze file changes ...
#3
(2011-09-07, 01:30 PM)ranjani Wrote:
Quote: The FTP password I use did stop working and it had to be reset - we're unsure if it was compromised.

How many persons have admin control panel access, FTP access & web server access?
Your forum showteam page is showing only two AND I guess it's only one person (you) ...

Run the file verification tool at the tools & maintenance section of the admin panel to analyze file changes ...

Thanks for your speedy response.
I'm the primary admin (2 accounts) - the other person with admin rights doesn't use them (and doesn't show up on the showteam page). I'm the only person who regularly uses FTP for the site, but as far as I know I don't have the means to change the FTP password - for that we have to ask the person who owns the webspace (which has other sites on it).

The "file changes" check says *all* files are changed. I'm running 1.6.4 - was the file changes bug fixed with the new version?
#4
(2011-09-07, 02:14 PM)Goodfellow Wrote: The "file changes" check says *all* files are changed. I'm running 1.6.4 - was the file changes bug fixed with the new version?
Yes it was fixed. If you're still getting that then you either upgraded incorrectly or you really did change all the files. Either way, you should re-upload all the files again to make sure there are no backdoors. Keep a note of custom modifications you made to files, if any.
#5
Odd indeed, I didn't change any files (I'm not a coder) and I can't see any obvious additions to the file contents. Ah well, guess it's a reinstall! Thanks for the help!

(2011-09-07, 02:19 PM)faviouz Wrote:
(2011-09-07, 02:14 PM)Goodfellow Wrote: The "file changes" check says *all* files are changed. I'm running 1.6.4 - was the file changes bug fixed with the new version?
Yes it was fixed. If you're still getting that then you either upgraded incorrectly or you really did change all the files. Either way, you should re-upload all the files again to make sure there are no backdoors. Keep a note of custom modifications you made to files, if any.

#6
^ Most of the spam content appears to be in your MyBB system templates!! E.g. header_welcomeblock_guest
#7
This was not directly inserted in the template. Why do you think he would do that?

I've seen a similar spam "technique" where one could enter something in the URL and it would show some rubbish text in the board statistics. I can't recall where that thread is or what it was exactly though.
#8
^ Well, that needs to be checked by the experts (e.g.) with the required privileges ...

AND @OP, it will be interesting to know how you discovered it ...

Taking a URL as a base and appending &lll=x (x = 1 to 796 <-- max tested value) gets spam content
AND the spam content appears to exist in the database ...
#9
We were notified of the spam by a friend of the other admin - don't know how he discovered it.

I've now wiped that directory entirely (bit fiddly, there were some hidden files that FireFTP could neither see nor delete in the abercrombb directories) and am reinstalling it elsewhere. I've also cleared local cache. Interestingly, trying one of the dodgy URLs now gives this:

The requested URL /forums/admin/styles/AbercromBB/images/abercrombb/attachtypes/protect.php was not found on this server.

I've had a look at the contents of that file (I backed up everything for forensic analysis) but if it does contain spam, it's not in plain text.

Once I've restored the database, will see if it still occurs.
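
Added example (not part of the original thread, and not MyBB's own file verification tool): a Python script that compares the live forum directory with a freshly downloaded copy of the same release, as the replies recommend, and reports modified files, files that exist only on the server, and which of those are hidden, are scripts inside asset directories, or contain obfuscation markers. The directory names in `ASSET_DIRS` and the marker list are assumptions chosen for illustration.

```python
import hashlib
import re
import sys
from pathlib import Path

# Assumed names of directories that should hold only static assets.
ASSET_DIRS = {"images", "uploads", "avatars"}
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}
# Heuristic markers of obfuscated PHP (assumed list, not exhaustive):
# decode-and-execute calls, or a very long base64-looking run.
OBFUSCATION = re.compile(
    rb"(eval|assert|gzinflate|gzuncompress|str_rot13|base64_decode)\s*\("
    rb"|[A-Za-z0-9+/=]{200,}"
)


def manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root, dotfiles included."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def audit(installed: Path, clean: Path) -> dict:
    """Compare the live tree with a clean copy of the same release."""
    live, ref = manifest(installed), manifest(clean)
    report = {"modified": [], "unexpected": [], "suspicious": []}
    for rel, digest in sorted(live.items()):
        if rel in ref:
            if ref[rel] != digest:
                report["modified"].append(rel)
            continue
        report["unexpected"].append(rel)   # present on the server only
        parts, reasons = Path(rel).parts, []
        if any(part.startswith(".") for part in parts):
            reasons.append("hidden")       # FTP clients often do not list these
        if Path(rel).suffix.lower() in SCRIPT_EXT and ASSET_DIRS & set(parts):
            reasons.append("script in asset directory")
        if OBFUSCATION.search((installed / rel).read_bytes()):
            reasons.append("obfuscation marker")
        if reasons:
            report["suspicious"].append((rel, reasons))
    return report


if __name__ == "__main__":
    # usage: python audit.py /path/to/live/forum /path/to/clean/download
    for key, items in audit(Path(sys.argv[1]), Path(sys.argv[2])).items():
        print(key, *items, sep="\n  ")
```

Local configuration and user uploads will also show up as modified or unexpected, so review those entries by hand rather than treating every hit as malicious.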

