Information about the recent spamming incident

[Shade]

Yesterday and today, some spam happened on UT99.org.
Here is some information, what exactly happened:

- Around 14 accounts were created (by hand as it looks), which posted over 4000 posts by automation.
- These accounts deleted their own posts afterwards.
- Just before and after these accounts deleted their own posts, the account luluthefirst deleted some of his own posts, too (by now, nearly all of the account's posts are empty) and PMed me to inform me, that I can now move his (empty) posts over to the fake-author "UT99.org" (which I use as author for posts of users who wants to be deleted. So their posts will not be deleted, too).

What I did now:
- I have deleted all spam accounts.
- The registration is open again.There is no security issue, since these few spam accounts where most likely created by hand.
- I have changed the Flood interval (Number of seconds a user must wait between posting new messages) from 10 to 30 seconds.
- I have written a mail to the e-mail adress of the account luluthefirst to inform about the incident and asking for any information, he probably might have for me. The account is banned for now.

For now, it seems like everything is back to normal.
Yet it is unclear, if the spamming here was caused by luluthefirst itself or by another person who just also hijacked his account (which doesn't look like it happened by random).

To the admins of other forums: If you have a user named luluthefirst, please consider to have a close look at this account's actions.

If incidents like that happen again, please don't hesitate to immediately contact me via mail: mail@ut99.org. That's the fastest way to inform me about anything. Thank you!

[JackGriffin]

Not really sure if it is related but I got an email from Bohemia that the DayZ forums were hacked:
http://data.bistudio.com/mailing/html/d ... -2016.html

Could be someone stole login credentials and used them here.

[Shade]

Not really sure if it is related but I got an email from Bohemia that the DayZ forums were hacked:
http://data.bistudio.com/mailing/html/d ... -2016.html

Could be someone stole login credentials and used them here.

For that they would need the plain text password.

[JackGriffin]

Depends on how they were salted. A decent group could decrypt a password database, especially if it were as large as that one. You'd have a lot of easy ones to crack first to apply to the table.

[sektor2111]

Hacked account or not, these spam posts came from let me guess the same IP address. REMOVE access from that range and you can complete spam-bot list (if you are using such thing) - If this would depending on me also known listed proxies would be defaulted to bye bye section.

[Dr.Flay]

The IP range was blocked at the same time as the ban

[LANguy]

I had this problem once. If it becomes a recurring issue and they get through your CAPTCHAs, add a custom field in registration. For example a hidden field that humans won't see, but that a bot crawling the page would see and fill in. If they try to register with that hidden field populated, let them make the account but all their posts become invisible. Spambots won't know they didn't succeed.

Lower tech implementation, a required custom field like: "Are you a spam bot? Type in "no"" with a 2 character input for "no" being the only answer that will permit them to register, pretty much completely killed all the spam in my forum.

[JackGriffin]

OK, now I'm confused. Will the real Slim Shade please stand up? Please stand up?

[papercoffee]

OK, now I'm confused. Will the real Slim Shade please stand up? Please stand up?

It's one of the guys from yesterday.

[JackGriffin]

Yeah, obviously. I have a feeling this board may be in for a rough patch. Name and shame Shade, let the community assist in the defense.

[EvilGrins]

‭

[Shade]

The IPs are too random now. Banning them is useless. But they are logged and the investigation continues. I am in contact with people who have many years of (anti-)hacking experience. UT99.org is no playground for some hackerkiddies, counteraction is garantueed.

(Jfyi: The Spambot "Shade" used ASCII Codes in the name, which were not displayed here. Doing this will not be possible in future registrations.)

[PrinceOfFunky]

What if luluthefirst got hacked?
I meant, I know who luluthefirst is, I just don't remember where I met her, but anyway, I found this on the web: https://productforums.google.com/forum/ ... vyvGTGLePg.
I know it's from late 2010, but still, that user could be the same one from here.
If I remember good she was from Chillingfield (now down since many years I think).

EDIT:

OK, now I'm confused. Will the real Slim Shade please stand up? Please stand up?

It's one of the guys from yesterday.

Idk if you meant that the same "guy" hacked him, but anyway, I don't know if his previous rank was: "Hack coder", like it is now.

[papercoffee]

OK, now I'm confused. Will the real Slim Shade please stand up? Please stand up?

It's one of the guys from yesterday.

Idk if you meant that the same "guy" hacked him, but anyway, I don't know if his previous rank was: "Hack coder", like it is now.

between LANguy and Jack was a post of another Shade (a copycat) ...I meant this guy.
The post is already deleted by the staff crew.

[EvilGrins]

The post is already deleted by the staff crew.

Damn straight!

I scared him away.