Malicious spam threads

[PokeMRX]

There is a major security problem involving spam threads that trigger an instant virus attack when clicked. All one has to do is to click on such a spam thread. One does not even have to click on any external links.


Here is the URL that launches the malicious attack: starsearchtool.com
Can someone please ban it from all Forumtion forums in order to minimize damages from future spam threads?

[Sanket]

Please give more information on this, as to which threads are being affected.

[PokeMRX]

The only thread that was created by the spambot was in the most popular section of the forum. The thread was about "dish network knife show". That thread is now deleted as well as the spambot. The spambot waited a week so that it would get link posting privileges before making the spam thread. Unfortunately IP-banning and banning of it's e-mail provider was first thought up after the spambot had been deleted.
That's about it.

[SLGray]

The only thread that was created by the spambot was in the most popular section of the forum. The thread was about "dish network satellite skew". That thread is now deleted as well as the spambot. The spambot waited a week so that it would get link posting privileges before making the spam thread. Unfortunately IP-banning and banning of it's e-mail provider was first thought up after the spambot had been deleted.
That's about it.

This also occurred on my forum. I was lucky that I was the first one to see them. I delete them before any member opened them. There was no virus in the threads on my forum.

[Derri]

I've had my fair share of dealings with spam bots both with FM forums and other forums such as Vbulletin and I can safely say I don't think I've ever opened the thread and been given a virus. I've opened a link in the thread and been given a virus via that link I opened but never from just viewing the thread.

In any case I can honestly say I've never known spam to give me a virus from just opening a thread I think this might be a rare occurrence.

My best advice would be to look for what spam bots commonly show themselves as spam:

1. Very random usernames filled with a conviction of random lettering and numbers e.g ifhqg54gg6
   
2. Profile Information such as Name: ibrgwhbuwgj
   
3. Titles with a weird title such as "Buy free dishwashers" or threads started in foreign languages or unusual symbols in threads
   
4. False email addresses or completely stupid or unbelievable email addresses that look like no member would ever have them.

[SLGray]

Correct Derri. I believe that just opening a thread will not give you a virus, but pressing a link in the thread would.

[kirk]

I would set the members activation to either be activated by email or admin.
If set to admin you can always check inactive members list and see right away what may be a bot, then if activated by email the member will have to be sure to use a real email address or wont be able to activate their account.

[Sanket]

Can you take a screenshot of it & provide the content of that post?

[PokeMRX]

I saw it with my own eyes. I clicked on the spam thread and then avast! Internet Security goes nuts about a virus.

The thread is deleted, there is nothing I can do about that, but I still have the virus warning URL from avast:
http://www.avast.com/en-us/lp-pr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_ise_80_0&utm_medium=prg_systray&utm_content=.%2Fpaid%2Fen-us%2Fvirus-alert-default&p_vir=URL:Malware&p_prc=C:\Program%20Files%20%28x86%29\Mozilla%20Firefox\firefox.exe&p_obj=http://starsearchtool.com/vries/.fogelholm/ZGVmYXVsdHwxMzY4NTE1Nzg5.lakebeds/dish_network_satellite_skew.kitestring.jpg&p_var=.%2Fpaid%2Fen-us%2Fvirus-alert-default&p_pro=2&p_vep=8&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=227&p_lng=en&p_lid=en-us&p_elm=7&p_vbd=1483

[Guest]

Some of the things you should do to avoid spam posts or thread is to NEVER allow guest to post. Guest posting is an open invitation to spam. So you should only allow registered member to post or start threads.

Also have account activation enable for new registrations. You could also ban known spam usernames and ban certain email addresses.

For new members you could also create a usergroup and put all new members in it. Then set it up so that new members can only post on one section of the forum.

This section can be set so it is only visible to certain usergroups and not visible to guests. That way any posts made by new members will not be seen by other members or guests. Until you or a moderator approves them. Then you can check the posts and IP and delete any spam posts and members. Or simply ban the members concerned.

[Sanket]

I have reported this to The Godfather.

[kirk]

Could be something else on your forum to.
Like have you added any new coding or scripts?

Other then that Sanket has now passed it on

[PokeMRX]

Not really. The only thing that has been added is a link to an IRC channel using html coding.

[kirk]

What is IRC?
For the heck of it try removing it and see if it still happens?

[Derri]

What is IRC?
For the heck of it try removing it and see if it still happens?

IRC stands for Internet Relay Chat

Essentially it is a chat held on an online server but there are thousands of servers. The potential of things you can do on IRC is pretty much unlimited. I don't see this being the cause of the problem but I'm not an expert on IRC so it could be.

[PokeMRX]

It's just a link to an IRC channel. It's like adding a link to a website. There is no way that could be the cause.

[Ultron's Vision]

As kirk stated, there is no actual way that clicking a secure forumotion link would be the cause of a virus.

forumotion also disables the use of the <script> tag in all their posts, even if HTML is enabled, so it wasn't a script, either.

Whereas I can imagine a foreign link being the source of evil, yes, I had such things occur to me (over a script it took down my PC so I had to force format it).

[Guest]

What is IRC?
For the heck of it try removing it and see if it still happens?

IRC stands for Internet Relay Chat

Essentially it is a chat held on an online server but there are thousands of servers. The potential of things you can do on IRC is pretty much unlimited. I don't see this being the cause of the problem but I'm not an expert on IRC so it could be.

Some admins do put IRC and also Tiny Chat. Which is a video chat software or site link to Tiny Chat on their forums. Though it's not really a good idea and I don't see the need for it. It would be better to just post a thread telling members where your IRC channel is. Rather than install chat software on the forum. I know Forumotion has it's own chat box that you can install, but I have never enabled this.

[PokeMRX]

Then the explanation must be that I'm delusional. And the IRC link stays. The spambot was created before the IRC channel itself was created, so it can't be because of the IRC link.

I never said that there was a chatbox on the forum. Just a link to an IRC channel which was added into the forum page

[Ultron's Vision]

There is URL Rewriting, though, and this could have caused you to have been redirected to another page.

[PokeMRX]

I was on the Forumotion forum.

In the avast! warning URL there is a part that says '.jpg'. I wonder if the malicious data could have been transferred to the thread when a jpg image the spambot posted was being loaded. I have never heard that something like that would be possible and I don't remember seeing a jpg image in the thread, though it could have been a transparent image.

[Ultron's Vision]

.jpgs usually have the property of being opaque at all time since it's a compressed image (as in, you cannot extract its layers again), so I do not believe that is the cause, either.

forumotion is secure regarding scripts and such, though the spambot could've used an <iframe> to get past the browser's sandbox... but I still doubt getting a virus can happen if you just click on a secure forumotion link.

[PokeMRX]

Ah, well maybe it could have been an image that was like 1 x 1 pixels, or I just didn't look thorough enough.

And I got a virus via the thread. I don't know how it happened, but it happened.

[kirk]

It could be a corrupt image ?, I have seen this happen in the past.
As far as the IRC thing, I only suggested this to try it to be sure.
I mean we are trouble shooting here ? I use avast as well.

If you like set up a temp. Members account and send me the user name and pass so I can see if it comes up for me as we'll.

Let me know what section of the forum it is happening on to if you want me to try it .

Oh copy the link to the image to and go to it so if it is that you know what image you will be looking for to remove. I have seen this happen before but was a different.

[PokeMRX]

The whole spam thread was removed before I even made this thread, so I can't do that.

[kirk]

Yeah so it means it has to be something else causing this.
What section of the forum are you in/on when the avast goes off?

I honestly do not even think it had anything to do with the spam thread.
If it did then it would not be happening any longer because it is no longer there.
I mean you can't have something trigger your avast from a thread or post that is no longer on the board. It can't just magically place/ embed something to your forum somewhere out side of the post/thread it may have been in .

So not sure what to tell you? I have suggested a few things and you seem to not even want to try. We have to rule out everything we possibly can.

So I guess just wait for the godfather . I mean sanket did send it off but was hopping it was something we could have resolved.

Try running you avast scan to make sure you are not infected with anything and try a different browser to and see if it still triggers off .

[PokeMRX]

The forum is clean now that the spam thread is gone. I don't think that I have claimed otherwise. I just want to have a preventive solution / implemention to all Forumotion forums so that this won't happen again.

[kirk]

The forum is clean now that the spam thread is gone. I don't think that I have claimed otherwise. I just want to have a preventive solution / implemention to all Forumotion forums so that this won't happen again.

What??? Now your starting to kill me.lol
Your sitting here telling us that your avast keeps going off even though you have deleted the thread and now your saying your forum is clean?

So then this is solved?

We have already suggested ways to help with spam bots.

The best way is for you and your admins to have to activate all accounts.
Other then that there are several ways suggested above and will be up to you and your staff to find the best methods that work for you and your forum best.

It is all part of running forums/sites.

[PokeMRX]

"I clicked on the spam thread and then avast! Internet Security goes nuts about a virus.

The thread is deleted..."


Sorry about that. Well, I guess there's nothing more to do. Thanks for the help. Topic solved.

[kirk]

The thread is deleted, there is nothing I can do about that, but I still have the virus warning URL from avast:
http://www.avast.com/en-us/lp-pr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_ise_80_0&utm_medium=prg_systray&utm_content=.%2Fpaid%2Fen-us%2Fvirus-alert-default&p_vir=URL:Malware&p_prc=C:\Program%20Files%20%28x86%29\Mozilla%20Firefox\firefox.exe&p_obj=http://starsearchtool.com/vries/.fogelholm/ZGVmYXVsdHwxMzY4NTE1Nzg5.lakebeds/dish_network_satellite_skew.kitestring.jpg&p_var=.%2Fpaid%2Fen-us%2Fvirus-alert-default&p_pro=2&p_vep=8&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=227&p_lng=en&p_lid=en-us&p_elm=7&p_vbd=1483

See this is where you got us mixed up.
It sounded like you was saying it was still happening even after you removed the thread?
Why did you not correct us? I mean why did you think Sanket sent this to the godfather for?


No biggie it happens.