
Don't Accept Message From Mignulikz


mdgrech

gwapo ko is not the same person as the spammer, the spammer did not have any posts. gwapo has posted questions here before. Also, the domain information you found is the domain information for this forum I believe, not the spammer in particular. ipslink.com is a service of Invision Power Boards, which operates this forum. The forum is what is actually sending out the emails, they aren't coming from the spammer's own mail server. The only information that can be used to identify the spammer is the IP address they accessed the forum with, and only the moderators and admins would have access to that information.

Edited by justsomeguy

gwapo ko is not the same person as the spammer, the spammer did not have any posts. gwapo has posted questions here before. Also, the domain information you found is the domain information for this forum I believe, not the spammer in particular. ipslink.com is a service of Invision Power Boards, which operates this forum. The forum is what is actually sending out the emails, they aren't coming from the spammer's own mail server. The only information that can be used to identify the spammer is the IP address they accessed the forum with, and only the moderators and admins would have access to that information.
Very true, I was warning that the spammer is just starting to use other member names, but the source emails are being launched from this hosting service, invisionzone.com. They say their customers are like NASA and Sony and all the big companies, and it seems that they have forum codes. It may be a hacker found a backdoor, or is in the back door. Q: does w3schools use the same software application as them? I have not looked into it that deep yet. This person hates me right now, trying to do a bandwidth dump.

invisionzone.com is the service that hosts the IPB forum (IPB = Invision Power Board; the w3schools forum is w3schools.invisionzone.com). This forum is hosted there, as far as I know their sole business is hosting forums for other people. When their forums send email they must have them set up to send via the ipslink.com servers. I don't think there's any backdoor here, this is just how the forum works. The spammer can send a private message to another user, and that user will receive an email letting them know that they have a private message. That's not a backdoor or bug, that's specifically how the forum works. The spammer might be using automated software that is designed to send the same email to several users, I'm sure they're probably doing something like that instead of sending it all themselves. The IPB forum software is popular enough that I'm sure someone would have written software to do that by now. The only way to guard against that would be to have the moderators turn off the ability for new users to send private messages.

Edited by justsomeguy

This will be my last post for the night till I wake up. This has been done before from the same area, servers and people in the past: http://www.neowin.net/forum/lofiversion/in...hp/t482918.html Note the server IPs and gmail names are used again, back in 2006 when I glanced at it. The reason why I say a back door: you know how it is better to run and call an xml database with php or asp on the server side than it is to call a database location in html or js. The reason is that people can see database locations done by html or js callers. If a forum code is done and sold as a standard package with typical file and folder structures, a hacker buys the same application and then studies the file and folder structure. He then knows that if a person did not modify the typical standard structure he can have a better chance manipulating/hacking and finding out information, even if it is done on another server. That is why some hackers out there make simple email contacts managers for free, then find sites who used the free code scripts, visit and pull a copy of the emails to spam. Just my two cents. I do asp/xml/js databases, server side database done in xml, controlled by asp.

invisionzone.com is the service that hosts the IPB forum (IPB = Invision Power Board; the w3schools forum is w3schools.invisionzone.com). This forum is hosted there, as far as I know their sole business is hosting forums for other people. When their forums send email they must have them set up to send via the ipslink.com servers. I don't think there's any backdoor here, this is just how the forum works. The spammer can send a private message to another user, and that user will receive an email letting them know that they have a private message. That's not a backdoor or bug, that's specifically how the forum works. The spammer might be using automated software that is designed to send the same email to several users, I'm sure they're probably doing something like that instead of sending it all themselves. The IPB forum software is popular enough that I'm sure someone would have written software to do that by now. The only way to guard against that would be to have the moderators turn off the ability for new users to send private messages.

Well apparently the PM system is disabled until the insecurities are fixed. As long as there's no scripting or include-type functions (iframes) allowed, it should be secure, right? Script injections would do that.. Seems simply fixed


I am starting to see the problem, w3schools is using the service from invision.com. The other day my url read invision.w3schools.com/+the url forum links, today it reads w3schools.invision.com/+the url forum links. At first it looked like spoofing. So here is a service that has the same duplicate standard application for every user of it. Do a google look up for invision board hacked. I came up with tons of people complaining about how their boards were hacked. That is the whole problem, you may have a template page that includes a command page to send pm's. The writer may have thought that the template page which loads such command prompt scripts or applications into a main page would be protected. So for an example a hacker who knows the setup of an open or free application could bypass template pages and open certain pages that are not protected by themselves alone. That person could take advantage of such loop holes or backdoor command manipulations. I have seen hackers do that to too many free scripts out there which have no sysconfigfile.asp or php which lets the user rename folders or command pages at one file location. I write my scripts like that. Then when a software company has enough free users out there, they tag on a few more bells and whistles and color template choices without really changing the base scripts and pages. Then the same problem follows them with the purchase product line as well. The free invision boards (what I got out of the search results) were hacked hard from 2005-2007. I myself don't care too much for sql so I do all my stuff in xml, and use asp to run it from the server side to generate html and xsl css styled page outputs. I was working on portal scripts and trying to finish that up in my spare time. I have a few test beta scripts running out there, one has over 2000 menu links on one xml, which displays over 10,000 images by categories, those image records are on a separate xml, and the third xml file is a child record set which has a few hundred records of its own. Three separate xml files linked like msaccess or a book of xml sheets. I hope to have more spare time to finish my xml portal scripts and test it out on a beta site. Last year I had a hacker try sql injection on the xml database via the input forms, but all it did was put encrypted characters into the nodes of a record set, which later I was able to look at and then just remove the record after studying what they were trying to do. Sorry I went on a drift... I really think w3schools should have/make their own boards and host it themselves.

Well apparently the PM system is disabled until the insecurities are fixed. As long as there's no scripting or include-type functions (iframes) allowed, it should be secure, right? Script injections would do that.. Seems simply fixed

I received the email also. I forwarded it to a security analyst right away. I don't get on these forums and only posted once. Now, I have made my email address private here. I do know that users of vBulletin forum software have been under attack from spambots. Users post profiles with ###### or drugs and if you click anywhere on the profile, an exe file would start to download... I have spent HOURS the past month alerting webmasters of mostly gaming sites and video sharing sites... the gaming sites are especially hard hit. But, even Red Ruby and Logitech's forums have not been spared. I guess it was a matter of time before this forum was hit also. I trust no links anymore. None. And I have two Macs. Good luck all.


Guest cactusmitch

I got a notice of a mignulikz private message in the last couple of days. CM :(

I'm guessing I probably won't be the only one to receive a personal pm from mignulikz. Don't open it, the link first attempts to use active x to download spyware onto your computer, and if that fails it forwards you to adultfriendfinder. Admin please block this guy at the ip level :)

Folks, if your account is set up to send you an email whenever you receive a personal message, then you will receive an email. It's nothing to panic over. If you don't like it, change your email settings.


you know how it is better to run and call an xml database with php or asp on the server side than it is to call a database location in html or js. The reason is that people can see database locations done by html or js callers.
I don't understand how that applies here, do you see any database information in any HTML or Javascript code? These forums are entirely PHP/MySQL based, there's no public database information. The database has not been compromised.
If a forum code is done and sold as a standard package with typical file and folder structures, a hacker buys the same application and then studies the file and folder structure. He then knows that if a person did not modify the typical standard structure he can have a better chance manipulating/hacking and finding out information, even if it is done on another server.
Yes, believe me, I'm very aware of how and why systems get compromised. A lot of programmers out there take lazy approaches to do things and open up obvious security holes (phplist is a perfect example of lazy techniques opening up severe holes). The programmers who write the IPB software and other forums like phpbb are pretty decent programmers, they are also aware of the dangers and take steps to mitigate the risks involved. There are a lot of things you can do in PHP to make sure people don't get access to something they shouldn't have access to. I don't think it's fair to assume that the software was compromised - the emails that got sent out did not require any hacking at all. The spammer registered for an account (possibly using an automated program), and since the board made it possible for any user to send a PM to any user, they used a program to send a PM to probably everybody. That's not a bug or a problem, that's specifically how the forum is designed to work. No hacking required, no databases compromised.
The other day my url read invision.w3schools.com/+the url forum links, today it reads w3schools.invision.com/+the url forum links.
This forum has always been at w3schools.invisionzone.com, or at least it has during the past 3 years. Check the link you posted from when this place got hacked in 2006, it's the same URL. It has never been invision.w3schools.com, they don't host this forum, invisionzone.com does and always has.
That is the whole problem, you may have a template page that includes a command page to send pm's. The writer may have thought that the template page which loads such command prompt scripts or applications into a main page would be protected. So for an example a hacker who knows the setup of an open or free application could bypass template pages and open certain pages that are not protected by themselves alone. That person could take advantage of such loop holes or backdoor command manipulations.
If you really feel that the forum has vulnerabilities like you're describing, feel free to download the software and take a look through it for yourself. Here's one location you can download version 2.2 from: http://webscripts.softpedia.com/script/Dis...-Board-418.html This is the service w3schools is using: http://www.invisionpower.com/hosting/community.html
the free invision boards (what I got out of the search results) were hacked hard from 2005-2007.
Yes, they were. The vulnerabilities that made those hacks possible have been fixed.
I myself don't care too much for sql so I do all my stuff in xml, and use asp to run it from the server side to generate html and xsl css styled page outputs. I was working on portal scripts and trying to finish that up in my spare time. I have a few test beta scripts running out there, one has over 2000 menu links on one xml, which displays over 10,000 images by categories, those image records are on a separate xml, and the third xml file is a child record set which has a few hundred records of its own. Three separate xml files linked like msaccess or a book of xml sheets.
That's cool, I've got a PHP/MySQL system online that I've been working on since Feb 08 that has over 90,000 registered users (not all active), during Mar 09 it had an average of 810 visits and 139000 hits per day, according to Webalizer. I think we all understand the dangers that web applications face, but I don't think this forum has been exploited at all.

Edited by justsomeguy

I just received my notice of a PM from "mignulikz" this morning and notified that I do not have permission to use this resource. It's nice to know that the link has been blocked and that action is no fault of mine. ....gb Does this count as a post? (rhetorical) :)


Mignulikz

I don't think there's any backdoor here, this is just how the forum works. The spammer can send a private message to another user, and that user will receive an email letting them know that they have a private message. That's not a backdoor or bug, that's specifically how the forum works.
Of course that’s exactly how it works, spot on. It may be a good idea to turn off PM notification by email if you’re not an active user and don’t want those emails, but either way you should always be wary when someone contacts you personally with a link, and you don’t know them.
The spammer might be using automated software that is designed to send the same email to several users, I'm sure they're probably doing something like that instead of sending it all themselves. The IPB forum software is popular enough that I'm sure someone would have written software to do that by now.
Yeah, I don’t doubt for a second that there are macro-type programs that you can set up to send PMs or emails to each and every member. Since this thing started we have also increasingly seen in the Admin CP that more users than normal get their accounts locked, which happens after a certain amount of unsuccessful attempts at password input, indicating this user is also trying to breach security and access other people’s accounts. The member in question has been banned at the account level and IP level on the forum, and we’re also banning him from the server.
The only way to guard against that would be to have the moderators turn off the ability for new users to send private messages.
Sadly that is the case. Because we have set up a manual registration process, we as administrators/moderators have to manually approve every account that is set up, after they themselves have confirmed their email account through automated email. Then we have to approve them through Admin Panel. The recently implemented reCAPTCHA system in the IPB software has proved highly successful in limiting spybots, and many automated spamming systems. In addition we do random blind-tests of new accounts up against sites such as stopforumspam.com, but we are a limited amount of people, volunteering at that, and we simply can’t check each one, as it is too time-consuming for us. With this system we often get PMs from new members asking why they can’t post. If we remove the PM system as well for new users I suppose there’s no way for them to contact anyone after registering, and maybe they won’t come back when they can’t post. Finally, disabling the PM system for everyone like now sadly comes at the price of rendering the report system defunct, as reports are delivered through PM.
I really think w3schools should have/make their own boards and host it themselves.
They do have their own boards, they’re just written by Invision Power Boards, and hosted by them too. They continually rewrite the software and make improvements, way better than a computer solutions company in Norway can do. Spammers who come through and wreak havoc on the forums all get through because of human limitations, be it from the programmers of the forum, or the administrator/moderators. It’s simply impossible to stop them, you can only keep them at bay.
I don't understand how that applies here, do you see any database information in any HTML or Javascript code? These forums are entirely PHP/MySQL based, there's no public database information. The database has not been compromised.
The issue at hand here rightly isn’t that the system has been compromised (at least not directly, no access has been gained, no database has been messed with). Someone with malicious intents has gotten through the entire registration process and posted a bad link which some people have clicked. Of course, we can’t stop people from clicking a link and having their computer compromised, all we can do is warn against clicking links from people you don’t know, and try to keep spammers out as effectively as we can.
This forum has always been at w3schools.invisionzone.com, or at least it has during the past 3 years. Check the link you posted from when this place got hacked in 2006, it's the same URL. It has never been invision.w3schools.com, they don't host this forum, invisionzone.com does and always has.
Spot on. We’re always trying to keep this stuff from happening, but we’re only human and on limited capacity. Please always exercise caution and don’t click possibly malicious links from people you don’t know, who contact you personally. Even if it’s someone you know, look for something “off”, such as abnormal turns of phrase etc. Suggestions and ideas for improved security are of course always welcome.

Thank you for explaining why validators have PM access. That makes sense. Is there any way to limit their PM communications to just the Mods? I might even suggest: if such a limitation is possible, could it be extended to new members who have posted, say, less than 5 times? (I completely understand if your panel does not provide such granular control as might be wished for.) :)

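The restriction suggested in the post above (members with fewer than 5 posts may PM only moderators), combined with a cap on how many distinct recipients one account can message per hour, sketched as an added example. It is not IPB code or anything the forum staff posted; `PMGate`, `Member`, the fan-out cap and the window length are hypothetical, and the sample members are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

MIN_POSTS_FOR_OPEN_PM = 5       # threshold proposed in the thread
MAX_RECIPIENTS_PER_WINDOW = 10  # assumed value, tune per board
WINDOW_SECONDS = 3600           # assumed value

@dataclass(frozen=True)
class Member:
    name: str
    post_count: int
    is_moderator: bool = False

class PMGate:
    """Decides whether a private message may be delivered."""

    def __init__(self):
        # sender name -> deque of (timestamp, recipient name), oldest first
        self._recent = defaultdict(deque)

    def check(self, sender, recipient, now):
        """Return (allowed, reason) for one PM attempt at time `now` (seconds)."""
        if sender.is_moderator:
            return True, "staff"
        # New members keep a channel to staff, so reports and
        # "why can't I post?" questions still reach a moderator.
        if sender.post_count < MIN_POSTS_FOR_OPEN_PM and not recipient.is_moderator:
            return False, "new member: PMs limited to moderators"
        window = self._recent[sender.name]
        while window and now - window[0][0] >= WINDOW_SECONDS:
            window.popleft()  # forget sends older than the window
        recipients = {name for _, name in window}
        # Replies to someone already messaged are fine; mass fan-out is not.
        if recipient.name not in recipients and len(recipients) >= MAX_RECIPIENTS_PER_WINDOW:
            return False, "fan-out limit reached"
        window.append((now, recipient.name))
        return True, "ok"

def demo():
    """Run constructed traffic through the gate and return the decisions."""
    gate = PMGate()
    mod = Member("mod_a", 900, is_moderator=True)
    newbie = Member("fresh_account", 0)
    regular = Member("regular_user", 42)
    others = [Member(f"member{i}", 20) for i in range(12)]
    results = {
        "newbie_to_member": gate.check(newbie, others[0], now=0),
        "newbie_to_mod": gate.check(newbie, mod, now=1),
    }
    # An established account messaging 12 different people in 12 seconds.
    sent = [gate.check(regular, m, now=10 + i)[0] for i, m in enumerate(others)]
    results["regular_allowed"] = sum(sent)
    results["regular_repeat"] = gate.check(regular, others[0], now=100)
    results["regular_later"] = gate.check(regular, others[11], now=WINDOW_SECONDS + 20)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```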

This has probably been resolved by now but I just got back from Italy last night. I got an e-mail from the forum advising me I had a personal msg from Mr. mignulikz. That was Tue 07/04/2009 06:48. Haven't been here for a while so I doubted it was genuine anyway. As has been pointed out though, I am concerned that he got by W3Schools security. [edit: As a suggestion, would it not be an idea (for the future) for Admin. to dispatch a follow-up warning e-mail to any forum members this might have affected?]

Edited by RedSkwirrell
