GoFuckYourself.com - Adult Webmaster Forum

gleem 03-29-2012 09:24 AM

NATS Paysite owners: You getting botted with user/pass pre-joins "super123" as pass?
 
Anyone else have a guy botting a paysite pre-join 100 times a day with a username & password from the same IP coming through different affiliate links... all the passwords are the same "super123" and all IPs are from China, and there's never an attempt to use a credit card... just entering user/passes into the NATS DB. Since it's coming from different legit affiliate links on different sites, he's obviously crawling the web for join codes... totally nuts.

Am I the only one? Can anyone think of any point in doing this? This bot comes and goes every couple months for the past year, I just blocked all of China's IPs to get rid of him permanently, just curious as hell what the point is to do this for a year?



Any insight appreciated...

NATS 3 owners check your member's database for any user with the password "super123" I think you will be surprised.. found 3 others that had the same deal.

Why 03-29-2012 11:58 AM

have you gotten the IP and then grep'd your apache logs to see what else he is doing on your servers?
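
An added example, not part of the original thread: one way to run the log check suggested above, flagging any client IP that POSTs the pre-join form repeatedly through several different affiliate codes and listing what else that IP requested. The path `/signup/join.php`, the `aff` query parameter and the sample log lines are constructed placeholders (assumptions), not NATS's real URLs; adjust them to your own join links.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format: IP, identd, user, [time], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} '
)
JOIN_PATH = "/signup/join.php"  # hypothetical pre-join form path
AFF_PARAM = "aff"               # hypothetical affiliate-code query parameter

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Mar/2012:09:01:10 -0700] "GET /robots.txt HTTP/1.1" 200 68 "-" "-"
203.0.113.7 - - [29/Mar/2012:09:01:12 -0700] "POST /signup/join.php?aff=AAA111 HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [29/Mar/2012:09:01:15 -0700] "POST /signup/join.php?aff=BBB222 HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [29/Mar/2012:09:01:19 -0700] "POST /signup/join.php?aff=CCC333 HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [29/Mar/2012:09:05:00 -0700] "GET /signup/join.php?aff=AAA111 HTTP/1.1" 200 900 "-" "-"
198.51.100.20 - - [29/Mar/2012:09:05:40 -0700] "POST /signup/join.php?aff=AAA111 HTTP/1.1" 302 0 "-" "-"
192.0.2.55 - - [29/Mar/2012:09:10:01 -0700] "POST /signup/join.php?aff=BBB222 HTTP/1.1" 200 512 "-" "-"
192.0.2.55 - - [29/Mar/2012:09:10:30 -0700] "POST /signup/join.php?aff=BBB222 HTTP/1.1" 200 512 "-" "-"
192.0.2.55 - - [29/Mar/2012:09:11:02 -0700] "POST /signup/join.php?aff=BBB222 HTTP/1.1" 302 0 "-" "-"
"""

def find_prejoin_bots(lines, min_posts=3, min_codes=2):
    """Return {ip: report} for IPs that POST the join form at least
    min_posts times through at least min_codes distinct affiliate codes."""
    posts = defaultdict(int)   # join-form POSTs per IP
    codes = defaultdict(set)   # distinct affiliate codes per IP
    other = defaultdict(set)   # everything else the IP requested
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, url = m["ip"], urlsplit(m["target"])
        if m["method"] == "POST" and url.path == JOIN_PATH:
            posts[ip] += 1
            codes[ip].update(parse_qs(url.query).get(AFF_PARAM, []))
        else:
            other[ip].add(f'{m["method"]} {url.path}')
    return {
        ip: {"posts": n, "codes": sorted(codes[ip]), "other": sorted(other[ip])}
        for ip, n in posts.items()
        if n >= min_posts and len(codes[ip]) >= min_codes
    }

if __name__ == "__main__":
    for ip, report in find_prejoin_bots(SAMPLE_LOG.splitlines()).items():
        print(ip, report)
```

The distinct-code threshold keeps a surfer who retries the form through one affiliate link (192.0.2.55 in the sample) from being flagged alongside the crawler.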

lucas131 03-29-2012 12:01 PM

how you know his pass? i have been thinking it is crypted in nats, is it there plain? are you kidding me?

gleem 03-29-2012 12:02 PM

Quote:

Originally Posted by Why (Post 18851972)
have you gotten the IP and then grep'd your apache logs to see what else he is doing on your servers?

got the IP, I asked mojo what else he was doing they said nothing, maybe I should check too. :thumbsup

gleem 03-29-2012 12:04 PM

Quote:

Originally Posted by lucas131 (Post 18851976)
how you know his pass? i have been thinking it is crypted in nats, is it there plain? are you kidding me?

webmaster passes are encrypted, surfers passes are encrypted in the DB, but not the admin

baryl 03-29-2012 12:05 PM

Install mod_geoip

SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
Deny from env=BlockCountry


Tons of problems instantly go away

lucas131 03-29-2012 12:08 PM

Quote:

Originally Posted by gleem (Post 18851978)
webmaster passes are encrypted, surfers passes are encrypted in the DB, but not the admin

ok thank you i got it now, sounds ok then :)

gleem 03-29-2012 12:19 PM

Quote:

Originally Posted by baryl (Post 18851979)
Install mod_geoip

SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
Deny from env=BlockCountry


Tons of problems instantly go away

yep, all of china is blocked now.

raymor 03-29-2012 12:22 PM

If you catch him in the act, temporarily turn on post logging. Might be trying an evil null, sql infection or similar. Since it continues and since he's crawling for NATS links, he's obviously trying something specific.

Major (Tom) 03-29-2012 12:34 PM

we fixed this problem but we had to disable it to keep our license. /:
ds

gleem 03-29-2012 12:38 PM

Quote:

Originally Posted by DukeSkywalker (Post 18852039)
we fixed this problem but we had to disable it to keep our license. /:
ds

hmm, other than banning all of china, how can you fix?

Hermes 03-29-2012 01:26 PM

Is it worth blocking over 1 Billion potential customers to slow (they could still find a way around) something that wasn't causing any real harm anyway?

Strange stuff it is, but would need some deeper analysis to figure out what they're trying to accomplish.

Could be some kind of "smart" bot that tries to sign up to any site it finds, to do spamming or whatever. I found this: https://www.dlitz.net/blog/2011/10/m...mmon-losenord/ and it looks a lot that it's the same guy/bot there too.

geedub 03-29-2012 01:31 PM

Quote:

Originally Posted by Hermes (Post 18852135)
Is it worth blocking over 1 Billion potential customers to slow (they could still find a way around) something that wasn't causing any real harm anyway?

Strange stuff it is, but would need some deeper analysis to figure out what they're trying to accomplish. It could be something harmless like trying to gather some kind info, but could also be trying to exploit something. I think this may be related: https://www.dlitz.net/blog/2011/10/m...mmon-losenord/

Over 1 billion potential customers :1orglaugh Good one!

iSpyCams 03-29-2012 01:33 PM

Same here, did the prejoin about a dozen times between November and today on various sites of mine, I also have a few legit surfers using that password lol.

Check out the comments here: http://whatismyipaddress.com/ip/117.41.184.199

gleem 03-29-2012 01:34 PM

Quote:

Originally Posted by Hermes (Post 18852135)
Is it worth blocking over 1 Billion potential customers to slow (they could still find a way around) something that wasn't causing any real harm anyway?

Can't bill chinese, merch accounts won't bill for em, 3rd party billers won't, any IP that is originated in china is close to worthless and is the source for most of the hacking & cheating activity.

Quote:

Originally Posted by Hermes (Post 18852135)

How does entering a made up user & email with a known password have anything to do with trying to decrypt logins... they aren't trying to access my members areas, they are just joining my pre-join form.

iSpyCams 03-29-2012 01:37 PM

Quote:

Originally Posted by gleem (Post 18852151)
How does entering a made up user & email with a known password have anything to do with trying to decrypt logins... they aren't trying to access my members areas, they are just joining my pre-join form.

Could be a poorly written bot that is trying to mass join forums for future spamming, or link building through mass profile creation.

Maybe the bot is just looking for forms with a user/pass field and a submit button and either isn't smart enough to detect actual community sites or else just hoping to get lucky.

gleem 03-29-2012 01:39 PM

Quote:

Originally Posted by pompousjohn (Post 18852159)
Could be a poorly written bot that is trying to mass join forums for future spamming, or link building through mass profile creation.

Maybe the bot is just looking for forms with a user/pass field and a submit button and either isn't smart enough to detect actual community sites or else just hoping to get lucky.

probably the best explanation I've heard. :thumbsup

GetSCORECash 03-29-2012 01:43 PM

Thanks, we did have him in our database, but had taken care of him last year.

He joined via the following IP if it helps. 99.62.117.195

Major (Tom) 03-29-2012 01:45 PM

Quote:

Originally Posted by gleem (Post 18852046)
hmm, other than banning all of china, how can you fix?

hmm well I'm not allowed to speak about it /:
ds

Hermes 03-29-2012 01:47 PM

Quote:

Originally Posted by gleem (Post 18852151)
How does entering a made up user & email with a known password have anything to do with trying to decrypt logins... they aren't trying to access my members areas, they are just joining my pre-join form.

Yes I was just editing my last post to add something what pompousjohn just suggested, it looks quite obvious that the amount of "super123" passwords on that Swedish board was caused by some kind of bot, and since the password is same here then it's probably same (spam) bot.

Profits of Doom 03-29-2012 01:56 PM

Quote:

Originally Posted by pompousjohn (Post 18852159)
Could be a poorly written bot that is trying to mass join forums for future spamming, or link building through mass profile creation.

Maybe the bot is just looking for forms with a user/pass field and a submit button and either isn't smart enough to detect actual community sites or else just hoping to get lucky.

That's what it sounds like, it's not xrumer or scrapebox but there are a million other half assed link building and forum spamming software's on the market now...


All times are GMT -7. The time now is 05:44 AM.