oprime2001 (Lieutenant; Joined: Jul 13, 2003; Posts: 165)
Posted: Sat Sep 04, 2004 6:57 pm
I had a random user JackFromWales4u2 register on one of my phpnuke sites. At first I was annoyed at the random registration, but then paranoia took hold. I checked the logs for any obvious or glaring exploits, but I did not see anything.
I then checked the various phpnuke security sites. I was surprised to see that JackFromWales4u2 was also the latest signup at a forum moderator's site.
I then ran a google search on JackFromWales4u2, and google returned 18600 hits!
From a random check of the various google hits, it seems that JackFromWales4u2 has been very busy with a great number of registrations at these various phpnuke and phpbb sites within a span of a couple of days -- September 1-2, 2004.
Now this screams of an exploit/vulnerability! Is there a script or exploit/vulnerability that is out in the wild that is yet unpatched?
Or am I just being paranoid here?
p.s. you might want to check your own sites to see if you've had a visit from JackFromWales4u2, too.
BrainSmashR (Support Mod; Joined: Jan 05, 2004; Posts: 1390; Location: Louisiana, USA)
Posted: Sat Sep 04, 2004 7:34 pm
Interesting......read another topic here about some attack using Jobo or something like that.
I looked it up and it was a program to download entire site content and included the ability to fill in forms and such....
No big deal until you mentioned this.......
now I'm no security guru at all......but this account might disappear from my site on accident just in case.
Edit: his e-mail is @mail.ru. Known spamming domain, and it has been "filtered" out of my mail system for months.
_________________
USE THE FORUM. If you contact me via messenger for support I will add you to my ignore list.
oprime2001 (Lieutenant; Joined: Jul 13, 2003; Posts: 165)
Posted: Sat Sep 04, 2004 7:48 pm
Isn't phpnuke's security image supposed to stop automated registration? The security image is used on my site and on a number of the sites on google search on JackFromWales4u2.
BrainSmashR (Support Mod; Joined: Jan 05, 2004; Posts: 1390; Location: Louisiana, USA)
Posted: Sat Sep 04, 2004 7:58 pm
As I said......I'm no security Guru, nor do I use the security image.....but I agree, that's the purpose of that image.
My opinion is based on the fact that I've used the nick BrainSmashR on a variety of stuff for many years and my google search on BrainSmashR only returns 5,740. (5 times more than a google search on brainsmashEr, in case you ever wondered where the nick idea came from.)
I'm a supernerd and this guy has nearly 4x the action all by himself? I find that hard to believe.
_________________
USE THE FORUM. If you contact me via messenger for support I will add you to my ignore list.
VirtualChicano (Nuke Cadet; Joined: Sep 02, 2004; Posts: 8; Location: East Los Angeles, CA USA)
Posted: Sat Sep 04, 2004 8:35 pm
hello,
jackfromwales4u2 also joined buscandoamor.com.mx but i did not find it unusual until now
i was more concerned with "customscoop" he or she's been sittin' in spanglishchat.com for 5-6 days now. i did the google thing and it's a news data bank of sorts.
i had 5 php-nuke sites hacked. Telli from codezwiz.com took care of the security for me. i haven't been hacked since. as a foot note, i used the last referrers block to take me to my hackers website. he still had his script up. the site had an .br extension for brazil but when i reported him to nic.br they did the who-is and he turned out to be an argentine mathematician - a college professor!
sad but true,
dan
_________________
Long live the Red, White and Blue
whOcArEz (Nuke Cadet; Joined: Sep 05, 2004; Posts: 3)
Posted: Sun Sep 05, 2004 12:41 am
oprime2001 wrote:
> I had a random user JackFromWales4u2 register on one of my phpnuke sites. At first I was annoyed at the random registration, but then paranoia took hold. I checked the logs for any obvious or glaring exploits, but I did not see anything.
> I then checked the various phpnuke security sites. I was surprised to see that JackFromWales4u2 was also the latest signup at a forum moderator's site.
> I then ran a google search on JackFromWales4u2, and google returned 18600 hits!
> From a random check of the various google hits, it seems that JackFromWales4u2 has been very busy with a great number of registrations at these various phpnuke and phpbb sites within a span of a couple of days -- September 1-2, 2004.

I did the same here.
Anybody with more information about this guy and/or what he is up to with all these accounts??
I hope to hear more....
djalecc (Lieutenant; Joined: Feb 21, 2004; Posts: 180; Location: Gloucestershire)
Posted: Sun Sep 05, 2004 1:11 am
Winbar (Nuke Cadet; Joined: Sep 09, 2004; Posts: 1)
Posted: Wed Sep 08, 2004 11:47 pm
Just found him on mine and seen what he's done.
He's somehow posted a comment on every single news post with a link in it, which I haven't as yet clicked. I'm presuming he's a virus spammer or someone astroturfing for their website... either way - BINNED!
gadji (Sergeant; Joined: Oct 14, 2003; Posts: 115)
Posted: Thu Sep 09, 2004 12:19 am
he/she used the ip address 66.219.97.51 to get on my site, and put a comment on each news article. The links go to a search engine page (kind of like yahoo directory).
Doodle (Premium; Joined: Sep 13, 2003; Posts: 50)
Posted: Thu Sep 09, 2004 7:25 am
He signed up for my site on Sept 1, 2004. Here is the information from MS_Analysis:
Username: <blank>
E-mail address: jacked4u@mail.ru
Registration Date: Sept 1, 2004
Browser: MSIE 5.01
Operating System: Windows 2000
IP-address: 66.219.97.51
Country: United States
ISP/Host: floridadom.com
Last Time online: 2004-09-08 15:22:19
Hits: 1
I found that he has been adding spam to every one of my News comments. Example:
Quote:
> by JackFromWales4u2 on Wednesday, September 08 @ 16:22:51 CDT
> (IP: 66.219.97.51)
> Really? Every day we get known something new.
> Shopping - Gifts [www.wolist.com]

Looks like he has found an automated way of spamming nuke sites, prolly to up his google rankings when the bots index your news page. I did have the security image disabled for signups so perhaps a script signed him up. I've changed his password and sentinel blocked his IP for now but I am curious if he did this on other sites. He is taking advantage of the way nuke works to add spam to our sites I'd say.
_________________
Doodle
Independent Network Solutions
webmaster@indnet.ca
Doodle (Premium; Joined: Sep 13, 2003; Posts: 50)
Posted: Thu Sep 09, 2004 7:34 am
Here is the company I think:
Russian Florida, Inc.
18090 Collins Avenue #190
Sunny Isles Beach, FL 33160
also has the domain floridadom.com which has the same contact info:
Russian Florida, Inc.
c/o FloridaDom.com
18090 Collins Avenue
Suite# 190
Sunny Isles Beach, FL 33160
Customer service (954) 457-9440
(Monday to Friday between 10.00am and 6.00pm)
I'd say a nasty email or phone call is forthcoming...
_________________
Doodle
Independent Network Solutions
webmaster@indnet.ca
Doodle (Premium; Joined: Sep 13, 2003; Posts: 50)
Posted: Thu Sep 09, 2004 7:47 am
Check your server logs, I found this (gotta be a script):
Quote:
> 66.219.97.51 - - [08/Sep/2004:16:22:12 -0500] "GET /modules.php?name=Your_Account&op=gfx&random_num=841707 HTTP/1.1" 200 1526 "http://www.indnet.ca/modules.php?name=Your_Account&op=new_user" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
> 66.219.97.51 - - [08/Sep/2004:16:22:12 -0500] "POST /modules.php?name=Your_Account HTTP/1.1" 302 5 "http://www.indnet.ca/modules.php" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
> 66.219.97.51 - - [08/Sep/2004:16:22:21 -0500] "GET /modules.php?name=News HTTP/1.1" 200 60958 "http://www.indnet.ca/modules.php" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

then a whole lotta these:

Quote:
> 66.219.97.51 - - [08/Sep/2004:16:22:22 -0500] "POST /modules.php?name=News&file=comments HTTP/1.1" 302 5 "http://www.indnet.ca/modules.php" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
_________________
Doodle
Independent Network Solutions
webmaster@indnet.ca
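The log excerpt Doodle posted shows the whole sequence in a few seconds from one address: fetch the registration security image (op=gfx), POST the registration form, load the News page, then one POST to the comment handler per article. That sequence is easy to pick out of an Apache access log automatically. The script below is an added example for doing so; it is not code from this thread, from phpNuke, or from any poster. It parses combined-format log lines, groups requests by client IP, and flags any IP that POSTs to modules.php?name=News&file=comments at least min_posts times inside a window_seconds sliding window, noting whether the same IP also hit the security image and the registration form. The sample lines are constructed to mirror the excerpt; example.com and the RFC 5737 documentation addresses (203.0.113.5, 198.51.100.7) are placeholders, not real hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format, the layout of the lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_burst(timestamps, window_seconds):
    """Largest number of (sorted) timestamps that fall inside any window of window_seconds."""
    best, j = 0, 0
    for i, t in enumerate(timestamps):
        while (t - timestamps[j]).total_seconds() > window_seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


def find_comment_spammers(lines, window_seconds=60, min_posts=5):
    """Group requests by client IP and flag IPs that POST to the News comment handler
    at least min_posts times within window_seconds. For each flagged IP also record
    whether it fetched the registration security image (op=gfx) and submitted the
    registration form (POST Your_Account) in the same log, as in the thread's excerpt."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        comments = [r["ts"] for r in recs
                    if r["method"] == "POST"
                    and "name=News" in r["path"] and "file=comments" in r["path"]]
        burst = max_burst(comments, window_seconds)
        if burst < min_posts:
            continue
        findings[ip] = {
            "comment_posts": len(comments),
            "max_burst": burst,
            "fetched_captcha": any(r["method"] == "GET" and "op=gfx" in r["path"] for r in recs),
            "registered": any(r["method"] == "POST" and "name=Your_Account" in r["path"] for r in recs),
        }
    return findings


UA = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"


def _log(ip, hms, method, path, status, size):
    # Constructed line in the same layout as the thread's excerpt. example.com and the
    # RFC 5737 documentation addresses used below are placeholders, not real hosts.
    return (f'{ip} - - [08/Sep/2004:{hms} -0500] "{method} {path} HTTP/1.1" {status} {size} '
            f'"http://www.example.com/modules.php" "{UA}"')


# Constructed sample log: one scripted registration-plus-comment burst, one human reader.
SAMPLE_LOG = [
    _log("203.0.113.5", "16:22:12", "GET", "/modules.php?name=Your_Account&op=gfx&random_num=841707", 200, 1526),
    _log("203.0.113.5", "16:22:12", "POST", "/modules.php?name=Your_Account", 302, 5),
    _log("203.0.113.5", "16:22:21", "GET", "/modules.php?name=News", 200, 60958),
] + [
    _log("203.0.113.5", f"16:22:{22 + i}", "POST", "/modules.php?name=News&file=comments", 302, 5)
    for i in range(6)
] + [
    # A human reader: browses the news page and leaves a single comment minutes later.
    _log("198.51.100.7", "17:05:03", "GET", "/modules.php?name=News", 200, 60958),
    _log("198.51.100.7", "17:09:40", "POST", "/modules.php?name=News&file=comments", 302, 5),
]

if __name__ == "__main__":
    for ip, info in find_comment_spammers(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real access_log by replacing SAMPLE_LOG with the file's lines; the thresholds are deliberately loose (five comment POSTs in a minute is far beyond what a person types), and the "fetched_captcha" flag is worth watching, because an IP that loads the security image and submits the registration form in the same second, as in the excerpt, is not a browser being driven by a human.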
Doodle (Premium; Joined: Sep 13, 2003; Posts: 50)
Posted: Thu Sep 09, 2004 8:02 am
also owns: RussianFlorida.com
They are registered through godaddy via domainsbyproxy.com so they can hide their contact info in a whois search:
RUSSIANFLORIDA.COM@domainsbyproxy.com
This violates domainsbyproxy's TOS:
Quote:
> Domains By Proxy, Inc., will not, under any circumstances, tolerate Spam, UBE (Unauthorized Bulk Email) or UCE (Unauthorized Commercial Email) and will not allow individuals to “hide” behind our services in order to engage in, or to avoid detection from being involved in, these prohibited activities.

Soooo.....another nastygram email.
_________________
Doodle
Independent Network Solutions
webmaster@indnet.ca
Doodle (Premium; Joined: Sep 13, 2003; Posts: 50)
Posted: Thu Sep 09, 2004 8:29 am
beetraham (Private; Joined: Nov 09, 2003; Posts: 48; Location: Deep Forests of Finland)
Posted: Thu Sep 09, 2004 10:26 am
Any news from the ISP yet?
I'd personally appreciate it a lot if the responsible ISP nurturing the malicious NEWS REPLY spammer would come down here to NukeCops (as NukeCops' global coverage is vast) and explain their planned actions (and outcome) to bring this guy down for good.
I hope I'm not losing my sense of reality - I just feel that in this case it would be justified as a courtesy call.
BR,
-beetraham