Someone wrote this comment in my site - the subject was !!!WOW!!!(id*):

Luckily, I didn't have to ponder much whether it was a naive typo or criticism, because I decided to look up their IP address. The results were interesting, but I'll get back to that in a few lines. Let's just say it called for a further investigation. So I also looked up this exact phrase. And what do you know, they wrote in hundreds of sites.

And this is where Geeklog comes in. See, although they wrote this line in diverse CMSes, they seem to focus heavily on Geeklog. Did you know there is a CMS out there called Xoops looking identical to Geeklog? Well, they focused on that too. So there's something about the Geeklog structure that attracts them like parasites to light.

* This ID changes in every comment.

Unfortunately, they also bother registering sometimes (not in my case), so many Geeklog admins won't let me reply to those comments in order to expose them. Fine, admins out there, your loss. This is what happens when comments are locked from anonymous users.

Now I'll get back to their IP address, 89.111.180.225. It turns out these guys don't just talk but also do. If you look it up, you will see they are a bunch of Islamic Moroccan guys who crack sites and deface them (when they don't write this senseless comment). They cracked and defaced at least one CMS/FMS (well, there's a forum there now. Who knows what was there during the hack). This is why I think they plan something with Geeklog sites

I've also sent an official security report to Geeklog's admins.

So this topic is more for everyone else. Do you think I should write a story about it in here? On the one hand, there's no known actual exploit. On the other hand, this topic would soon get swallowed in the forums and admins who will experience this spam wouldn't this topic even exists.

defacements/hacks can only happen on same system if the same bug is exploitet. The fact that someone has a different system that just looks the same still means its a different system.

As long as there is no geeklog copy that has been compromised, its not more than just a single user from a single IP that is posting sensless comments.

Where did you look up hi religion btw?

Trust me, I wouldn't compare Xoops to Geeklog if it just looked the same. System-wise it seems almost identical except the different name in the "powered by".

As for the religion discovery, look up their IP address and see what they wrote (in the mirror of) the site they (as a group) defaced. I have to say I liked the ascii animation. Who needs fancy Flash, when this is possible.

i've had to deal with these comment/user posts all night. it's not an exploit of any kind, that i've noticed anyway. it's just a generic post and if your stuff isn't locked up then that's that. I installed mevans captcha plugin and so far that seems to have curbed the posts.

Yeah, I also fail to see how this is really any different than any of the other spammers we had to deal with before. In particular, where is that "hacker" site you're talking about?

Btw, the Xoops guys would probably be pretty upset if they knew about your (implied) accusation of plagiarism. Xoops has been around for a long time - almost as long as Geeklog. They're both from the same era, so to speak, which explains some similarities. Why not accuse Slashdot of ripping off Geeklog, while you're at it :wink:

bye, Dirk

Xoops is quite different from Geeklog although it also has blocks and a rights management. Most of the layout comes from the code not from theme files. Maybe someone made a joke and called a Geeklog installation Xoops?

Again, just go to a search engine and look up the IP address I've mentioned. One of the first results supplies a mirror of the site they once defaced. I think it's different because their spam makes no sense and thus I suspect hides another agenda. As they have a history of successfull hacks, I won't be surprised if they plan something. Maybe they're testing Geeklog sites with some tools, I don't know. The ID thing suggests those are not manual spam attacks.

As for Xoops, I guess I was wrong but I was talking about multiple sites which I've seen and not just one. Xoops has a header, a footer, left and right blocks, files with the same names and it attracts this spammer too. I was sure I was in Geeklog until I saw the footer. I didn't mean to accuse them of anything. I was just suprised to find sites so Geeklog like that aren't Geeklog.

BTW, so far I've restored peace by just putting their IP address in Spam-X.

Well anyhow its good to know that there is someone out there mass-posting this stuff and even better that the someone is using the same email address all the time. This hints to me however that there is not a lot of professionalism involved.

We will see if it spreads further.

Says who?

Sorry, I meant IP address, not email....

In that case, I have to ask...says who? Only admins can tell commenters' IP addresses. All I know is they used this IP address in my own site twice. After the second time, I've added it to Spam-X.

The spam that I get, including brute-force attacks on my shell, FTP accounts, email spam etc never comes twice in a row from the same IP address. So if someone is defacing sites and even sending automated spam comments from the same IP address more then once, it means to me that there is no Botnet involved.

What about the different ID each time?

Well you are probably right, someone is using a script to post these comments. I guess it is a counter to see how often it worked. Maybe someone is writing and testing a script, who knows what it is. In any case it would be only one in hundreds that are already out there.
But whatever it is, it will be impossible to know until something happens. The chances that they are plannig a hack by posting spam-comments seems small to me. And spam-comments are not a unknown threat as such. I assume that they found a site with a known flaw and defaced it, there are enough outdated systems around. If they are testing vulnerablities you do not have to do that in the wild, but rather on a test-system at home and then act before the big sites are patched.