Forum admins are being warned to block IP 220.127.116.11 after it ran a mass flooding attack against a wide range of vbulletin forums running vbulletin 3.x builds.
The IP signs up to forums using an email address @certifiedtgp.com, and has the username “Robert” followed by a series of alphanumeric characters.
Variants already seen in the wild include Roberteas081F, Roberte129DFB and RobertrasAE91.
The user then floods the forums with the following message:
Hi ya allll !! w000wwwooooo
While most admins may be tempted to see this as an isolated attack, the danger is that an exploit has been found in vbulletin 3.x builds.
This is evidenced by the fact that vbulletin 3.x forums dominate search results for the spam message, with Google already returning nearly 4,000 results.
It suggests that spammers have found a way to crack the custom question feature that helps reduce automated registrations by spambots.
The behaviour so far is similar to previous mass test runs by Xrumer, which uses unique user strings with the same spam message to test how effective new cracking features work.
While so far the spam has been sent from just one IP address to date, the danger is that if this is a new crack, that forum admins, especially on older vbulletin installs, could shortly face a new wave of spam as typically follows a security breach test.
Forum admins saw this happen back in January, when it appeared that Xrumer programmers had managed to crack Google’s Re-captcha.
In the meantime, it is unclear as to whether vbulletin 4.x installs may be affected.
Since vbulletin developer Jelsoft was bought out, and the new owners changed the terms of the licencing system, many forum admins have resisted the temptation to move to vbulletin 4.
This is especially with its problematic bug history, change of user interface, on top of licencing fees that leaves customers who originally bought owned licences feeling punished for their loyalty.
Jelsoft has yet to release an update to the 3.x series since 3.8.7.
In the meantime, existing vb 3.x users may want to keep up with at Xenforo, developed by disguntled ex-Jelsoft employees to create a rival bulletin board system that aims to recreate the strengths they originally coded into vb 3.x in the first place.