Forged IP address

Today, I had a user post a message from my IP address.  I'm on a cable connection which gives users a unique IP Address.  I run a hardware firewall, a software firewall, Norton AV, and I don't open attachments.  I scan routinely, including today.

I consider it unlikely that I have been "hacked", but I'll take what precautions I can to ensure that I have not.

It is my assumption currently that the posting IP address was forged, by a "bot"

The "user" set up a message on my board, then spammed Yahoo Finance to direct people to my board.  From there, they hoped to direct traffic to their site - there was a link in the message.

It's my assumption that this was an automated process.

Here is one Yahoo Finance link

Here is another

Here is a third

I'm sure there are more.  I've been using version 7.9 of the forum for approximately 1-2 weeks.  My IP address is the most prolific on the board with approx 3000 posts.  If any crawler is able to crawl the board with appropriate permissions, then this would be the most frequent IP address used within the last week.

The IP address that the person registered from is:  24.244.141.102

I track "latest IP address" and "registration IP address" silently in a seperate table.

That address has been banned, of course.

This is all that I can provide at this point as far as the anatomy of the attack goes. 

My forum admin name and password was changed, of course, and the version I am using is SQL Server.   

/agree with dj air

Spoofing IP addresses isn't difficult at all. Heck, you can even spoof the MAC address of your NIC if you want..

wrote: If any crawler is able to crawl the board with appropriate permissions

I've actually mod'ed one of my forums so that the IP tracking is on but only admins have permissions to view it. This is mainly because they freak out even if it's just a message of "your ip is logged." /shakes his head.

Remember, that bots can only crawl the same HTML code that the browser renders. This is why search bots can index a forum but not if you have group or password protected content.

change lines 756 to 761 on the forum_posts.asp file from

'If the user is the admin or moderatir then display the authors IP If (blnAdmin OR blnModerator) AND strAuthorIP <> "" Then Response.Write(" | " & strTxtIP & " <a href=""javascript:openWin('pop_up_IP_blocking.asp?IP= " & strAuthorIP & "&TID=" & lngTopicID & "','move','toolbar=0,location=0,status=0,menubar=0,sc rollbars=1,resizable=1,width=425,height=425')"" class=""smL ink"">" & strAuthorIP & "</a>")       Else           Response.Write(" | " & strTxtIPLogged)             End If

to

'If the user is the admin or moderatir then display the authors IP     If (blnAdmin) AND strAuthorIP <> "" Then Response.Write(" | " & strTxtIP & " <a href=""javascript:openWin('pop_up_IP_blocking.asp?IP= " & strAuthorIP & "&TID=" & lngTopicID & "','move','toolbar=0,location=0,status=0,menubar=0,sc rollbars=1,resizable=1,width=425,height=425')"" class=""smL ink"">" & strAuthorIP & "</a>")      Else         Response.Write(" | " & strTxtIPLogged)             End If

Edited by dj air

only admin/Moderators are able to see Ip Addresses,
no one else can they see IP logged