By Anonymous (not verified) on

I my Drupal website an new user NAREMAN registered an new account.
I delete this account, because the data was:

Full Name nareman
E-Mail (public) killerspm@runbox.com
Country nareman

After two days, again this account was created.

I searched google and found a lot of drupal sites, this user was registered.

http://www.google.de/search?hl=de&q=nareman

Any ideas?
Reason?

McChip

Categories: Drupal 4.7.x

Comments

rogerpfaff’s picture

rogerpfaff
he/his
Primary language German
Location Munich
commented

this is a bot registered on different drupal sites to spam and also tries to get into other sites by using the global login feature of drupal. I have also spam comments by this user on my site.

cestmoi’s picture

cestmoi commented

What is "global login feature of drupal" ???

rogerpfaff’s picture

rogerpfaff
he/his
Primary language German
Location Munich
commented

what i am talking of is http://drupal.org/handbook/modules/drupal

a global sites directory to enable logins without registration on your site but another drupal site.

modul’s picture

modul commented

In Dutch, the word "nare man" (with a space) would mean: "awful person, lousy character, creep", something like that. Are we talking about someone with low self-esteem here? :-)

Ludo

cestmoi’s picture

cestmoi commented

So is this a known issue being fixed ?

I did a google search on (nareman AND drupal ) and found lots of websites with this same spam username. Have a look at this drupal site and see te flood of spam drugs ads and below them the spam posts by "nareman". http://www.endymios.com/flash-gallery-module.

Would it be wise to require admin approval of registrations till the problem is fixed ?

Anonymous’s picture

Anonymous (not verified) commented

> Would it be wise to require admin approval of registrations till the problem is fixed ?

I have done this for my website now

McChip

nunovo’s picture

nunovo commented

I have tried to change the registration settings on my site, but am consistently prevented by a spurious error about the location of the picture folder. I wonder if this is related to the spambot in some way.

I also noticed a hyperlink had been written into the banner area of my homepage, linking to a file called asa.html. That file doesn't exist, but had been repeatedly requested by nareman.
---
new, green, and learning: that's me!
currently running at http://nunovo.org.uk/drupal/

kbahey’s picture

kbahey commented

Are you sure this file and header hyperlink are related to the Nareman thing?

Or is it just confusion on your part?

Which Drupal version are you using.
--
Drupal development and customization: 2bits.com
Personal: Baheyeldin.com

--
Drupal performance tuning and optimization, hosting, development, and consulting: 2bits.com, Inc. and Twitter at: @2bits
Personal blog: Ba

nunovo’s picture

nunovo commented

No, I am not sure, that's why I wrote 'I wonder if'.

The other peculiarity has not shown up since I deleted naremann's user account.
That doesn't explain anything, but at least I'm not getting error messages any more.

I am using the current version.
---
new, green, and learning: that's me!
currently running at http://nunovo.org.uk/drupal/

Herbt’s picture

Herbt commented

This bot has left multiple comments on my site, but I have moderation turned on, so I delete them. What's interesting is that I have the captcha module installed and it either gets past it or does the math problem somehow.

User signups are set to admin only, but I am working on a site that will have them open. Outside of human intervention is there another way to stop bots from signing up?

alpinejag’s picture

alpinejag commented

It's just recently started posting comments on one of my sites. The spam module catches all his posts for me though.

kbahey’s picture

kbahey commented

It is easy to block the person's email in /admin/user/rules/add, but that will cause another name/email to be used, then another, then another. So that will not solve the problem, rather cause an arms race.

Can anyone with an affected sites tell us whether you have captcha enabled? Whether math based or graphics?
--
Drupal development and customization: 2bits.com
Personal: Baheyeldin.com

--
Drupal performance tuning and optimization, hosting, development, and consulting: 2bits.com, Inc. and Twitter at: @2bits
Personal blog: Ba

hanief84’s picture

hanief84 commented

http://indiecom.net/node/467 - Check it out!

"Hello from Malaysia! ^^ "
Website: www.indiecom.net
Skype: ga1984

amanda’s picture

amanda commented

I thought I was imagining things when I saw nareman on two unrelated drupal sites, but basically, there is a "nareman" registered on every Drupal site I've ever looked at.

uggg.

I'm amused by the dutch translation, though. Thanks!

avantjer’s picture

avantjer commented

Yes, he's registered on my Drupal site, once as "nareman" and more recently as "naremanuut".
He appears to want to sell "Ambien".

Or maybe he gets paid for clickthroughs?

His Bio: (all live links):

ambien
Buy ambien
Buy ambien online
Purchase ambien
Cheap ambien
Online ambien
ambien no prescription
discount ambien
generic ambien
order ambien

They all link to: "http: // xhttp.net / dvms12 / ambien.html" DON'T FOLLOW IT - He could profit, or worse!!!

rogerpfaff’s picture

rogerpfaff
he/his
Primary language German
Location Munich
commented

The Spam Module helps to prevent this bot from spamming your site. On my site it works like a charm.

asbdpl’s picture

asbdpl commented

Indeed, the Spam module helps against bots, and it is highly configurable; however, it also slows down the site incredibly, at least, if it runs a bunch of regular expressions. I had to deactivate it on my Drupal sites, since average page loading times grew to 20 seconds and more.

What I did was:
* deactivate the tracksbacks module completely
* disallow creation of nodes and comments by anonymous users
* changing default action for "normal" users when crating nodes or comments from "Save" to "Preview"
* installed the captcha module.

Most bots and spammers I discovered so far are not smart enough to check this all. If they become smarter, I'll have to tighten security even more, e.g. check mail addresses of registered users with double opt-in, etc.

Greetings, asb

zinzius’s picture

zinzius commented

Haha ...I just got hit by this f!@#tard yesterday. I ended up writing about him/it and it's hack after I got rid of him..heres a link..
http://zinzi.us/?q=node/578

xano’s picture

xano
he/they
Primary language English
Location Southampton
commented

Hey Zinius,

Taco just told me you experienced this problem and I was immediately interested when he told me the name 'naremanuut'. I have had an account with this name and with the name 'narremanynch' on my website. The users hadn't even visited my site after five months when I deleted them five minutes ago.

Forgot to note the e-mail address and other data though. Bit stupid.