  #1  
Old 04 Aug 2012, 16:51
huskermax huskermax is offline
 
Join Date: Mar 2010
May have banned user posting under different account.

So I have two users that were banned. I have a pay site. Both of these users know each other. The first one was banned and started another account using his son's credit card, but we matched up the IP to his old account.

The 2nd guy gets banned a few weeks later.

Have a new account set up, very active poster that posts just like the 2nd guy that is banned. All of my mods feel like it is the same guy. Different credit card and location than the 2nd banned guy.

IPs used are all local to the LA, California area. (2nd banned guy lives in Texas)

163.150.11.151 - CA (San Bernardino County Superintendent of Schools)
163.150.13.112 - same
163.150.22.112 - same
163.150.28.188 - same
66.74.192.130 - Twentynine Palms, CA
66.74.196.111 - Twentynine Palms, CA
10.80.127.201 - Unknown
The bolded one is new from the last few weeks. On the .com site I have been told this is a private IP address and this is one way a banned poster can beat the system.

I have the:

Proxy to Real IP Conversion

Multiple account login detector

These two have not triggered anything. Is there anything else out there I can use to maybe catch this guy?

If it is the same guy and he was using a desktop connection, how would the IP be reordered?
Reply With Quote
  #2  
Old 05 Aug 2012, 01:49
kh99 kh99 is offline
 
Join Date: Aug 2009
Real name: Kevin
I think the answer is that you can't do anything about it. There are ways to get a different ip or to use a proxy (and not all of them can be detected by a "proxy detector" mod). And even if you're requiring credit cards, it's probably not too hard for most people to get someone else to pay or something. I suppose you could try verifying people by phone or snail mail or something, but that's a lot of work. If the users were banned just because of behavior, then my suggestion would be to not worry about it until/unless they start with the same behavior again (don't let yourself get caught up by the idea that it's a game you have to win, because you can't). If it's some other issue, then I don't think there's a lot you can do.

Edit: about the 10.... ip - I don't know how that happens. That's an ip address that can't be used on the internet (it's for use in a private network). In any case, it won't tell you anything about who used it.

Last edited by kh99; 05 Aug 2012 at 11:45.
Reply With Quote
  #3  
Old 05 Aug 2012, 05:32
Big Al Big Al is offline
 
Join Date: Nov 2011
@huskermax.

10.80.127.201 Shows as-
Blackhole Address
Internal to a network or a router.

You may find it hard to get any more info from it unless you have very advanced (expensive) programs.



RFC 1918 reserves several ranges of network addresses for use on private networks in IPv4:

10.0.0.0 - 10.255.255.255 is included.

You can try a Google search on the email used to register.

Last edited by Big Al; 05 Aug 2012 at 12:55.
Reply With Quote
  #4  
Old 06 Aug 2012, 10:59
Sarteck Sarteck is offline
 
Join Date: Mar 2008
To use a 10.*.*.* address, wouldn't the user have to be accessing the site from the same internal network as the OP's host?
Reply With Quote
  #5  
Old 06 Aug 2012, 13:24
Disco_Stu Disco_Stu is offline
 
Join Date: Apr 2012
Originally Posted by Sarteck View Post
To use a 10.*.*.* address, wouldn't the user have to be accessing the site from the same internal network as the OP's host?
"The Calls Are Coming From Inside The House"
Reply With Quote
  #6  
Old 07 Aug 2012, 17:18
huskermax huskermax is offline
 
Join Date: Mar 2010
Originally Posted by Disco_Stu View Post
"The Calls Are Coming From Inside The House"
Same host? That is not that unusual is it?

My mods are thinking this might be a group of posters we have had issues with. Two of them banned and the others did not renew after a suspension.

Each time this poster posts it is written like more than one poster is commenting. Like, we, we are, never posts in first person.

I have a dedicated server, can I do something on that to get any more info?

--------------- Added 07 Aug 2012 at 17:41 ---------------

Originally Posted by Big Al View Post

You can try a Google search on the email used to register.
Nothing found.

I did exchange one email with this account (so it does work), even in the email it is written like two or more people.
Reply With Quote
  #7  
Old 07 Aug 2012, 18:06
Disco_Stu Disco_Stu is offline
 
Join Date: Apr 2012
Give this mod a try.

http://www.vbulletin.org/forum/showthread.php?t=231106

or this:

http://www.vbulletin.org/forum/showthread.php?t=239033

and here's a really good one:

http://www.vbulletin.org/forum/showthread.php?t=264870

Last edited by Disco_Stu; 07 Aug 2012 at 18:19.
Reply With Quote
  #8  
Old 07 Aug 2012, 18:40
nhawk nhawk is offline
 
Join Date: Jan 2011
The 10.xxx.xxx.xxx are private addresses and should never be seen on the internet. Another word for private could be 'internal'. In other words, it is an address on an internal network not a public IP address which is used to access the internet.

If a 10.xxx.xxx.xxx IP address is showing in Who's Online, then the IP address is being spoofed.

Unless you are accessing your site on an internal network with an IP that starts with 10, you can safely add '10.' (10 dot - without the quotes) to the Banned IP Addresses in vBulletin's User Banning Options. That should prevent the user from seeing any part of your board.

The same holds true for 192.168. addresses.

Last edited by nhawk; 07 Aug 2012 at 18:52.
Reply With Quote
  #9  
Old 08 Aug 2012, 05:05
Sarteck Sarteck is offline
 
Join Date: Mar 2008
@nhawk, while proxying to get a different IP address is a walk in the park for anyone with some Net savvy, actual spoofing of IP addresses and still having communication is NOT so easy.

While it is possible to spoof the initial SYN packet, if the server sent back a SYN+ACK to the "spoofed" address, then the actual spoofed computer would not get it.

Unless by some chance the person has control of all routing tables between his computer and the server, his computer would NOT be able to communicate with a spoofed address.

Point here is that bidirectional spoofing on the Internet is more or less impossible unless a user has control over all the networks between himself and the target, and unidirectional spoofing will not generate the IP Address into the $_SERVER['REMOTE_ADDR'] due to the SYN+ACK packet not being answered.

On a LAN, there would obviously be more options. But only on the LAN. :P This address IS coming from the LAN if it's being generated in the logs. Maybe someone behind the host's network was vulnerable to being a proxy? Maybe the OP's host itself is a vulnerable proxy and maybe the IP Address he's seeing is actually his own server on the internal side? Maybe someone from within the host is trying to give him a hard time? X3 Who knows for sure?

My suggestion to the OP is to copy any/all logs with the internal network address(es) and contact his host, and explain the situation to them. They will be able to find out which machine on their internal network has those addresses.
Reply With Quote
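The log collection suggested in the last post (pull every entry that shows an internal address so it can be handed to the host), as an added example that is not part of any post in the thread. It assumes the web server writes Apache common/combined-format access logs; the sample lines are constructed, reusing addresses quoted in the thread, and the function names are illustrative.

```python
import ipaddress
import re
from datetime import datetime

# The three IPv4 blocks RFC 1918 reserves for private networks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Client address and timestamp at the start of an Apache common/combined log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')

# Constructed sample log: the addresses are the ones quoted in the thread,
# the timestamps and requests are invented for this example.
SAMPLE_LOG = """\
163.150.11.151 - - [01/Aug/2012:09:12:44 +0000] "GET /showthread.php?t=1 HTTP/1.1" 200 5120
66.74.192.130 - - [01/Aug/2012:21:40:02 +0000] "GET /forumdisplay.php?f=2 HTTP/1.1" 200 7301
10.80.127.201 - - [02/Aug/2012:18:03:10 +0000] "POST /newreply.php HTTP/1.1" 200 812
not-a-log-line
10.80.127.201 - - [03/Aug/2012:07:55:31 +0000] "GET /index.php HTTP/1.1" 200 4410
"""

def private_range(text):
    """Return the RFC 1918 block containing `text`, or None if public or invalid."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return next((str(n) for n in RFC1918 if addr in n), None)

def collect_private_hits(log_text):
    """Group log lines whose client address is RFC 1918 private, keyed by address."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or private_range(m.group(1)) is None:
            continue  # malformed line or public address
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        rec = hits.setdefault(m.group(1), {"range": private_range(m.group(1)),
                                           "first": when, "last": when, "lines": []})
        rec["first"], rec["last"] = min(rec["first"], when), max(rec["last"], when)
        rec["lines"].append(line)
    return hits

if __name__ == "__main__":
    for ip, rec in collect_private_hits(SAMPLE_LOG).items():
        print(f"{ip} ({rec['range']}): {len(rec['lines'])} requests, "
              f"{rec['first'].isoformat()} to {rec['last'].isoformat()}")
        print("\n".join(rec["lines"]))
```

The per-address first and last timestamps give the host a time window to match against their own internal records.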