Help~ Error Log - multiple attempts to access?

willerby · January 04, 2011, 06:49:14 AM

My error log shows a 70 year old member of my forum (known to me) trying to access his account multiple times every eight minutes and getting his password wrong.

I wrote to him and he wasn't even online. Checking again, the log-in IP addresses are all different! What is going on?

Guest
IP address 209.159.142.164
Today at 11:30
session 6dfc5050bc113c1c707210ead9d36832
http://www.xxx.com/forum/index.php?action=login2
Password incorrect - T28trakgrip

Guest
IP address 192.251.226.205
Today at 11:22
session 105a0e649a593bc8df1dcfb3c5520529
http://www.xxx.com/forum/index.php?action=login2
Password incorrect - T28trakgrip

Guest
IP address 204.8.156.142
Today at 11:14
df715b2ac5299b3e504d0c2f1699eee0
http://www.xxx.com/forum/index.php?action=login2
Password incorrect - T28trakgrip

Guest
IP address 109.169.29.56
Today at 11:06
session 8c60ff88fda385ceaee4778883019407
http://www.xxx.com/forum/index.php?action=login2
Password incorrect - T28trakgrip

and so it goes on every eight minutes, all different IP addresses?

Help!

Illori · January 04, 2011, 07:32:42 AM

looks like someone/something may be trying to hack into that account.

willerby · January 04, 2011, 07:43:04 AM

I can only imagine a spammer bot as its not an admin account. Do such things exist?

And why bother, I can block that username and reissue another even if it is successful.

Illori · January 04, 2011, 07:46:14 AM

spammers will try whatever they can to get access to a forum and do their job. you could try giving that user a new name, in their profile and see if that helps. they dont need to be blocked and issued a new username.

willerby · January 04, 2011, 09:07:11 AM

Now that I am watching the error log, it is also happening to another member... again every eight minutes but this time a member who hasn't visited the site for a while...

Just been back in touch with Trakgrip, the member mentioned above and this activity is causing him grief as when he does log-in each time the spam-bot tries to log-in over the top of him and gets the password wrong the software disconnects him and he has to log-in legitimately again. Will switch his user ID and ban the current but others should be aware that this is potentially why error logs fill with incorrect password attempts...

F*&%£$g spammers

W

willerby · January 04, 2011, 09:30:19 AM

Wait a minute... this doesn't make sense.

Why would a spam bot access a site every eight minutes and try and guess a password? It would take for ever.

Is it possibly a spoiling tactic for SMF forums eg. if the forum has limited password attempts set, that user would have to go through the process of regenerating a password? As differing IP addresses are used, is this some sort of replicable virus? I have no idea what is going on here, just guessing - can someone else throw any light on this?

W

willerby · January 04, 2011, 10:57:04 AM

Having changed the user log-in names for two users affected, all incorrect password traffic has ceased and error log empty...

willerby · January 04, 2011, 02:56:28 PM

http://www.simplemachines.org/community/index.php?topic=415910.0

http://www.simplemachines.org/community/index.php?topic=415865.0

All the same issue...

willerby · January 05, 2011, 08:13:27 AM

Not sure you guys are taking this seriously $:-\$

This bot thing is relentless. I have so far banned 50 IP addresses and still it comes back with more, always trying to login as an existing user every eight minutes. At one point I am sure it used the IP address of a valid member - I banned the IP and then a regular user got locked out nd I had to delete that ban trigger... is that technically possible? I have no idea

I have implemented vbgamers Account Protection mod which allows users to specify IP addresses they want to use and blocks all others but this is a major undertaking for 3,000 members and severely restricts access to the site for users travelling / using variable IP addresses. If the above is correct, not sure how the mod will fare anyway.

If this replicates onto other forums you may need a better solution guys. Sorry...

Dermot · January 05, 2011, 08:25:40 AM

This is also happening to me.

Most of the time they're trying to get my password

Code Select



	 Guest
 192.251.226.205   
 	 Today at 05:08:29 AM 
 8be39087360cb7fb4ce636834bec6efe 
 Type of error: User
http://www.irish-gaming.net/index.php?action=login2Password incorrect - Dermot
	 Guest
 192.251.226.205   
 	 Today at 05:13:41 AM 
 aba7be3d46c9690578ca848fd78848a1 
 Type of error: User
http://www.irish-gaming.net/index.php?action=login2Password incorrect - Dermot
	 Guest
 199.48.147.44   
 	 Today at 05:19:15 AM 
 8d907c3e694dbb30727a97d29909d4d4 
 Type of error: User
http://www.irish-gaming.net/index.php?action=login2Password incorrect - Dermot
	 Guest
 199.48.147.43   
 	 Today at 05:24:44 AM 
 77095c324535426cacf00a766f510caf 
 Type of error: User
http://www.irish-gaming.net/index.php?action=login2Password incorrect - Dermot
	 Guest
 193.198.207.8   
 	 Today at 05:29:56 AM 
 3f43ab408658a9d18a8aaa7445d3d59e 
 Type of error: User
http://www.irish-gaming.net/index.php?action=login2Password incorrect - Dermot
	 Guest
 81.218.219.122   
 	 Today at 05:35:35 AM 
 2ad9636c356f62082ec3c1f3fa24a4e3 
 Type of error: User
http://www.irish-gaming.net/index.php?action=login2Password incorrect - Dermot
	 Guest
 86.61.72.185   
 	 Today at 05:41:00 AM 
 cc138110dd76d2265ff938996ee67b0f 
 Type of error: User
http://www.irish-gaming.net/index.php?action=login2Password incorrect - Dermot
	 Guest
 87.236.194.191   
 	 Today at 05:46:20 AM 
 c6a8b09e9bd61eb8cb4501a7de34ec1d 
 Type of error: User

The IP keeps changing and it keeps cutting off my session, aka every fail they get i have to relogin.

It's annoying.

willemjan · January 05, 2011, 08:26:31 AM

Please don't spam the forum with all those posts. I think this is indeed serious, and gave a hint to the support crew.

kat · January 05, 2011, 08:39:37 AM

Could just be script-kiddies trying to hack in.

They're obviously failing, so why worry?

Anyone can see your member's usernames.

That's step one they have sorted.

All they need, is their password. That's why it's good to have a fairly complicated password.

So, they try a load and, when they've exhausted that, they try someone else.

I guess it would help, a bit, if members have different display names to their actual usernames.

Not sure about that, though.

willerby · January 05, 2011, 08:48:20 AM

It's not the hacking its the constant logging out of a member who is legitimately online that is the issue. Each time they fail, the member gets logged out - not a great user experience.

Apologies for the previous posts, just needed some sort of response that this was on the radar

kat · January 05, 2011, 09:03:43 AM

You might solve that, by getting him to change his display name.

IchBin™ · January 05, 2011, 10:00:53 AM

This really is nothing to worry about. The logout problem might be able to be dealt with, but there's no need to panic about a bot trying to login. These types of things literally happen thousands of times on my server and forum every day. As long as you have strong passwords you shouldn't have to worry about them getting in.

azun4i · January 05, 2011, 10:05:38 AM

http://www.simplemachines.org/community/index.php?topic=415865.msg2902801#msg2902801

Remorker · January 05, 2011, 01:51:42 PM

1st Maybe he has a dynamic IP address, and accidentally logged every eight minutes.

2nd Maybe it comes to malicious bot?

-Remorker

willerby · January 05, 2011, 04:19:32 PM

Not sure if this is helpful, but after 24 hrs I seem to have stemmed the flow of log-out problems by banning each IP address as it appears. They appear to be limited in number and randomly used with some much more prevalent than others

For the benefit of others, they are:

81.218.219.122
199.48.147.35
208.66.135.190
109.169.29.56
82.228.252.20
213.112.111.205
199.48.147.45
199.48.147.41
192.251.226.206
80.62.217.18
213.239.192.229
174.36.199.202
95.143.193.145
83.226.245.207
92.9.221.213
192.251.226.205
199.48.147.42
174.36.199.200
195.71.226.87
74.106.17.110
173.193.221.28
155.239.155.200
92.241.184.106
68.71.46.138
199.48.147.39
174.138.169.218
178.63.246.164
178.78.255.254
199.48.147.43
83.170.92.9
174.36.199.201
94.75.253.73
89.208.237.70
89.253.105.39
204.8.156.142
83.142.228.14
78.42.9.166
71.244.55.170
62.141.53.224
199.48.147.36
199.48.147.38
209.159.142.164
188.40.51.2
199.48.147.40
91.213.50.235
83.220.133.86
24.247.220.16
193.198.207.8
79.136.50.205
87.126.133.230
217.19.50.77
83.168.210.55
71.198.26.88

At this point, the automated log-ins are no longer getting through despite repeated attempts. Hope this helps others facing this problem.

W

kat · January 05, 2011, 04:25:54 PM

I just checked-out ten, or so, of those IPs, at http://www.projecthoneypot.org.

Every one is a confirmed Spamtard.

For what it's worth, I've found this to be useful in the fight against bots.

http://english-72682862726.spampoison.com/

Dermot · January 05, 2011, 08:35:04 PM

Well yeah i noticed it's not a bad issue if you have a decent strength password

However having a lot of users who play arcade which need sessions to stay before they finish game to score right, it's annoying.

you spend 15 mins playing a game to find some bot killed your session and you lose that big score, not good.

I've implemented some suggestions, we'll see how they go.

Recaptcha support
Spam poison hook
Safehop support
httpBL

Thanks folks

eyo · January 06, 2011, 06:06:46 AM

the most annoying thing about smf is this logout thing

1cor1313 · January 06, 2011, 06:59:59 AM

Quote from: Dermot on January 05, 2011, 08:35:04 PM

Well yeah i noticed it's not a bad issue if you have a decent strength password

However having a lot of users who play arcade which need sessions to stay before they finish game to score right, it's annoying.

you spend 15 mins playing a game to find some bot killed your session and you lose that big score, not good.

I've implemented some suggestions, we'll see how they go.

Recaptcha support
Spam poison hook
Safehop support
httpBL

Thanks folks

I agree this is very annoying. Is there anyway to stop them from attempting to or at least automating it? A captcha on the login form would be nice

gallitin · January 07, 2011, 04:50:00 PM

Anyway to mass ban those ip addresses? Or do I have to manually add each one?

willerby · January 07, 2011, 05:10:05 PM

One at a time as far as I can tell...

and here are some more (the thing just keeps chugging away)

93.104.215.8
89.77.213.43
212.42.236.140
199.48.147.37
174.36.199.203
18.246.0.69
144.85.24.218
92.241.190.168
80.81.183.178
173.48.174.212
66.230.230.230
66.96.16.32
79.120.86.20
204.152.222.140
77.54.97.144
81.169.155.246
87.236.199.73
89.253.97.235
85.235.31.248
188.124.19.114
94.251.75.55
24.106.191.235
50.22.180.2
173.193.221.27
203.174.87.18
78.107.237.16
98.113.149.36

gallitin · January 07, 2011, 05:24:10 PM

Just installed this I'll let you know if working.

http://custom.simplemachines.org/mods/index.php?mod=2728

willerby · January 07, 2011, 05:48:17 PM

This mod could be my saviour - emulate RC3 and installs fine. Forces members to log-in using email address which screws the bot as these are hidden on my forum...

(Now testing)

http://custom.simplemachines.org/mods/index.php?mod=1665

gallitin · January 07, 2011, 05:55:10 PM

Doesn't force me to login with my e-mail address, what are you talking about?

willerby · January 07, 2011, 06:02:44 PM

Sorry, forgot to add the mod link - added above and here

http://custom.simplemachines.org/mods/index.php?mod=1665

SilverLining · January 07, 2011, 06:10:50 PM

Quote from: laetabi on January 07, 2011, 06:02:44 PM
Sorry, forgot to add the mod link - added above and here

http://custom.simplemachines.org/mods/index.php?mod=1665

Too bad that's not availible for RC4

willerby · January 07, 2011, 06:14:31 PM

Works on RC4 - after download, click advanced tab on Installed Packages and emulate RC3 - will then appear in installed packages list with an Install option and works straight out of the box

And so far doing the job... fingers crossed...

gallitin · January 07, 2011, 07:04:29 PM

Quote from: gallitin on January 07, 2011, 05:24:10 PM
Just installed this I'll let you know if working.

http://custom.simplemachines.org/mods/index.php?mod=2728

Tested. This fixed mine.

AZMazda3 · January 08, 2011, 12:03:45 PM

We've recently had the same issue the last two days, I'm going to ignore it for now. The most annoying thing was the abrupt loggin out of users online.

Brettflan · January 09, 2011, 04:20:20 PM

I've seen this happening now on 2 forums I have administrator access to. Here is a sampling of access log data for the attempts, as best I can tell:

Code Select

204.8.156.142 - - [08/Jan/2011:03:14:22 -0800]  "GET /?action=login2 HTTP/1.1" 200 2670 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
204.8.156.142 - - [08/Jan/2011:03:14:18 -0800]  "POST /?action=login2 HTTP/1.1" 200 2692 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
92.241.190.168 - - [08/Jan/2011:03:35:40 -0800]  "GET /?action=login2 HTTP/1.1" 200 2671 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.39 - - [08/Jan/2011:03:25:03 -0800]  "POST /?action=login2 HTTP/1.1" 200 2704 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
199.48.147.39 - - [08/Jan/2011:03:25:12 -0800]  "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
92.241.190.168 - - [08/Jan/2011:03:35:36 -0800]  "POST /?action=login2 HTTP/1.1" 200 2694 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
173.45.245.140 - - [08/Jan/2011:03:46:10 -0800]  "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
173.45.245.140 - - [08/Jan/2011:03:46:16 -0800]  "GET /?action=login2 HTTP/1.1" 200 2672 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
80.62.217.18 - - [08/Jan/2011:03:57:35 -0800]  "POST /?action=login2 HTTP/1.1" 200 2705 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
80.62.217.18 - - [08/Jan/2011:03:57:39 -0800]  "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
192.251.226.205 - - [08/Jan/2011:04:08:29 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
192.251.226.205 - - [08/Jan/2011:04:08:31 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
192.251.226.206 - - [08/Jan/2011:04:19:38 -0800]  "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
71.7.104.192 - - [08/Jan/2011:04:30:45 -0800]  "GET /?action=login2 HTTP/1.1" 200 2454 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
192.251.226.206 - - [08/Jan/2011:04:19:44 -0800]  "GET /?action=login2 HTTP/1.1" 200 2681 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
71.7.104.192 - - [08/Jan/2011:04:30:43 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
89.253.97.235 - - [08/Jan/2011:04:42:19 -0800]  "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
89.253.97.235 - - [08/Jan/2011:04:42:14 -0800]  "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.36 - - [08/Jan/2011:04:53:29 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.36 - - [08/Jan/2011:04:53:25 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
174.36.199.202 - - [08/Jan/2011:05:04:28 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
174.36.199.202 - - [08/Jan/2011:05:04:34 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
199.48.147.42 - - [08/Jan/2011:05:16:53 -0800]  "POST /?action=login2 HTTP/1.1" 499 0 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
178.33.149.173 - - [08/Jan/2011:05:26:40 -0800]  "POST /?action=login2 HTTP/1.1" 200 2695 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
178.33.149.173 - - [08/Jan/2011:05:26:46 -0800]  "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
192.251.226.206 - - [08/Jan/2011:05:38:11 -0800]  "GET /?action=login2 HTTP/1.1" 200 2678 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
193.25.5.68 - - [08/Jan/2011:05:38:04 -0800]  "POST /?action=login2 HTTP/1.1" 200 2701 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
83.142.228.14 - - [08/Jan/2011:05:49:53 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
83.142.228.14 - - [08/Jan/2011:05:49:45 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
78.56.131.222 - - [08/Jan/2011:06:00:28 -0800]  "GET /?action=login2 HTTP/1.1" 200 2775 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
78.56.131.222 - - [08/Jan/2011:06:00:23 -0800]  "POST /?action=login2 HTTP/1.1" 200 2796 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
173.193.221.27 - - [08/Jan/2011:06:22:13 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.41 - - [08/Jan/2011:06:11:52 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
199.48.147.41 - - [08/Jan/2011:06:12:04 -0800]  "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
173.193.221.27 - - [08/Jan/2011:06:22:17 -0800]  "GET /?action=login2 HTTP/1.1" 200 2674 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.35 - - [08/Jan/2011:06:33:05 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.35 - - [08/Jan/2011:06:33:11 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
192.251.226.206 - - [08/Jan/2011:06:44:18 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
192.251.226.206 - - [08/Jan/2011:06:44:23 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.36 - - [08/Jan/2011:06:54:53 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.36 - - [08/Jan/2011:06:55:00 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
95.143.193.145 - - [08/Jan/2011:07:05:47 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
95.143.193.145 - - [08/Jan/2011:07:05:51 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.38 - - [08/Jan/2011:07:16:43 -0800]  "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
199.48.147.38 - - [08/Jan/2011:07:16:49 -0800]  "GET /?action=login2 HTTP/1.1" 200 2680 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
204.8.156.142 - - [08/Jan/2011:03:14:22 -0800]  "GET /?action=login2 HTTP/1.1" 200 2670 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
204.8.156.142 - - [08/Jan/2011:03:14:18 -0800]  "POST /?action=login2 HTTP/1.1" 200 2692 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
92.241.190.168 - - [08/Jan/2011:03:35:40 -0800]  "GET /?action=login2 HTTP/1.1" 200 2671 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.39 - - [08/Jan/2011:03:25:03 -0800]  "POST /?action=login2 HTTP/1.1" 200 2704 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
199.48.147.39 - - [08/Jan/2011:03:25:12 -0800]  "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
92.241.190.168 - - [08/Jan/2011:03:35:36 -0800]  "POST /?action=login2 HTTP/1.1" 200 2694 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
173.45.245.140 - - [08/Jan/2011:03:46:10 -0800]  "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
173.45.245.140 - - [08/Jan/2011:03:46:16 -0800]  "GET /?action=login2 HTTP/1.1" 200 2672 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
80.62.217.18 - - [08/Jan/2011:03:57:35 -0800]  "POST /?action=login2 HTTP/1.1" 200 2705 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
80.62.217.18 - - [08/Jan/2011:03:57:39 -0800]  "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
192.251.226.205 - - [08/Jan/2011:04:08:29 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
192.251.226.205 - - [08/Jan/2011:04:08:31 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
192.251.226.206 - - [08/Jan/2011:04:19:38 -0800]  "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
71.7.104.192 - - [08/Jan/2011:04:30:45 -0800]  "GET /?action=login2 HTTP/1.1" 200 2454 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
192.251.226.206 - - [08/Jan/2011:04:19:44 -0800]  "GET /?action=login2 HTTP/1.1" 200 2681 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
71.7.104.192 - - [08/Jan/2011:04:30:43 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
89.253.97.235 - - [08/Jan/2011:04:42:19 -0800]  "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
89.253.97.235 - - [08/Jan/2011:04:42:14 -0800]  "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.36 - - [08/Jan/2011:04:53:29 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.36 - - [08/Jan/2011:04:53:25 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
174.36.199.202 - - [08/Jan/2011:05:04:28 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
174.36.199.202 - - [08/Jan/2011:05:04:34 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
199.48.147.42 - - [08/Jan/2011:05:16:53 -0800]  "POST /?action=login2 HTTP/1.1" 499 0 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
178.33.149.173 - - [08/Jan/2011:05:26:40 -0800]  "POST /?action=login2 HTTP/1.1" 200 2695 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
178.33.149.173 - - [08/Jan/2011:05:26:46 -0800]  "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
192.251.226.206 - - [08/Jan/2011:05:38:11 -0800]  "GET /?action=login2 HTTP/1.1" 200 2678 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
193.25.5.68 - - [08/Jan/2011:05:38:04 -0800]  "POST /?action=login2 HTTP/1.1" 200 2701 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
83.142.228.14 - - [08/Jan/2011:05:49:53 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
83.142.228.14 - - [08/Jan/2011:05:49:45 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
78.56.131.222 - - [08/Jan/2011:06:00:28 -0800]  "GET /?action=login2 HTTP/1.1" 200 2775 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
78.56.131.222 - - [08/Jan/2011:06:00:23 -0800]  "POST /?action=login2 HTTP/1.1" 200 2796 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
173.193.221.27 - - [08/Jan/2011:06:22:13 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.41 - - [08/Jan/2011:06:11:52 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
199.48.147.41 - - [08/Jan/2011:06:12:04 -0800]  "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
173.193.221.27 - - [08/Jan/2011:06:22:17 -0800]  "GET /?action=login2 HTTP/1.1" 200 2674 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.35 - - [08/Jan/2011:06:33:05 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.35 - - [08/Jan/2011:06:33:11 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
192.251.226.206 - - [08/Jan/2011:06:44:18 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
192.251.226.206 - - [08/Jan/2011:06:44:23 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.36 - - [08/Jan/2011:06:54:53 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.36 - - [08/Jan/2011:06:55:00 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
95.143.193.145 - - [08/Jan/2011:07:05:47 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
95.143.193.145 - - [08/Jan/2011:07:05:51 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.38 - - [08/Jan/2011:07:16:43 -0800]  "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
199.48.147.38 - - [08/Jan/2011:07:16:49 -0800]  "GET /?action=login2 HTTP/1.1" 200 2680 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
199.48.147.36 - - [08/Jan/2011:07:27:57 -0800]  "GET /?action=login2 HTTP/1.1" 200 2455 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
199.48.147.36 - - [08/Jan/2011:07:27:55 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
199.48.147.35 - - [08/Jan/2011:07:38:31 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.35 - - [08/Jan/2011:07:38:36 -0800]  "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
76.10.214.89 - - [08/Jan/2011:07:49:40 -0800]  "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
76.10.214.89 - - [08/Jan/2011:07:49:48 -0800]  "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
192.251.226.205 - - [08/Jan/2011:08:00:27 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

That "&bsa=check&member=1" bit seems out of place. I did a text search through the SMF source files and came up with 0 matches for "bsa". I think the full string ("&bsa=check&member=1") could potentially be an easy identifier for the bot in access log files. I notice otherwise it's providing a wide range of legitimate agent strings for a variety of real browsers, so the agent string isn't useful for identifying it.
Also, I notice it's consistently accessing "/?action=login2" on the forum in question, where apparently genuine login attempts are referring to "/index.php" rather than just "/", like so: "/index.php?action=login2" or "/index.php?PHPSESSID=[session_id]&action=login2". I wouldn't bet on that as a safe way to identify it, though.

I checked a few IPs from the full list of attempts and they were each on anonymizing proxies. I have no problem with blocking those, so I'll probably just go through the IPs and get a list of net ranges to block.

The way it's effectively logging users out is the annoying thing for me, as well. It doesn't look like a very effective brute-force method. Still, with their nets apparently spread so wide across a large number of forums, they'll probably get a few accounts out of it.

willerby · January 10, 2011, 02:51:43 AM

I've implemented the 'force email on login' mod referred to above and problem fixed in one hit with no need to block at IP address.

The bot uses the usernames of members to log-in. By switching to email address it can't log users off and eventually goes elsewhere.

mightygiants · January 19, 2011, 01:49:26 PM

Quote from: Brettflan on January 09, 2011, 04:20:20 PM
I've seen this happening now on 2 forums I have administrator access to. Here is a sampling of access log data for the attempts, as best I can tell:

Code Select Expand
204.8.156.142 - - [08/Jan/2011:03:14:22 -0800] "GET /?action=login2 HTTP/1.1" 200 2670 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 204.8.156.142 - - [08/Jan/2011:03:14:18 -0800] "POST /?action=login2 HTTP/1.1" 200 2692 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 92.241.190.168 - - [08/Jan/2011:03:35:40 -0800] "GET /?action=login2 HTTP/1.1" 200 2671 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.39 - - [08/Jan/2011:03:25:03 -0800] "POST /?action=login2 HTTP/1.1" 200 2704 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" 199.48.147.39 - - [08/Jan/2011:03:25:12 -0800] "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" 92.241.190.168 - - [08/Jan/2011:03:35:36 -0800] "POST /?action=login2 HTTP/1.1" 200 2694 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 173.45.245.140 - - [08/Jan/2011:03:46:10 -0800] "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 173.45.245.140 - - [08/Jan/2011:03:46:16 -0800] "GET /?action=login2 HTTP/1.1" 200 2672 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 80.62.217.18 - - [08/Jan/2011:03:57:35 -0800] "POST /?action=login2 HTTP/1.1" 200 2705 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 80.62.217.18 - - [08/Jan/2011:03:57:39 -0800] "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 192.251.226.205 - - [08/Jan/2011:04:08:29 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 192.251.226.205 - - [08/Jan/2011:04:08:31 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 192.251.226.206 - - [08/Jan/2011:04:19:38 -0800] "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 71.7.104.192 - - [08/Jan/2011:04:30:45 -0800] "GET /?action=login2 HTTP/1.1" 200 2454 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 192.251.226.206 - - [08/Jan/2011:04:19:44 -0800] "GET /?action=login2 HTTP/1.1" 200 2681 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 71.7.104.192 - - [08/Jan/2011:04:30:43 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 89.253.97.235 - - [08/Jan/2011:04:42:19 -0800] "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 89.253.97.235 - - [08/Jan/2011:04:42:14 -0800] "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.36 - - [08/Jan/2011:04:53:29 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.36 - - [08/Jan/2011:04:53:25 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 174.36.199.202 - - [08/Jan/2011:05:04:28 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 174.36.199.202 - - [08/Jan/2011:05:04:34 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 199.48.147.42 - - [08/Jan/2011:05:16:53 -0800] "POST /?action=login2 HTTP/1.1" 499 0 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 178.33.149.173 - - [08/Jan/2011:05:26:40 -0800] "POST /?action=login2 HTTP/1.1" 200 2695 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 178.33.149.173 - - [08/Jan/2011:05:26:46 -0800] "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 192.251.226.206 - - [08/Jan/2011:05:38:11 -0800] "GET /?action=login2 HTTP/1.1" 200 2678 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 193.25.5.68 - - [08/Jan/2011:05:38:04 -0800] "POST /?action=login2 HTTP/1.1" 200 2701 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 83.142.228.14 - - [08/Jan/2011:05:49:53 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 83.142.228.14 - - [08/Jan/2011:05:49:45 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 78.56.131.222 - - [08/Jan/2011:06:00:28 -0800] "GET /?action=login2 HTTP/1.1" 200 2775 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 78.56.131.222 - - [08/Jan/2011:06:00:23 -0800] "POST /?action=login2 HTTP/1.1" 200 2796 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 173.193.221.27 - - [08/Jan/2011:06:22:13 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.41 - - [08/Jan/2011:06:11:52 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 199.48.147.41 - - [08/Jan/2011:06:12:04 -0800] "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 173.193.221.27 - - [08/Jan/2011:06:22:17 -0800] "GET /?action=login2 HTTP/1.1" 200 2674 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.35 - - [08/Jan/2011:06:33:05 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.35 - - [08/Jan/2011:06:33:11 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 192.251.226.206 - - [08/Jan/2011:06:44:18 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 192.251.226.206 - - [08/Jan/2011:06:44:23 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.36 - - [08/Jan/2011:06:54:53 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.36 - - [08/Jan/2011:06:55:00 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 95.143.193.145 - - [08/Jan/2011:07:05:47 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 95.143.193.145 - - [08/Jan/2011:07:05:51 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.38 - - [08/Jan/2011:07:16:43 -0800] "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 199.48.147.38 - - [08/Jan/2011:07:16:49 -0800] "GET /?action=login2 HTTP/1.1" 200 2680 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 204.8.156.142 - - [08/Jan/2011:03:14:22 -0800] "GET /?action=login2 HTTP/1.1" 200 2670 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 204.8.156.142 - - [08/Jan/2011:03:14:18 -0800] "POST /?action=login2 HTTP/1.1" 200 2692 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 92.241.190.168 - - [08/Jan/2011:03:35:40 -0800] "GET /?action=login2 HTTP/1.1" 200 2671 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.39 - - [08/Jan/2011:03:25:03 -0800] "POST /?action=login2 HTTP/1.1" 200 2704 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" 199.48.147.39 - - [08/Jan/2011:03:25:12 -0800] "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" 92.241.190.168 - - [08/Jan/2011:03:35:36 -0800] "POST /?action=login2 HTTP/1.1" 200 2694 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 173.45.245.140 - - [08/Jan/2011:03:46:10 -0800] "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 173.45.245.140 - - [08/Jan/2011:03:46:16 -0800] "GET /?action=login2 HTTP/1.1" 200 2672 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 80.62.217.18 - - [08/Jan/2011:03:57:35 -0800] "POST /?action=login2 HTTP/1.1" 200 2705 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 80.62.217.18 - - [08/Jan/2011:03:57:39 -0800] "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 192.251.226.205 - - [08/Jan/2011:04:08:29 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 192.251.226.205 - - [08/Jan/2011:04:08:31 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 192.251.226.206 - - [08/Jan/2011:04:19:38 -0800] "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 71.7.104.192 - - [08/Jan/2011:04:30:45 -0800] "GET /?action=login2 HTTP/1.1" 200 2454 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 192.251.226.206 - - [08/Jan/2011:04:19:44 -0800] "GET /?action=login2 HTTP/1.1" 200 2681 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 71.7.104.192 - - [08/Jan/2011:04:30:43 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 89.253.97.235 - - [08/Jan/2011:04:42:19 -0800] "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 89.253.97.235 - - [08/Jan/2011:04:42:14 -0800] "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.36 - - [08/Jan/2011:04:53:29 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.36 - - [08/Jan/2011:04:53:25 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 174.36.199.202 - - [08/Jan/2011:05:04:28 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 174.36.199.202 - - [08/Jan/2011:05:04:34 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 199.48.147.42 - - [08/Jan/2011:05:16:53 -0800] "POST /?action=login2 HTTP/1.1" 499 0 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 178.33.149.173 - - [08/Jan/2011:05:26:40 -0800] "POST /?action=login2 HTTP/1.1" 200 2695 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 178.33.149.173 - - [08/Jan/2011:05:26:46 -0800] "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 192.251.226.206 - - [08/Jan/2011:05:38:11 -0800] "GET /?action=login2 HTTP/1.1" 200 2678 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 193.25.5.68 - - [08/Jan/2011:05:38:04 -0800] "POST /?action=login2 HTTP/1.1" 200 2701 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 83.142.228.14 - - [08/Jan/2011:05:49:53 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 83.142.228.14 - - [08/Jan/2011:05:49:45 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 78.56.131.222 - - [08/Jan/2011:06:00:28 -0800] "GET /?action=login2 HTTP/1.1" 200 2775 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 78.56.131.222 - - [08/Jan/2011:06:00:23 -0800] "POST /?action=login2 HTTP/1.1" 200 2796 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 173.193.221.27 - - [08/Jan/2011:06:22:13 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.41 - - [08/Jan/2011:06:11:52 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 199.48.147.41 - - [08/Jan/2011:06:12:04 -0800] "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 173.193.221.27 - - [08/Jan/2011:06:22:17 -0800] "GET /?action=login2 HTTP/1.1" 200 2674 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.35 - - [08/Jan/2011:06:33:05 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.35 - - [08/Jan/2011:06:33:11 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 192.251.226.206 - - [08/Jan/2011:06:44:18 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 192.251.226.206 - - [08/Jan/2011:06:44:23 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.36 - - [08/Jan/2011:06:54:53 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.36 - - [08/Jan/2011:06:55:00 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 95.143.193.145 - - [08/Jan/2011:07:05:47 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 95.143.193.145 - - [08/Jan/2011:07:05:51 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.38 - - [08/Jan/2011:07:16:43 -0800] "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 199.48.147.38 - - [08/Jan/2011:07:16:49 -0800] "GET /?action=login2 HTTP/1.1" 200 2680 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 199.48.147.36 - - [08/Jan/2011:07:27:57 -0800] "GET /?action=login2 HTTP/1.1" 200 2455 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 199.48.147.36 - - [08/Jan/2011:07:27:55 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 199.48.147.35 - - [08/Jan/2011:07:38:31 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.35 - - [08/Jan/2011:07:38:36 -0800] "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 76.10.214.89 - - [08/Jan/2011:07:49:40 -0800] "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 76.10.214.89 - - [08/Jan/2011:07:49:48 -0800] "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 192.251.226.205 - - [08/Jan/2011:08:00:27 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

That "&bsa=check&member=1" bit seems out of place. I did a text search through the SMF source files and came up with 0 matches for "bsa". I think the full string ("&bsa=check&member=1") could potentially be an easy identifier for the bot in access log files. I notice otherwise it's providing a wide range of legitimate agent strings for a variety of real browsers, so the agent string isn't useful for identifying it.
Also, I notice it's consistently accessing "/?action=login2" on the forum in question, where apparently genuine login attempts are referring to "/index.php" rather than just "/", like so: "/index.php?action=login2" or "/index.php?PHPSESSID=[session_id]&action=login2". I wouldn't bet on that as a safe way to identify it, though.

I checked a few IPs from the full list of attempts and they were each on anonymizing proxies. I have no problem with blocking those, so I'll probably just go through the IPs and get a list of net ranges to block.

The way it's effectively logging users out is the annoying thing for me, as well. It doesn't look like a very effective brute-force method. Still, with their nets apparently spread so wide across a large number of forums, they'll probably get a few accounts out of it.

Is there a way to use this information to create a line in the .htaccess file to block them?

IchBin™ · January 19, 2011, 01:52:17 PM

Not just a line, but multiple lines yes. You just add it to an .htaccess file.

Code Select

order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all

Just add each IP to a separate line in the same manner as above.

mightygiants · January 19, 2011, 02:02:04 PM

Quote from: IchBin™ on January 19, 2011, 01:52:17 PM
Not just a line, but multiple lines yes. You just add it to an .htaccess file.

Code Select Expand
order allow,deny deny from 123.45.6.7 deny from 012.34.5. allow from all

Just add each IP to a separate line in the same manner as above.

Thank you, I was hoping not to bog down the server with a long list of IP addresses to deny.

Blah blah · January 21, 2011, 02:57:04 PM

Anybody have the cb emaillogin 0.2 so I can fix this problem in 2.0rc 1.2?

roonekoos · February 16, 2011, 09:26:15 AM

I have a lot of attacks and block them in the .Htacces file but it is really getting crazy

News:

Help~ Error Log - multiple attempts to access?

kat

kat

kat