heads up Bots attempting to log into forum using every user that ever posted

Started by winelf, February 12, 2011, 12:36:46 AM


winelf

Heads up: bots attempting to log into my Simple Machines forum using every user that ever posted.
My error log is now up to eight pages. If you have a way to block them, the IPs the bot is using are

hope this helps
We are Murphy's children.
If it can go wrong it will
Other's cups runnith over
Ours will always spill

ACAMS

Call the police......somebody stole about 3/4 of your list!

Actually, bad behaviour mod and changing to email login stops them.

winelf

They are not trying to register, they are using the names of registered users they mine off the forum and attempting to log in as them by guessing at the password.

more IPs bots are using to try and log in as previously registered users

Illori

there are several threads on this forum about this issue, do a search and you will find some mods you can install to help.

winelf

Thank you!! I'll do that because they are still trying. Additional IPs in error log are:


winelf

Illori,
I searched using the word "hacker" and only found an SSH login mod. I doubt anyone is listening - they are using bots to try and log in as each user, pounding the site in hopes of finding a password that works. What I need is a mod that does something like lock an account if three attempts are made to log in with the wrong password. The software would then send the user an email with a pre-password and a link to a re-enable page where they must type in not only the pre-password but their existing one to log in.
OR ???
What term would you suggest I search on??
thanks

winelf

Thank you so much!! I had login attempts set to three before account locked. The bots just waited twelve hours and started at it again.
I just made the board so you can't see it if you're not logged in. Thus it will be hard to mine user names. If the bots haven't saved them the attack should be over soon.
I like the IP thing - but it would be nasty when I have to travel for work and I forget to change it :} I'll probably install it though - better safe than sorry!
thanks sooooooooooooo much!!

winelf

Thank you so much!!! I have started a ban list with those my host hasn't yet banned. I think I'll send them a link to this discussion so they realize it is not just my forum but a whole lot of forums getting hacked.
Thanks again!!!

YogiBear

I have found using a screen name different from the sign-in name confounds these wretched robots which are plaguing me at the moment.
SMF v2.1.4  Mods : Snow & Garland v1.4, Simple Image Upload v2.0.0,  PHP  v.8.1

b4pjoe

Quote from: Illori on February 12, 2011, 03:11:28 PM
http://www.simplemachines.org/community/index.php?topic=416928.0

The mods listed in this thread worked for a couple of weeks but starting 2 or 3 days ago they are hitting my forum with a vengeance again. The htaccess list posted there has slowed them somewhat but I'm still getting a few failed log ins every hour. Supposedly this is fixed in SMF 1.1.13 and SMF 2.0 RC5 so I'm planning to do that upgrade tomorrow.

krick

The same thing is happening to my server.  They seem to hit a random user using a random IP address, roughly once every 5 minutes.

Tamianth

Yup, they are hitting us also like this. I did go a few steps further though due to the password cracking attempts, and some of these IPs are being used and abused through Tor nodes. Can't have any sympathy for them if they allow or use those, unfortunately. The majority of them are known spammer IPs and show up in Stop Forum Spam and/or Project Honey Pot though. There are other sources to check also: botscout, ippillion, can spam, spam cops etc. Google things like IP and you get a very good result for the most part. I always check new sign-ups no matter how well protected we try to be. It only takes one of these duds to get through and you spend hours cleaning up! Some not as bad as others.

And what's with the who is ARIN? 90% of the time it doesn't work anymore, I've been running DNS goodies to get ARIN ISPs ..

~kathy

krick

I just added a giant list of "deny from" entries to my .htaccess to block the entire torservers network.  Hopefully, it will help.

This is the post where I found the list...

http://www.simplemachines.org/community/index.php?topic=416928.msg2949234#msg2949234


I've been using the Anti-Spam Verification Questions for SMF mod for quite some time, and it's amazing how much spam is stopped by a simple question on the registration page.

Astra_200

These things are hitting me too every 5 mins. I'm using RC4 with security upgrade.

They are not trying to register as new members...

They are going through all the existing members one at a time trying to log on as them. Maybe they use a system to guess passwords?

The IPs are coming from all over the place: Germany, Italy, Sweden, Russia, Tor servers, and many more.

Never had this problem before, so until I find a fix my forum is in maintenance mode.

Is this really something that is fixed in RC5? Is it actually an SMF bug? Can't really see how.

Kindred

The fact that users are getting logged out by the attempts is fixed.

The fact that the attempts are happening is not something that SMF can do anything about.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

青山 素子

Quote from: Astral2000 on February 14, 2011, 06:43:16 AM
Never had this problem before, so until I find a fix my forum is in maintenance mode.

The only fix is to deny everyone the ability to login. Potentially, you could create some kind of stateful system that bans IPs if they try too many times, kinda like fail2ban. That, however, is beyond what SMF should ship with and is also likely to cause legitimate users to get banned at the best of times.


Quote from: Astral2000 on February 14, 2011, 06:43:16 AM
Is this really something that is fixed in RC5? Is it actually an SMF bug? Can't really see how.

The fix is to prevent existing logged-in sessions from being logged out by the brute-force login attempts.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
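
The per-IP counting a fail2ban-style ban relies on, run over the pattern reported in this thread (one guess per account from a different IP roughly every 5 minutes, in guest-visible posting order), beside a count taken across all IPs. This is an added example, not part of the thread and not SMF code; the log tuples, names, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: names are made up, IPs are RFC 5737 documentation
# addresses. PUBLIC_ORDER stands for the poster order a guest can see.
PUBLIC_ORDER = [f"member{i:02d}" for i in range(12)]
START = datetime(2011, 2, 14, 0, 0)

def sample_failures():
    """(time, ip, username) failed logins: one guess per account every
    5 minutes, each from a new IP, plus one member mistyping 3 times."""
    bot = [(START + timedelta(minutes=5 * i), f"198.51.100.{10 + i}", u)
           for i, u in enumerate(PUBLIC_ORDER)]
    typo = [(START + timedelta(minutes=7, seconds=s), "203.0.113.5", "alice")
            for s in (0, 20, 40)]
    return sorted(bot + typo)

def per_ip_bans(events, max_failures=3):
    """fail2ban-style rule: ban any IP with max_failures failed logins."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= max_failures}

def distributed_alerts(events, window=timedelta(hours=1),
                       min_accounts=8, min_ips=8):
    """Flag windows in which many accounts fail from many different IPs."""
    buckets = defaultdict(lambda: (set(), set()))
    for ts, ip, user in events:
        key = START + ((ts - START) // window) * window
        accounts, ips = buckets[key]
        accounts.add(user)
        ips.add(ip)
    return [(key, len(a), len(i)) for key, (a, i) in sorted(buckets.items())
            if len(a) >= min_accounts and len(i) >= min_ips]

def follows_public_order(events, public_order):
    """True if the targeted accounts appear in the guest-visible order."""
    rank = {name: n for n, name in enumerate(public_order)}
    seen = [rank[u] for _, _, u in events if u in rank]
    return len(seen) > 1 and seen == sorted(seen)

if __name__ == "__main__":
    ev = sample_failures()
    print(per_ip_bans(ev), distributed_alerts(ev),
          follows_public_order(ev, PUBLIC_ORDER))
```

On the sample, the per-IP rule bans only the member who mistyped a password, while the window count flags the hour in which 13 accounts failed from 13 addresses.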


lyndonaus

Quote from: Tamianth on February 14, 2011, 12:26:04 AM
Yup, they are hitting us also like this. I did go a few steps further though due to the password cracking attempts, and some of these IPs are being used and abused through Tor nodes. Can't have any sympathy for them if they allow or use those, unfortunately. The majority of them are known spammer IPs and show up in Stop Forum Spam and/or Project Honey Pot though. There are other sources to check also: botscout, ippillion, can spam, spam cops etc. Google things like IP and you get a very good result for the most part. I always check new sign-ups no matter how well protected we try to be. It only takes one of these duds to get through and you spend hours cleaning up! Some not as bad as others.

And what's with the who is ARIN? 90% of the time it doesn't work anymore, I've been running DNS goodies to get ARIN ISPs ..

Our forum has experienced the same problem since last weekend. I only discovered it when I checked the forum error log and discovered a list of failed log-ins. I quickly realized that the list order was the same as the postings order which is visible to guests.
Since then, I have been putting a ban on the IPs which are not behind a Tor node and used random letters for the username in the banlist.
I am still having the same problem but now they are only from Tor nodes, but the thing that really pleases me is the list of "Sorry guest, you are banned from this forum" messages appearing in the error log when these idiots return to try to break in.

Any thoughts how to handle those behind the Tor servers?
lyndonaus
PS: I have just read about htaccess lists, so I guess that's the way to go.
What is the go with ARIN?

Tamianth

It's looking like it's down to the last of it. I only caught two today in the logs and this was 2 days' worth of them. I ban the Tor nodes/IPs also. As I mentioned above, members and staff come first. It is unfortunate that if an ISP chooses to allow this access by Tor that some normal folks would not have access to a particular forum, but most of them tend to be spam IPs to begin with I found, most of them listed with bot scout, project honey pot, can spam, spam cops etc.
~kathy
