Guest trying to login to multiple accounts

[SnowWidow]

I noticed the past couple days that guests are trying to login to my forum. I click on their IP and they are trying to login using various member's accounts but get the incorrect password error. I know this is NOT the member they are trying to log in as (one was my account).

Password incorrect - s*****
?action=login2

Some of the IPs are trying various accounts right after another.

Is this just a bot or should I be worried?

[Mari-chi]

Most likely they are just bots. It is recommended that you upgrade to RC5, or at least apply the security patch for RC4.

Some other bot/spam preventative measures:

• Stop Spammer
• httpBL

[SnowWidow]

I did install the security patch this morning, but I had one "guest" try to login to another account since then. (again, I know it is not that actual member)

[Road Rash Jr.]

Spyder bots do not normaly try to access user accounts. All they're interested in is website or forum content.

If they are trying to access member accounts it's a melicious bot or human, I would ban the IP address either from SMF or better yet from your CPanel.

[SnowWidow]

I've been banning as I see them. They are very random. So far these are the ones just from the past hour or so:

77.255.46.241         
192.251.226.206            
188.162.176.114            
94.19.191.183         

[Mari-chi]

As I said, installing those mods will help reduce that significantly. If I remember correctly, httpBL actually blocks users with reportedly malicious IPs/usernames/e-mails before they can even see your page. You can even configure the setting via your ACP so that any reported IPs that haven't had any "malicious activity" in 'x' number of days can access your forum as a regular guest/member can.

[jhaywod]

We have been experiencing the same issues on our forum since Tuesday, February 8th 2011. So far our ban trigger for these login attempts is up to 58 IP addresses.

A little research has shown a lot of the IP's are included in known SPAM blacklists so they malicious attempts at gaining access to your site. We just upgraded to SMF RC5 today and I am hoping this will help with the issues a little bit. Aside from this I don't know of any other action that can be taken other then the actions stated before and that is to add the IP's to your SMF ban list and to your server IP ban list.

[Road Rash Jr.]

@ jhaywod

I could be wrong but from what I've read about RC 5 there is nothing added that would help with this issue.
Yes there was some security changes but I've read this is mostly for SSI issues which isn't related to spammers attempting access through member accounts.
Forums are social networks and sadly not everyone it attracts are very sociable.
If you want to keep spammers and unwanted bots at bay, the steps Mari-chi suggests are the way to go.

[Aoife]

I just started having this issue today - my members are getting notifications of failed login attempts when and the attempts are coming from multiple IP addresses. I installed the RC4 patch 2 days ago and this just started today. It's been reported to Project Honey Pot on at least one of the IP addresses.

Very worrisome and my members are quite upset, as am I.


UPDATE: I shut down our forums as more members, including myself, were getting the notifications.

[sheryltoo]

I seemed to have started this problem yesterday so I updated to RC 4 and added the security patch but it's still happening.
I installed the stop spammer mod but I'm confused about the honeyspot mod so I'm waiting for some help on that one.

[Suki]

please take a look at this topic:  http://www.simplemachines.org/community/index.php?topic=416928.0;topicseen   it contains more info about this issue.

[Norv]

Please see also, for further information and options,
Simple Machines Forums attacks