Brute Force Spambots attack out of Russia

Started by drjoe101, December 16, 2014, 07:59:01 PM


drjoe101

Our SMF board appears to have been hit by spambots originating from Russia and using nodes throughout the world, including the US. We have put up a firewall using hxxp:www.sucuri.net to block the attacks, but it is possible that the board has been infected with malware that is continuing to operate now independently, without needing to be connected elsewhere.

What appears to be happening is that every time someone posts on the forum, a new bogus member is created awaiting activation. All of the new members have been registered using the IP address 142.4.218.132. Anybody who posts is also assigned that IP address, which essentially eliminates the ability to just create a ban trigger for it. Banning the IP address actually banned both the Admin as well as the guest account.

Just wondering if anyone else has encountered this at all? I have refreshed all of the program files but the problem has not gone away. Wondering if a creation and restore of the database might work, but in all likelihood the restore would just carry the malware over. (Though not sure exactly how malware could be lodged into the database itself.)

Any help or insights would be appreciated... thank you
PS: where does one actually find the guest account in the database?

Black Tiger

If there is malware, it is likely that it is in one or more of the forum files.
Via that way, it is in fact possible to infect your database too and then some.
If you are on a shared hosting account, it would be wise to compare your files to original files to see if they are compromised somewhere.

The IP is from some hosting in Canada, by the way.
Greetings, Black Tiger

Black Tiger

Oh LoL, sorry... the IP is from the firewall you have put up, cloudproxy434-eth0.sucuri.net.

I guess it's not working nicely with SMF. You might better remove that and block Russian IPs via the .htaccess file.
Greetings, Black Tiger
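The point Black Tiger lands on here is the classic reverse-proxy symptom: once a cloud WAF such as Sucuri CloudProxy sits in front of the origin, every connection the web server sees comes from the proxy's own address, so registrations, posts and bans all collapse onto one IP. The fix is to recover the client address from the X-Forwarded-For header, but only when the direct peer really is one of your proxies, because anyone who can reach the origin directly can send an arbitrary header. The block below is an added example and not SMF's, Sucuri's or the poster's code; the proxy ranges and request samples are constructed placeholders (RFC 5737 documentation addresses), and whatever "trusted reverse proxy" setting your forum exposes should be configured to do the equivalent.

```python
"""Recover the real client address behind a reverse proxy.

Added example, not SMF or Sucuri code. Assumptions: the proxy appends the
client address to X-Forwarded-For, and TRUSTED_PROXIES lists the proxy's
egress ranges (placeholders here; use the ranges your WAF vendor publishes).
"""
import ipaddress

# Placeholder proxy ranges (RFC 5737 documentation nets, assumed for the example).
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def is_trusted_proxy(ip):
    """True if ip falls inside one of the configured proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=None):
    """Return the address to log, rate-limit or ban for one request.

    If REMOTE_ADDR is not one of our proxies the header is attacker-controlled
    input and is ignored. Otherwise walk X-Forwarded-For from the right (the
    hop nearest to us), skipping our own proxies; the first hop we do not
    trust is the client. Anything the client prepended itself is never reached.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Malformed hop: fall back to the proxy address rather than
            # recording (and later banning) an attacker-chosen string.
            return remote_addr
        if not is_trusted_proxy(hop):
            return hop
    # Header empty or every hop was our own proxy: nothing better available.
    return remote_addr


# Constructed sample registrations as the origin would see them.
SAMPLE_REQUESTS = [
    {"remote_addr": "203.0.113.44", "xff": "192.0.2.10"},               # member via proxy
    {"remote_addr": "203.0.113.44", "xff": "192.0.2.77, 203.0.113.9"},  # two proxy hops
    {"remote_addr": "203.0.113.45", "xff": "10.0.0.1, 192.0.2.77"},     # client prepended a fake hop
    {"remote_addr": "192.0.2.200", "xff": "203.0.113.44"},              # direct hit, forged header
]


def registrations_by_ip(requests):
    """Count registrations per real client address; this is what a ban should key on."""
    counts = {}
    for req in requests:
        ip = client_ip(req["remote_addr"], req.get("xff"))
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    naive = {}
    for req in SAMPLE_REQUESTS:
        naive[req["remote_addr"]] = naive.get(req["remote_addr"], 0) + 1
    print("keyed on REMOTE_ADDR (what the poster saw):", naive)
    print("keyed on resolved client IP:", registrations_by_ip(SAMPLE_REQUESTS))
```

Two behaviours are worth noting: the third sample shows that a spammer who prepends a fake hop to the header still resolves to the address the proxy actually saw, and the fourth shows that a request arriving at the origin without passing through the proxy is attributed to its real source no matter what header it carries. The second case is exactly how drjoe101's later suspicion (attackers using the cached origin IP) would show up in the logs.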

drjoe101

Thanks for your reply. Duh! Of course, the firewall. Just noticed another previous post that talked about the current wave of attacks against a variety of different forums. I have changed the challenge questions and implemented the KeyCaptcha mod to see if I can thwart some of the damage.

Not sure how they are managing to still get through the firewall... perhaps they have the actual IP cached and are using that instead of the DNS.

Black Tiger

Did you already try a Russian .htaccess block?
Have a look here if you want. At the lower part of the page you see what you can copy and paste into a .htaccess file.

Changing questions and KeyCaptcha is nice; you might try Misc Anti Spam too.
Greetings, Black Tiger

Kindred

Banning IPs and using a firewall like that is basically pointless... The spammers are using distributed access points.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Black Tiger

Pointless? Depends on how you do it and where the attacks are coming from, Kindred. I was not talking about banning IPs but banning a complete country, which can be easily done this way.
We had lots of problems from Asian and Brazilian spammers already years ago, in spite of anti-spam measures (good things like StopForumSpam were not invented yet), so I used the .htaccess to block various Asian countries by IP. They can distribute what they want, but as long as it's coming from the blocked country, they won't get in.
I've been using this method for years already and it works perfectly, provided you don't block too many countries of course. But it's not to be used as the main effort to block spam.

Of course I agree with you that the best effort is to start with anti-spam measures like Arantor's mod and things like StopForumSpam.

But in his case, if all spam is indeed only or mainly coming from Russia and he is already using anti-spam, blocking Russia would probably also work well. In addition to anti-spam mods, of course.
Greetings, Black Tiger
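For the country block suggested in this post and in Black Tiger's earlier reply, this is what the copy-and-paste fragment looks like in Apache 2.4 syntax (with a 2.2 fallback). It is an added example, not the list from the page Black Tiger linked: the CIDRs are RFC 5737 documentation placeholders and must be replaced with a current allocation export for the country in question, refreshed on a schedule, since address blocks move between registries.

```apache
# Added example, not the linked page's list. Deny a set of address ranges from
# .htaccess. The CIDRs are RFC 5737 placeholders; substitute a current, regularly
# refreshed country allocation list.
<IfModule mod_authz_core.c>
    # Apache 2.4: every Require must pass, so "all granted" plus each "not ip".
    <RequireAll>
        Require all granted
        Require not ip 192.0.2.0/24
        Require not ip 198.51.100.0/24
        Require not ip 203.0.113.0/24
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 equivalent.
    Order allow,deny
    Allow from all
    Deny from 192.0.2.0/24
    Deny from 198.51.100.0/24
    Deny from 203.0.113.0/24
</IfModule>
```

One caveat ties this back to the thread's first problem: `Require ip` and `Deny from` match the connecting peer, so behind a proxy such as Sucuri they would see the proxy's address and either do nothing or lock everyone out, exactly as the IP ban did. On Apache 2.4 the origin needs mod_remoteip (`RemoteIPHeader X-Forwarded-For` plus `RemoteIPTrustedProxy` entries for the proxy's ranges) configured in the virtual host, not in .htaccess, before these directives see real client addresses.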

Arantor

And such people never ever use VPNs or anything...

Kindred

Or they use proxies from different countries? Or zombie sites that they have taken over in the EU or US?

Black Tiger

Maybe you missed those lines. ;)
Quote: "Depends on how you do it and where the attacks are coming from, Kindred"
Where they are coming from....

Quote: "They can distribute what they want, but as long as it's coming from the blocked country, they won't get in."
Coming from the blocked country.

Of course if it's coming from various countries, it has no or little effect. But drjoe was talking Russia mainly.
Greetings, Black Tiger

Kindred

Black Tiger... if they are using proxies or zombies, then they would appear to be coming from THAT location... not their real location. That is the entire POINT of creating zombie sites.

Black Tiger

Yes, I know that too. I know what proxies and zombies are.
But in those cases it's mostly a distributed attack which comes from several countries, or appears to be coming from several countries.
By the way, since zombies are infected PCs or servers, the zombies have real locations themselves.

What I'm trying to explain is that .htaccess could be useful in -some- cases and is thus not completely pointless.
At least I'm happy with it. Since our Asian block and a Yahoo email block, years ago when there were no anti-spam measures except maybe for a captcha, our spam registrations went from 100 to 1%.

Nowadays there are also other kinds of attacks, like the ones you mention. And that's why I agreed with you that something else should be used as the main spam protection.

I only disagree that a .htaccess block would be completely pointless. In some cases it can be a useful addition.
Greetings, Black Tiger

Kindred

I never said "completely pointless".
I said "basically pointless". :D

Also, there are those of us who run international forums, so blocking an entire country because a few spammers come from there would end up blocking real users as well.

Black Tiger

You're quite correct, you said "basically". :) And we agree.

For the same reason, except for the firewall, I almost can't do anything against the flood of FTP and SMTP attacks on our servers coming from Russia and Ukraine mainly. Several of our customers have customers over there. We can only have the firewall do temporary blocks.
Greetings, Black Tiger

Deaks

dr, I have marked this as solved as you have not responded to any of the replies in over a month; if you feel this is in error, please update us on what else you have tried. For what it's worth, a site I admin on had been hit by Russian spammers. I found the best bet was banning the usernames and changing the passwords of the spam accounts, as well as adding more questions to the question pool.
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."
