Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM

b4pjoe

Quote from: 青山 素子 on January 16, 2011, 12:42:35 AM
I just installed the httpBL modification recently on two of the boards I manage. It seems to work very well. You might want to try it out.

* 青山 素子 is an active contributor to Project Honeypot with 6 HoneyPots and 5 MX records donated.

I've installed this and it is detecting some spam bots...but not the ones trying to log in with members user names.

bluecar1

Quote from: ACAMS on January 15, 2011, 10:41:16 PM
Quote from: bluecar1 on January 14, 2011, 05:48:10 PM
acams,

could you clarify which IPs are the main causes of the logging out issues?

is it all in your HTACCESS list or just some?

thanks

BC1

Most of the ones in the bottom half of my list, I got the top half from Dermot


Here is my list now

acams,

keep an eye out for

62.24.222.132
62.24.222.131

it appears the TT bots are now using these addresses,

can you let me know if you see them and if they cause the logging out issues, thanks

Kindred

since installing the bad behavior, stop forum spammers and honeypot mods, I have cut my spammers to zero in the last 2 days. The mods have caught 50 of them at registration so far... and none of the newly registered users in that time has posted any spam, so it is looking successful.

And I have not had any logout problems either...
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

b4pjoe

Quote from: Kindred on January 17, 2011, 11:33:04 AM
since installing the bad behavior, stop forum spammers and honeypot mods, I have cut my spammers to zero in the last 2 days. The mods have caught 50 of them at registration so far... and none of the newly registered users in that time has posted any spam, so it is looking successful.

And I have not had any logout problems either...

Success! After installing all three it seems to have stopped the spammers dead in their tracks! Thanks for all of the help.

bork

I've installed the 3 mods as suggested (Mod http:BL, Stop Forum Spam and Bad Behaviour) and the three together are blocking a huge amount of malicious activity.

However, I'm still getting a lot of users being logged out.

Looking at the user log, a lot of the IPs involved are present on the Stop Forum Spam database, but the SFP mod only blocks them if they try to register, not if they try to login.

Can anyone suggest any other way to block these IPs or even a mod that makes banning them from the user log faster?

Kindred

Unfortunately, the only way I've been able to handle those is by manually scanning the logs once a day and adding the obvious account attempts to the spammer-ban trigger. After about a week and 30 or so new IPs added to the ban, the hack-attempts have petered out.

bork

Quote from: Kindred on February 09, 2011, 10:36:57 AM
adding the obvious account attempts to the spammer-ban trigger.

Do you mean adding them manually as bans using the forum admin "add new ban" page? Is there any easy way of adding them in bulk as it's very time-consuming adding them one at a time.

I'm currently getting my virtual host provider to firewall them.

Kindred

well, I add them all as new triggers to one ban group (I open two windows - one with the error log and one with the Ban trigger)

Unfortunately, I have not found a good way to do it in bulk... 

Aleksi "Lex" Kilpinen

If it's IP addresses only that you are blocking, would probably be easier to block them on server level, before they ever get to SMF, so saving some resources and making it easier to block them multiple at a time.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas


willerby

The most effective mod for this particular attack is called something like 'force email log-in'.

By requiring users to use their (usually) hidden email address instead of their forum userId the spambot can't trigger a log-out.

Keep using the spambot / antispam software too as it just makes sense.
What type of washing machine is September?

An autumnatic. :)

bork


Thanks, that mod does look excellent - it's just whether I can force the change on my users! I guess after a few days they'd be used to it and if it stops them getting logged out in the middle of posting then they'll probably be converted.

It's been interesting installing the Bad Behaviour/Mod http:BL/Stop Forum Spam mod combo - I've been shocked at the sheer amount of malicious activity on the forums - overnight nearly 1000 IPs were blocked by these mods;  over a whole year the amount will be massive.

Kindred

well, the numbers will level out and die-down, as your logs get up to date with the Spammers and they start hitting a wall.

Roph

Hopefully in 2.0 final we could have an option to require a captcha for logins.

busterone

Bots have already broken captcha and reCaptcha. It is virtually worthless against the spammers these days.

Arantor

Quote from: Roph on February 09, 2011, 04:52:18 PM
Hopefully in 2.0 final we could have an option to require a captcha for logins.

Doubt it, 2.0 has been feature locked for years.

In any case, I think this behaviour's been altered slightly in SVN, not 100% sure on that though, so don't quote me on it.

Norv

The behavior related to users being logged out has been investigated in SMF and solved, and the fix is currently available in the SMF 1.1.13 patch and the 2.0 RC4 security patch, as well as in RC5.
Thank you very much for the reports!
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Elysia

One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.
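
An added example, not code from any poster in this thread or from SMF: one way to do in bulk what is described above as a daily manual log scan, and to produce the kind of .htaccess block Elysia describes. The log line layout, the "several distinct member names from one IP" threshold, and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample; this line layout is an assumption, not SMF's real log format.
SAMPLE_LOG = """\
2011-02-09 03:10:01 ip=198.51.100.6 user=alice msg=Password incorrect
2011-02-09 03:10:04 ip=198.51.100.6 user=bob msg=Password incorrect
2011-02-09 03:10:09 ip=198.51.100.6 user=carol msg=Password incorrect
2011-02-09 03:11:30 ip=198.51.100.7 user=alice msg=Password incorrect
2011-02-09 03:11:33 ip=198.51.100.7 user=dave msg=Password incorrect
2011-02-09 03:11:39 ip=198.51.100.7 user=erin msg=Password incorrect
2011-02-09 08:02:15 ip=203.0.113.9 user=bob msg=Password incorrect
2011-02-09 08:40:00 ip=999.1.1.1 user=bob msg=Password incorrect
2011-02-09 09:00:00 ip=192.0.2.10 user=alice msg=Password incorrect
2011-02-09 09:00:05 ip=192.0.2.10 user=bob msg=Password incorrect
2011-02-09 09:00:09 ip=192.0.2.10 user=carol msg=Password incorrect
"""
LINE_RE = re.compile(r"ip=(\S+)\s+user=(\S+)\s+msg=Password incorrect")

def suspicious_ips(log_text, min_accounts=3, allowlist=()):
    """IPs that failed logins against at least min_accounts distinct member names."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address: never copy it into server config
        if not any(ip in net for net in allowed):  # e.g. the admin's own range
            targets[ip].add(m.group(2).lower())
    hits = [ip for ip, users in targets.items() if len(users) >= min_accounts]
    return sorted(hits, key=lambda ip: (ip.version, int(ip)))

def htaccess_block(ips, apache24=True):
    """Render deny rules, merging adjacent addresses into CIDR ranges."""
    nets = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        same = (ipaddress.ip_network(str(ip)) for ip in ips if ip.version == version)
        nets += ipaddress.collapse_addresses(same)
    if apache24:
        body = [f"    Require not ip {n}" for n in nets]
        return "\n".join(["<RequireAll>", "    Require all granted", *body, "</RequireAll>"])
    return "\n".join(["Order Allow,Deny", "Allow from all", *[f"Deny from {n}" for n in nets]])

if __name__ == "__main__":
    print(htaccess_block(suspicious_ips(SAMPLE_LOG, allowlist=["192.0.2.0/24"])))
```

A member who mistypes a password once (203.0.113.9 in the sample) stays below the threshold and is not blocked; pass `apache24=False` for servers that still use the older `Order`/`Deny from` syntax.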

b4pjoe

Thanks for the info Norv and Elysia. I will be adding that info to my .htaccess file right now.

djkimmel

I had about 30 IP addresses used that weren't on that list. But since I downloaded that list, 5 more attempts came in with IP addresses on the above list and only 1 not on it. So I added it since I had seen one was listed as a tor server earlier. httpBL is blocking a few more of them now too than it was earlier today so it has slowed down for me.

Not sure what 1.1.13 patch did? It had no impact on the number of login attempts anyway.

Norv

Mods like those listed here might help with preventing or alleviating the attempts made by particular IPs, as these mods typically use online databases of spammers IPs. I should note there is a certain possibility that those databases are not always accurate, since they contain IPs accumulated by anonymous reports (and those reports could be wrong).

The 1.1.13 patch fixed a problem mentioned here: logged in users could find themselves logged out due to the attempts on their account.

That said, we're keeping an eye on these issues and any information provided can be useful and is very appreciated.
