Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM

Previous topic - Next topic

Elysia

#40
I used the link provided earlier by The Brain to the Tor nodes list generator here https://check.torproject.org/cgi-bin/TorBulkExitList.py and entered the IP address of our server. The script then generated the list of IP addresses which I was then able to use to create my htaccess.txt list. Perhaps entering different server IP addresses into the list generator tool will result in a different result for other users?

I've just been and checked my forum error log and I've had only 5 new login attempts since I added the big list to the .htaccess file, so it's easy enough to update that now. And of those only 1 attempt wasn't a legit login failure! So if you add to the earlier list
deny from 84.46.12.102
on a new line that will update the .htaccess file.

青山 素子

Quote from: Norv on February 12, 2011, 02:45:35 AM
Mods like those listed here might help with preventing or alleviating the attempts made by particular IPs, as these mods typically use online databases of spammers IPs. I should note there is a certain possibility that those databases are not always accurate, since they contain IPs accumulated by anonymous reports (and those reports could be wrong).

As a quick note, the Project Honeypot http:BL service is populated with confirmed spammers and harvesters. Outside reports aren't accepted. To get on the list, you must visit several of the hidden honeypots and either spam the special e-mail addresses hidden in the page source or spam using the hidden form in the page source. Even if you were curious and visited one of the pots in your browser (like the one hidden in my signature here), you wouldn't get flagged. There is also a very nicely documented removal policy and old entries are expired following a posted policy. It's one of the very few services that does it right and thus has over 90%+ accuracy.


Quote from: Norv on February 12, 2011, 02:45:35 AM
The 1.1.13 patch fixed a problem mentioned here: logged in users could find themselves logged out due to the attempts on their account.

That's great to hear.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


b4pjoe

Quote from: 青山 素子 on February 12, 2011, 01:33:01 PM
As a quick note, the Project Honeypot http:BL service is populated with confirmed spammers and harvesters. Outside reports aren't accepted. To get on the list, you must visit several of the hidden honeypots and either spam the special e-mail addresses hidden in the page source or spam using the hidden form in the page source. Even if you were curious and visited one of the pots in your browser (like the one hidden in my signature here), you wouldn't get flagged. There is also a very nicely documented removal policy and old entries are expired following a posted policy. It's one of the very few services that does it right and thus has over 90%+ accuracy.

I have the Honeypot BL mod installed and it does do what you say but these bots or whatever are different. The only thing it appears that they do is try to log in using existing members user name. I don't think I've ever had one to succeed but even if they did there is very little payload they could reap from being logged in as an existing member. It doesn't make much sense as they are trying very hard to accomplish something that won't do much for them if they succeed.

Arantor

On the contrary, if they succeed, they have your password. How many users share passwords across one or more sites/services?

crash56

Quote from: Elysia on February 11, 2011, 10:22:34 PM
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network. ...///... It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Thank you for this, Elysia.  One of the forums that I look after was getting hit.  Since adding your list to my .htaccess, the only login failure I've had show up in the error message was my own.   ;D  (I flubbed my login.) 


b4pjoe

Quote from: Arantor on February 12, 2011, 07:43:26 PM
On the contrary, if they succeed, they have your password. How many users share passwords across one or more sites/services?

My password certainly is not the same as my banking account, credit card account, or PayPal account passwords. I don't use the same user name either. I would hope no one does this but you're right...probably some do.

Arantor

Probably? Very definitely, the majority of users share passwords between two or more sites. Of course, most people will keep their banking stuff separate but I doubt most people keep their Facebook account separate to a general forum login.

b4pjoe

Quote from: Arantor on February 12, 2011, 10:14:32 PM
Probably? Very definitely, the majority of users share passwords between two or more sites. Of course, most people will keep their banking stuff separate but I doubt most people keep their Facebook account separate to a general forum login.

I still think there are better targets to hit than forums. But maybe they are more successful than it appears. I only see the failed log in in attempts in the error log. If they successfully crack the password that won't be in the log.

mecfs

#48
Using RC3. If I am logged in and someone else tries to log in as me and enters the wrong password, I am logged out. Is this what has changed in RC4-security and RC5? Attempts at bot-blocking is a bandaid on the problem; this "feature" should not exist.

Aleksi "Lex" Kilpinen

This is what was supposed to be stopped with RC5, and the patch.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

mecfs

Quote from: LexArma on February 13, 2011, 03:07:29 AM
This is what was supposed to be stopped with RC5, and the patch.
That is good to hear, thank you.

RVD

Quote from: Elysia on February 11, 2011, 10:22:34 PM
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Where exactly should this file be uploaded to? Thank you for your help.

b4pjoe

Quote from: RVD on February 13, 2011, 01:10:10 PM
Quote from: Elysia on February 11, 2011, 10:22:34 PM
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Where exactly should this file be uploaded to? Thank you for your help.


Copy and paste into the .htaccess file for your domain.

PLAYBOY

I have a very long list here also. But how can i add the words "Deny from" in front of every ip automatically?
My list is about 1000 ips also.

Seo-luntan

 I got a question - if we ban/block/deny all these IPs (I have a lot too) , in the future we'll lose a lot of potential HUMAN users. Do you think that these IPs are only spambots' ? I wonder...

青山 素子

Quote from: PLAYBOY on February 13, 2011, 06:39:31 PM
I have a very long list here also. But how can i add the words "Deny from" in front of every ip automatically?
My list is about 1000 ips also.

If you have a text editor that handles regular expressions, set the find string to "^" and the replace to "Deny from ".


Quote from: Seo-luntan on February 13, 2011, 06:46:18 PM
I got a question - if we ban/block/deny all these IPs (I have a lot too) , in the future we'll lose a lot of potential HUMAN users. Do you think that these IPs are only spambots' ? I wonder...

They are likely normal end-user computers that have been infected and are being used as bots. I'd suggest culling the list regularly.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


TDNY

Quote from: Norv on February 11, 2011, 10:17:40 PM
The behavior related to users being logged out has been investigated in SMF and solved, and the fix is currently available in the SMF 1.1.13 patch and the 2.0 RC4 security patch, as well as in RC5.
Thank you very much for the reports!

Thanks for all the work on this problem,
I Never had an issue with members being logged out OR an issue with log in errors until I updated from 1.1.12 to 1.1.13 last night. This morning I have 3 pages of log in errors. Does the patch just fix the "getting logged out" issue or is it also supposed to stop the log in attempts?

Kindred

there is no real way to stop the log in attempts.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

sheryltoo

This problem started in my forum yesterday so I upgraded to RC4 and added the security patch but it didn't help.
Also, I don't know if this is related but not one member has signed in or posted on my site since I did the upgrade. I keep seeing lots of guest viewing the site but no one signing in.
That's kind of unusal for my site so I don't know if my members are having problems because of the bots or the upgrade.

busterone

You cannot stop the log in attempts with any means other than either blocking them in .htaccess, or by SMF's ban list.  The patch is meant to stop logged in users being logged out by the bots, but it does nothing to stop the attack itself.  If those IPs are listed in the Project Honeypot database as a threat, then they will get redirected away from the forum with no access, but most of these IPs are coming up clean. They are not listed there or in the Stop Forum Spam database. As was previously stated, they are probably innocent users who have been infected by the botnet.

The already suggested methods are pretty much all that can be done. This is a coordinated attack that will have to be ridden out. If these folks are smart enough to see that they are being stopped, they may even start a new botnet with new IPs. What they want to accomplish is anyone's guess, but it could just be some idiot script kiddies looking for kicks, and SMF forums are their present target.

Advertisement: