I am a new admin and as I was checking out the error log ALL I found was "password incorrect" errors... thousands of them! Something must be wrong for sure. I searched a bit here and found that it seems this is an ongoing issue without a definite solution. Am I wrong? I hope I am...
I would suggest completely clearing your error log and then seeing if they keep coming back, they are what they are...people entering an incorrect password. So it shouldn't be an issue.
Not exactly. I find this error nearly every time I log in. The autofill password is not recognized. When I retype it, I can log in. But every automatic login fails 'for me'. I now assume this is happening across the board, or at least in abundance.
Try turning off your browser's auto-login for your site, or resetting it. Your password that's set in your browser is probably not the correct password.
Actually, I have experienced it in my forum too. Some people say that sometimes they can't log in, that they wrote the right password for sure but they got a password incorrect error. It worked on the next try though...
It's the same with PMs too sometimes; some people say that PMs are not sent, without an error.
It's only the case with some members, and the problem occurs only for specific members; others don't report any errors. I don't see any errors in the error log either.
Seem to be having the same problem today. I check and clear my error logs daily. Starting yesterday I started getting pages of password incorrect errors showing up every few hours. Why now?
Been noticing it on my sites as well. I have my login security mod to check for login attempts on my accounts.
And I noticed a lot of bots are trying all users' accounts, maybe to spam or something.
Quote: I have my login security mod to check for login attempts on my accounts.
What is 'login security mod'?
http://custom.simplemachines.org/mods/index.php?mod=2181
I just found out when I click on the IP address that is associated with the member's username in the error log it either shows the IP from a foreign country or it says, 'No members from the specified IP (range) found'.
I'm having same problem, constant errors signing in and IP addresses all coming from Berlin, Netherlands, Switzerland and places my members are not from.
I don't think it is a hack; it looks like just spam bots are trying to brute force/log in to any account to make spam posts or do whatever.
I just updated to 1.1.13, not sure if the update has anything to do with this problem or not.
vbgamer45, anything we can do to stop this?
Nothing that I am aware of other than banning the bots....
Sadly there isn't much you can do to stop other than renaming the action variable for login and banning the bots.
Quote from: vbgamer45 on February 11, 2011, 06:05:39 PM
Nothing that I am aware of other than banning the bots....
No use. Each attempt uses a different IP address.
Exactly, there are multiple IPs... so it is tricky. I do see them listed on stopforumspam, so maybe if you have that mod or similar it will help if you modify it to check on login.
Quote from: vbgamer45 on February 11, 2011, 06:09:29 PM
Sadly there isn't much you can do to stop other than renaming the action variable for login and banning the bots.
Is this a difficult process? I'm not sure how to do this. I will search on the forum to see if I find a topic similar.
Too many different IP addresses to ban. They keep changing constantly. Different user, different IP address.
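Several posts in this thread note that each attempt arrives from a different IP address, so per-IP bans never trigger. The following is an added example, not part of the original thread or of SMF: a Python script that counts failed logins per targeted account across distinct IPs instead. The log format, account names and addresses are constructed for illustration and are not SMF's real error-log layout.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified, hypothetical format:
#   "<ISO timestamp> <source ip> <login name tried> <error text>"
# IPs are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2011-02-11T18:00:02 192.0.2.14 alice Password incorrect
2011-02-11T18:04:40 198.51.100.23 bob Password incorrect
2011-02-11T18:07:15 203.0.113.5 alice Password incorrect
2011-02-11T18:09:51 192.0.2.77 carol Password incorrect
2011-02-11T18:10:03 192.0.2.77 carol Password incorrect
2011-02-11T18:12:30 198.51.100.88 alice Password incorrect
2011-02-11T18:15:09 203.0.113.41 bob Password incorrect
2011-02-11T18:21:47 192.0.2.130 alice Password incorrect
2011-02-11T18:26:12 198.51.100.9 bob Password incorrect
2011-02-11T18:30:00 203.0.113.200 dave Session verification failed
2011-02-11T18:33:58 203.0.113.66 alice Password incorrect
2011-02-11T18:39:20 192.0.2.201 bob Password incorrect
2011-02-11T21:05:00 198.51.100.150 erin Password incorrect
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) Password incorrect$")


def parse_failures(text):
    """Return sorted (timestamp, ip, login_name) tuples for failed logins only."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # other error types are not login failures
        ts, ip, user = match.groups()
        events.append((datetime.fromisoformat(ts), ip, user.lower()))
    return sorted(events)


def ips_over_limit(events, limit):
    """Classic per-IP rule: IPs with at least `limit` failed logins."""
    counts = Counter(ip for _, ip, _ in events)
    return {ip for ip, n in counts.items() if n >= limit}


def accounts_under_attack(events, min_ips=3, window=timedelta(hours=1)):
    """Per-account rule: accounts that saw failures from at least `min_ips`
    distinct IPs inside any sliding `window`. Returns {login_name: peak}."""
    by_user = defaultdict(list)
    for ts, ip, user in events:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, rows in by_user.items():
        in_window = Counter()  # ip -> failures currently inside the window
        left = 0
        peak = 0
        for ts, ip in rows:
            in_window[ip] += 1
            # Drop events that have aged out of the window.
            while ts - rows[left][0] > window:
                old_ip = rows[left][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_ips:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print("IPs with >= 3 failures:", ips_over_limit(events, 3))
    print("IPs with >= 2 failures:", ips_over_limit(events, 2))
    print("Accounts hit from >= 3 IPs in 1h:", accounts_under_attack(events))
```

On this sample the per-IP rule only ever catches the single address that mistyped twice, while the per-account rule surfaces the two accounts being guessed from rotating addresses; a window that is too short misses a slow attack.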
There is a thread in more detail on this issue in the Building Your Community and other Forum Advice board.
The httpBL seems to be grabbing most of them but a couple have slipped through on my site. I'm content with this mod.
Thanks. Both helpful posts. I have not installed the project honeypot mod yet. I'll try that and look at the forum post.
Also happening on my site, it should ebb out sometime soon hopefully.
As guests are reading the membernames off the main index of the page visible to guests, BLOCKING those membernames to guests will make it impossible for them to get membernames by searching for "last post by".
There are two MODs, one for 1.1.x and 2.x that say they will do this.
I'm on 1.1.13 and the MOD ( http://custom.simplemachines.org/mods/index.php?mod=2082 ) turns on the "NEW" flag and it can't be turned off.
Can anyone put together a fix that only has to do the following:
If Guest = yes then display "(hidden)" else display membername
when displaying "last post by"?
Grazie!
Cal
Quote from: HamishM on February 11, 2011, 10:44:43 PM
Also happening on my site, it should ebb out sometime soon hopefully.
What do you mean ebb out?
Going to give CloudFlare a try.
The problem is the attackers are screenscraping, so as long as they can see membernames, they can keep trying until they crack a password. Blocking membernames from guests means they can't try to break in because they won't know the names.
And since it's obviously automated, why should they stop anytime soon? Has anyone that's reported this seen the attacks "ebb"? They started reporting them on 31 Jan 2011 and it's 12 Feb now.
Cal
Bots usually give up after a while...........
I have noticed that the bot has not tried to login as me, I think this is because my login name is different to what is shown on the forum........
The bot appears to be walking as much of the site as we allow guests to see, and going into each board hoping for names. At least that's how it looks from the error log.
So I guess a fix should also look at any place account names are displayed, main index, board index, topic. We already hid the Info Center.
But we better plan on this type of attack coming back. Several months ago script kiddies tried exploiting a hole filled two years before.
Quote from: HamishM on February 12, 2011, 02:43:53 AM
Bots usually give up after a while...........
I have noticed that the bot has not tried to login as me, I think this is because my login name is different to what is shown on the forum........
Maybe the anti-spam mods should have a setting that completely blocks/bans those spam-bot ip's when they try to log in.....
-Rik©
I guess a quick, temporary and dirty fix could be (probably only viable on forums with low membership, I have way too many membs to do it on mine):
Add a space or a full stop after the username in the field "This is the displayed name that people will see.", do it on all member profiles, this would result in the bot getting a "Member does not exist" message.
It would not affect the individual member login process.
Like I said, quick and dirty but will probably work..............
Quote from: Cal O'Shaw on February 12, 2011, 02:50:30 AM
The bot appears to be walking as much of the site as we allow guests to see, and going into each board hoping for names. At least that's how it looks from the error log.
So I guess a fix should also look at any place account names are displayed, main index, board index, topic. We already hid the Info Center.
But we better plan on this type of attack coming back. Several months ago script kiddies tried exploiting a hole filled two years before.
Wow. You are pretty good at this, man. I mean seriously, I have looked at my raw logs and everything but I couldn't figure out any pattern.
Most IPs are from Germany and from proxies. You can't just block them all because they keep changing their IPs. I have been having this issue since yesterday also. I also have that login security mod.
Here is a very quick and easy fix!
I think it would be a very good idea to put an image verification on the login form. But until a good solution I have closed my forum to guests. It's members only for now.
Quote from: HamishM on February 12, 2011, 02:43:53 AM
Bots usually give up after a while...........
I have noticed that the bot has not tried to login as me, I think this is because my login name is different to what is shown on the forum........
Having a different login name than what is shown on the forum is something I had not thought of before. I changed my login name along with a password change, thanks!
Quote: Most IPs are from Germany and from proxies. You can't just block them all because they keep changing their IPs. I have been having this issue since yesterday also
You can block whole countries. It started yesterday for us too.
Rico,
Except we're seeing addresses from the UK, Sweden, Germany and elsewhere. Anti-bot MODs aren't going to be able to keep up with this kind of attack. We need to have the ability to starve the bots and that would be hiding account names from guests.
HamishM,
Yes, but that means going through every account manually, right?
A little decision coding before displaying username based on if the viewer is a guest takes care of all sites, regardless of member count.
if guest = true then nametoshow = "(hidden)" else nametoshow = username
display nametoshow
PLAYBOY,
We don't have much of our site open to guests, so I was able to pick up the pattern (accounts not listed on the main index but on a board as the last poster were showing up). And I did DP for 30 years.
Image verification becomes a pain for your members. Remember, these guys are trying to pass themselves off as your members to get inside.
You really want to block your audience countries?
We can't block them, so let's starve them. No names to see, no attack to make.
Quote from: ApplianceJunk on February 12, 2011, 03:14:16 AM
Quote: Most IPs are from Germany and from proxies. You can't just block them all because they keep changing their IPs. I have been having this issue since yesterday also
You can block whole countries. It started yesterday for us too.
Do you have a pretty good up-to-date list of IPs from each country? And are they 100% accurate?
I am not gonna use it in this case but it would be useful in other cases :)
Quote: And I did DP for 30 years.
HAHA, that's how...
Quote: Image verification becomes a pain for your members.
Yeah, but it would be nice (and useful) to have some kinda mod for it so we can at least turn it on and off when necessary.
Most of the ip's they use are listed at Stop Forum Spam, so if the anti-spam mod also checks at log-in (besides registering) it can block/ban those ip's after their first try.
Hiding (user)names for guests is possible.... there is already a Hide Post Authors From Guests mod.
-Rik©
Yes, and as I noted, on my 1.1.13 site it turns on the "new" icon for every topic and will not turn them off. So it's got a problem. Hence my request for a quick and dirty. Tell me what code to put where and I'll do it manually until it can become a MOD.
And before it's mentioned, even if 2.0 RC 5 became the final product today, we'd still wait several months until 2.02 or 2.03 for all the really arcane bugs to come out, all the MODs to catch up, and be sure the 1.x to 2.0 upgrade is bulletproof. There's a lot of us who just can't give hours to an upgrade and see it hang. Very cautious. Part of why I lasted 30 years in DP ;).
Quote: And before it's mentioned, even if 2.0 RC 5 became the final product today, we'd still wait several months until 2.02 or 2.03 for all the really arcane bugs to come out, all the MODs to catch up, and be sure the 1.x to 2.0 upgrade is bulletproof. There's a lot of us who just can't give hours to an upgrade and see it hang. Very cautious. Part of why I lasted 30 years in DP.
Totally agree.
I would give it at least a year or year and a half for 2.x to be ready for us. As I have said before in another topic, we are ready for 2.0 but it is not ready for our requests and needs.
Now we need an image verification of some kind to be integrated on the login form (http://www.google.com/recaptcha) so I can open my forum to guests again. Every second my forum is closed costs me money. Alarm! Alarm! I am losing money here :p
Update: Just to give more info about this bot,
Maybe it would be helpful to people...
I got another type of form (more like a question answer style) on my site and nobody has ever sent any spams through it before. However this bot has been filling its sections and sending them continuously. Here is one of the examples...
Form data:
Question 1: betathomeromania
Question 2: Abkhazia
3: betathomeromania
4: google
5: England
6: Elk
7: 143040
8: Konu hakkında hangi kaynaklardan ne derece araştırma yaptınız?: 143040
9: betathomeromania
10: 143040
11:
12: Romania
13:
14: betathomeromania
15: This www is interesting
bet at home romania (http://www.buzzfeed.com/ufcfan/bet-at-home-romania-nscrie-te-i-c-1aqh)
16: betathomeromania
17: This www is interesting
bet at home romania (http://www.buzzfeed.com/ufcfan/bet-at-home-romania-nscrie-te-i-c-1aqh)
So this bot is basically filling in (and trying) every kinda form it sees, not just SMF.
I closed my forum to guests view but the bot is still trying my password?
It seems like the bot is also saving the membernames. Is there any good solution for this guys? Can anybody help us?
That would not work well for this bot because it keeps changing its ip.
Gosh thankfully, not really thankfully, but I was starting to think I
would go crazy with blocking IP addys. I have given up for now.
I hope there is a simple solution really shortly to stop these, I think I
will go block my site from guests until the solution is found. I really
count on the couple that are viewable, but if it cuts back on this well
it will have to be done :) :)
Thank you to the member who brought this to everyone's attention.
I decided since I like people to read something about my forum
I'd decided to make a new board viewable to 'guests' and hopefully
that will cure this rubbish for the present time.
Probably not really the 'right' thing to do but I've done it anyway.
I dragged a post from a member that i know (banned) will not come
back, well I hope so anyway. Using a banned member I figured they
would only get the ban message and with that I locked the post.
I also didn't include any moderators.
I hope this will get rid of them for now, when things settle down
again I'll revert back to the original stuff that was viewable to guests
but keep this on hold for any future attacks.
Any improvement yet? Did it really work?
Because i closed my forum to guests but i still get the bots attacks.
Anyone tried that htaccess file someone posted in one of the threads about this? I don't have enough members to make an accurate test.
You're going to continue getting attacks. Blocking the membernames is a protection against FUTURE users of the attack code, before they come to your site and try to harvest names.
Which is why it would be really, REALLY great if we could get some sort of patch (even hand edit) to replace membernames with something like "(hidden)" or "(restricted)" when guests come calling. Because that is going to be the ONLY WAY to cut down the attacks.
If any of the SMF wizards could help us, or at least tell us help is on the way, it would be wonderful.
Again, nothing fancy, with just this simple check before the places where the membername would be displayed, do the following:
if Guest = true then display "(hidden)" else display membername.
The places needed:
- on main index after "last post by"
- on topic index after "last post"
- on topic where membername is displayed
Any help greatly appreciated!
Cal
Quote from: RustyBarnacle on February 12, 2011, 07:01:11 PM
Anyone tried that htaccess file someone posted in one of the threads about this? I don't have enough members to make an accurate test.
I loaded the .htaccess file assembled by Elysia posted here (http://www.simplemachines.org/community/index.php?topic=416928.msg2949234#msg2949234). I have only had it in place a couple of hours, so keep in mind that I haven't had a great deal of time to test its effects, but for the first time in several days, my Error Log is empty. It looks like it has worked.
Have you also upgraded to 1.1.13? It was posted in one of the other threads on this issue that they added some code to help with this issue.
I would suggest for the future members use a different screen name from their sign-in name. This does seem to confuse these robots which are also plaguing me at the moment.
Quote from: Cal O'Shaw on February 12, 2011, 07:21:56 PM
You're going to continue getting attacks. Blocking the membernames is a protection against FUTURE users of the attack code, before they come to your site and try to harvest names.
Which is why it would be really, REALLY great if we could get some sort of patch (even hand edit) to replace membernames with something like "(hidden)" or "(restricted)" when guests come calling. Because that is going to be the ONLY WAY to cut down the attacks.
If any of the SMF wizards could help us, or at least tell us help is on the way, it would be wonderful.
Again, nothing fancy, with just this simple check before the places where the membername would be displayed, do the following:
if Guest = true then display "(hidden)" else display membername.
The places needed:
- on main index after "last post by"
- on topic index after "last post"
- on topic where membername is displayed
Any help greatly appreciated!
Cal
I think implementing recaptcha on the login screen would be quicker and easier. But at this stage, I am OK with any kind of solution because I'm losing money and visitors every minute.
As I said, the problem with recaptcha on the login is that means you will require EVERY member to enter both their password and the captcha phrase. Depends on the users as to whether the extra step is worth what a site offers.
I think it would be the useful, temporary and easiest solution. Or somebody can do both and whoever wants can use it. But somebody needs to help us guys, c'mon... how long is this suffering gonna take...
So far with closing the forum and using a banned member for
now was the easiest and quickest I could do. I knew it wouldn't
stop the current rubbish, but figured it would stop them using
any other usernames then they already had :(
Today I will set a 'anon' member up and redo what I have done,
only because I am worried about maybe legal side of dragging
a banned member up. Plus if this banned member was to find
out on the off chance - I wouldn't fancy reading any emails from
them - they have a rather nasty tongue ::)
As for adding recaptcha at log-on for my forum would only drive
members away. I'm very small and battle as it is to attract members.
I am a free to join forum, no strings and battle against a few other
forums, one free and two paid to join they all have thousands of
members and I have less than 500 :o
This attack is certainly not what I need at the moment!
I have not had any of these attacks myself, so I ask this just out of curiosity. Out of all the admins that have been getting these attacks posting here, how many of you allow guests to view the member list?
Quote from: busterone on February 12, 2011, 10:43:28 PM
I have not had any of these attacks myself, so I ask this just out of curiosity. Out of all the admins that have been getting these attacks posting here, how many of you allow guests to view the member list?
I certainly don't, they seem to be using usernames from posts in what is
viewable to the general public, i.e. not registered users.
All the usernames tried were only in the 'non registered' members area.
You should consider yourself lucky if you have not been a target :) What's
your secret?
We do not.
As has been stated in this topic, they are reading the main index and topic indexes and grabbing the member name that follows the strings "last post by" and "last post".
Quote from: squad on February 12, 2011, 10:49:14 PM
Quote from: busterone on February 12, 2011, 10:43:28 PM
I have not had any of these attacks myself, so I ask this just out of curiosity. Out of all the admins that have been getting these attacks posting here, how many of you allow guests to view the member list?
I certainly don't, they seem to be using usernames from posts in what is
viewable to the general public, i.e. not registered users.
All the usernames tried were only in the 'non registered' members area.
You should consider yourself lucky if you have not been a target :) What's
your secret?
I have no idea really. I have been using the Stop spammer mod for over a year, and recently httpBL/Project Honeypot. I also have the forum Firewall installed. I can't say any one of them or the combination has anything to do with it to be honest. I have noticed that my forum has seemed to drop off the spammers/bots list lately though. I guess they got tired of never getting in, so moved on. Maybe the spammers communicate with one another about wasting efforts on some sites or something. :D
Quote from: busterone on February 12, 2011, 10:43:28 PM
I have not had any of these attacks myself, so I ask this just out of curiosity. Out of all the admins that have been getting these attacks posting here, how many of you allow guests to view the member list?
I have never let that happen.
We need a solution guys. Please somebody help us.
Use the .htaccess; that has worked fine for me, zero attempts in the past couple of hours.
I may have skipped that part. What is the htaccess way?
Quote from: vbgamer45 on February 12, 2011, 11:14:52 PM
Use the .htaccess; that has worked fine for me, zero attempts in the past couple of hours.
Quote from: PLAYBOY on February 12, 2011, 11:16:43 PM
I may have skipped that part. What is the htaccess way?
Yes please, how to and what to .htaccess, remembering some of us are not
really as savvy as others :) Especially myself!
http://www.simplemachines.org/community/index.php?topic=416928.0
Thank you.
I think this topic should be merged with that one.
It should be noted that some of the suggested MOD fixes are not available for 1.1.x users.
If an SMF expert is looking at the "hide names from guests" fix that I and some others have been rather urgently requesting, please keep us 1.1.x sites in mind as well as the 2.0 sites.
Thank you
Cal
I have experienced the same - bots harvesting member names, some of them not active for a long time (one over 6 months). One member has been active only a single time, and that was in the shoutbox - no topic posts of any kind. I suspect the bot is harvesting user names from the front page shout box, and any other topic that is available to guests. On my site, neither guests nor regular members have access to see stats, member lists, profiles, or anything that would identify a user. The only way that a guest (bot) would be able to get a member name is by viewing posts (and the shoutbox).
Here's an interesting observation: when I set the failed login threshold to "1", I do not get any fake user login attempts recorded in the user error log. When I set the login threshold to anything higher, the failed logins resume. I've repeated this only twice, but my forum is now set at "1" and I've not had a failed login for most of the day. I've not had any members complain yet, but I don't have that many members to begin with. I'm using 2RC3.
EDIT: I just had an IP try to log into my forum that was listed in the .htaccess list of known bad addresses that Elysia posted in another thread, but this event has not triggered any error logs in SMF, Forum Firewall, or httpBL. I have no idea what this means, but perhaps it will help someone who does.
EDIT2: Now it has been 17 hours with the failed threshold set to "1" and I have not had a single bot login attempt recorded in the error logs. However, I have one member who is asked to log in periodically, but is not presented with the failed login prompt - just a regular login. He reports that this is not an isolated incident so it might not be related to the failed login threshold setting.
EDIT3: I figured out why the method above works - when I tried to log in as a regular member, and supplied the wrong password, the forum immediately displayed the recover password page, which prompts the user to enter their email address, which of course the bot doesn't have, so it is stopped right in its tracks. The down side is that the real members need to be educated that if they truly make a mistake in password entry, they can click the back button to log in again. Granted this is not a fix for the underlying problem (I hope someone can fix the mod to hide members from guests as is mentioned in another post), but at least it has stopped the login bots on my site.
There is a Hide Post Authors From Guests mod...
http://custom.simplemachines.org/mods/index.php?mod=1892
This will prevent bots from harvesting names.....
It isn't updated to the latest SMF, but that shouldn't be too hard to fix.
-Rik©
I posted to the support topic, asking for an update and noting it turns on the "new" icon and never turns it off.
Quote from: Cal O'Shaw on February 13, 2011, 01:39:34 PM
I posted to the support topic, asking for an update and noting it turns on the "new" icon and never turns it off.
Seems like the author hasn't updated the mod for a long time....
btw there is an anti-spam mod that checks them as soon as they arrive at the forum and redirects them to a file called warning.php, making the whole site invisible to them.....
httpBL mod ⇒ http://custom.simplemachines.org/mods/index.php?mod=2155
But you need to go to Project Honey Pot and register there to become a member of the project, install a Honey Pot in your server and ask them for your own http:BL API key before you can install/use the mod.
Maybe I will look into the 'flagged as unread bug' of the Hide Post Authors From Guests mod if the author is not responding.....
-Rik©
Quote from: Rik© on February 13, 2011, 05:04:29 AM
There is a Hide Post Authors From Guests mod...
http://custom.simplemachines.org/mods/index.php?mod=1892
This will prevent bots from harvesting names.....
It isn't updated to the latest SMF, but that shouldn't be too hard to fix.
-Rik©
Very useful but too late. They already got most (maybe all) of my members.
We still need a stable solution for this. Adding tens of IPs every day or hiding member names are not really good solutions, I think.
Quote from: Rik© on February 13, 2011, 01:51:48 PM
Quote from: Cal O'Shaw on February 13, 2011, 01:39:34 PM
I posted to the support topic, asking for an update and noting it turns on the "new" icon and never turns it off.
Seems like the author hasn't updated the mod for a long time....
btw there is an anti-spam mod that checks them as soon as they arrive at the forum and redirects them to a file called warning.php, making the whole site invisible to them.....
httpBL mod ⇒ http://custom.simplemachines.org/mods/index.php?mod=2155
But you need to go to Project Honey Pot and register there to become a member of the project, install a Honey Pot in your server and ask them for your own http:BL API key before you can install/use the mod.
Maybe I will look into the 'flagged as unread bug' of the Hide Post Authors From Guests mod if the author is not responding.....
-Rik©
http:BL is a fantastic mod, and I've installed it on my site a while ago. It had helped capture two mail harvesters, more than 50 content spammers, and has helped catch 493 spammers for Project Honey Pot as of today. I also have Stop Forum Spam installed, CrawlProtect, and Forum Firewall. None of these measures has caught these login bots because their IP addresses come up squeaky clean.
I've been getting a lot of these errors on both of my forums since around the 1st of this month. I upgraded to version 1.1.13 from 1.1.12 as soon as the upgrade came out but the errors continue to pour in. A friend of mine with a version 1.1.12 forum hasn't received any of these errors. I'm not inferring that it's an upgrade issue since the errors have poured in on both 1.1.1 versions, I just wish they would come up with a fix. It gets me really nervous seeing all these login attempts.
@PLAYBOY,
We need to hide the names from Guests to prevent THE NEXT ATTACK. Because at some point the script will get passed to some new kiddie who will launch it and harvest names to try to break in.
I've been reading the logs and we found several accounts being used over and over. So we took one of the accounts (happens to be our "public face" account) and changed the login name. And the attempts on that account no longer show up. Sure, the bot is still attacking, but now it gets turned away on that specific account because the name the attacker harvested is no longer valid.
In order to stop them from collecting a new set of names and starting over, we need to HIDE ACCOUNT NAMES FROM GUESTS!
SMF Support, please help us! Give us a MOD or security patch or cut and paste instructions or SOMETHING so we can render this type of attack impotent! We need a fix for 1.1.x to hide the names from guests!
PLEASE!
Cal
SMF 1.1.13 site admin
The upgrades to 1.13 and 2RC5 should fix the issue of users being logged out but your error log will still show the bot attempts.
httpBL will divert many of the IP addresses before they attempt to log in (but there are thousands).
The best fix however is to force users to use email address instead of username to log-in.
There is a mod for this but not easy to find on blackberry - force email log-in.
http://custom.simplemachines.org/mods/index.php?mod=1665
Assuming one can contact all the members to tell them of the change. Assuming you have the resources to deal with all the annoyed members who don't get the message.
And just wondering... when this MOD is installed, what is shown on the main index, by each board, next to the words "last post by"? Is it the user's membername or his email address. If it's the email address, then this MOD will be useless the next time the attackers harvest names.
The BEST solution is to hide the names of who posted from guests. If they don't know who posted then they don't have anything valid to place in the userid field.
Cal
The forum functions as now with usernames shown.
Login just asks for email address instead of userid. Works fine on my forum with 3000 members?
I personally want guests to see the usernames. I don't mind if my usernames are being harvested because they can't do anything with just a username if I use this email method or any other method.
So my problem isn't the username. Guests (who don't want to become a member and prefer to watch only) should be able to know and recognize the users.
This email method sounds good (and smart) but I'm not sure...
Can you turn it on and off?
Only by uninstalling the mod as far as I can tell. But should be a simple addition to the mod - worth requesting?
Maybe this should be core functionality in future?
This just struck me, like a bolt, probably been covered previously ????
Of course we are all of the opinion that readers of this thread are nice people and would not be taking note of these suggestions. Even logged out I can still read what is here :(
We have put a lot of trust in this and other similar posts over the last few days!
Edit: Fix spelling errors (grandchild trying to annoy me!)
I continue to get around 70 to 75 of these errors every day on both my forums even though one is way more active than the other. I wish someone knowledgeable could at least tell us just how dangerous this attack could be. It's obvious that it would be lights out if they cracked an admin password but other than that????
I sure hope someone on the team can fix this.
I think Facebook may be having a similar problem as I just got half a dozen authentication errors from them.
I am faced with the same problem, sort of. I run a new install; everything is fine. I log in as admin - everything is fine. Now to access the admin section, I have to log in again... this always fails. I get this message: Session verification failed. Please try logging out and back in again, and then try again. I can't even log out. I can't log in? I destroy the files and upload a new copy and create a new database. This happens every time with a new install. It doesn't matter if I am installing V2 or 1.12.
I can't get in to change or do anything. Session verification failed. Please try logging out and back in again, and then try again.
What MODs do you have? Do you have the Forum Firewall MOD installed? We had to pull the firewall MOD because we got the same problem. Delete your forum cookie and you should be able to get in.
Cal
Excuse me for sounding totally stupid DOH ? where do I go to delete the forum cookie.
In your browser's options. It's different in IE and FF or whatever you are using.
THANKS FOR THE INFO: I will report back shortly!!! (fingers crossed) I hope I can resolve this issue. Again - thanks for taking the time to respond
Also you may want to change the name of your forum's cookie. You can do that in the admin panel under server settings I do believe.
@PLAYBOY, but I do not want the names shown to guests. Especially if that gives attackers a way to break in.
@laetabi, that's fine for you, but did you roll that in at the start, or after you had a couple of thousand members? What kind of time did you have to spend educating your members to the change? Did you lose members from the change?
I don't see having the ability to DECIDE to hide membernames from guests as a big technical problem. The decision logic is extremely simple: If Guest, show XXX else show membername
Could we please get some indication from SMF Support that they are even READING this topic? Maybe give some sign it's being addressed? And if not SMF Support, some SMF Wizard who might take pity on us 1.1.x sites and write something we can use to plug this hole?
Cal
SMF support will be reading this you can be assured of that. :)
Thanks, Bigguy!
Just knowing that helps quite a bit out here in the trenches!
Cal
We are all here in the trenches. Sometimes things might seem a bit slow but there is a lot going on. Someone from the Support team or one of the other teams should be around soon. :)
Ok BigGuy: I was able to access the board; finally; BUT I can't make a post; it says session timed out. I can access admin (good). but I cannot change anything. AND..I still can't log out ??
I tried to change my password that got me in there. but it will not accept the changes
Session verification failed. Please try logging out and back in again, and then try again.
can't log out!
Do you have sessions on in the admin panel? Have you tried turning them off? ??? You'll probably get a session timeout error when doing that but they should still turn off. I do not know if that will solve the problem or not but it's worth a shot. :)
Majik, if you have another browser that you have NOT used to log into your forum, log on using that. It should break it open. That's how we got through when it happened to us (in our case, turned out to be the Forum Firewall MOD; after we uninstalled it we were able to log in properly).
Cal
I am in - making changes - I turned off caching - I am using safari !!!
Quote from: MajikImaje on February 14, 2011, 08:37:45 PM
I am faced with the same problem sort of. I run a new install; everything is fine. I log in as admin - everything is fine. Now to access the admin section, I have to log in again.. this always fails I get this message : Session verification failed. Please try logging out and back in again, and then try again. I can't even log out. I can't log in ? I destroy the files and upload a new copy and create a new data base.. This happens every time with a new install. It doesn't matter if I am installing V2 or 1.12
I can't get in to change or do anything. Session verification failed. Please try logging out and back in again, and then try again.
You have started a completely different topic starting with this post. While I sympathize with your problems, perhaps a moderator could create a new topic starting with this thread and including all the relevant posts below.
This would leave the original topic's posts in order so we can get our problem solved. Thanks in advance to any mod who does this.
Edit 2/15/11 10:40 am: I guess no one gives a s***!
Quote: @laetabi, that's fine for you, but did you roll that in at the start, or after you had a couple of thousand members? What kind of time did you have to spend educating your members to the change? Did you lose members from the change?
Good questions but actually it was no hassle for 3,000 active members on a 2+ year old site.
I put a post up 24 hours in advance announcing the change, put a news item that guests could see and then launched the email log-in mod.
One or two members had not updated their email addresses to new ones and one or two had forgotten which email address they had originally registered with but they dropped the forum admin email address a note and were sorted quickly.
It really isn't a big issue although, like you, I thought it might be. The forum is as active as ever and if I've lost one or two that would be nothing compared to how many I would have lost if this bot had kept logging people out or worse, had damaged members' faith in the forum security.
Personally, I think it's the way to go. Denying IP addresses will go on forever as this thing seems to have infected genuine users and is probably continuing to do so at an increasing rate.
The suggestion that it is now affecting Facebook makes upgrading to the latest fix and installing antispam software and increased security on your forum a must do. Email log-in makes sense as it's part of the security measures you can take.
Personally, I think you can, and should, sell that to members. It's their personal info that you are trying to protect.
I'm discussing with the site owner and already started looking at how to implement it if I get concurrence. At the same time I'm contacting the accounts that are being used for the attack and changing their login id so the bot hits "invalid username". And as more and more sites use email addresses as userids it won't seem that different. Probably tell the users to log in via email address for a few days and then install the MOD.
Still would like to hide membernames from guests, even if they won't be usable for log in attacks...
Cal
cb|Emailogin mod took care of the situation for now. I actually liked it a lot. I mean I would probably use it even before this problem.
Quote from: Cal O'Shaw on February 14, 2011, 08:42:33 PM
What MODs do you have? Do you have the Forum Firewall MOD installed?
Forum Firewall has nothing to do with sessions. In RC1x it uses its own disk cache. Try accepting the browser cookies for your site when you log in as admin.
The email login was also successful for me in shutting down the attack. However, 3 hours later 'someone' attempted to download my database:
Guest
Today at 02:34:12 AM
64.124.203.71
395a86116c950ca9a87287cf4e1aaeb5
http://www.romborossodoc.com/forum/index.phpstruct=on&data=on&compress=gzip&action=dumpdb&sesc=b135cedfc47c06b8dfca8902e66f8bc9
Only administrators can make database backups!
My forum is set as Read-only for guests. How was a guest level viewer able to attempt to download the database? I thought you could only access that function from the admin panel which wouldn't be available to a read-only guest right?
He didn't. That is why it is in your error log. He simply tried. These bots use known actions and are pre-programmed to attempt them. I see quite a few that drop in using index.php?action=admin, etc. They can't see the admin button, they just randomly try different combinations to attempt access.
Quote from: laetabi on February 15, 2011, 02:38:58 AM
Personally, I think it's the way to go. Denying IP addresses will go on forever as this thing seems to have infected genuine users and is probably continuing to do so at an increasing rate.
I gave up on denying IP addresses. It's futile and it's labor-intensive.
I installed the e-mail login mod this morning. It installed without a problem, and seems to have done the trick. This seems to be the best solution so far.
Quote from: busterone on February 15, 2011, 08:33:04 AM
He didn't. That is why it is in your error log. He simply tried. These bots use known actions and are pre-programmed to attempt them. I see quite a few that drop in using index.php?action=admin, etc. They can't see the admin button, they just randomly try different combinations to attempt access.
Ah, thank you. I knew
I couldn't see any way to do that logged in as a guest but these guys are much smarter at this stuff than me.
This is driving me insane, I am waiting to have a couple of things
sorted on my forum, but will be installing the cb|Emailogin mod
asap following that.
I'll also be looking at the Hide membernames from guests at the
same time :)
Hope it works just as well for me as it appears to have for you
PLAYBOY.
I still wonder 'who' is reading all this stuff and are 'they' working
on getting around our actions or planned actions ?????
Quote from: squad on February 15, 2011, 01:06:51 PM
I still wonder 'who' is reading all this stuff and are 'they' working
on getting around our actions or planned actions ??? ??
I realize you're referring to the bad guys but it doesn't appear as if SMF support has been reading this or they would have at least said they were working on a solution. ??? :'(
I know Bigguy said they would, but hearing something from them that they're aware and maybe working on something (or that they're not) would let us know we're being heard.
Our attack has been underway for over a week now (a strike every 6 minutes on average). I don't think they're going to wander away anytime soon.
Cal
If you read the similar thread here http://www.simplemachines.org/community/index.php?topic=416928.0 you will see there are some staff members adding comments.
Quote from: catfished on February 15, 2011, 08:02:10 PM
Quote from: squad on February 15, 2011, 01:06:51 PM
I still wonder 'who' is reading all this stuff and are 'they' working
on getting around our actions or planned actions ??? ??
I realize you're referring to the bad guys but it doesn't appear as if SMF support has been reading this or they would have at least said they were working on a solution. ??? :'(
Yes I was, sorry for not making that clear *sigh*
Quote from: squad on February 17, 2011, 11:19:45 PM
Yes I was, sorry for not making that clear *sigh*
Not a problem, I think you made it very clear, I was the one that changed the subject. :-[
I had the same problem with bots trying to member accounts.
I'm running smf 1.1.13 and installed proxy blocker mod,
http://custom.simplemachines.org/mods/index.php?mod=2329
It seems to have stopped all incorrect login attempts for my site.
Proxy Blocker can quite easily block genuine users too.
http://www.simplemachines.org/community/index.php?topic=416928.msg2960115#msg2960115 contains a patch that should neutralise the current bots.
I found a new attack today. Could be the same attack you are talking about?
A user asked me to check out the log in a newly installed version of Forum Firewall a/k/a FF. The visitor log literally had hundreds of blocked attacks in a single day from many different ip addresses. Most likely the same bot. FF blocked all the injection attacks using "action=register and some code". The code looks like some sort of automated password script dictionary attack. Maybe this is the same attack?
Here is what I saw:
1. Obvious code injection attack EDITED. Caught by FF.
2. Many different really bad ip addresses being used directly and hidden in the proxy array. Caught by FF.
The BB (now SMF 1.1.x compatible) & FF combo seems to take them down. 8)
No, that's a different attack; the bot attack I was referring to is using a dictionary of user ids it's already obtained, and is trying to slowly brute force the password, directly hitting action=login2.
That is the problem. They never stop trying. To make code for each specific attack is a waste. This is why I went generic.
Does it start out with something like:
Quote: action=Login2(EDITED)
if so FF will stop it cold.
No, it doesn't. It's literally just action=login2 in the URL.
Human attack?
If it is not, the bot will have to try to pass data somehow and BB/ FF should catch it either by the data passage or exceeding the speed limit.
The bot is trying to brute force passwords. Requests are from inconsistent IPs, and could theoretically be genuine requests due to a minor vulnerability in the login code, which has been tracked on Mantis.
I must correct myself since I accidentally provided incomplete information. I looked at the code assuming it was singular. But I did not notice, until after I took a break and looked at it with fresh eyes, that it was written specifically to attack four (4) methods of login, simultaneously (some more than once). In fact the code in each URI was attacking via brute force via several IP addresses:
1) action=register
2) action=register2
3) action=login
4) action=login2
You may be seeing just the last injection?
As far as I can see FF is blocking all four (4) long before they can exploit the vulnerability that you plan to correct.
::)
You and I are seeing different bots then. The one everyone else is seeing doesn't touch anything but login2, AND there's nothing at all in the request on its own that would hit FF that I'm aware of; it is even possible for a normal person to exhibit the signs but somewhat unlikely.
Ah, that is why there is a hit rate test.
Do you have the injection uri string? If it is safe, want to trade injections via PM?
8) :P
The URL was http://arantor.org/index.php?action=login2 submitted via POST. Nothing special, nothing suspicious. Requests are 4 to 8 minutes apart, from all different IPs.
My patch was very specific for the scenario generated by this bot.
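Added example, not part of any post in this thread and not SMF or mod code: a sketch of why the pattern described above (plain POSTs to action=login2, minutes apart, each from a different IP) slips past a per-IP failure counter but shows up when failures are grouped by targeted account. The log format, the function names and the thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (format assumed, not SMF's error-log layout): slow login2 failures.
SAMPLE_LOG = """\
2011-02-15 02:00:10 203.0.113.5 login2 alice password_incorrect
2011-02-15 02:06:40 198.51.100.17 login2 alice password_incorrect
2011-02-15 02:11:05 192.0.2.44 login2 alice password_incorrect
2011-02-15 02:17:30 203.0.113.90 login2 alice password_incorrect
2011-02-15 02:23:55 198.51.100.201 login2 alice password_incorrect
2011-02-15 02:05:00 192.0.2.8 login2 bob password_incorrect
2011-02-15 02:05:20 192.0.2.8 login2 bob password_incorrect
"""

def parse(log):
    """Yield (timestamp, ip, username) for each failed login2 line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "login2" or parts[5] != "password_incorrect":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield ts, parts[2], parts[4]

def per_ip_offenders(events, limit=3):
    """Classic per-IP counter: IPs with at least `limit` failures."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= limit}

def targeted_accounts(events, window=timedelta(hours=1), min_fail=5, min_ips=4):
    """Accounts with >= min_fail failures from >= min_ips distinct IPs inside one window."""
    by_user = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward past stale failures
            span = hits[start:end + 1]
            ips = {ip for _, ip in span}
            if len(span) >= min_fail and len(ips) >= min_ips:
                flagged[user] = len(ips)
                break
    return flagged

EVENTS = list(parse(SAMPLE_LOG))
```

On the sample, the per-IP counter reports nothing, while the per-account view flags "alice" with five source IPs; "bob", who mistyped twice from one address, is left alone.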
Understood, you were looking at a log and were unable to capture the string. Nevertheless, good work stopping it.
PM will be sent soon.
Yes, I was looking at some custom logs, which I'd written myself ;) Which included a lot more than normal, not least all of the contents of $_SERVER, apache_request_headers() and a few other things, though I gave limited logging to others.
Please see, for further information and options,
Simple Machines Forums attacks (http://www.simplemachines.org/community/index.php?topic=422954.0)
butchs, I appreciate any information you could give about the specific pattern of the attack on your forum.
Pattern of attacks? I covered all the ones I know with my mod.
lethal-danger can you please repost your questions over the Forum Firewall support board before I get into any more trouble with Norv? His cat looks meaner than mine... :-\
LOL, I can fix that. :D
Though for now, I like it!