Simple Machines Community Forum

Customizing SMF => Building Your Community and other Forum Advice => Topic started by: ACAMS on January 11, 2011, 11:11:02 PM

Title: Being logged out by bots trying to log in
Post by: ACAMS on January 11, 2011, 11:11:02 PM
There seems to be IS a problem with being logged out by bots trying to log in with various user names.
This seems to be a unique SMF problem......any plans on blocking them as I have SEVERAL IP's blocked, and new ones try every day!
 
What is going to be done about it?
 
 
I have these blocked so far with .htaccess, but getting tired of adding IP's every day!!!!!!
 
 

 
Title: Re: Being logged out by bots trying to log in
Post by: ACAMS on January 11, 2011, 11:23:09 PM
Just that quick I had to add this IP  88.80.29.99
 
This mod did not work for me
 
http://custom.simplemachines.org/mods/index.php?mod=2728
Title: Re: Being logged out by bots trying to log in
Post by: Kindred on January 12, 2011, 12:32:22 AM
how are spambots and spamtards a unique smf problem?
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on January 12, 2011, 02:59:53 AM
how are spambots and spamtards a unique smf problem?

I think their specific problem is that login attempts against existing usernames are somehow causing existing user sessions to expire.
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on January 12, 2011, 03:05:22 AM
I believe this happens at the point where a bot reaches the limit for failed logins - I've seen this issue raised a couple of times now, never seen it myself though.
Title: Re: Being logged out by bots trying to log in
Post by: ACAMS on January 12, 2011, 08:44:11 PM
I just raised the Failed login threshold so maybe we won't be logged out before I can IP block the bots, BUT I wish something can be done to stop this.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on January 13, 2011, 02:48:57 AM
I'm seeing it every day but it only happens to each user for about 24 hours. If it's happening to a user that doesn't log in much you don't hear about it but if it's a regular user it's annoying as heck.
Title: Re: Being logged out by bots trying to log in
Post by: ACAMS on January 13, 2011, 12:39:47 PM
I went into Configuration/Security and Moderation and raised the Failed login threshold to 99 so members won't be logged out, and I go to maintenance and check the error log (filter user) and ban all bots that don't have a regular member IP.
 
I add them to a .htaccess in the root of my domain....they never make it to the forum after that.........BUT I should not have to, they should not be able to get to the member list!
 
Here is my Current .htaccess......I add about 20 IP's a day!
 
Code:
#--- DH-PHP handlers ---
AddHandler fastcgi-script fcg fcgi fpl
AddHandler php-fastcgi .php
Action php-fastcgi /cgi-bin/dispatch.fcgi
Options -Indexes
ErrorDocument 403 /403.html
ErrorDocument 404 /404.html
ErrorDocument 500 /500.html
<Limit GET HEAD POST>
order allow,deny
# ACAMS Pissed off
deny from 109.169.29.56
deny from 137.56.163
deny from 144.85.24.218
deny from 150.70
deny from 155.239.155.200
deny from 173.193.221
deny from 173.193.221.27
deny from 173.193.221.28
deny from 173.48.174.212
deny from 174.138.169.218
deny from 174.36.199
deny from 174.36.199.200
deny from 174.36.199.201
deny from 174.36.199.202
deny from 174.36.199.203
deny from 178.63.246.164
deny from 178.78.255.254
deny from 18.246.0.69
deny from 188.124.19.114
deny from 188.40.51.2
deny from 192.251.226
deny from 192.251.226.205
deny from 192.251.226.206
deny from 193.198.207
deny from 193.198.207.8
deny from 194.154.227
deny from 195.71.226.87
deny from 199.48.147
deny from 199.48.147.35
deny from 199.48.147.35
deny from 199.48.147.36
deny from 199.48.147.37
deny from 199.48.147.38
deny from 199.48.147.39
deny from 199.48.147.40
deny from 199.48.147.41
deny from 199.48.147.42
deny from 199.48.147.43
deny from 199.48.147.45
deny from 203.174.87.18
deny from 204.152.222
deny from 204.152.222.140
deny from 204.8.156.142
deny from 208.66.135
deny from 208.66.135.190
deny from 208.66.135.190
deny from 209.159.142.164
deny from 212.42.236.140
deny from 213.112.111.205
deny from 213.239.192.229
deny from 217.19.50.77
deny from 24.106.191.235
deny from 24.247.220.16
deny from 50.22.180.2
deny from 62.141.53.224
deny from 66.230.230.230
deny from 66.96.16
deny from 66.96.16.32
deny from 68.71.46.138
deny from 71.198.26.88
deny from 71.244.55
deny from 71.244.55.170
deny from 74.106.17.110
deny from 77.54.97.144
deny from 78.107.237.16
deny from 78.42.9.166
deny from 78.47.251
deny from 79.120.86.20
deny from 79.136.50.205
deny from 80.62.217.18
deny from 80.81.183.178
deny from 81.169.155.246
deny from 81.218.219
deny from 81.218.219.122
deny from 82.228.252.20
deny from 83.80.129.253
deny from 83.142.228
deny from 83.142.228.14
deny from 83.168.210
deny from 83.168.210.55
deny from 83.170.92
deny from 83.170.92.9
deny from 83.220.133.86
deny from 83.226.245.207
deny from 84.75.174
deny from 85.235.31.248
deny from 87.126.133.230
deny from 87.236.194
deny from 87.236.199
deny from 87.236.199.73
deny from 88.189.58
deny from 89.208.237.70
deny from 89.253.105.39
deny from 89.253.97.235
deny from 89.77.213.43
deny from 91.213.50
deny from 91.213.50.235
deny from 92.241.184
deny from 92.241.184.106
deny from 92.241.190.168
deny from 92.9.221.213
deny from 93.104.215.8
deny from 93.115.241
deny from 94.251.75.55
deny from 94.75.253.73
deny from 95.143.193.145
deny from 98.113.149.36
deny from 80.237.226.75
deny from 98.113.149.36
deny from 67.207.136.44
deny from 98.113.149.36
deny from 91.214.30.60
deny from 188.72.225.172
deny from 208.115.203.16
deny from 62.24.181.134
deny from 62.24.181.135
deny from 111.1.32.23
deny from 111.1.32.24
deny from 111.1.32.25
deny from 111.1.32.26
deny from 62.75.139.221
deny from 85.114.141.18
deny from 85.114.135.224
deny from 46.4.237.146
deny from 86.101.114.199
deny from 88.80.29.99
deny from 217.20.114.254
deny from 80.237.226.76
deny from 109.169.41.48
deny from 86.205.122.125
deny from 91.216.191.11
deny from 62.212.67.209
deny from 184.99.175.66
deny from 188.72.241.209
deny from 74.208.243.167
deny from 85.25.144.101
deny from 212.13.195.235
deny from 92.241.190.188
deny from 142.68.83.148
deny from 193.138.216.157
deny from 94.249.153.47
deny from 85.214.73.63
deny from 94.132.72.2
deny from 92.241.190.129
deny from 144.92.92.15
deny from 89.208.236.35
deny from 206.221.217.246
deny from 216.24.174.245
deny from 58.247.181.212
deny from 87.118.104.203
deny from 83.169.9.70
deny from 68.126.24.162
deny from 94.19.12.244
deny from 86.201.237.21
deny from 216.243.32.170
deny from 64.34.162.160
deny from 78.48.204.3
deny from 93.167.245.178
deny from 62.141.58.13
deny from 92.241.168.146
deny from 76.253.141.244
deny from 194.145.200.128
deny from 91.121.175.151
deny from 95.142.174.176
deny from 92.241.174.9
deny from 38.102.94.125
deny from 50.15.57.221
deny from 62.75.159.139
deny from 216.86.61.205
deny from 76.10.214.89
deny from 72.47.252.215
deny from 173.54.2.197
deny from 213.46.138.76
deny from 108.41.42.137
deny from 97.107.142.93
deny from 74.208.246.213
# bots be gone
allow from all
</LIMIT>
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on January 13, 2011, 12:50:59 PM
Here is my Current .htaccess......I add about 20 IP's a day!

You should consolidate and use subnets where possible. The WHOIS command is great for looking up allocations for blocks.

If you have server access, use iptables (Linux) or pf (BSD) to block the IPs at the system level.

Unless you need to, disable memberlist access for guests. You can't block member names in posts without blocking all guests, however.

You could see if you can add a referrer check to the login process to avoid direct submissions. Note that this will break logins for a very small percentage of users that block sending referrers or who use networks that do so.
Title: Re: Being logged out by bots trying to log in
Post by: ACAMS on January 13, 2011, 06:17:12 PM
You should consolidate and use subnets where possible. The WHOIS command is great for looking up allocations for blocks.

I have 2.0 RC3.....How would I do that?
 
 
If you have server access, use iptables (Linux) or pf (BSD) to block the IPs at the system level.

I do have server access, but you lost me....what do I need to do?
 
 
Unless you need to, disable memberlist access for guests.

I would love to, I have 2.0 RC3.....How would I do that?
 
 
You could see if you can add a referrer check to the login process to avoid direct submissions. Note that this will break logins for a very small percentage of users that block sending referrers or who use networks that do so.

I have 2.0 RC3.....How would I do that?
 
 
 
 
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on January 13, 2011, 10:20:53 PM
You should consolidate and use subnets where possible. The WHOIS command is great for looking up allocations for blocks.

I have 2.0 RC3.....How would I do that?

If you are using Linux or OS X as your desktop system, open up a terminal and simply run "whois ip address". If you're on Windows, you will probably want to download JWhois from GNUWin32 (http://gnuwin32.sourceforge.net/packages/jwhois.htm), then run that from the command prompt.

Reading WHOIS info on IPs takes some learning, and is a bit more involved than I will get into here. However, I will give an example from one of your above listed IPs.


$ whois 174.36.199.200
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 174.36.199.200"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=174.36.199.200?showDetails=true&showARIN=false
#

torservers.net NET-174-36-199-200 (NET-174-36-199-200-1) 174.36.199.200 - 174.36.199.207
SoftLayer Technologies Inc. SOFTLAYER-4-7 (NET-174-36-0-0-1) 174.36.0.0 - 174.37.255.255


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


From the above search, we see that the range that IP falls in is specifically "174.36.199.200 - 174.36.199.207". In SMF, you can add the IP ban as "174.36.199.200-207". Checking with an online subnet calculator, they are likely a /29. (In some notation it would be: 174.36.199.200/29). Some WHOIS servers will kindly provide the subnet mask bits (the number after the /)

Further, the range that service is in is owned by SoftLayer, a server provider. No humans should normally be browsing from their range, so you can block 174.36.0.0 - 174.37.255.255. That's two /16 blocks, by the way (I am a sysadmin by trade, so I know the basic subnet masks).



If you have server access, use iptables (Linux) or pf (BSD) to block the IPs at the system level.

I do have server access, but you lost me....what do I need to do?

Using the IP ranges I looked up above, you can do the following using iptables.

For the most restrictive set (the /29 network), the following command will work.


iptables -I INPUT -s 174.36.199.200/29 -j DROP


For that whole block for SoftLayer, you'd use:


iptables -I INPUT -s 174.36.0.0/16 -j DROP
iptables -I INPUT -s 174.37.0.0/16 -j DROP


As a bonus with iptables, httpd doesn't even see the requests as they are being blocked before they ever go to it. If you don't want to figure out the mask bits (the number after the /) you can also use full ranges like shown in the WHOIS output, just don't use spaces around the hyphen.

You'll need to look up the rules for pf if you're on BSD.

Also note that these will only stay applied until the firewall service is restarted, or a reboot. Different distributions store iptables information in different ways. Check documentation on how to save the rules so they persist.

 
 
Unless you need to, disable memberlist access for guests.

I would love to, I have 2.0 RC3.....How would I do that?

Admin -> Members -> Permissions

Modify the permissions for Guests. Uncheck "View profile summary and stats" and save.

 
 
You could see if you can add a referrer check to the login process to avoid direct submissions. Note that this will break logins for a very small percentage of users that block sending referrers or who use networks that do so.

I have 2.0 RC3.....How would I do that?

That would require code changes and I honestly don't have the time to dig into the code and find the best way to handle it. Honestly, it's a last-choice option, something that you should only do if all other efforts fail as it has the most chance of causing issues for real users.
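
The consolidation described in the post above, as an added example that is not part of the original thread or of SMF: it reads Apache 2.2 style "deny from" lines, collapses duplicates and overlapping entries into the smallest set of CIDR blocks, converts a WHOIS "first - last" range to CIDR, and prints matching iptables commands. The function names are hypothetical, and the sample input is constructed from a few entries of the .htaccess posted earlier.

```python
import ipaddress
import re

# Constructed sample: a few entries taken from the .htaccess posted above,
# including a partial address, exact duplicates and non-deny lines.
SAMPLE_HTACCESS = """\
order allow,deny
deny from 174.36.199
deny from 174.36.199.200
deny from 174.36.199.201
deny from 199.48.147.35
deny from 199.48.147.35
deny from 62.24.181.134
deny from 62.24.181.135
deny from 111.1.32.23
deny from 111.1.32.24
deny from 111.1.32.25
deny from 111.1.32.26
# bots be gone
allow from all
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_deny_line(line):
    """Return the IPv4Network covered by one 'deny from' line, or None."""
    fields = line.split("#", 1)[0].split()
    if len(fields) != 3 or [f.lower() for f in fields[:2]] != ["deny", "from"]:
        return None
    spec = fields[2]
    try:
        if "/" in spec:
            net = ipaddress.ip_network(spec, strict=False)
        else:
            octets = spec.rstrip(".").split(".")
            if len(octets) > 4:
                return None
            # Apache 2.2 treats a partial address (1-3 octets) as the whole
            # subnet, so "174.36.199" means 174.36.199.0/24.
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            net = ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    except ValueError:
        return None  # hostname, "all" or malformed entry: review by hand
    return net if net.version == 4 else None


def consolidate(lines):
    """Collapse deny entries into the minimal sorted list of CIDR strings."""
    nets = [n for n in map(parse_deny_line, lines) if n is not None]
    # collapse_addresses drops duplicates, removes entries already covered by
    # a wider block, and merges adjacent blocks that form a larger one.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def whois_range_to_cidrs(text):
    """Convert a WHOIS 'first - last' range into exact CIDR blocks."""
    first, last = (ipaddress.IPv4Address(a) for a in re.findall(IPV4, text)[:2])
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def iptables_rules(cidrs):
    """Render one DROP rule per CIDR block, in the form used in the post."""
    return [f"iptables -I INPUT -s {c} -j DROP" for c in cidrs]


if __name__ == "__main__":
    blocks = consolidate(SAMPLE_HTACCESS.splitlines())
    print("\n".join(f"deny from {b}" for b in blocks))
    # The two ranges from the WHOIS output quoted in the post.
    for rng in ("174.36.199.200 - 174.36.199.207",
                "174.36.0.0 - 174.37.255.255"):
        print("\n".join(iptables_rules(whois_range_to_cidrs(rng))))
```

On the sample, the eleven deny lines reduce to six blocks, and the SoftLayer range quoted from WHOIS comes out as the single block 174.36.0.0/15, which is the same address space as the two /16 rules.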
Title: Re: Being logged out by bots trying to log in
Post by: ACAMS on January 14, 2011, 09:36:02 AM
Thanks, I Modified the permissions for Guests and hope that will stop them.
Title: Re: Being logged out by bots trying to log in
Post by: THE BRA1N on January 14, 2011, 12:33:01 PM
I'm having the exact same problem with many of those same IPs. Many are TOR proxy IP's so I used a TOR bulk list exporter to block them on .htaccess - https://check.torproject.org/cgi-bin/TorBulkExitList.py

The number of invalid logins has dropped significantly since I did that (as well as members getting logged out) but I am still getting a few attempts every day. I will also try the suggestion here to increase the invalid login threshold to see if that helps. The main problem I was having is that most members online were getting logged out every 3-5 mins.

Title: Re: Being logged out by bots trying to log in
Post by: laetabi on January 14, 2011, 01:16:10 PM
This issue was really annoying my users - reported in 2.0 Support board.

Best solution for me, to stop them dead, was to switch log-ins to email address rather than userID - there is a mod for this called 'force email registration' I think.

I also installed Snoopy's httpBL Project Honeypot mod - follow his excellent instructions, a very worthwhile spambot blocker.

It'll scare you how many of these things are visiting your site every hour!

W
Title: Re: Being logged out by bots trying to log in
Post by: bluecar1 on January 14, 2011, 04:02:03 PM
There seems to be IS a problem with being logged out by bots trying to log in with various user names.
This seems to be a unique SMF problem......any plans on blocking them as I have SEVERAL IP's blocked, and new ones try every day!
 
What is going to be done about it?
 
 
I have these blocked so far with .htaccess, but getting tired of adding IP's every day!!!!!!
 
 
Code:
deny from 62.24.181.134
deny from 62.24.181.135

those IP are related to a stalker bot from Talk Talk, there is a bit of controversy over it following TT users around the net supposedly for an antimalware product TT are supposed to be trialing

it has been breaking a few things all over the web,

have a look at www. the-phoenix-broadband-advice-community .co. uk/index.php/topic,1828.0. html and https :// nodpi. org/forum/index.php/topic,2991.0. html

sorry both are long threads but have a lot of information in them

the owner of Phoenix is taking legal action against talk talk over it
Title: Re: Being logged out by bots trying to log in
Post by: Hatari on January 14, 2011, 05:40:11 PM
I have made the link live for you bluecar1

http://www.the-phoenix-broadband-advice-community.co.uk/index.php/topic,1828.0.

https://nodpi.org/forum/index.php/topic,2991.0.htm
Title: Re: Being logged out by bots trying to log in
Post by: bluecar1 on January 14, 2011, 05:48:10 PM
acams,

could you clarify which ip's are the main causes of the logging out issues?

is it all in your HTACCESS list or just some?

thanks

BC1
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on January 14, 2011, 07:53:29 PM
Since about 2:00 pm today USA time I've had to block these IP addresses for failed logins that do not match the IP's of any of my members.

Title: Re: Being logged out by bots trying to log in
Post by: ACAMS on January 15, 2011, 10:41:16 PM
acams,

could you clarify which ip's are the main causes of the logging out issues?

is it all in your HTACCESS list or just some?

thanks

BC1

Most of the ones in the bottom half of my list, I got the top half from Dermot
 
 
Here is my list now
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on January 16, 2011, 12:42:35 AM
I just installed the httpBL modification recently on two of the boards I manage. It seems to work very well. You might want to try it out.

/me is an active contributor to Project Honeypot with 6 HoneyPots and 5 MX records donated.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on January 16, 2011, 06:30:18 PM
I just installed the httpBL modification recently on two of the boards I manage. It seems to work very well. You might want to try it out.

/me is an active contributor to Project Honeypot with 6 HoneyPots and 5 MX records donated.

I've installed this and it is detecting some spam bots...but not the ones trying to log in with members user names.
Title: Re: Being logged out by bots trying to log in
Post by: bluecar1 on January 17, 2011, 10:31:04 AM
acams,

could you clarify which ip's are the main causes of the logging out issues?

is it all in your HTACCESS list or just some?

thanks

BC1

Most of the ones in the bottom half of my list, I got the top half from Dermot
 
 
Here is my list now
acams,

keep an eye out for

62.24.222.132
62.24.222.131

it appears the TT bots are now using these addresses,

can you let me know if you see them and if they cause the logging out issues thanks
Title: Re: Being logged out by bots trying to log in
Post by: Kindred on January 17, 2011, 11:33:04 AM
since installing the bad behavior, stop forum spammers and honeypot mods, I have cut my spammers to zero in the last 2 days. The mods have caught 50 of them at registration so far... and none of the newly registered users in that time has posted any spam, so it is looking successful.

And I have not had any logout problems either...
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on January 18, 2011, 03:11:46 PM
since installing the bad behavior, stop forum spammers and honeypot mods, I have cut my spammers to zero in the last 2 days. The mods have caught 50 of them at registration so far... and none of the newly registered users in that time has posted any spam, so it is looking successful.

And I have not had any logout problems either...

Success! After installing all three it seems to have stopped the spammers dead in their tracks! Thanks for all of the help.
Title: Re: Being logged out by bots trying to log in
Post by: bork on February 09, 2011, 08:03:38 AM
I've installed the 3 mods as suggested (Mod http:BL, Stop Forum Spam and Bad Behaviour) and the three together are blocking a huge amount of malicious activity.

However, I'm still getting a lot of users being logged out.

Looking at the user log, a lot of the IPs involved are present on the Stop Forum Spam database, but the SFP mod only blocks them if they try to register, not if they try to login.

Can anyone suggest any other way to block these IPs or even a mod that makes banning them from the user log faster?
Title: Re: Being logged out by bots trying to log in
Post by: Kindred on February 09, 2011, 10:36:57 AM
unfortunately, the only way I've been able to handle those is by manually scanning the logs once a day and adding the obvious account attempts to the spammer-ban trigger.   after about a week and 30 or so new IPs added to the ban, the hack-attempts have petered out.
Title: Re: Being logged out by bots trying to log in
Post by: bork on February 09, 2011, 10:54:35 AM
adding the obvious account attempts to the spammer-ban trigger.
Do you mean adding them manually as bans using the forum admin "add new ban" page? Is there any easy way of adding them in bulk as it's very time-consuming adding them one at a time.

I'm currently getting my virtual host provider to firewall them.
Title: Re: Being logged out by bots trying to log in
Post by: Kindred on February 09, 2011, 11:22:27 AM
well, I add them all as new triggers to one ban group (I open two windows - one with the error log and one with the Ban trigger)

Unfortunately, I have not found a good way to do it in bulk... 
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 09, 2011, 11:37:38 AM
If it's IP addresses only that you are blocking, would probably be easier to block them on server level, before they ever get to SMF, so saving some resources and making it easier to block them multiple at a time.
Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 09, 2011, 12:14:22 PM
The most effective mod for this particular attack is called something like 'force email log-in'.

By requiring users to use their (usually) hidden email address instead of their forum userId the spambot can't trigger a log-out.

Keep using the spambot / antispam software too as it just makes sense.
Title: Re: Being logged out by bots trying to log in
Post by: bork on February 09, 2011, 03:14:23 PM

Thanks, that mod does look excellent - it's just whether I can force the change on my users! I guess after a few days they'd be used to it and if it stops them getting logged out in the middle of posting then they'll probably be converted.

It's been interesting installing the Bad Behaviour/Mod http:BL/Stop Forum Spam mod combo - I've been shocked at the sheer amount of malicious activity on the forums - overnight nearly 1000 IPs were blocked by these mods;  over a whole year the amount will be massive.
Title: Re: Being logged out by bots trying to log in
Post by: Kindred on February 09, 2011, 03:23:31 PM
well, the numbers will level out and die-down, as your logs get up to date with the Spammers and they start hitting a wall.
Title: Re: Being logged out by bots trying to log in
Post by: Roph on February 09, 2011, 04:52:18 PM
Hopefully in 2.0 final we could have an option to require a captcha for logins.
Title: Re: Being logged out by bots trying to log in
Post by: busterone on February 09, 2011, 05:07:22 PM
Bots have already broken captcha and reCaptcha. It is virtually worthless against the spammers these days.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 10, 2011, 06:00:03 AM
Hopefully in 2.0 final we could have an option to require a captcha for logins.

Doubt it, 2.0 has been feature locked for years.

In any case, I think this behaviour's been altered slightly in SVN, not 100% sure on that though, so don't quote me on it.
Title: Re: Being logged out by bots trying to log in
Post by: Norv on February 11, 2011, 10:17:40 PM
The behavior related to users being logged out has been investigated in SMF and solved, and the fix is currently available in the SMF 1.1.13 patch and the 2.0 RC4 security patch, as well as in RC5.
Thank you very much for the reports!
Title: Re: Being logged out by bots trying to log in
Post by: Elysia on February 11, 2011, 10:22:34 PM
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 11, 2011, 11:19:45 PM
Thanks for the info Norv and Elysia. I will be adding that info to my .htaccess file right now.
Title: Re: Being logged out by bots trying to log in
Post by: djkimmel on February 12, 2011, 01:49:36 AM
I had about 30 IP addresses used that weren't on that list. But since I downloaded that list, 5 more attempts came in with IP addresses on the above list and only 1 not on it. So I added it since I had seen one was listed as a tor server earlier. httpBL is blocking a few more of them now too than it was earlier today so it has slowed down for me.

Not sure what 1.1.13 patch did? It had no impact on the number of login attempts anyway.
Title: Re: Being logged out by bots trying to log in
Post by: Norv on February 12, 2011, 02:45:35 AM
Mods like those listed here might help with preventing or alleviating the attempts made by particular IPs, as these mods typically use online databases of spammers IPs. I should note there is a certain possibility that those databases are not always accurate, since they contain IPs accumulated by anonymous reports (and those reports could be wrong).

The 1.1.13 patch fixed a problem mentioned here: logged in users could find themselves logged out due to the attempts on their account.

That said, we're keeping an eye on these issues and any information provided can be useful and is very appreciated.
Title: Re: Being logged out by bots trying to log in
Post by: Elysia on February 12, 2011, 01:22:01 PM
I used the link provided earlier by The Brain to the Tor nodes list generator here https://check.torproject.org/cgi-bin/TorBulkExitList.py and entered the IP address of our server. The script then generated the list of IP addresses which I was then able to use to create my htaccess.txt list. Perhaps entering different server IP addresses into the list generator tool will result in a different result for other users?

I've just been and checked my forum error log and I've had only 5 new login attempts since I added the big list to the .htaccess file, so it's easy enough to update that now. And of those only 1 attempt wasn't a legit login failure! So if you add to the earlier list
deny from 84.46.12.102
on a new line that will update the .htaccess file.
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 12, 2011, 01:33:01 PM
Mods like those listed here might help with preventing or alleviating the attempts made by particular IPs, as these mods typically use online databases of spammers IPs. I should note there is a certain possibility that those databases are not always accurate, since they contain IPs accumulated by anonymous reports (and those reports could be wrong).

As a quick note, the Project Honeypot http:BL service is populated with confirmed spammers and harvesters. Outside reports aren't accepted. To get on the list, you must visit several of the hidden honeypots and either spam the special e-mail addresses hidden in the page source or spam using the hidden form in the page source. Even if you were curious and visited one of the pots in your browser (like the one hidden in my signature here), you wouldn't get flagged. There is also a very nicely documented removal policy and old entries are expired following a posted policy. It's one of the very few services that does it right and thus has over 90%+ accuracy.


The 1.1.13 patch fixed a problem mentioned here: logged in users could find themselves logged out due to the attempts on their account.

That's great to hear.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 12, 2011, 07:42:36 PM
As a quick note, the Project Honeypot http:BL service is populated with confirmed spammers and harvesters. Outside reports aren't accepted. To get on the list, you must visit several of the hidden honeypots and either spam the special e-mail addresses hidden in the page source or spam using the hidden form in the page source. Even if you were curious and visited one of the pots in your browser (like the one hidden in my signature here), you wouldn't get flagged. There is also a very nicely documented removal policy and old entries are expired following a posted policy. It's one of the very few services that does it right and thus has over 90%+ accuracy.

I have the Honeypot BL mod installed and it does do what you say but these bots or whatever are different. The only thing it appears that they do is try to log in using existing members user name. I don't think I've ever had one to succeed but even if they did there is very little payload they could reap from being logged in as an existing member. It doesn't make much sense as they are trying very hard to accomplish something that won't do much for them if they succeed.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 12, 2011, 07:43:26 PM
On the contrary, if they succeed, they have your password. How many users share passwords across one or more sites/services?
Title: Re: Being logged out by bots trying to log in
Post by: crash56 on February 12, 2011, 07:45:05 PM
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network. ...///... It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Thank you for this, Elysia.  One of the forums that I look after was getting hit.  Since adding your list to my .htaccess, the only login failure I've had show up in the error message was my own.   ;D  (I flubbed my login.) 

Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 12, 2011, 10:05:52 PM
On the contrary, if they succeed, they have your password. How many users share passwords across one or more sites/services?

My password certainly is not the same as my banking account, credit card account, or PayPal account passwords. I don't use the same user name either. I would hope no one does this but you're right...probably some do.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 12, 2011, 10:14:32 PM
Probably? Very definitely, the majority of users share passwords between two or more sites. Of course, most people will keep their banking stuff separate but I doubt most people keep their Facebook account separate to a general forum login.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 13, 2011, 01:26:47 AM
Probably? Very definitely, the majority of users share passwords between two or more sites. Of course, most people will keep their banking stuff separate but I doubt most people keep their Facebook account separate to a general forum login.

I still think there are better targets to hit than forums. But maybe they are more successful than it appears. I only see the failed log in attempts in the error log. If they successfully crack the password that won't be in the log.
Title: Re: Being logged out by bots trying to log in
Post by: mecfs on February 13, 2011, 02:57:21 AM
Using RC3. If I am logged in and someone else tries to log in as me and enters the wrong password, I am logged out. Is this what has changed in RC4-security and RC5? Attempts at bot-blocking is a bandaid on the problem; this "feature" should not exist.
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 13, 2011, 03:07:29 AM
This is what was supposed to be stopped with RC5, and the patch.
Title: Re: Being logged out by bots trying to log in
Post by: mecfs on February 13, 2011, 03:14:36 AM
This is what was supposed to be stopped with RC5, and the patch.
That is good to hear, thank you.
Title: Re: Being logged out by bots trying to log in
Post by: RVD on February 13, 2011, 01:10:10 PM
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Where exactly should this file be uploaded to? Thank you for your help.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 13, 2011, 01:38:14 PM
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Where exactly should this file be uploaded to? Thank you for your help.


Copy and paste into the .htaccess file for your domain.
Title: Re: Being logged out by bots trying to log in
Post by: PLAYBOY on February 13, 2011, 06:39:31 PM
I have a very long list here also. But how can I add the words "Deny from" in front of every IP automatically?
My list is about 1000 ips also.
Title: Re: Being logged out by bots trying to log in
Post by: Seo-luntan on February 13, 2011, 06:46:18 PM
I got a question - if we ban/block/deny all these IPs (I have a lot too), in the future we'll lose a lot of potential HUMAN users. Do you think that these IPs are only spambots'? I wonder...
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 13, 2011, 07:07:23 PM
I have a very long list here also. But how can I add the words "Deny from" in front of every IP automatically?
My list is about 1000 ips also.

If you have a text editor that handles regular expressions, set the find string to "^" and the replace to "Deny from ".


I got a question - if we ban/block/deny all these IPs (I have a lot too), in the future we'll lose a lot of potential HUMAN users. Do you think that these IPs are only spambots'? I wonder...

They are likely normal end-user computers that have been infected and are being used as bots. I'd suggest culling the list regularly.
Title: Re: Being logged out by bots trying to log in
Post by: TDNY on February 13, 2011, 08:25:44 PM
The behavior related to users being logged out has been investigated in SMF and solved, and the fix is currently available in the SMF 1.1.13 patch and the 2.0 RC4 security patch, as well as in RC5.
Thank you very much for the reports!

Thanks for all the work on this problem,
I never had an issue with members being logged out OR an issue with log in errors until I updated from 1.1.12 to 1.1.13 last night. This morning I have 3 pages of log in errors. Does the patch just fix the "getting logged out" issue or is it also supposed to stop the log in attempts?
Title: Re: Being logged out by bots trying to log in
Post by: Kindred on February 13, 2011, 09:04:40 PM
There is no real way to stop the log in attempts.
Title: Re: Being logged out by bots trying to log in
Post by: sheryltoo on February 13, 2011, 09:07:02 PM
This problem started in my forum yesterday so I upgraded to RC4 and added the security patch but it didn't help.
Also, I don't know if this is related but not one member has signed in or posted on my site since I did the upgrade. I keep seeing lots of guests viewing the site but no one signing in.
That's kind of unusual for my site so I don't know if my members are having problems because of the bots or the upgrade.
Title: Re: Being logged out by bots trying to log in
Post by: busterone on February 13, 2011, 09:10:32 PM
You cannot stop the log in attempts with any means other than either blocking them in .htaccess, or by SMF's ban list.  The patch is meant to stop logged in users being logged out by the bots, but it does nothing to stop the attack itself.  If those IPs are listed in the Project Honeypot database as a threat, then they will get redirected away from the forum with no access, but most of these IPs are coming up clean. They are not listed there or in the Stop Forum Spam database. As was previously stated, they are probably innocent users who have been infected by the botnet.

The already suggested methods are pretty much all that can be done. This is a coordinated attack that will have to be ridden out. If these folks are smart enough to see that they are being stopped, they may even start a new botnet with new IPs. What they want to accomplish is anyone's guess, but it could just be some idiot script kiddies looking for kicks, and SMF forums are their present target.
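Why per-IP blocking keeps falling behind in the situation described in this thread, shown as an added example (not SMF code and not from any poster): counting failures per source address finds nothing when every address tries only once or twice, while counting failures per targeted account inside a time window flags the account under attack. The event format, member names, addresses and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-login events: (time, source IP, member name).
# Addresses are from the documentation ranges; the format is an assumption,
# not the layout of the SMF error log.
SAMPLE_EVENTS = [
    ("2011-02-13 09:00:05", "192.0.2.10", "member_a"),
    ("2011-02-13 09:00:40", "198.51.100.23", "member_a"),
    ("2011-02-13 09:01:15", "203.0.113.77", "member_a"),
    ("2011-02-13 09:02:02", "192.0.2.91", "member_a"),
    ("2011-02-13 09:02:50", "198.51.100.140", "member_a"),
    ("2011-02-13 09:03:30", "203.0.113.5", "member_a"),
    ("2011-02-13 09:10:00", "192.0.2.200", "member_b"),  # a member flubbing a login
    ("2011-02-13 09:10:20", "192.0.2.200", "member_b"),
    ("2011-02-13 14:30:00", "198.51.100.23", "member_c"),
]


def noisy_sources(events, limit):
    """Source addresses with at least `limit` failures (the per-IP view)."""
    counts = Counter(ip for _, ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n >= limit)


def targeted_accounts(events, window=timedelta(minutes=10),
                      min_failures=5, min_sources=4):
    """Accounts hit by many failures from many addresses within `window`.

    Returns {member_name: (failures, distinct_sources)} for the busiest
    window seen on each flagged account.
    """
    by_account = defaultdict(list)
    for ts, ip, name in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_account[name].append((when, ip))

    flagged = {}
    for name, rows in by_account.items():
        rows.sort()
        in_window = Counter()   # failures per source inside the window
        start = 0               # index of the oldest event still in the window
        for when, ip in rows:
            in_window[ip] += 1
            # Drop events that have fallen out of the sliding window.
            while when - rows[start][0] > window:
                old_ip = rows[start][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                start += 1
            failures = sum(in_window.values())
            sources = len(in_window)
            if failures >= min_failures and sources >= min_sources:
                flagged[name] = max(flagged.get(name, (0, 0)),
                                    (failures, sources))
    return flagged


if __name__ == "__main__":
    print("per-IP view (limit 3):", noisy_sources(SAMPLE_EVENTS, 3))
    print("per-account view:", targeted_accounts(SAMPLE_EVENTS))
```

An account flagged this way is a candidate for a login challenge or a temporary slow-down on that account, which does not depend on knowing the next address in advance.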
Title: Re: Being logged out by bots trying to log in
Post by: TDNY on February 13, 2011, 09:25:32 PM
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

This crashed my site, I don't know what went wrong. I uploaded it to the root, that was fine. Renamed it .htaccess, clicked OK and the file disappeared from the list. I went to my site and all access was denied. Called support and they were able to see .htaccess; it was a hidden file. They tried deleting it but that didn't work; they had to do a back-up restore off the server.
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 13, 2011, 09:26:01 PM
I have a forum I help out with being hit hard by this junk. The bots make accounts with spam ads in the signatures, but they don't make any posts for the members to see the ads. This part I don't understand. Why go to the trouble of making an account with an ad and not posting it for people to see? The membernames are of the form two words and some numbers -

riceticky06
jillskinny12

I also have hundreds of errors in the log for password incorrect errors.
Title: Re: Being logged out by bots trying to log in
Post by: busterone on February 13, 2011, 09:33:38 PM
I have a forum I help out with being hit hard by this junk. The bots make accounts with spam ads in the signatures, but they don't make any posts for the members to see the ads. This part I don't understand. Why go to the trouble of making an account with an ad and not posting it for people to see? The membernames are of the form two words and some numbers -

riceticky06
jillskinny12

I also have hundreds of errors in the log for password incorrect errors.
The two usernames you listed are probably just spammers not connected to the log in attack that has been going on. The spammers put their ads in profiles with the hope that if profiles are viewable by guests, they will be viewable and indexed by search engines. Most forum admins do not allow guest viewing of profiles, so it becomes a wasted effort by the spammers. Whoever said that spammers are smart though.  ;)
Title: Re: Being logged out by bots trying to log in
Post by: Norv on February 13, 2011, 09:33:56 PM
This problem started in my forum yesterday so I upgraded to RC4 and added the security patch but it didn't help.
Also, I don't know if this is related but not one member has signed in or posted on my site since I did the upgrade. I keep seeing lots of guests viewing the site but no one signing in.
That's kind of unusual for my site so I don't know if my members are having problems because of the bots or the upgrade.

You can log in, as I understand. You could make another account, a simple member account, and see if you can log in on that account and navigate normally around the forum.
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 13, 2011, 09:39:48 PM
The two usernames you listed are probably just spammers not connected to the log in attack that has been going on. The spammers put their ads in profiles with the hope that if profiles are viewable by guests, they will be viewable and indexed by search engines. Most forum admins do not allow guest viewing of profiles, so it becomes a wasted effort by the spammers. Whoever said that spammers are smart though.  ;)

Ah OK, well the member's profiles can't be seen by guests so that's a waste of effort alright. Most of the time the spammer member name is exactly the same as the first part of the registration email they use, so I think I'll switch to account approval and see if I can't cull out some of these vile spam accounts.
Title: Re: Being logged out by bots trying to log in
Post by: nvcnvn on February 13, 2011, 10:08:35 PM
Can we just show a Verification Questions on login page!?
Title: Re: Being logged out by bots trying to log in
Post by: busterone on February 13, 2011, 10:11:57 PM
That will help deter them from actually getting the password by brute force, but it will not stop them from trying. The errors will still be in the error log.
Title: Re: Being logged out by bots trying to log in
Post by: nvcnvn on February 13, 2011, 10:22:25 PM
Ok.

But, my question is: why was the true user logged out when these bots enter the wrong password!?

I have updated my forum to RC5. I hope this issue will be fixed. Just wait....
Title: Re: Being logged out by bots trying to log in
Post by: busterone on February 13, 2011, 10:24:18 PM
The upgrade fix is to stop logged in users from being logged out by the bot attacks.
Title: Re: Being logged out by bots trying to log in
Post by: nvcnvn on February 13, 2011, 10:30:34 PM
Ok, I see!
Now let's keep discussing how to stop them!
Title: Re: Being logged out by bots trying to log in
Post by: PLAYBOY on February 13, 2011, 11:23:44 PM
Can we just show a Verification Questions on login page!?

Cool idea, or a recaptcha would work perfect too.


Quote
If you have a text editor that handles regular expressions, set the find string to "^" and the replace to "Deny from ".

But there is no ^ string. It's just single IPs on each line.
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 14, 2011, 12:04:11 AM
Quote
If you have a text editor that handles regular expressions, set the find string to "^" and the replace to "Deny from ".

But there is no ^ string. It's just single IPs on each line.

Right, which is why I mentioned regular expressions. In regex-speak, "^" is code for "beginning of the line".
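The find-and-replace discussed above, as an added example that is not part of the original posts: a script that prefixes each entry with "Deny from" and also validates, de-duplicates and collapses the list, and refuses to emit a rule covering an address you name as your own. The `never_block` parameter, the function names and the sample addresses (documentation ranges) are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample paste: documentation-range addresses, not real offenders.
SAMPLE_LIST = """\
198.51.100.7
198.51.100.7
203.0.113.36
203.0.113.37
192.0.2
192.0.2.27
deny from 198.51.100.200
not-an-ip
203.0.113.250
"""

# One to three octets, optionally with a trailing dot (Apache partial address).
PARTIAL = re.compile(r"\d{1,3}(?:\.\d{1,3}){0,2}\.?")


def parse_entry(text):
    """Return an IPv4Network for one list entry, or raise ValueError."""
    entry = text.strip()
    if entry.lower().startswith("deny from "):
        entry = entry[len("deny from "):].strip()
    if PARTIAL.fullmatch(entry):
        # Apache treats a partial address such as "192.0.2" as every address
        # beginning with those octets, so expand it to the matching network.
        octets = entry.rstrip(".").split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}")
    return ipaddress.IPv4Network(entry, strict=False)


def build_deny_rules(raw_text, never_block=()):
    """Turn a pasted address list into 'Deny from' lines.

    Returns (rules, skipped, rejected):
      rules    - directive lines, de-duplicated and collapsed
      skipped  - networks left out because they contain a never_block address
      rejected - input lines that are not valid IPv4 entries
    """
    protected = [ipaddress.IPv4Address(a) for a in never_block]
    networks, rejected = [], []
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        try:
            networks.append(parse_entry(line))
        except ValueError:
            rejected.append(line.strip())

    rules, skipped = [], []
    # collapse_addresses drops duplicates, merges adjacent addresses and
    # removes entries already covered by a wider range in the list.
    for net in sorted(ipaddress.collapse_addresses(networks)):
        if any(addr in net for addr in protected):
            # Leave the whole network out rather than lock the admin out.
            skipped.append(str(net))
            continue
        target = str(net.network_address) if net.prefixlen == 32 else str(net)
        rules.append(f"Deny from {target}")
    return rules, skipped, rejected


if __name__ == "__main__":
    rules, skipped, rejected = build_deny_rules(
        SAMPLE_LIST, never_block=["203.0.113.250"])
    print("\n".join(rules))
    print("# skipped (would block a protected address):", skipped)
    print("# rejected (not an IPv4 entry):", rejected)
```

Review the skipped and rejected lists before pasting the rules into .htaccess; a skipped network means the input would have blocked one of the addresses you asked to protect.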
Title: Re: Being logged out by bots trying to log in
Post by: Ryan2320 on February 14, 2011, 12:12:51 AM
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Thanks for that list, this should at least slow them down more...
Ryan
Title: Re: Being logged out by bots trying to log in
Post by: krick on February 14, 2011, 12:26:06 AM

I still think there are better targets to hit than forums.


I run a forum for World of Warcraft players.  If someone on my forum uses the same username and password as their user account on Warcraft, and my forum gets hacked by these bots, guess who is probably going to get their Warcraft account looted?   There's big money in Warcraft gold.
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 14, 2011, 12:41:04 AM
The sad truth of it is that forums are pretty much the last place on internet where you can harvest account names, e-mail addresses, and passwords linked to both of those, easily from centralised locations - if you are successful at brute forcing your way in to those accounts. So, it kind of makes sense that bots like these target forums. They are not after information kept on the forum, or your private messages, they are more probably after actual login data.
Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 14, 2011, 02:23:37 AM
I posted previously in this topic having been an early target of the bot in question.

Denying IP addresses and installing anti-spam mods like httpBL are all good things to do but a simple secure fix for this attack is to hide all email addresses by default and force members to log-in using their email address.

Part of the vulnerability of forums to this type of attack is that one part of the log-in info is public domain (eg. Usernames can be seen all over the forum and can be harvested easily).

By logging in using email address the bots have to find out and hit an active email address to log-out a user.

There is a simple mod for this 'force email log-in' and this will stop all error log entries and make your forum much more secure to any future variants these script kiddies develop.

http://custom.simplemachines.org/mods/index.php?mod=1665
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 14, 2011, 03:14:46 AM
Funnily enough this discussion was had not that long ago in the beta board.

I wonder if Facebook will turn off the ability to login via username in that case... (because you can)
Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 14, 2011, 03:28:48 AM
I think it would make sense. Many users use the same password or variations of it on multiple sites. Once cracked I hate to think of the damage that could be done with just a little exploring.

If this bot is successful it effectively gives the owner your email address from your profile, perhaps your name or location or dob and a password. Off someone goes to Paypal or eBay or Amazon etc etc and has a ball.

Facebook is the same.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 14, 2011, 03:44:09 AM
Well, Facebook allows login with a username, and getting access to FB would probably wreak more havoc than a forum, but you're entirely right.

My question still stands: do you think Facebook will turn that feature off? Do you think your users will tolerate the additional inconvenience of using an email instead of a username?
Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 14, 2011, 04:12:52 AM
Facebook will when they come under attack ;)

And my users have all tolerated it. If you've had this bot attack, they welcome it!
Title: Re: Being logged out by bots trying to log in
Post by: Rik© on February 14, 2011, 04:17:57 AM
/me wonders if Arantor knows a quick fix for the 'always-unread bug' in the Hide Post Authors From Guests mod  :P
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 14, 2011, 04:22:53 AM
/me wonders if Arantor knows a quick fix for the 'always-unread bug' in the Hide Post Authors From Guests mod  :P

Nope, sorry. Haven't looked at it for a very long time.


Going back to the topic (:P) yes, that raises some interesting thoughts. Firstly, the convenience factor of username vs 'security' of email address, secondly it does actually make a case for removing the copyright since from what I can tell, the sites being attacked were found in Google based on searching for the footer. The sites of mine that haven't been attacked have a slightly modified wording in the footer (though, before anyone jumps on me, please note that it's done in accordance with the licence as the team have enforced it thus far: it only modifies the version number)
Title: Re: Being logged out by bots trying to log in
Post by: RVD on February 14, 2011, 10:56:51 AM
/me wonders if Arantor knows a quick fix for the 'always-unread bug' in the Hide Post Authors From Guests mod  :P

Nope, sorry. Haven't looked at it for a very long time.


Going back to the topic (:P) yes, that raises some interesting thoughts. Firstly, the convenience factor of username vs 'security' of email address, secondly it does actually make a case for removing the copyright since from what I can tell, the sites being attacked were found in Google based on searching for the footer. The sites of mine that haven't been attacked have a slightly modified wording in the footer (though, before anyone jumps on me, please note that it's done in accordance with the licence as the team have enforced it thus far: it only modifies the version number)

Could you share your footer mod?

Thank you.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 14, 2011, 11:05:47 AM
No, I can't.
Title: Re: Being logged out by bots trying to log in
Post by: Rik© on February 14, 2011, 11:20:48 AM
No, I can't.
lol  ;D
Title: Re: Being logged out by bots trying to log in
Post by: live627 on February 14, 2011, 04:14:19 PM
hadesflames has one for ya
Title: Re: Being logged out by bots trying to log in
Post by: krick on February 14, 2011, 10:15:19 PM
Here's some more IP addresses to add to the .htaccess ban list.  Incidentally, does anyone happen to know if it makes any difference performance-wise if the "deny from" entries are at the beginning or the end of your .htaccess file?

Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 14, 2011, 11:55:03 PM
It shouldn't make a difference. Adding directly to the Apache config and disabling htaccess would have more improvement on performance.

If you have root access, adding the IPs as an iptables (or pf for BSD) deny would be the best choice.
Title: Re: Being logged out by bots trying to log in
Post by: _Ziggy_ on February 15, 2011, 04:28:11 AM
I posted previously in this topic having been an early target of the bot in question.

Denying IP addresses and installing anti-spam mods like httpBL are all good things to do but a simple secure fix for this attack is to hide all email addresses by default and force members to log-in using their email address.

Part of the vulnerability of forums to this type of attack is that one part of the log-in info is public domain (eg. Usernames can be seen all over the forum and can be harvested easily).

By logging in using email address the bots have to find out and hit an active email address to log-out a user.

There is a simple mod for this 'force email log-in' and this will stop all error log entries and make your forum much more secure to any future variants these script kiddies develop.

http://custom.simplemachines.org/mods/index.php?mod=1665


I agree.
The email login should be standard for SMF.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 05:00:19 AM
There is a simpler way to deal with it whilst keeping the convenience of a short login name: just use a different display name to username. I don't remember the last time I had to actually use a full email address anywhere.
Title: Re: Being logged out by bots trying to log in
Post by: _Ziggy_ on February 15, 2011, 05:17:31 AM
Yes, but how do you force members to choose a different display name to username?
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 05:22:35 AM
Prompt them to do so, then reset their name after a period of time if they haven't complied.
Title: Re: Being logged out by bots trying to log in
Post by: fiver on February 15, 2011, 06:21:56 AM
I'm receiving the same attack on a few forums. Now trying Proxy Blocker mod (http://custom.simplemachines.org/mods/index.php?mod=2329) since someone mentioned that the bots are going through tor - let's hope it works.


Will feedback here after an hour or 2 with the result.


Note: Stand by to modify your index.php. If you get blocked by this mod, you need to hide one of the lines of the installed code that blocked you out of your forum.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 07:15:15 AM
Note that using that mod will also very likely screw up any mobile users trying to get to your site.
Title: Re: Being logged out by bots trying to log in
Post by: Digharatta on February 15, 2011, 08:04:48 AM
Hello,

Since only few accounts were attacked, I specified the IP addresses for each of these accounts, with the help of Login Security mod, and it helped:

http://custom.simplemachines.org/mods/index.php?mod=2181

P.S. Let me also recommend Forum Firewall mod http://custom.simplemachines.org/mods/index.php?mod=2815 - it's incredible how often the forum gets attacked in small ways.
Title: Re: Being logged out by bots trying to log in
Post by: Elysia on February 15, 2011, 09:35:26 AM
I've updated the htaccess file with a raft of new IPs trying the logins against our large forum. The htaccess list has reduced the attempts to a trickle now rather than the flood of a few days ago. But looking at the IPs I've added it looks like whatever is happening is spreading through more and more servers... only one of the latest batch seems to be a tor servers connection.

Something else I've picked up is that the attempts are using usernames not displayed names, so whatever is doing this is able to read the usernames somewhere - and given that the Memberlist is not, and has never been, readable by guests, and the only other place these usernames are stored is in the database, how is this access being effected?
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 09:36:05 AM
Are profiles accessible to guests?
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 09:40:34 AM
A simple solution would be to create a mod that obfuscates (or simply hides) display names when a guest views the forum. Like the way eBay does it... instead of displaying "EagleMan" it'd display "E***n".
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 09:41:35 AM
You think it's simple to do that? If only it were, because it really isn't. You have to pretty much modify every file where usernames are loaded from the database.
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 09:43:17 AM
I meant "simple" as in easily thwarting the bots... not "simple" in design/coding. Sorry.
Title: Re: Being logged out by bots trying to log in
Post by: Elysia on February 15, 2011, 09:47:44 AM
Are profiles accessible to guests?
No absolutely not, and have never been.

A simple solution would be to create a mod that obfuscates (or simply hides) display names when a guest views the forum. Like the way eBay does it... instead of displaying "EagleMan" it'd display "E***n".
No that won't stop it, as the display name isn't the issue. The username is the issue and that does not appear on the board at all - it's the display name which shows in post and it's not that which is being used for the login attempts. I have an example where the login name is all capitals (e.g. FRED) and the username normal case (e.g. Fred) and the login failures are showing FRED not Fred.
Title: Re: Being logged out by bots trying to log in
Post by: crash56 on February 15, 2011, 09:53:31 AM
No that won't stop it, as the display name isn't the issue. The username is the issue and that does not appear on the board at all - it's the display name which shows in post and it's not that which is being used for the login attempts. I have an example where the login name is all capitals (e.g. FRED) and the username normal case (e.g. Fred) and the login failures are showing FRED not Fred.

This is really weird because my forums always show the display name on all the login attempts ... including my own when I simply botch my password.  I assumed it was the default set up by the SMF software, not something that relied on what the person (or bot) was using to login.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 09:55:12 AM
The error is misleading. When it's doing the lookup, it fetches the actual member name in the database, and THAT's what's in the error log, not what the user typed in.

See LogInOut.php around line 245. There's a query that fetches all the important details from the members row, stores them in $user_settings. Then it checks the hashes, upgrades passwords if they're using older hashes etc. But if it's wrong:
Code:
log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');
That's where it's getting it from. It ISN'T what's being typed.
Title: Re: Being logged out by bots trying to log in
Post by: _Ziggy_ on February 15, 2011, 09:58:35 AM
So if you simply put an "!" (or something else) it will stop them?

Like "Ziggy!" or "Arantor!"
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 10:00:12 AM
That's where it's getting it from. It ISN'T what's being typed.

Thanks for explaining that one!

So, back to my original statement, if we had a mod that showed obfuscated display names to guests, then the bots would harvest that information which would render the bot benign.
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 10:03:14 AM
So if you simply put an "!" (or something else) it will stop them?

Like "Ziggy!" or "Arantor!"

Sure, that would work, but what if the bot were designed to simply strip off the ! ... then they'd have the username again. What I'm thinking is like the way eBay does it for showing bids... Ziggy would be Z***y and Arantor would be A***r... there's no way the bot could reconstruct the actual name.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 10:04:03 AM
@Ziggy: It might, but I wouldn't hold your breath. Better would be a different display name entirely.

@szinski: Yes, in theory.


Or better, just have it say 'HIDDEN' for everyone ;D
Title: Re: Being logged out by bots trying to log in
Post by: Elysia on February 15, 2011, 10:06:20 AM
This is really weird because my forums always show the display name on all the login attempts ... including my own when I simply botch my password.  I assumed it was the default set up by the SMF software, not something that relied on what the person (or bot) was using to login.

Is that because most times the display name and the username are the same?

I only picked up on this as I have some users for who this isn't the case, as we have "allow users to edit their displayed name" set to yes in config and some have changed it - handy when we have users who signed up with their full name or an email address and then realise it wasn't such a good idea! I know admins can make changes but we try and encourage our members to do their own as they learn more that way.
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 10:06:43 AM
Or better, just have it say 'HIDDEN' for everyone ;D

I like that idea... that would also encourage lurkers to register for an account.
Title: Re: Being logged out by bots trying to log in
Post by: Astra_200 on February 15, 2011, 10:13:50 AM
I do not have profiles accessible to guests.

I have an htaccess list as long as my arm though with banned IPs - yet these things keep coming...  It's like war of the worlds!!

It's possible that a few of our passwords have been compromised already as I have stuff about avatars and html_safe mainly in sources subs.php and language files yet I don't see anything suspicious on my custom theme forum. I now have an 80 page + error log.

I put the forum in maintenance mode overnight, but the errors still appeared. Anybody know why that should happen?

Does anybody know what the likely impact of this attack will be? As personally I am a little fed up wasting my time combating it. I have just had to rebuild my forum 2 weeks ago following a spam email hack that apparently originated from my smf account (which was also blacklisted for a while)

Since then I have upgraded to RC4 with security patch.

I know no one can stop these attacks from taking place, but why are they targeting smf? Is there a vulnerability within it?
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 10:16:49 AM
There's no vulnerability they're targeting as far as we know. What IS happening is that they're trying to get your password.
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 10:19:01 AM
I do not have profiles accessible to guests.

I don't think the bots are going through profiles, I suspect that the bots are simply crawling the forum picking up user names (display names) from the postings. Then, the bot is probably attempting to login as those people using easily-guessable passwords.

Does anyone have a log of what password(s) the bots are using?
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 15, 2011, 10:21:40 AM
I put the forum in maintenance mode overnight, but the errors still appeared. Anybody know why that should happen?

The login form still exists in standard maintenance mode to allow for admins to login, so that won't do a thing. Setting maintenance mode to 2 would as it turns off everything. Doing so is a manual edit.
Title: Re: Being logged out by bots trying to log in
Post by: Illori on February 15, 2011, 10:23:05 AM
Does anyone have a log of what password(s) the bots are using?

there is no way to tell the difference in valid users trying to log in and the bots, so if you did find a way to catch the passwords it would be a security breach for all your members.
Title: Re: Being logged out by bots trying to log in
Post by: Astra_200 on February 15, 2011, 10:26:40 AM
The login form still exists in standard maintenance mode to allow for admins to login, so that won't do a thing. Setting maintenance mode to 2 would as it turns off everything. Doing so is a manual edit.

Ah got it thank you.

So does anyone know the actual purpose of this attack, has anyone been affected by it yet and how?
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 10:29:55 AM
there is no way to tell the difference in valid users trying to log in and the bots, so if you did find a way to catch the passwords it would be a security breach for all your members.

No, just log the invalid (bad) password... not valid passwords. And I'm talking about a temporary thing, to be used for debugging this situation.

The way I see it, my forums are being "probed" from a LOT of different IP addresses. But they're not trying to login to the same account over-and-over (i.e., dictionary attack). No, the logins are somewhat random and a dictionary attack would take decades at that rate!

So, back to my original observation... I suspect that the bots are using a list of commonly-used passwords for their attack. Perhaps if we knew those passwords we'd have a bot "signature" or "footprint" to work with.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 10:33:01 AM
You almost never get the real password; it's invariably sent encrypted in the first place.

In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 10:38:04 AM
You almost never get the real password; it's invariably sent encrypted in the first place.

In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

Hey, I can't see your forum's usernames... dang... now I have to rethink my bot-tactics! LOL

Dude, you are quick! Nicely done!
Title: Re: Being logged out by bots trying to log in
Post by: Tanks on February 15, 2011, 10:39:41 AM
@ Arantor - Will your mod work with RC2 if I emulate RC4 ?

Yes I know I should be upgrading but with 50+ mods installed I have not gotten around to doing it.
Title: Re: Being logged out by bots trying to log in
Post by: Astra_200 on February 15, 2011, 10:41:25 AM
In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

That's very kind of you Arantor :) Thank you!!

Is it only downloadable from your site?
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 10:42:36 AM
Quote
Hey, I can't see your forum's usernames... dang... now I have to rethink my bot-tactics! LOL

I was sitting here writing it while having this conversation ;) That's what prompted the 'thinking it's easy' comment, since I'd already discovered it was a pain.

Quote
@ Arantor - Will your mod work with RC2 if I emulate RC4 ?

You can tell it to emulate RC3, RC4, RC5, RC6! or 2.0. Whether it'll work is another story, but the odds are reasonably good.

Quote
Is it only downloadable from your site?

Yes. I won't be uploading it here, not that it currently meets criteria (it doesn't - I wrote it for arantor.org first, then decided to share)



Oh, and heh, you can even see that it started out as just a Tor blocker if you look in install.xml...
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 10:42:46 AM
In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

Now your error log will have a zillion entries like "Invalid login from HIDDEN" LOL
Title: Re: Being logged out by bots trying to log in
Post by: Astra_200 on February 15, 2011, 10:45:48 AM
Quote
Is it only downloadable from your site?

Yes. I won't be uploading it here, not that it currently meets criteria (it doesn't - I wrote it for arantor.org first, then decided to share)

I can see you getting a few more forum members pretty fast ;D
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 10:46:44 AM
Quote
Now your error log will have a zillion entries like "Invalid login from HIDDEN" LOL

Nope. Username not existing doesn't log an error.

Note that it won't suddenly make it stop - the bots still have some usernames in their records, but it might hopefully slow it down over the next few days or so.

Quote
I can see you getting a few more forum members pretty fast

Heh, well, they'll see the other things I got going on that keep spam down like that funky custom CAPTCHA :D
Title: Re: Being logged out by bots trying to log in
Post by: Astra_200 on February 15, 2011, 11:06:24 AM
Thanks for the Anti-Abuse mod Arantor, installed like a dream :)

Very kind of you to share with the smf community.

PS - Yes that is a very smart captcha you have 8).
Title: Re: Being logged out by bots trying to log in
Post by: Rik© on February 15, 2011, 11:07:18 AM
In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

Thank you for sharing!
Wanted to check it out but I can't download......
Forgot my pw, got the mail with the reset link, clicked it and..... nothing, just index.php  ???

-Rik©
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 11:08:54 AM
Quote
Forgot my pw, got the mail with the reset link, clicked it and..... nothing, just index.php

Odd, outbound email should work alright (I changed my account username earlier today, and promptly forgot my password after I changed them both at the same time... and it worked then)
Title: Re: Being logged out by bots trying to log in
Post by: Rik© on February 15, 2011, 11:26:23 AM
Quote
Forgot my pw, got the mail with the reset link, clicked it and..... nothing, just index.php

Odd, outbound email should work alright (I changed my account username earlier today, and promptly forgot my password after I changed them both at the same time... and it worked then)
Tried it again (this time copied the link) and it works, can choose a new pw now.
Must be gmail, when I just click the link it takes me to index.php...

Again, thanks for sharing, you're the best  :P

-Rik©
Title: Re: Being logged out by bots trying to log in
Post by: Astra_200 on February 15, 2011, 11:26:30 AM
If it's any help, my Arantorhome registration mail came out just fine.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 11:27:32 AM
Quote
Must be gmail, when i just click the link it takes me to index.php...

That's been reported for GMail+IE, no other combination that I'm aware of.

Quote
Again, thanks for sharing, you're the best

*blush*
Title: Re: Being logged out by bots trying to log in
Post by: Tanks on February 15, 2011, 11:28:08 AM
Thanks Arantor :) It works on my heavily modded RC2 forum.

The only glitches are the portal blocks that show recent topics, and the related topics mod, but I don't think the bots look at those places.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 11:29:30 AM
Well, they'd have to be modified manually, I couldn't take into account all the possible variations like that. (If only there were a single common function that should be used to get member details... oh wait, there is one, just half of SMF doesn't use it!)
Title: Re: Being logged out by bots trying to log in
Post by: Tanks on February 15, 2011, 11:35:38 AM
Doesn't matter, I can just turn off the blocks for guests, and put something else there.

And regarding the related topics it almost only shows my name as I am the topic starter of 99% of all topics. And my display name is of course not the same as my login name.

Also I added HIDDEN to reserved name list :) came up with that one myself :D

So all in all I feel so much more protected against these stupid attacks now, and I want to THANK YOU for that. Big Time.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 11:39:01 AM
If your display name is different to your username, you're actually safe yourself from attack anyway (I am on my own site, for example)
Title: Re: Being logged out by bots trying to log in
Post by: Astra_200 on February 15, 2011, 11:48:53 AM
Names are still visible in Simple Portal and the Avea Media gallery too, but anything to help stop this attack is a good thing.

I've not had one error since I've installed Arantor's mod whereas before they were coming in once every couple of minutes.

Well done that man!!
Title: Re: Being logged out by bots trying to log in
Post by: fiver on February 15, 2011, 12:40:49 PM
Hi Arantor,


Many thanks for antiabuse mod.


For those interested, there are 2 more areas with usernames exposed
1.  Latest Member: xxxxx
2. /index.php?action=sitemap;sa=topics (sitemap mod)


Proxy Blocker kept them off since installed a few hours back but 1 member did complain about being blocked out. So I uninstalled PB, installed antiabuse and in the last 30 mins they came back with usernames and password incorrect again.


Update: They didn't come back in the last 30 min.

Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 15, 2011, 12:45:30 PM
Congrats Arantor. Good work.

Will be interesting to see if the bot has stored the existing usernames or is harvesting them on the fly. From the activity I saw I suspect the latter which will make this mod pretty secure for those unwilling to force email log-in.

It occurs to me that all the authors have to do is register manually and log-in to see usernames. Can they automate that?

Earlier someone asked why SMF forums were under attack. Given this some thought over the last month or so since this hit my forum as I too couldn't understand why an attempt to guess a password was every 8 minutes. Led me to two conclusions:

1) A spoiler attack on SMF forums by forcing log-outs - every eight minutes on the same user for a period then try someone else.

2) A deliberately persistent but slow attack on multiple forums to obtain passwords without alerting too many people too quickly.

I don't buy the latter as it would make more sense to randomize the usernames on each log-in to avoid alerting admins or users that multiple attempts were taking place. But it is a risk and one I couldn't discount.

I haven't checked but are other forums (non-SMF) suffering similar attacks?   
Ultimately I guess the answer will be 'because they can'. As for other motivation, who knows. Warped minds.
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 15, 2011, 12:59:20 PM
I've monitored this activity on my forum, and it seems one IP will do one login attempt, to two different accounts, about 10 minutes apart and then go away for a couple of hours before coming back to do the same again. In between these visits, other IPs do the same, with similar intervals to different accounts. All together it adds up to tens, even hundreds of attempts a day - but it's really really hard to tell apart legit attempts from the bots, other than the fact that it seems a notable portion of the bot IPs belong to TOR networks.

Most probably their only goal is to collect login+pw pairs, to be used elsewhere for more sinister purposes and targeted attacks.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 01:06:36 PM
Re the above post, yes the latest member is exposed, as are stats. I won't be adding any more though (and certainly not support for any mods)
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 01:08:46 PM
Most probably their only goal is to collect login+pw pairs, to be used elsewhere for more sinister purposes and targeted attacks.

I thought about that scenario myself... if the bot were able to guess a password, then a human could login as that person and access their profile. From the profile, they could glean the person's e-mail address. Now armed with an e-mail address and password, they might try accessing PayPal (etc.) with that email/password pair since a lot of people use the same password everywhere.

IDK, but it's a well orchestrated attack... I'm even seeing this activity on a couple of my tiny non-publicized "private" forums.
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 15, 2011, 01:16:00 PM
I wonder if a better system of account access could be made. Like banks, where you have a "known" computer, like in your house. It has a fingerprint stored (don't know what they store though). You can even have 2 or 3 known computers stored. If you are not at a known computer, you have to answer personal security question before you can even enter a password. Since all these bots are not at the known computer, that would stop them from even getting to the password screen.
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 15, 2011, 01:19:02 PM
Something like that could be made I think, but then again I don't know if that would work with forums as well as it does with banks, people may use forums from countless computers, where as they might still avoid doing banking from outside home.
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 01:22:13 PM
I wonder if a better system of account access could be made. Like banks, where you have a "known" computer, like in your house. It has a fingerprint stored (don't know what they store though). You can even have 2 or 3 known computers stored. If you are not at a known computer, you have to answer personal security question before you can even enter a password. Since all these bots are not at the known computer, that would stop them from even getting to the password screen.

Instead of that, just count the number of failed login attempts. If more than 5 failures, then the next time you attempt to login you're presented with your security question.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 01:25:01 PM
I think you'd have to combine that with preventing login until security phrase is given, and/or preventing login until entering a code from email, much like the account activation deal.
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 15, 2011, 01:25:36 PM
Instead of that, just count the number of failed login attempts. If more than 5 failures, then the next time you attempt to login you're presented with your security question.

Yes, very much simpler. If you are having so much trouble entering your password, you are either very drunk or you are up to no good. Either way, it's probably a good idea to challenge the person with a few security questions.
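The failed-login counter proposed in the posts above, as an added example that is not part of the thread or of SMF's code. It counts failures per account rather than per IP, because the pattern reported earlier in the thread (each IP tries two accounts once and leaves) never trips a per-IP limit; the class name, the two-hour window and the sample events are assumptions, and the events are constructed from a documentation address range.

```python
from collections import Counter, deque


class AccountGuard:
    """Hypothetical per-account failure counter with a challenge step."""

    def __init__(self, limit=5, window=7200):
        self.limit = limit        # challenge once failures exceed this
        self.window = window      # seconds a failure stays on the record
        self.failures = {}        # account -> deque of failure timestamps

    def _recent(self, account, now):
        q = self.failures.get(account)
        if not q:
            return 0
        while q and now - q[0] > self.window:
            q.popleft()           # forget failures older than the window
        return len(q)

    def challenged(self, account, now):
        return self._recent(account, now) > self.limit

    def attempt(self, account, password_ok, now, challenge_ok=False):
        # The security question gates the password check, so a bot that
        # cannot answer it gets no further password guesses evaluated.
        if self.challenged(account, now) and not challenge_ok:
            return "challenge"
        if password_ok:
            self.failures.pop(account, None)   # success clears the record
            return "ok"
        self.failures.setdefault(account, deque()).append(now)
        return "bad_password"


def build_events(n_ips=8):
    """Constructed sample: every IP tries two accounts 10 minutes apart."""
    events = []
    for i in range(n_ips):
        ip = f"198.51.100.{10 + i}"
        events.append((i * 900, ip, "alice"))
        events.append((i * 900 + 600, ip, "bob"))
    return sorted(events)


def per_ip_max(events):
    """Most failures seen from any single IP (what a per-IP limit sees)."""
    return Counter(ip for _, ip, _ in events).most_common(1)[0][1]


def replay(events, guard):
    """Feed every event to the guard as a wrong-password attempt."""
    return [guard.attempt(acct, False, ts) for ts, _ip, acct in events]


if __name__ == "__main__":
    events = build_events()
    guard = AccountGuard()
    print("max failures from one IP:", per_ip_max(events))
    print("guard decisions:", Counter(replay(events, guard)))
    # A real member with the right password now has to pass the question too.
    print(guard.attempt("alice", True, 7000))
    print(guard.attempt("alice", True, 7000, challenge_ok=True))
```

A member who simply forgot which password they used gets the question rather than a lockout, and a correct answer plus a correct password clears the counter.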
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 01:27:35 PM
Or, you have a different password for every site but can't remember which one it was...
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 15, 2011, 01:30:35 PM
That's me! :D My passwords are mostly different to each site, and I tend to forget which is which :P
Title: Re: Being logged out by bots trying to log in
Post by: Astra_200 on February 15, 2011, 01:31:49 PM
A couple more bots have just popped into say hello :( but a long .htaccess IP ban list combined with Arantor's mod has got the errors down to a trickle now.

These are the banned IPs I've used. Copy and paste them into your htaccess if you like.




edit - please learn to use code tags?

Code: [Select]
Ok, looks like I've worked it. Sorry about that


Title: Re: Being logged out by bots trying to log in
Post by: Tanks on February 15, 2011, 01:53:21 PM
The bots are saving the names that they already found.

After installing Arantor's mod I tried clearing my htaccess file and within minutes the bots were back trying out the names that they already grabbed before the mod.

Putting my htaccess file back in place stopped it instantly.

So they are NOT getting the names on the fly. These Bots have cache.
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 15, 2011, 01:54:05 PM
You know, instead of individual IPs, you should ban using masks. You'll have a lot fewer lines and it'll be more efficient.
Title: Re: Being logged out by bots trying to log in
Post by: Tanks on February 15, 2011, 02:01:16 PM
So having around 2000 "deny from" in htaccess is bad for performance ?

I'm not sure about masks - I'm afraid to block out normal human beings.
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 15, 2011, 02:11:10 PM
So having around 2000 "deny from" in htaccess is bad for performance ?

Yes.


I'm not sure about masks - I'm afraid to block out normal human beings.

Like you might not be already? It's obviously infected computers of end-users.

Looking at the above IPs, for example, the 111.1.32.* addresses could be replaced by a ban on 111.0.0.0/10 (111.0.0.0 - 111.63.0.0), which blocks the entire range those IPs are in. Unless you expect visitors who are customers of China Mobile, that should be safe.
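One way to turn a long per-address list into masks, as an added example that is not part of the post. It reads "deny from" lines in the style used in this thread (full addresses, partial-octet prefixes, duplicates), optionally promotes a /24 once enough single hosts fall inside it, and reports how many extra addresses that blocks; the function names, the /24 promotion rule and the sample list (documentation and private ranges) are assumptions, and only IPv4 is handled.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the thread's .htaccess style. It has a duplicate,
# partial-octet entries, and hosts already covered by a wider entry.
SAMPLE = """\
order allow,deny
deny from 192.0.2.14
deny from 192.0.2.14
deny from 192.0.2.77
deny from 192.0.2.200
deny from 198.51.100
deny from 198.51.100.35
deny from 198.51.100.36
deny from 203.0.113.9
deny from 10.20
allow from all
"""


def parse_deny(line):
    """Return the IPv4 network one 'deny from' line covers, else None."""
    parts = line.split()
    if len(parts) != 3 or parts[0].lower() != "deny" or parts[1].lower() != "from":
        return None
    spec = parts[2]
    if "/" in spec:                       # already written as CIDR
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if not (1 <= len(octets) <= 4 and all(o.isdigit() for o in octets)):
        return None                       # hostnames, "all", IPv6: skipped
    # Apache treats a partial address such as "10.20" as a match on the
    # leading octets, which is the same as 10.20.0.0/16.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")


def consolidate(text, min_hosts=None):
    """Deduplicate and merge; optionally widen busy /24 blocks to a mask."""
    nets = {n for n in map(parse_deny, text.splitlines()) if n is not None}
    if min_hosts is not None:
        by_block = defaultdict(set)
        for n in nets:
            if n.prefixlen == 32:
                by_block[n.supernet(new_prefix=24)].add(n)
        nets |= {blk for blk, hosts in by_block.items() if len(hosts) >= min_hosts}
    # collapse_addresses drops entries covered by a wider one and merges
    # adjacent ranges, returning the result sorted by address.
    return list(ipaddress.collapse_addresses(nets))


def coverage(nets):
    """Total number of addresses the rules block."""
    return sum(n.num_addresses for n in nets)


def render(nets):
    """Write the rules back out in the same .htaccess style."""
    body = [f"deny from {n.network_address if n.prefixlen == 32 else n}" for n in nets]
    return "\n".join(["order allow,deny", *body, "allow from all"])


if __name__ == "__main__":
    exact = consolidate(SAMPLE)
    masked = consolidate(SAMPLE, min_hosts=3)
    print(render(masked))
    print("rules:", len(exact), "->", len(masked))
    print("extra addresses blocked by masking:", coverage(masked) - coverage(exact))
```

The last figure is the trade-off raised in the thread: fewer lines for the server to check, paid for with addresses that were never seen misbehaving.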
Title: Re: Being logged out by bots trying to log in
Post by: Tanks on February 15, 2011, 02:19:42 PM
That makes no sense for me, sorry.

I just copied the IPs that other members posted here on SMF and also the list generated by that TOR generator thingy based on your server's IP

And that stopped all attacks, but yes I feel performance has dropped a lot.
Title: Re: Being logged out by bots trying to log in
Post by: iLCapo on February 15, 2011, 04:16:54 PM
It shouldn't make a difference. Adding directly to the Apache config and disabling htaccess would have more improvement on performance.

If you have root access, adding the IPs as an iptables (or pf for BSD) deny would be the best choice.

Adding the list of IPs posted earlier to my .htaccess, along with the email login mod, has stopped the attempts cold, but if an iptable is the best way to go about this how would I add one?  I'm using 1.1.13 and do have root access.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 04:18:02 PM
iptables is part of your server's configuration. If you're on shared hosting, you won't have access to it.
Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 15, 2011, 04:44:53 PM
Install http://custom.simplemachines.org/mods/index.php?mod=1665 and stop trying to block something that is growing - it will drive you and your users mad trying to stop it by IP address blocking. It did me.

All that mod does is require your users to use an email address to log-in, and the bot can't. It just seems such a simple option compared with everything else proposed.
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 04:48:06 PM
Install http://custom.simplemachines.org/mods/index.php?mod=1665 and stop trying to block something that is growing - it will drive you and your users mad trying to stop it by IP address blocking. It did me.

All that mod does is require your users to use an email address to log-in, and the bot can't. It just seems such a simple option compared with everything else proposed.

I have 13,000 members. I can't do a knee-jerk reaction like that... half of my members probably don't even remember the e-mail address that they used to sign up with!
Title: Re: Being logged out by bots trying to log in
Post by: iLCapo on February 15, 2011, 04:53:12 PM
Oh, I thought we were talking about the website root file.  I don't have access to my server's root.  Sorry for my ignorance. 

I have already installed the email login mod and it stopped the password errors but the bots were still trying.  I'm a very small forum for a local club so I don't have any concern with accidentally blocking potential users.  I just want to try to lock the forum down against spammers/bots/etc. as much as possible.
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 15, 2011, 05:12:18 PM
I have 13,000 members. I can't do a knee-jerk reaction like that... half of my members probably don't even remember the e-mail address that they used to sign up with!

I agree with this, it's unfortunate, but true. If I did that they'd run me out of town on a rail (if they managed to log in, that is).
Title: Re: Being logged out by bots trying to log in
Post by: Astra_200 on February 15, 2011, 05:42:08 PM
Install http://custom.simplemachines.org/mods/index.php?mod=1665 and stop trying to block something that is growing - it will drive you and your users mad trying to stop it by IP address blocking. It did me.

All that mod does is require your users to use an email address to log-in, and the bot can't. It just seems such a simple option compared with everything else proposed.

Agreed, it was doing my head in for a while and I don't think for a minute other PC's won't become infected and the attack will continue >:(

What I don't really get is the bots are not actually logging in so they must be finding an open door in smf that is allowing them to access usernames??

How does the email login mod actually stop this, as the bots are not logging on as such?
Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 15, 2011, 05:58:55 PM
I have 13,000 members. I can't do a knee-jerk reaction like that... half of my members probably don't even remember the e-mail address that they used to sign up with!

 
Apologies, my post sounded rather direct and I didn't mean it to.

I'm concerned that some of the solutions proposed so far are only partial and continue to present a risk to the security of members' personal data. In particular, they don't address the vulnerability in forum software that half the log-in security is public domain and can be easily harvested, leaving only the password to be cracked.

When this hit my forum I had similar reactions to many who have posted - I posted over 100 IP addresses for others to block but still they came and now we are talking thousands. So I set about this logically and realised that there are two main threats here:

1) User experience - getting logged out
2) A potential security threat to members if the bots are successful and can access an account

The SMF upgrade/patch fixes the logout issue but not the security vulnerability if indeed that is what is being targeted by the bots. Personally, I don't want to ignore this aspect as it could have serious implications for my members even if the chances of success do seem remote.

Arantor's mod is the first to try and hide the log-in userID from guests throughout the forum and is the right approach as long as the spam bot hasn't already harvested any usernames. I think there is some evidence that it is not harvesting on the fly.

Another alternative would be to insist all members change their displaynames to something different to their userID but for a X,000 existing member forum that would be nigh on impossible to manage. Doing this for all members via MySQL is a possibility and I considered doing this but again it doesn't fix the issue if the bot has already harvested some forum userIDs.

The email login is in my view a more secure approach as even a non-guest can't easily access this info. Indeed sites like facebook, paypal, amazon etc all use email log-in and don't display email addresses to the world. It is not ideal for large forums and I did worry about members not remembering what they registered with but in practice this is a minor issue to overcome compared to the alternatives.

I'd also recommend stopspammer or httpBL mods (or both) as a failsafe to deny access to your site from suspect IP addresses. They are both good mods but they haven't proven completely successful in stopping attempts although they reduce the risk considerably. In my experience they can also block genuine users so need to be managed sensitively.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 06:05:11 PM
Quote
Indeed sites like Facebook, PayPal, Amazon etc all use email log-in and don't display email addresses to the world.

I guess I need to bash this again. I log into Facebook daily without using my email address. I use my username which is considerably shorter, and public, but I don't use it publicly, so you wouldn't notice, really.

Not all forums are vulnerable, four of the six forums I currently admin, all SMF, have not been targeted with this, and nor do I think they will be.


This same problem affects all forum software, really, it only became noticeable due to the logout aspect.
Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 15, 2011, 06:19:01 PM
Apologies again, Arantor.

Facebook is email log-in by default but user name does work as you say. UserID is however different from display name and not easily harvested. 

I don't use it...  :-[
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 15, 2011, 06:20:15 PM
Quote
UserID is however different from display name

Not exactly, no. I don't know if you can log in with your display name, doubt it, but if you have a personalised URL, that's visible AND your login.

But you're right, it's not so easily harvested.
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 15, 2011, 06:22:04 PM
Quote
What I don't really get is the bots are not actually logging in so they must be finding an open door in smf that is allowing them to access usernames??

By default, the display name is the same as the username. There is no door, it's public information.


Quote
How does the email login mod actually stop this, as the bots are not logging on as such?

It requires the login ID to be the user's account e-mail address. It's not so much a stop as a way to make it much harder to get the credentials needed to login.


Quote
I'm concerned that some of the solutions proposed so far are only partial and continue to present a risk to the security of members' personal data. In particular, they don't address the vulnerability in forum software that half the log-in security is public domain and can be easily harvested, leaving only the password to be cracked.

This affects other forum software as well, especially those that don't allow a different display name from the account username.

 
Quote
Arantor's mod is the first to try and hide the log-in userID from guests throughout the forum and is the right approach as long as the spam bot hasn't already harvested any usernames. I think there is some evidence that it is not harvesting on the fly.

It's more than possible that many of the usernames are dictionary-generated as well.


Quote
This same problem affects all forum software, really, it only became noticeable due to the logout aspect.

Agreed on that. It probably wouldn't have been all that noticeable except for the side effect that the bruteforcing created.


I will note that bruteforcing attacks against SSH (a remote login for *NIX systems, such as Linux and the various BSDs) have been ongoing for years. There isn't really a good stop for this kind of stuff other than to try and break up the botnets doing the work.


I've thought about working on a mod that acts like a "fail2ban" for SMF. Basically, long temp-bans for too many login failures within a period. Unfortunately, I'm not sure when I could work on such a thing, especially as it could get somewhat complex and resource-hungry.

Potentially, it would be easier (for those on VPS or dedicated) to use the actual fail2ban application and have SMF write failure logs to a location it can scan.

Hmmmmm.
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 06:34:19 PM
I've been thinking about this and I feel that the "HIDDEN" mod is only a temporary solution.

What's eventually going to happen is that the harvester will simply apply for an account, then use that account to login and then harvest all the now-visible usernames... then we're back to square one.

I like the e-mail login option. It's hidden (or can be hidden) and there won't be a way for bots to know how you're logging in.

What I'll probably have to do is notify my members, give them a few weeks to get their e-mail addresses updated, then turn on that mod. That is, unless a better solution is found.
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 15, 2011, 06:39:08 PM
Quote
What I'll probably have to do is notify my members, give them a few weeks to get their e-mail addresses updated, then turn on that mod. That is, unless a better solution is found.

The best workable fix, really, is to implement an automatic IP ban solution where too many attempts to login in a time period result in a ban. It's a little tricky, however, as members can easily lock themselves out of the forum if they fail login multiple times too quickly.

I mentioned such a solution above, but it is a bit complex and I don't have too much time to work on it.
Title: Re: Being logged out by bots trying to log in
Post by: iLCapo on February 15, 2011, 06:46:08 PM

Quote
I've thought about working on a mod that acts like a "fail2ban" for SMF. Basically, long temp-bans for too many login failures within a period.

Wouldn't this type of approach hose the actual user if they should try to log in during the lock-out period?  Based on what I was seeing in my error logs, the bots were hitting the same accounts so frequently that those users may never have been able to get back in. 

Quote
The best workable fix, really, is to implement an automatic IP ban solution where too many attempts to login in a time period result in a ban.

Ideally it would be an auto ban on IPs that try unsuccessfully to login to multiple accounts.  My error logs were showing individual IPs attempting to crack as many as 6-7 different accounts.  It would be highly unlikely to have that many failed attempts across multiple accounts from one IP in real life.


Title: Re: Being logged out by bots trying to log in
Post by: Astra_200 on February 15, 2011, 06:49:09 PM
Quote
The best workable fix, really, is to implement an automatic IP ban solution where too many attempts to login in a time period result in a ban. It's a little tricky, however, as members can easily lock themselves out of the forum if they fail login multiple times too quickly.

Quote
I mentioned such a solution above, but it is a bit complex and I don't have too much time to work on it.

I'd rather have a couple of unhappy members (because they couldn't remember their login details) than this ongoing threat.

A mod like you suggest would be great, just call it a hobby :) Go for it 青山 素子.. you know you want to ;D

Quote
Wouldn't this type of approach hose the actual user if they should try to log in during the lock-out period?  Based on what I was seeing in my error logs, the bots were hitting the same accounts so frequently that those users may never have been able to get back in.


Interesting point.




Title: Re: Being logged out by bots trying to log in
Post by: busterone on February 15, 2011, 06:59:01 PM
I am curious if this attack has been hitting this forum here at SM.org too. Can anyone with access to the error logs confirm or deny that this one is being hit as well?
Title: Re: Being logged out by bots trying to log in
Post by: iLCapo on February 15, 2011, 07:01:12 PM
I just noticed something puzzling.  I've blocked all the IP ranges assigned to RIPE in .htaccess and at least one is still getting through and trying to log in.  I originally added this range to .htaccess with this notation:

deny from 46.*.*.*

but they got through.  So I thought maybe .htaccess doesn't like this notation so I switched it to:

deny from 46.0.0.0-46.255.255.255

and they're still getting through.  Am I doing something wrong?  They shouldn't even be able to get to the forum to try to login if they're blocked in .htaccess right?
Title: Re: Being logged out by bots trying to log in
Post by: busterone on February 15, 2011, 07:03:12 PM
deny from 46

no dot or asterisk afterward

examples-
deny from 77.92.88.25
deny from 77.92.88
deny from 77.92
deny from 46
Title: Re: Being logged out by bots trying to log in
Post by: iLCapo on February 15, 2011, 07:07:52 PM
So if I wanted to do a larger range such as:

109.0.0.0 - 126.255.255.255

would I simply type:

deny from 109-126

or would I need to do each range individually like:

deny from 109
deny from 110
deny from 111

etc.?
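
Added example (not part of any post in this thread): Apache 2.2's "deny from" accepts a full address, a partial address such as 46, a network/netmask pair or a CIDR block; the wildcard and dash notations tried above are not among those forms. The Python sketch below rewrites those notations as CIDR "deny from" lines; its function names are this example's own.

```python
import ipaddress
import re

# A partial or full dotted address: one to four decimal octets.
_PARTIAL = re.compile(r"\d{1,3}(?:\.\d{1,3}){0,3}")


def _octets(text):
    """Return the leading octets of '46', '46.*.*.*' or '77.92.88.25'."""
    text = re.sub(r"(?:\.\*)+$", "", text.strip())  # drop trailing wildcards
    if not _PARTIAL.fullmatch(text):
        raise ValueError(f"unsupported address notation: {text!r}")
    return text.split(".")


def _pad(octets, filler):
    """Pad a partial address to four octets, e.g. ['109'] + '0' -> 109.0.0.0."""
    return ipaddress.IPv4Address(".".join(octets + [filler] * (4 - len(octets))))


def to_networks(spec):
    """Convert one notation from the thread into a list of IPv4 networks."""
    if "-" in spec:
        # Explicit range such as "46.0.0.0-46.255.255.255" or "109-126".
        low, high = spec.split("-", 1)
        first, last = _pad(_octets(low), "0"), _pad(_octets(high), "255")
        if first > last:
            raise ValueError(f"range runs backwards: {spec!r}")
        # Smallest set of CIDR blocks that covers exactly first..last.
        return list(ipaddress.summarize_address_range(first, last))
    # Partial or wildcard address: each octet given fixes 8 prefix bits.
    octets = _octets(spec)
    return [ipaddress.IPv4Network(f"{_pad(octets, '0')}/{8 * len(octets)}")]


def deny_lines(spec):
    """Render the networks as Apache 2.2 'deny from' directives."""
    lines = []
    for net in to_networks(spec):
        target = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f"deny from {target}")
    return lines


if __name__ == "__main__":
    for tried in ("46.*.*.*", "46.0.0.0-46.255.255.255", "109-126", "77.92.88"):
        print(f"# {tried}")
        print("\n".join(deny_lines(tried)))
```

The 109-126 range collapses to six directives rather than eighteen, because adjacent /8 blocks merge into shorter prefixes wherever their alignment allows.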
Title: Re: Being logged out by bots trying to log in
Post by: RustyBarnacle on February 15, 2011, 07:14:43 PM

Quote
The best workable fix, really, is to implement an automatic IP ban solution where too many attempts to login in a time period result in a ban. It's a little tricky, however, as members can easily lock themselves out of the forum if they fail login multiple times too quickly.

Quote
I mentioned such a solution above, but it is a bit complex and I don't have too much time to work on it.

I like this idea coupled with a safe IP range(s).  That way if they login from work, home, friends etc they can set a safe DHCP set(s).  They would also be able to login from other places as long as they don't flub the password too many times.
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 15, 2011, 07:25:15 PM
Even better would be to get Project Honey Pot to add a trap for failed login attempts (single IP address trying multiple user names). Then the bot would get blocked automatically using MOD httpBL.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 15, 2011, 07:36:32 PM
Quote
The best workable fix, really, is to implement an automatic IP ban solution where too many attempts to login in a time period result in a ban. It's a little tricky, however, as members can easily lock themselves out of the forum if they fail login multiple times too quickly.

Quote
I mentioned such a solution above, but it is a bit complex and I don't have too much time to work on it.

The thing is though, I've seen as many as 24 hours between attempts on a single user name. At first I thought users were getting logged out after the bot reached the threshold of failed log in attempts but it seems that is not the case. Until the RC4 security fix and RC5 release, just one failed log in attempt would log off the user that was logged in so there was never a problem with multiple attempts within a certain time period.

The SMF fix is kind of misleading in that it didn't really fix anything (not that it could stop it). It's just hiding the fact that attempts are being made to crack user passwords. Unless an admin is diligently checking the error log no one will even know the attempts are being made after the security fix.

Users be damned. I have put the force email log in in place and posted a news item in big red letters as a link to a thread explaining the situation so everyone will know they have to log in using their email address and that it is for their own security. I haven't had any complaints yet. In fact most have thanked me for stopping the auto log outs they were experiencing.
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 15, 2011, 08:20:31 PM

Quote
I've thought about working on a mod that acts like a "fail2ban" for SMF. Basically, long temp-bans for too many login failures within a period.

Quote
Wouldn't this type of approach hose the actual user if they should try to log in during the lock-out period?  Based on what I was seeing in my error logs, the bots were hitting the same accounts so frequently that those users may never have been able to get back in.

No, unless those users are trying to connect from the IPs being banned. It wouldn't be an account lock-out, but an IP one.


Quote
The thing is though, I've seen as many as 24 hours between attempts on a single user name.

That wouldn't be blocked. It's not abusive enough to be an immediate concern.
Title: Re: Being logged out by bots trying to log in
Post by: Cal O'Shaw on February 15, 2011, 08:36:54 PM
Hello,

Been busy with this problem in a similar topic (http://www.simplemachines.org/community/index.php?topic=419916.new;topicseen#new).  Reading this page I thought I'd clarify a bit of misunderstanding of what is happening, based on the attack on our site (started 8 Feb 2011, still running on 15 Feb 2011):

- names were harvested, appearing to be looking for 'last post' string on main index and topic indexes.
- set of names harvested are cycled, in order.
- attacker is persistent: our attacks occur about every 6 minutes on average, has been running for 7 days.
- attacker does not re-harvest, as the list has not changed.
- Hiding names from guests will do NOTHING for current attack, but will render harvesting impossible for future attack
- the only way to render attack impotent is to change the login ID, either by Admin changing target names or implementing the email login MOD.

We're a 1.1.13 site, fairly small, which made determining this possible.

Oh, need to use Depreciated's Hide Info Center MOD as unchecking "Show Info Center" permission is ignored.  We also hide most boards, and those visible only show the first post in the topic to guests.

Hope this helps.

Cal
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 15, 2011, 08:57:30 PM
Quote
The thing is though, I've seen as many as 24 hours between attempts on a single user name.

Quote
That wouldn't be blocked. It's not abusive enough to be an immediate concern.

Well, I don't know. It's still a hacking attempt and I think that is why they programmed it so it wouldn't trip any security features like too many attempts in a certain time period. When it first started on my forums it never tried the same user name for at least 9 minutes. I don't think that was an accident.
Title: Re: Being logged out by bots trying to log in
Post by: Cal O'Shaw on February 15, 2011, 09:46:55 PM
I think it's great that Arantor was able to create the Anti-Abuse MOD for 2.x sites.  Not going to ask him (I understand his POV, I think) for 1.1.x version, but is it possible for someone to pursue a 1.1.x version?  Even if 2.0 went gold in the morning a lot of us small sites wouldn't be able to convert for months (lot of reasons, no need to go OT listing them).

I'm thinking we need a number of tools to fight this kind of attack, now and in the future.  The Anti-Abuse (HIDDEN name) MOD, email address login MOD, various firewall and IP MODs. 

It just seems the easiest way to block future attacks is hiding names from guests.

Cal
Title: Re: Being logged out by bots trying to log in
Post by: Astra_200 on February 15, 2011, 09:54:39 PM
Seems good advice to me Cal.

Just checked out the latest IP to find its way into my incorrect password log and it's 50.16.127.162 (Amazon.com) :o

Now, I'm no expert here but I wouldn’t have expected to see that IP trying to find its way into my forum??

Further searching reveals the IP is another culprit on the torproject.org list of  bad IP's.

Looking at Tor's website, it appears to be all about protecting its users, there’s nothing about abusing its proxy service.

I have emailed them about this at tor-assistants@torproject.org They appear to be a voluntary organisation and don’t promise instant response but if enough people email maybe they will have to look into the problem.
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 15, 2011, 11:29:10 PM
Quote
Well, I don't know. It's still a hacking attempt and I think that is why they programmed it so it wouldn't trip any security features like too many attempts in a certain time period. When it first started on my forums it never tried the same user name for at least 9 minutes. I don't think that was an accident.

Did it only make one attempt every few minutes, or did it just switch among the usernames? The system I'm thinking of would still ban the IP for multiple failures, even across multiple usernames.


Quote
Just checked out the latest IP to find its way into my incorrect password log and it's 50.16.127.162 (Amazon.com) :o

IP belongs to Amazon's Elastic Compute Cluster. It's a service where you can purchase virtual server capacity.


Quote
Looking at Tor's website, it appears to be all about protecting its users, there’s nothing about abusing its proxy service.

Quote
I have emailed them about this at tor-assistants@torproject.org They appear to be a voluntary organisation and don’t promise instant response but if enough people email maybe they will have to look into the problem.

They probably won't help too much. It's just an exit node and the whole point of the network is offering a way to stay anonymous. It can be abused, but anything can be abused.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 15, 2011, 11:58:55 PM
Quote
Well, I don't know. It's still a hacking attempt and I think that is why they programmed it so it wouldn't trip any security features like too many attempts in a certain time period. When it first started on my forums it never tried the same user name for at least 9 minutes. I don't think that was an accident.

Quote
Did it only make one attempt every few minutes, or did it just switch among the usernames? The system I'm thinking of would still ban the IP for multiple failures, even across multiple usernames.

When it first started it would try one user name every 9 minutes for 24 hours. Then it would change to another user and do the same. This went on for...I would guess at least two weeks before anyone started mentioning to me that they were getting auto logged out and then I started tracking it. Then I installed the http bl mod, bad behavior mod, and the stop forum spam mod and it stopped the problems...I thought. About 2 weeks later it started back up and the IP's it was using were not in the honeypot database or the stop forum spam database. Then it became relentless where there were multiple IP's trying multiple user names and they weren't using the same user name until quite a bit later. Then I added the list of IP addresses posted here to my .htaccess file and that slowed it greatly but I was still getting a few so I was adding those to the .htaccess file as they came in but I soon realized that could go on forever. When I upgraded my forum to RC5 over the weekend I didn't bother installing the 3 anti-spam mods I listed above. I kept the .htaccess entries and installed the cb|Emailogin mod and that has put a stop to them so far.

I do like the idea of the "ban the IP for multiple failures across multiple usernames" but not so much a "ban the IP for multiple failures over a given time frame". Many of my members log in from multiple locations and it's not unusual to see errors for wrong password from an IP that I know is theirs.
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 16, 2011, 12:22:27 AM
Someone mentioned Honeypot + HttpBL as a solution, and after using those for a couple of days now - I can sadly say it is not. It will catch and stop some of them, but a large portion of the IPs used have no mentions in Honeypot DB at all, or only low risk scores if there is something, and these are mostly TOR addresses...
Title: Re: Being logged out by bots trying to log in
Post by: robbie93 on February 16, 2011, 12:41:58 AM
I first noticed these hitting our site on the 2nd of Jan, but they could have been around before that,  gave up for a day or so and then returned, I see about 30+ pages of errors from them every day  >:( and with no signs of stopping, best way to stop your users being logged off is to tell them to make their display name different to their username, but that doesn't stop the attacks, hiding users names on the site would also take away a part of SMF, if you hide all of the usernames from the info center, and also if you use a portal, all of the blocks, your site would look quite plain, best thing is to make PW something you don't use anywhere else ( which you should do anyway  :-X ) and make display different from username, get your active members to do the same, at first I thought the site was getting hacked  :o . Nasty little spam bots trying to steal our pw's  ::) 8). No point banning the ip's because every one is different, can you imagine banning 30 pages of ip's every day for seven weeks  :( . WANTED - a nice safe home for nasty spam bots lurking on SMF forums. This is sooooo last year.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 16, 2011, 12:53:16 AM
Quote
Someone mentioned Honeypot + HttpBL as a solution, and after using those for a couple of days now - I can sadly say it is not. It will catch and stop some of them, but a large portion of the IPs used have no mentions in Honeypot DB at all, or only low risk scores if there is something, and these are mostly TOR addresses...

Yes, that is what I found also so I didn't re-install it into RC5. Of course I may re-visit it later for other types of spammers if the need arises.
Title: Re: Being logged out by bots trying to log in
Post by: Cal O'Shaw on February 16, 2011, 01:02:43 AM
@robbie93,

With your portal and all, you may not wish to do so.  But then you need to make your usernames different from your display names (either by telling your users to change them or to use something like the email login MOD).

But I would like to have the OPTION as there is no benefit in our case to displaying names.

As you noted, hiding the names will not stop THIS ATTACK.  But you can be sure someone will use the script and try again.  Wouldn't you like to stop THE NEXT ATTACK.  Because it's going to come.  You've been under attack for over a month you say.  You think they're just going to take their ball and go home?  This type of attack will come again.  It's sophisticated enough that it can't be stopped by IP, it doesn't blast you so you can halt it that way.  It runs so slow that you can't be sure it's not a regular user without checking the IP against where you know the user lives.

It seems the only way to reduce (I didn't say stop) is by cloaking your site (hide membernames) and/or making sure what names are displayed are not valid for logging in. 

We take additional precautions, limiting what boards are visible, and limiting guests to seeing only the first post (which may help explain why the target list used against our site is so small; there wasn't a lot to harvest).  We blocked the Info Center as we felt there was no valid reason for guests to see that information.  We figure if they want to see more they will register (and we review them before accepting them).

Sorry if I come off as a Johnny One-Note, but it seems to be a repeated need to point out some of the features of this attack and that what works for one site will not work for another (hence my saying that maybe robbie93 doesn't see a need to hide names, but we most assuredly do want to hide them).

Cal
Title: Re: Being logged out by bots trying to log in
Post by: squad on February 16, 2011, 05:16:21 AM


I'd love to use the 'hide authors' but it returns a corrupt reply. I am using
1.1.13. So now will have to wait for either an update or other such mod.
I have and will be using the email log-in, hopefully that will cut back the attacks
in the future.

I am so tired of this and I am only a very small forum,  I wish these bots would
just move on and get well & truly lost :)
Title: Re: Being logged out by bots trying to log in
Post by: BPLive on February 16, 2011, 06:54:01 AM
yes I am having a huge problem with this on a forum with 20k plus users.  I can see in my error log ip's trying to log in to users.  Users are complaining like crazy.
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 16, 2011, 07:16:39 AM
The actual problem of getting logged out because of these, should be fixed in the latest releases.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 08:36:45 AM


Quote
I'd love to use the 'hide authors' but it returns a corrupt reply. I am using
1.1.13. So now will have to wait for either an update or other such mod.
I have and will be using the email log-in, hopefully that will cut back the attacks
in the future.

Quote
I am so tired of this and I am only a very small forum,  I wish these bots would
just move on and get well & truly lost :)


If you're referring to my mod, it won't work on 1.1.x, it was written for 2.0 only.

@Cal and anyone else asking about porting it to 1.1.x, I won't be, partly because I haven't written mods for 1.1.x since 2009, and partly because it was bad enough writing it for 2.0, 1.1.x's structure lends itself even less to doing something like that.

That said, if someone else wants the job, they're welcome to reuse any code from my mod in doing it (I won't even complain if it ends up on the mod site here if it's a 1.1.x only version)
Title: Re: Being logged out by bots trying to log in
Post by: BPLive on February 16, 2011, 08:49:19 AM
Quote
The actual problem of getting logged out because of these, should be fixed in the latest releases.

this is good to hear.  Today I upgraded from 2.0 rc3 to rc5

I'll have to wait for feedback. However I do see in the errorlog IP's still trying to do so with 'users' failed password etc.  however I guess you guys did something to keep this from the log outs.  but the error log will continue to build I guess.   anyway Thanks!
I'll post back if Rc5 fixed the issue via feedback.
Title: Re: Being logged out by bots trying to log in
Post by: Norv on February 16, 2011, 10:15:35 AM
Quote
Sorry if I come off as a Johnny One-Note, but it seems to be a repeated need to point out some of the features of this attack and that what works for one site will not work for another (hence my saying that maybe robbie93 doesn't see a need to hide names, but we most assuredly do want to hide them).

Cal

I think there are common points, but yes, there are divergent points as well.

@ All,

We would very much appreciate if any of the affected forums admins agree to make us available your server access and error logs for the past days, as well as forum admin access. (for forum error logs)
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 10:21:05 AM
Quote
We would very much appreciate if any of the affected forums admins agree to make us available your server access and error logs for the past days, as well as forum admin access. (for forum error logs)

To what end, exactly? Give me a good reason and I'll provide said access since I'm affected by it too on some forums.
Title: Re: Being logged out by bots trying to log in
Post by: Norv on February 16, 2011, 10:27:26 AM
We need to analyze the logs, to see the commonalities and differences in what is happening. Both the pattern of the attacks as well as the IPs used does seem to have common points and different points according to what is reported in the community.
Moreover, it seems the attack itself has changed, a while ago there were a few forums it hit endlessly, including the login page, but they didn't try to login. Now they do. There are other aspects as well.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 10:37:10 AM
*shrug* I don't keep access logs out of space preservation, the error log is pruned fairly regularly and won't right now tell you anything you didn't already know, so I'm not giving out admin access at any point soon.

But I might write some better logging tools to see if there are any other patterns involved that we're not seeing right now.
Title: Re: Being logged out by bots trying to log in
Post by: StarWars Fan on February 16, 2011, 10:44:57 AM
This is a slow-motion Brute Force attack and should be patched as such by SimpleMachines...

Cpanel's brute force attack protection is an example SimpleMachines could use as a model...

Basically, if IP x.x.x.x already has a failed login in the Error Log then IP x.x.x.x. does not get any more log in attempts... Add a time limit (ala Cpanel if you wish)... Should not be that hard...

SMF admins should not be told to apply a MOD that may or may not work...
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 10:48:45 AM
But they use different IP addresses, that's part of the problem. Some of the lists of IP addresses are huge.

And what happens if a genuine user fails to type their password correctly? By that logic, they're booted straight off.
Title: Re: Being logged out by bots trying to log in
Post by: Maver!ck on February 16, 2011, 10:48:56 AM
The attack has changed in my case for sure.  It was attacking relentlessly hitting multiple users from the same ip in waves.  One big wave, and minutes later, another wave.  I had previously had some strange attacks back at the first of the year and consequently installed honeypot and stopspammer.  So when the most recent attacks of login attempts the only thing i changed was upgrading from rc3 to rc5, which didn't seem to make a difference.  But after banning several of the ip addresses(by ranges as it was not anything close to current member ips) and being now about a week after the main relentless attack, I'm seeing a completely different pattern -
Now, you see one user login attempt every few minutes, but the next attack will be from a different ip and attempting login using a different name.  It does seem to be cycling only about 5-6 usernames, but again, every time it tries(spaced out time frames) it is from a completely different ip, and the ip may be from arin one time, then from ripe network the next. After an hour or so, you might see an ip address used the last hour now attempting a different name than before, but again still pulling from what seems to be a very short list of about 5-6 or so names.
 
I am still receiving some attacks from the original group of ip address seen in the first wave which have been banned(up to 100 or so attempts getting the 'sorry u are banned' msg) but nothing compared to the close to the several hundred attempts per day i was receiving before)

Hope this info helps in the fight to find an answer,
Maver!ck
Title: Re: Being logged out by bots trying to log in
Post by: Norv on February 16, 2011, 10:50:37 AM
StarWars Fan, some mods worked for some forums, and don't for others. That's (part of) the problem, it doesn't seem the same set of IPs or attack, or it changed meanwhile. We need to gather as much information as possible.

But I think you're right, something along those lines should help.

Title: Re: Being logged out by bots trying to log in
Post by: Kindred on February 16, 2011, 10:56:45 AM
I disagree, actually...   At this point, the attacks are distributed and I rarely see concurrent attempts on a single account from any individual IP, or even the same IP hitting multiple accounts.

I've added the .htaccess denies (will eventually convert this to the server side IP list) and the attempts have dropped off precipitously. The ones that are still coming through (about 95 in the last 2 days) use one IP to hit one account, a minute or two later, there is another hit on a different account from a new IP.

They cycle... I can usually find 1-2 attempts from a single IP over a 2 day period, but they appear to have a LARGE block of IPs to work from.
Title: Re: Being logged out by bots trying to log in
Post by: StarWars Fan on February 16, 2011, 10:58:39 AM
Quote
But they use different IP addresses, that's part of the problem. Some of the lists of IP addresses are huge.

Not always - in the Error Log, if you click the IP, you will often see they have attempted to break into multiple accounts...

If SMF would simply check the Error Log, admins won't have to play with IP denying, htaccess, etc...

Quote
And what happens if a genuine user fails to type their password correctly? By that logic, they're booted straight off.

I'm not suggesting booting the IP, merely deny another login attempt especially to another account... And/or SimpleMachines could add the time limit thing (ala Cpanel, etc)
Title: Re: Being logged out by bots trying to log in
Post by: Kindred on February 16, 2011, 11:02:01 AM
But they use different IP addresses, that's part of the problem. Some of the lists of IP addresses are huge.

Not always - in the Error Log, if you click the IP, you will often see they have attempted to break into multiple accounts...

If SMF would simply check the Error Log, admins won't have to play with IP denying, htaccess, etc...


I disagree, actually...   At this point, the attacks are distributed and I rarely see concurrent attempts on a single account from any individual IP, or even the same IP hitting multiple accounts.

...

They cycle... I can usually find 1-2 attempts from a single IP over a 2 day period, but they appear to have a LARGE block of IPs to work from.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 11:04:53 AM
Quote
Not always - in the Error Log, if you click the IP, you will often see they have attempted to break into multiple accounts...

Not always. On my own sites, the list is a rather large list of IPs being hit, and it's often more than a day between two occurrences of a single IP being used in this way. And see Kindred's comment.

Quote
I'm not suggesting booting the IP, merely deny another login attempt especially to another account...

Still affects legitimate users though - if a user typos their password, their IP is now restricted from another login attempt. What happens if, say, the user is in somewhere like a university with a smallish pool of IP addresses, just for example?

The time limit thing would help, provided that it's not going to interfere with legitimate users - but even then, all that happens is the bots will adapt their pattern.


This type of attack has been happening for decades across so many other systems and environments, and there isn't a single way of dealing with it.
Title: Re: Being logged out by bots trying to log in
Post by: Kindred on February 16, 2011, 11:06:00 AM
for the love of gods...   don't you read?   This is not actually an SMF issue.   You could see the same behavior on Facebook, Hotmail, google, etc.

it's the nature of the internet... as long as people use stupid, insecure passwords, other (bad) people will try to break them.
Title: Re: Being logged out by bots trying to log in
Post by: StarWars Fan on February 16, 2011, 11:18:08 AM
for the love of gods...   don't you read?   This is not actually an SMF issue.

Well, sorry guys, I tried - they don't want to do anything about it... I'm out...
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 16, 2011, 11:21:57 AM
My watchdog script I like to call it that I use on SI Community is handling these attacks pretty good IMHO. It tracks errors, logs them in a separate database to be compared to its definitions.

My dictionary bot definition checks to see if an IP address has tried to log in with at least three different usernames with incorrect passwords.

I can't say it is blocking them entirely because there are quite a bit of IPs, but I have noticed most IP ranges are real close together.
Title: Re: Being logged out by bots trying to log in
Post by: Norv on February 16, 2011, 11:27:27 AM
There seems to be a misunderstanding here. That bots are trying, is not a SMF issue. Bots are trying. Everywhere and anywhere, at various times.
However, whether we can do something to alleviate the problems the attacks might bring, is something we see about, with YOUR help.  All of you. Any information, logs, observations, solutions tried and their result on your particular situation, anything you wish to share can be useful and are under analysis.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 11:30:05 AM
Btw, this particular set of bots is finding forums based on searching for the copyright string. They're not finding certain forums that have customised SMF versions, e.g. one of mine that has 'Powered by a modified SMF' (where $forum_version = 'a modified SMF'), and naturally forums that aren't browsable by guest aren't hit.
Title: Re: Being logged out by bots trying to log in
Post by: spottedhog on February 16, 2011, 11:36:14 AM
Going back to Arantor's mod...

Instead of having each user name displayed as "HIDDEN", couldn't they be obfuscated something like this?

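Code:
// Encode each character of the display name as a numeric character entity.
// ord() works per byte, so this is only correct for single-byte (ASCII/Latin-1) names.
$obfuscatedName = "";
for ($i = 0; $i < strlen($memberContext[$id_member]['name']); $i++) {
    $obfuscatedName .= "&#" . ord($memberContext[$id_member]['name'][$i]) . ";";
}
echo $obfuscatedName;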

... so Character Entities still show the user name to real humans?

Just thinking out loud...

Edit: I realize this would not stop already harvested user names...

Edit2: It doesn't work with "linked" user names... sooo, may not be good for SMF, but could be used for external pages to still display a user name for whatever reason.
Title: Re: Being logged out by bots trying to log in
Post by: squad on February 16, 2011, 12:04:43 PM


I'd love to use the 'hide authors' but it returns a corrupt reply. I am using
1.1.13. So now will have to wait for either an update or other such mod.
I have and will be using the email log-in, hopefully that will cut back the attacks
in the future.

I am so tired of this and I am only a very small forum,  I wish these bots would
just move on and get well & truly lost :)


If you're referring to my mod, it won't work on 1.1.x, it was written for 2.0 only.



This was what I was referring to, sorry. My head is spinning, I don't think I have
read so much in the past twenty years as I have read in the last week  :o I think
I have finally lost the plot  :P

http://custom.simplemachines.org/mods/index.php?mod=1892

Hide Post Authors From Guests

Written by: Labradoodle-360
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 16, 2011, 12:13:49 PM
Btw, this particular set of bots is finding forums based on searching for the copyright string. They're not finding certain forums that have customised SMF versions, e.g. one of mine that has 'Powered by a modified SMF' (where $forum_version = 'a modified SMF'), and naturally forums that aren't browsable by guest aren't hit.

Be nice if that were true, but not true. My SMF copyright is not the original either and the site is still getting hit.

There seems to be a misunderstanding here. That bots are trying, is not a SMF issue. Bots are trying. Everywhere and anywhere, at various times.
However, whether we can do something to alleviate the problems the attacks might bring, is something we see about, with YOUR help.  All of you. Any information, logs, observations, solutions tried and their result on your particular situation, anything you wish to share can be useful and are under analysis.

The 3 hits you're out method I defined works pretty good, but it takes a while before the bot hits 3 times with different usernames. This still gives the bot 3 chances, and you times that by the amount of IPs they have, well, they still get a lot of tries and can possibly IMHO get through a weak password.

But Arantor's method sparked an idea, what if we seed a fake username for the bot and have them try to log in with that. At least we will know they are a bot right off the bat.  ;D

Here are my ips being banned and watched at this moment. The ones that say Reason:password are the ones in this case. If you see any other ones ignore them as they pertain to other security code bits I have installed elsewhere in the forum. ;)

http://www.sicomm.us/siforum/watchdog/watchdog.php
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 16, 2011, 12:13:57 PM
Since installing the email login mod on Sunday I have not had any errors in my log for failed logins for an IP address that was not that user's...until this morning. But that user is using his email address as his user name. sigh
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 16, 2011, 12:17:30 PM
I'm not suggesting booting the IP, merely deny another login attempt especially to another account... And/or SimpleMachines could add the time limit thing (ala Cpanel, etc)

Oops, I mis-typed my account name, now I can't login to my correct account for two hours! Real user friendly, there. (I have about three different user names across six forums, so the chances are medium I'd get denied based on your description.)


I'm also concerned that if SMF does not do something to thwart this, that regular, non-hacker people will just start trying to log into accounts (maybe at a rival forum, or enemies, etc) knowing full well that SMF is unable to stop this...

Look, fake login attempts are going to happen. It's an internet-wide issue. It pre-dates the Internet, even. Way back when, you'd get people doing war dialing (http://en.wikipedia.org/wiki/War_dialing), the phone equivalent of finding a way into the system.

Your situation is rather silly. If someone starts trying to make some login attempts at a rival forum, it would be noticed by the admins if they checked their logs and that user would be banned fairly quickly. Direct attempts by a single person are easy to stop if you notice they are happening.

The situation here is much like the wide-spread SSH and FTP login attempts that have been going on for several years. You have a wide spread of IPs from infected end-user machines attempting logins. You can't easily ban all the IPs because of the collateral damage if you are not careful. You also can't do something like lock accounts after failed attempts because then you turn the attempts into a nice denial of service as your forum members find their accounts locked.

The only real solution that can be handled on the server's end is detecting and temporarily blocking the attempts. Tools like fail2ban were built for this exact scenario. Having a modification for SMF that behaves in a similar way would be worthwhile. Potentially, if these attacks turn into long-term things, integrating such functionality would be a good thing. However, it's not going to happen for 1.1, and 2.0 is too far along for such a large feature addition.

As for slow attacks, they aren't dangerous enough to concern oneself over unless you are allowing simple password complexity and users are using dictionary passwords.
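
The detection ideas raised in the posts above, combined in one sketch that is an added example and not part of any post, of SMF, or of any mod mentioned here: the three-different-usernames-per-IP rule, a seeded decoy name, a temporary block that expires, and a per-account count of source IPs for the one-IP-per-attempt pattern. The log line format, thresholds, decoy name and all sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # how far back failed logins are counted
BAN_TIME = timedelta(hours=2)  # temporary block that expires, fail2ban style
IP_USER_LIMIT = 3              # distinct usernames from one IP (three-hits rule)
ACCOUNT_IP_LIMIT = 4           # distinct IPs guessing one account (assumed value)
DECOYS = {"forum_helper"}      # hypothetical seeded name that no real member owns

# Constructed failed-login lines: "date time ip username". IPs are RFC 5737
# documentation addresses and every username is made up.
SAMPLE = [
    "2011-02-16 08:00 192.0.2.10 alice",         # one IP walking a name list
    "2011-02-16 08:01 192.0.2.10 bob",
    "2011-02-16 08:02 192.0.2.10 carol",
    "2011-02-16 08:03 192.0.2.10 dave",
    "2011-02-16 09:00 198.51.100.1 erin",        # one account, a new IP each time
    "2011-02-16 10:45 198.51.100.2 erin",
    "2011-02-16 12:30 198.51.100.3 erin",
    "2011-02-16 14:15 198.51.100.4 erin",
    "2011-02-16 09:30 203.0.113.5 forum_helper", # decoy name tried
    "2011-02-16 09:31 203.0.113.5 alice",
    "2011-02-16 11:00 203.0.113.77 Frank",       # member mistyping a password
    "2011-02-16 11:01 203.0.113.77 frank",
]


def parse(line):
    """Split one log line into (datetime, ip, username)."""
    date, time, ip, user = line.split(None, 3)
    when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
    # Assumption: login names are compared case-insensitively.
    return when, ip, user.strip().lower()


def analyse(lines):
    """Replay failed logins in time order and apply the three rules."""
    by_ip = defaultdict(deque)    # ip -> (time, username) failures in window
    by_user = defaultdict(deque)  # username -> (time, ip) failures in window
    bans = {}                     # ip -> (expiry, reason)
    targeted = {}                 # username -> sorted list of guessing IPs
    rejected = 0                  # attempts refused while a ban was active

    for ts, ip, user in sorted(parse(line) for line in lines):
        if ip in bans and ts < bans[ip][0]:
            rejected += 1         # blocked before it can test a password
            continue
        by_ip[ip].append((ts, user))
        by_user[user].append((ts, ip))
        for queue in (by_ip[ip], by_user[user]):
            while queue and ts - queue[0][0] > WINDOW:
                queue.popleft()   # forget failures older than the window

        if user in DECOYS:
            # No member owns this name, so a single attempt is enough.
            bans[ip] = (ts + BAN_TIME, "decoy")
            continue
        if len({u for _, u in by_ip[ip]}) >= IP_USER_LIMIT:
            bans[ip] = (ts + BAN_TIME, "dictionary")

        # Distributed guessing never trips the per-IP rule, so count the
        # distinct sources per account. The account is flagged, not locked:
        # locking would hand the attacker a denial of service.
        sources = {i for _, i in by_user[user]}
        if len(sources) >= ACCOUNT_IP_LIMIT:
            targeted[user] = sorted(sources)

    return {"bans": bans, "targeted": targeted, "rejected": rejected}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for ip, (expiry, reason) in sorted(result["bans"].items()):
        print(f"temp ban {ip} until {expiry:%H:%M} ({reason})")
    for user, ips in result["targeted"].items():
        print(f"account '{user}' guessed from {len(ips)} IPs: review, do not lock")
    print("attempts refused while banned:", result["rejected"])
```

In the sample, none of the four addresses guessing `erin` is ever banned by the per-IP rule, which is why the per-account count is kept alongside it.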
Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 16, 2011, 12:18:43 PM
Since installing the email login mod on Sunday I have not had any errors in my log for failed logins for an IP address that was not that user's...until this morning. But that user is using his email address as his user name. sigh

Change his display name and it will eventually leave him alone...
Title: Re: Being logged out by bots trying to log in
Post by: RustyBarnacle on February 16, 2011, 12:23:07 PM
Currently my error log is clean as my host had issues last night but if more get past the defenses I put in I'll leave them and let you know.
Title: Re: Being logged out by bots trying to log in
Post by: trebul on February 16, 2011, 12:25:46 PM
I haven't read this whole thread but I want to say that my site has been hit with these bots too. I cleared my error log last night and I'm already up to 96 login errors. It picked 12 members and just keeps cycling through trying to log in from different ips. It tries to login with each individual every 1hr 45mins.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 16, 2011, 12:29:21 PM
Since installing the email login mod on Sunday I have not had any errors in my log for failed logins for an IP address that was not that user's...until this morning. But that user is using his email address as his user name. sigh

Change his display name and it will eventually leave him alone...

Yes, I've let him know he needs a new display name and a new email address since the bots already have his current email address.
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 16, 2011, 12:31:53 PM
Since installing the email login mod on Sunday I have not had any errors in my log for failed logins for an IP address that was not that user's...until this morning. But that user is using his email address as his user name. sigh
I have been thinking about changing the log in to email also, just haven't got around to coding it.  :-\
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 16, 2011, 12:35:36 PM
There is a mod for it that I use. cb|Emailogin 0.5 (http://custom.simplemachines.org/mods/index.php?mod=1665). Compatible With: 1.1.13, 2.0 RC5
Title: Re: Being logged out by bots trying to log in
Post by: robbie93 on February 16, 2011, 02:04:46 PM
@robbie93,

With your portal and all, you may not wish to do so.  But then you need to make your usernames different from your display names (either by telling your users to change them or to use something like the email login MOD).

But I would like to have the OPTION as there is no benefit in our case to displaying names.

As you noted, hiding the names will not stop THIS ATTACK.  But you can be sure someone will use the script and try again.  Wouldn't you like to stop THE NEXT ATTACK.  Because it's going to come.  You've been under attack for over a month you say.  You think they're just going to take their ball and go home?  This type of attack will come again.  It's sophisticated enough that it can't be stopped by IP, it doesn't blast you so you can halt it that way.  It runs so slow that you can't be sure it's not a regular user without checking the IP against where you know the user lives.

It seems the only way to reduce (I didn't say stop) is by cloaking your site (hide membernames) and/or making sure what names are displayed are not valid for logging in. 

We take additional precautions, limiting what boards are visible, and limiting guests to seeing only the first post (which may help explain why the target list used against our site is so small; there wasn't a lot to harvest).  We blocked the Info Center as we felt there was no valid reason for guests to see that information.  We figure if they want to see more they will register (and we review them before accepting them).

Sorry if I come off as a Johnny One-Note, but it seems to be a repeated need to point out some of the features of this attack and that what works for one site will not work for another (hence my saying that maybe robbie93 doesn't see a need to hide names, but we most assuredly do want to hide them).

Cal

Hi Cal, I don't really like bulking the site with mods, we only have about 5 ATM and that to me is more than enough, as for hiding names, if we did that then the site would look rather dull because we do use a portal and we also like names to be shown on the info center and I think members like to see their names also, so taking them away would be giving in to these bots, we only have about 12 active members on the site so what we did was send a newsletter to everyone, but to the active ones we also sent PMs and went through the process of changing their display name to something different than their username because they were complaining that they kept getting logged off halfway through playing a game, and that seemed to work as they haven't complained since. I think limiting boards and making them hidden and making your members' names hidden is really giving in to these bots and taking something away from your site - I look at this like this - you're not gonna stop bots attacking any site - no matter what software you use - and in this case they have been attacking us since early Jan or before and I don't think they have been successful as yet - but it is annoying as they fill up your logs every day.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 02:13:04 PM
You do realise that the mod I wrote only hides the names from guests, not to members, right? Hardly giving into anyone.

I should note, I've just started a much (much) more thorough logging of this spate of bots and already have a few ideas on how to block them until they get smarter again.
Title: Re: Being logged out by bots trying to log in
Post by: robbie93 on February 16, 2011, 02:26:38 PM
You do realise that the mod I wrote only hides the names from guests, not to members, right? Hardly giving into anyone.

I should note, I've just started a much (much) more thorough logging of this spate of bots and already have a few ideas on how to block them until they get smarter again.

Yep I realise this, but hiding names to guests makes the site less appealing, also, as you just stated these bots will continue to outsmart whatever you try to do to fix them so why bother? Just use different pw's and make username different from display. I don't see this site hiding names from guests on info center, isn't this site getting hit? And what have you guys done on this site to stop them?
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 02:30:49 PM
Quote
so why bother?

Why bother running a forum, then? The fact remains they will attack. As site owners we have a responsibility to minimise the risk to our users.

Quote
I don't see this site hiding names from guests on info center, isn't this site getting hit? And what have you guys done on this site to stop them?

How do you know this site isn't being hit? There's no guarantee of that at all! (In my case I am immune here because I have a different login name to display name :P)
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 16, 2011, 02:30:58 PM
For SMF this is a new situation, that we are just getting to know - no reason to panic, since they are slow and "mostly harmless", but reasonable steps to discourage such attempts are a good idea. For example I just advised my users to make sure they are using strong passwords, and that their contact info is up to date, and that using different login and screen names is a good idea. On top of this, I have been blocking IPs trying to log in to more than one account, and have installed HttpBL that seems to stop many of them.
Title: Re: Being logged out by bots trying to log in
Post by: robbie93 on February 16, 2011, 02:41:14 PM
@ Arantor

How do you know this site isn't being hit? There's no guarantee of that at all! (In my case I am immune here because I have a different login name to display name :P)

There's your fix then, if making your login name different to your display name makes you immune from attack why do we need a mod to hide names and boards and so on?    8) And I didn't ask if this site was being hit, I asked what you guys were doing about it if it was or is  ::) .
Title: Re: Being logged out by bots trying to log in
Post by: Kindred on February 16, 2011, 02:53:14 PM
so, tell your users to all change their display name. Done... no need to bother the devs at all...


Oh, wait... this won't stop the existing harvest...  (but then again, neither will releasing a new version of SMF that forces a difference between login and display)

And personally, I would lose track if I had a different display from login.   I have used Kindred since the early 90s.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 16, 2011, 03:23:09 PM
If one doesn't want to use a different display name from their log in name or email address the next best option is force your users to use secure passwords but your error log is still going to fill up.
Title: Re: Being logged out by bots trying to log in
Post by: Elysia on February 16, 2011, 03:33:04 PM
My forum error logs are cleared regular too otherwise the database gets bulky. I'll leave it for a few days and filter out the rogue logins to a new file, but as we've applied the htaccess file with 1,359 IPs blocked we are seeing very few rogue signin attempts now - today there's been 3 or 4, whereas earlier this week we were drowning in them.

I'll go check the server logs and see if there's anything useful in them though as they will still be there.
Title: Re: Being logged out by bots trying to log in
Post by: Danny S. on February 16, 2011, 03:51:02 PM
Hey guys,

I wanted to give an update on my situation to hopefully shed some light on a few things I've read.

First, let's start with the history of my issues. About a week ago, I got a PM from a regular member that said he has to keep logging into the forum every time he visits. My first thought (without knowing this was an issue) was to have the user clear his cookies in his browser and try again. Issue still persisted. Eventually, I found my way here and realized it was a widespread issue.

I took everyone's advice and upgraded the site from RC3 to RC5 and now the login issues have ceased. Of course the login attempts are still continuing.

This is where my situation gets weird. Some of the usernames it is using are some of my top posters. Well, you would think this would be expected because there's more of a chance for the bot to find the username (more posts = more instances).

BUT, some of the names it's using are of members who have NEVER posted. They signed up months ago, but have never actually made a post. Where could they have gotten the name from? If it's not on any post, the only other place would be the memberlist, correct? But I thought only members could see that...


Another thing, I've noticed in the last two months that my "members awaiting activation" has skyrocketed. Typically, I would see maybe 1 or 2 a month on the list. The last two months, there is a total of 78. Could this be related? I only have ~320 members on my site... surely this can't just be from getting more visits...


Any of this happening to someone else?
Title: Re: Being logged out by bots trying to log in
Post by: Cal O'Shaw on February 16, 2011, 03:58:36 PM
@Danny,

Info Center -> Forum Stats -> "Latest Member:" XXX

That's one of the reasons we hid the Info Center.

Cal
Title: Re: Being logged out by bots trying to log in
Post by: Danny S. on February 16, 2011, 04:00:50 PM
That could definitely be causing it, but some of these users signed up months ago and the field was quickly overwritten with a new member (within a couple days).

Does it still store the "new user" info even after a new member signs up? If not, wouldn't this mean that they captured the usernames as far back as last July?
Title: Re: Being logged out by bots trying to log in
Post by: Kindred on February 16, 2011, 04:03:04 PM
memberlist.....
Title: Re: Being logged out by bots trying to log in
Post by: Danny S. on February 16, 2011, 04:04:47 PM
Quote from: Kindred
memberlist.....

But isn't the memberlist only visible to members? By memberlist I'm referring to index.php?action=mlist.
Title: Re: Being logged out by bots trying to log in
Post by: Cal O'Shaw on February 16, 2011, 04:06:29 PM
You have to change the permission for guests.  I believe it is on by default (we switched it off years ago, so I could be quite wrong on default setting).

Cal
Title: Re: Being logged out by bots trying to log in
Post by: Danny S. on February 16, 2011, 04:11:05 PM
You have to change the permission for guests.  I believe it is on by default (we switched it off years ago, so I could be quite wrong on default setting).

Cal


I'm not trying to say that you're wrong, but just for troubleshooting purposes, mine is turned off for guests, so I don't think this is where they are finding the information. Unless, that is, they've created a username and now have access to them all.



Also, do you guys think that my recent spike in "members awaiting activation" could be related? Do you think it's trying to create accounts (I have my site setup on email activation).

Has anyone else noticed a spike on their sites?
Title: Re: Being logged out by bots trying to log in
Post by: Norv on February 16, 2011, 04:17:39 PM
There were sites (a while ago, not only these days) that receive quite a number of spammers registering. They only put a spam link in their profile, and never come back again. (in these cases)
Perhaps you can check their IPs too, against online databases like project HoneyPot, to see if they're IPs of known spammers.

There are mods on the customize site you can install to check these, i.e. httpBL, stop forum spam.
Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 16, 2011, 04:44:05 PM
memberlist.....

Don't think so unless they register to get to it.

My site has never enabled guest access to the memberlist and the majority of targeted userIDs were prominent posters/long term members. 
Title: Re: Being logged out by bots trying to log in
Post by: Elysia on February 16, 2011, 05:26:46 PM
Our Memberlist is not and never has been visible to Guests or Regular members, only to Global Mods and Admins. Profiles are visible to Regular Members though.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 05:35:10 PM
They're not getting member names from the memberlist, they seem to be getting them from posts and threads visible to guests.
Title: Re: Being logged out by bots trying to log in
Post by: RustyBarnacle on February 16, 2011, 05:38:59 PM
Don't forget to uncheck view profile!

By default this is left on for guests in permissions and so a bot can just go:

forum/index.php?action=profile;u=1
forum/index.php?action=profile;u=2
forum/index.php?action=profile;u=3
etc...
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 05:47:04 PM
Yup, that's true - but there's no evidence that's happening either. The list of accounts the bots are hitting is consistent, and it's not based on the order of users on the memberlist. I still bet it's fed the same way I'd feed it were I writing such a bot: the threads, all of which contain nice juicy links to the profile in a consistent format, just ripe for regex-ing out of a page. Crude bot, fed a forum, all it needs to do is start hitting up a board, munching its way through the links and looking for profile links.
Title: Re: Being logged out by bots trying to log in
Post by: Elysia on February 16, 2011, 05:47:39 PM
That's been locked down forever too. Reg Members can see other members profiles, guests can't see anything other than posts.
Title: Re: Being logged out by bots trying to log in
Post by: RustyBarnacle on February 16, 2011, 05:49:49 PM
I just installed a new out of the box SMF2 RC4 forum, made a couple profiles and guests could view profiles until I unchecked that.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 05:52:48 PM
Yup, that's the default, but all the evidence points to not doing that.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 16, 2011, 06:11:20 PM
I have seen them try user names of members that have never posted also. And my member list is not visible to guests but it is to members so it would be easy enough for a human spammer to capture the lists.
Title: Re: Being logged out by bots trying to log in
Post by: busterone on February 16, 2011, 06:15:22 PM
It is remotely possible that a human spammer made it past registration and then harvested the names. I did notice a huge increase in attempted spammer regs for about 2 weeks, and then it went quiet. About a week after that, these attacks started getting reported.  I guess I am still lucky. My error log is still clean. They haven't hit me at all.
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 16, 2011, 07:13:33 PM
There is a mod for it that I use. cb|Emailogin 0.5 (http://custom.simplemachines.org/mods/index.php?mod=1665). Compatible With: 1.1.13, 2.0 RC5

I can't use it, I still have to design my own. It isn't the mod's fault, it is just because the forum code is so heavily modified that I can no longer use packages from SMF. Even upgrades, I have to figure out what has changed and work them into my SMF installation. No big deal, like I said just got to find the time to do it.

And personally, I would lose track if I had a different display from login.   I have used Kindred since the early 90s.

Debate going on in my head about using email addresses. It seems to be the fad though with other websites.

But I am like you, I rather use my old login, but in this case I would choose security over personal preference. I doubt too many users will be too upset about using their email address that they linked to the forum, unless it is one they hardly use. :D
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 16, 2011, 07:21:15 PM
Well, I was just thinking, I can probably satisfy both ends. If they want to use their email address to login they can or if they want to use their username they can do that too, also they can use both if they wanted to. Maybe make it optional in the user profile which login method they prefer and explanations on why one is better than the other, etc.

This will give the user options instead of saying you have to use this method.
Title: Re: Being logged out by bots trying to log in
Post by: Cal O'Shaw on February 16, 2011, 07:27:46 PM
And if we could hide member names from guests then they could go either way.  The reason you can use the email addresses is because they are never displayed to guests.  If membernames were the same way you could use those safely as well.

Which is why I keep pushing to have that option, why it's great Arantor wrote his (even if it's 2.0 only), and now wish we could get the same feature for 1.1.x sites.

Cal 
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 07:31:31 PM
To be honest, though, to a point it's now locking the door after the horse has bolted.

Methods to block the attack entirely are being investigated as we speak.
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 16, 2011, 07:57:10 PM
We must consider whose responsibility it is to secure their account. Right now we are trying to play the role of the user but it is their responsibility to secure their account with a strong password. All that we can do is give options IMHO.

Email addresses on the other hand are displayed to members if the user wants to display them to members. Bots don't only have to be guest but can actually be registered members and view these email addresses.

Methods to block the attack entirely do not exist, you and I both know that. Best we can do IMO is to educate our users to make sure they don't leave their accounts vulnerable to these type of attacks.

I am not however saying that we can not help. We can run temp bans to reduce the impact and like I said just give the user options to protect their account.

Login by email address is a great idea, but I am not going to penalize my members who have a strong password. I just finished coding up an optional system for my site. Members can pick if they want to use their email and username, email only or username only to login.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 08:01:13 PM
Quote
Methods to block the attack entirely do not exist, you and I both know that.

This attack, I happen to disagree, because I've been doing some research into the mechanics of this specific attack. There is one notable feature that is rather consistent in the attack pattern. I won't disclose it publicly, naturally, but I'm currently working on a way to neutralise it.

Sure, we can and should be educating users. But we can't make them do anything, and nor should we.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 16, 2011, 08:23:32 PM
We must consider whose responsibility it is to secure their account. Right now we are trying to play the role of the user but it is their responsibility to secure their account with a strong password. All that we can do is give options IMHO.

Email addresses on the other hand are displayed to members if the user wants to display them to members. Bots don't only have to be guests but can actually be registered members and view these email addresses.

Methods to block the attack entirely do not exist, you and I both know that. Best we can do IMO is to educate our users to make sure they don't leave their accounts vulnerable to these types of attacks.

I am not however saying that we can not help. We can run temp bans to reduce the impact and like I said just give the user options to protect their account.

Login by email address is a great idea, but I am not going to penalize my members who have a strong password. I just finished coding up an optional system for my site. Members can pick if they want to use their email and username, email only or username only to log in.

In SMF 2.0 if you set it in the Admin panel to not allow viewable email addresses then the users cannot see the email address of other members. If a member has the option checked to "Allow users to email me" they still can't see other users' email addresses as the email goes through the forum software. Of course if they reply you will then see their email address.

Also if they can log in with either their email address or their user name the bot can still continue to use the user name to try and guess the password so that really doesn't help.
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 16, 2011, 08:35:21 PM
In SMF 2.0 if you set it in the Admin panel to not allow viewable email addresses then the users cannot see the email address of other members. If a member has the option checked to "Allow users to email me" they still can't see other users' email addresses as the email goes through the forum software. Of course if they reply you will then see their email address.

A user still can show their email address to registered members, check it out it is in your account settings.

Also if they can log in with either their email address or their user name the bot can still continue to use the user name to try and guess the password so that really doesn't help.

I think you didn't get me on this one. I made it optional, the user has three options in their control panel. Well, a picture says a thousand words. Screenshot attached.

Also I would like to note, SMF default is both email and username. ;)
Title: Re: Being logged out by bots trying to log in
Post by: butchs on February 16, 2011, 08:42:41 PM
Humm...  I have not seen it either.  May be stopping it unknowingly.  Still, I hope it comes my way.
 O:)
Title: Re: Being logged out by bots trying to log in
Post by: butchs on February 16, 2011, 08:48:53 PM
Mods like those listed here might help with preventing or alleviating the attempts made by particular IPs, as these mods typically use online databases of spammers' IPs. I should note there is a certain possibility that those databases are not always accurate, since they contain IPs accumulated by anonymous reports (and those reports could be wrong).

Bad Behavior is all php baby!  No lookups.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 08:53:14 PM
I take it you're not counting the variety of hostname queries it makes to validate that if a spider identifies itself as Google or Bing, that it comes from that hostname, as lookups (I guess they're to external DBs but not ones that are anonymous reports etc.)

And the behaviour with DNS lookups is also questionable anyway, which is why it was disabled in recent BB versions...
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 16, 2011, 08:55:37 PM
In SMF 2.0 if you set it in the Admin panel to not allow viewable email addresses then the users cannot see the email address of other members. If a member has the option checked to "Allow users to email me" they still can't see other users' email addresses as the email goes through the forum software. Of course if they reply you will then see their email address.

A user still can show their email address to registered members, check it out it is in your account settings.

Also if they can log in with either their email address or their user name the bot can still continue to use the user name to try and guess the password so that really doesn't help.

I think you didn't get me on this one. I made it optional, the user has three options in their control panel. Well, a picture says a thousand words. Screenshot attached.

Also I would like to note, SMF default is both email and username. ;)

Are you on 2.0 because I don't see those settings anywhere in SMF 2.0 unless I'm overlooking them.

Also if email addresses being viewable is disabled in the admin panel and a user checks the option to "Allow users to email me" the other users can still not see that email address. They can email them through the forum software and that will expose that person's email address but not the email address of the person they are emailing. At least that is how it is on my 2.0 forum.
Title: Re: Being logged out by bots trying to log in
Post by: butchs on February 16, 2011, 09:32:42 PM
I take it you're not counting the variety of hostname queries it makes to validate that if a spider identifies itself as Google or Bing, that it comes from that hostname, as lookups (I guess they're to external DBs but not ones that are anonymous reports etc.)

Not the same as searching a database such as project honeypot and etc.  Only one "gethostbynamel" per cache run for only the Big 3 bots which if set 20+ seconds covers most bot runs.

And the behaviour with DNS lookups is also questionable anyway, which is why it was disabled in recent BB versions...

That is only an issue with Ubuntu 10+ servers using the BB code which is not the same as the mod.  The mod's latest code, in testing now at SMF helper, has been proven reliable as long as you use the mod's built-in disk cache.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 16, 2011, 09:38:58 PM
Quote
Not the same as searching a database such as project honeypot and etc.  Only one "gethostbynamel" per cache run for only the Big 3 bots which if set 20+ seconds covers most bot runs.

Hence "I take it that you're not counting..." - just clarifying the situation.

Quote
That is only an issue with Ubuntu 10+ servers using the BB code which is not the same as the mod.

No, it's a PHP issue generally, actually, where the DNS lookup returned false somewhat ambiguously, which is why all the tests were subsequently commented out in BB, even in 2.1.11 - roundtripdns.inc.php:
Code: [Select]
# FIXME: Returns false on DNS server failure; PHP provides no distinction
# between no records and error condition

(I've been following BB's code fairly closely for a while, trying to engineer IPv6 support into it, and into SMF generally, is no small task.)
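
The round-trip check discussed above (reverse-resolve the client IP, check the hostname, forward-resolve it back) is sketched here as an added example, not Bad Behavior's or the mod's code, with a third "indeterminate" outcome for the resolver-failure case the FIXME comment says PHP cannot tell apart from "no records". It is written in Python with injectable resolvers so it runs offline and compares addresses in an IPv6-safe way; the suffix table, all function names and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from enum import Enum


class Verdict(Enum):
    VERIFIED = "verified"            # PTR and forward lookup agree
    SPOOFED = "spoofed"              # DNS answered, and the claim is false
    INDETERMINATE = "indeterminate"  # DNS itself failed; no conclusion


class NoRecord(Exception):
    """The resolver answered: the record does not exist."""


class ResolverFailure(Exception):
    """Timeout, SERVFAIL or similar: the lookup did not complete."""


# Assumed configuration: hostname suffixes accepted per claimed crawler.
CRAWLER_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
    "bingbot": (".search.msn.com",),
}


def system_reverse(ip):
    """PTR lookup that keeps 'no record' apart from 'lookup failed'."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror as exc:
        # h_errno 1 = HOST_NOT_FOUND, 4 = NO_DATA; anything else is a failure.
        if exc.args and exc.args[0] in (1, 4):
            raise NoRecord(ip) from exc
        raise ResolverFailure(ip) from exc
    except OSError as exc:
        raise ResolverFailure(ip) from exc


def system_forward(host):
    """A/AAAA lookup returning address strings, with the same error split."""
    absent = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        if exc.args and exc.args[0] in absent:
            raise NoRecord(host) from exc
        raise ResolverFailure(host) from exc
    # Drop any IPv6 zone suffix ("%eth0") before the caller parses addresses.
    return [info[4][0].split("%")[0] for info in infos]


def verify_crawler(ip, claimed, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS for a client claiming to be `claimed`."""
    addr = ipaddress.ip_address(ip)          # accepts IPv4 and IPv6
    suffixes = CRAWLER_SUFFIXES[claimed]
    try:
        host = reverse(ip).rstrip(".").lower()
    except NoRecord:
        return Verdict.SPOOFED               # real crawlers publish a PTR
    except ResolverFailure:
        return Verdict.INDETERMINATE         # do not block on our own outage
    if not host.endswith(suffixes):          # leading dot stops "evilgooglebot.com"
        return Verdict.SPOOFED
    try:
        confirmed = {ipaddress.ip_address(a) for a in forward(host)}
    except NoRecord:
        return Verdict.SPOOFED               # PTR names a host that does not exist
    except ResolverFailure:
        return Verdict.INDETERMINATE
    # Anyone controlling their own reverse zone can forge a PTR; only the
    # forward lookup, answered by the crawler's own zone, confirms it.
    return Verdict.VERIFIED if addr in confirmed else Verdict.SPOOFED


def dict_resolvers(ptr, fwd, broken=()):
    """Offline stand-ins for the two resolvers, built from constructed tables."""
    def make(table):
        def resolve(key):
            if key in broken:
                raise ResolverFailure(key)
            if key not in table:
                raise NoRecord(key)
            return table[key]
        return resolve
    return make(ptr), make(fwd)


if __name__ == "__main__":
    # Constructed records using documentation address ranges.
    rev, fwd = dict_resolvers(
        {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
         "198.51.100.7": "crawl-192-0-2-10.googlebot.com"},
        {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"]},
        broken={"192.0.2.99"},
    )
    for ip in ("192.0.2.10", "198.51.100.7", "192.0.2.99"):
        print(ip, verify_crawler(ip, "googlebot", rev, fwd).value)
```

A caller would cache the verdict per address and retry the indeterminate ones later rather than treating them as either outcome.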
Title: Re: Being logged out by bots trying to log in
Post by: butchs on February 16, 2011, 10:06:44 PM
Hence "I take it that you're not counting..." - just clarifying the situation.

That is not a database look-up per se, it is using a built-in PHP function.  Do some diligence and you will find a lookup at project honey pot et al takes longer.  EDIT:  Besides the test will be an option in the final BB 1.4.0 mod version.

No, it's a PHP issue generally, actually, where the DNS lookup returned false somewhat ambiguously, which is why all the tests were subsequently commented out in BB, even in 2.1.11 - roundtripdns.inc.php:

I have been following it too since I wrote the SMF mod for BB and I wrote the last "roundtripdns.inc.php" for BB.  Put your dollar store reading glasses on and look closely.  ;)  You will discover that it is an Ubuntu issue and note the issue is for a function that is NOT used in the mod.  I have been running my version of "roundtripdns.inc.php" for over 6 months with zero issues.  Every now and then I block a fake google that others may believe is real.  Good for me...   O:)

(I've been following BB's code fairly closely for a while, trying to engineer IPv6 support into it, and into SMF generally, is no small task.)

Why????  BB works mostly with ipv6.   BB does not care about the ip's since it is all about looking at other things.  The mod uses adjusted ip's for cache which accept ipv6 addresses and that is all she wrote.  8)

ipv6 is not difficult.  I have already written some code for ipv6 compatibility with FF mod.  The only known (at its creation) with ipv6 protection against what would otherwise be a vulnerability.  I have some beta code prepared for BB.  But honestly, further ipv6 development for both mods for the roundtrip test is a waste of time until ipv6 becomes more popular.  Maybe next winter.

EDIT:  I believe SMF needs to standardize the long ipv6 address DB storage issue first.
Title: Re: Being logged out by bots trying to log in
Post by: krick on February 17, 2011, 01:06:33 AM
I've discovered something interesting by looking at the search queries that resulted in hits on my site using Google Webmaster tools:
http://www.google.com/webmasters/tools/

Below are some of the things that people (bots) are searching for that lead them to my site.  Usually, the search string has some other random word at the beginning and/or a timestamp, presumably to "randomize" the search to prevent you and/or google from blocking them.

The other disturbing thing was that my site is a world of warcraft related site and many of the bot queries actually had keywords that are specific to warcraft and other MMOs, so it appears that at least some of the bots are targeting specific types of sites.

"/index.php?topic="
"always stay logged in"
"always stay logged in:"
"forum stats"
"hot topic (more than"
"locked topic"
"login (forgot your password?)"
"login with username, password and session length"
"members - latest member:"
"minutes to stay logged in"
"minutes to stay logged in:"
"no new posts"
"normal topic"
"posts"
"powered by smf 1.1.12"
"powered by smf"
"signature"
"simple machines llc"
"smf 1.1"
"smf 1.1.12"
"sticky topic"
"summary"
"topic you have posted in"
"users online"
"very hot topic (more than"
"view the most recent posts on the forum"
"view the most recent posts on the forum."
"welcome, guest. please login or register"
"welcome,"
.index.php action=
.member.php u=
/entry.php
/forum
/forums
/index.php/topic
/index.php?topic=
/member.php?
/read.php?
/suggest.php?action=
/thread
/thread-
/topic
/view-last-messages.html
/viewforum.php?f=
/viewtopic.php?f=
/viewtopic.php?t=
add message
add reply
add topic
forum
forums/index.php s=
forums/member.php
forums/members
message/member.php u=
new topic
phorum
posting
smf
username: password: minutes to stay logged in:
viewprofile
viewtopic.php
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 17, 2011, 01:21:40 AM
Some of those have nothing to do with SMF, which basically proves what has been said before - this is not an SMF specific issue.
Still, we are working on it, to see if there is something we can do about it.
Title: Re: Being logged out by bots trying to log in
Post by: Cal O'Shaw on February 17, 2011, 01:26:06 AM
LexArma,

Are you considering having the ability to block display of names to guests (you had to know I'd ask)?  Again, does zip for current attack, but renders future account harvesting nearly impossible.

Will any solution cover 1.1.13 sites?

Grazie,

Cal
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 17, 2011, 01:27:20 AM
At the moment we are mostly brainstorming about this, so can't really answer that one yet...
Title: Re: Being logged out by bots trying to log in
Post by: Cal O'Shaw on February 17, 2011, 01:30:20 AM
No worries.  But as my Mum always said, you don't know if you don't ask... ;)

Grazie mille,

Cal
Title: Re: Being logged out by bots trying to log in
Post by: Clara Listensprechen on February 17, 2011, 01:32:14 AM
Quote
Methods to block the attack entirely do not exist, you and I both know that.

This attack, I happen to disagree, because I've been doing some research into the mechanics of this specific attack. There is one notable feature that is rather consistent in the attack pattern. I won't disclose it publicly, naturally, but I'm currently working on a way to neutralise it.

Sure, we can and should be educating users. But we can't make them do anything, and nor should we.
You certainly got my curiosity up, because I've noticed a peculiar pattern in the attacks I've been getting--they're not using everybody's username, just 4 (on both my boards). They're not all admin or mod people, either (2 admin, 1 mod, one regular). It's something that makes me go "hmmmm."

=============

Oh yeah--none of the 4 are the latest member, either. Hmmmm.
Title: Re: Being logged out by bots trying to log in
Post by: Tanks on February 17, 2011, 03:29:11 AM
I did two things to my RC2 forum and I now have a clean error log.

First I installed Arantor's abuse mod to hide all user names from guests. Seriously, guests have no need for user names to find the content of a board interesting.

Secondly I installed Codebirth's EmailLogin mod and warned all my users 12 hours in advance. Now users must log on with their email and so far that has not given me any objections from my members.

I have now cleared my htaccess file and I still have a clean error log. I know the bots are still attacking, but they are not able to log my members out, and they are not filling up my error log.

I feel satisfied, and just wanted to share what I did to stop this pain in the a** attack.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 17, 2011, 03:34:47 AM
Quote
That is not a database look-up per se, it is using a built-in PHP function.  Do some diligence and you will find a lookup at project honey pot et al takes longer.

Now you're just being facetious. Yes, a lookup to an external site will take longer, which is why I was clarifying that you weren't referring to anything additional there. Though if you're behind a slow RDNS, even the DNS roundtrip can be slow.

Quote
You will discover that it is an Ubuntu issue and note the issue is for a function that is NOT used in the mod.

It's not used because it was commented out following that issue. Oh, and I get the same behaviour on Windows, which kind of blows that theory out of the water. But as all the comments for http://php.net/gethostbyaddr show, it can lag pretty hard anyway...

Quote
Why?

I think you misunderstand me. There are parts of the code that do use IPv4 blocks for checking (some of the search engine checks, mainly). IPv4 is exhausted at the most coarse level, several of the RIRs are talking about exhaustion by them within 3-6 months, so it only makes sense to have IPv6 support - and if you're using it in SMF, you kind of need to get your checks in very, very early (I can't remember how early you added them) because cleanRequest() will nuke the IPv6 address because it doesn't understand IPv6.

Oh, and if you're trying to tell me your implementation of BB into SMF is solid, I really hope you're not trying to store binary compressed IP addresses into a 16 byte character field, since there will typically be some invalid code points in there.

And roundtripdns.inc.php even says itself that it's not IPv6 safe.

Quote
But honestly, further ipv6 development for both mods for the roundtrip test is a waste of time until ipv6 becomes more popular.  Maybe next winter.

Actually in all honesty it's a waste of time until SMF supports IPv6. Fortunately, I don't have that problem, since I do have IPv6 support in the core in my development files.


Quote
The other disturbing thing was that my site is a world of warcraft related site and many of the bot queries actually had keywords that are specific to warcraft and other MMOs, so it appears that at least some of the bots are targeting specific types of sites.

WoW is a big enough presence even in fan forums that it's worth spending some effort targeting them. But yeah, mostly they're finding forums through search engines. But I will echo what Lex said, some of those search terms are vBulletin or phpBB specific - but they will show up in *links* between forums too.

Quote
You certainly got my curiosity up, because I've noticed a peculiar pattern in the attacks I've been getting--they're not using everybody's username, just 4 (on both my boards). They're not all admin or mod people, either (2 admin, 1 mod, one regular). It's something that makes me go "hmmmm."

That's not the only commonality, either.
Title: Re: Being logged out by bots trying to log in
Post by: BPLive on February 17, 2011, 04:33:15 AM
The actual problem of getting logged out because of these, should be fixed in the latest releases.

this is good to hear.  Today I upgraded from 2.0 rc3 to rc5

I'll have to wait for feedback. However I do see in the errorlog IP's still trying to do so with 'users' failed password etc.  however I guess you guys did something to keep this from the log outs.  but the error log will continue to build I guess.   anyway Thanks!
I'll post back if Rc5 fixed the issue via feedback.

So far after doing the rc5 upgrade I got feedback from a couple users that the login issue is fixed.  however I have 174 new entries since I cleared my user log yesterday.  and yes 1 IP does attack multiple usernames, other times it's only one IP per user.

I don't know why you want access to my server, but if you want admin access still to the forum or both, please let me know if that will help you.  I'd like to give something back to SMF if this helps.
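
The two log observations reported in this thread (a handful of usernames being tried, and one IP sometimes attacking several usernames while other times there is only one IP per user) can be checked mechanically. The following is an added example, not part of any post or of SMF: it assumes a constructed one-line-per-attempt log format, documentation-range addresses and hypothetical thresholds, and shows why a per-IP failure counter stays silent while a per-username view of distinct sources flags the targeted account.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<date> <time> <ip> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2011-02-17 04:00:05 203.0.113.10 alice FAIL
2011-02-17 04:01:40 198.51.100.22 alice FAIL
2011-02-17 04:02:10 192.0.2.7 bob FAIL
2011-02-17 04:02:31 192.0.2.7 bob FAIL
2011-02-17 04:02:55 192.0.2.7 bob OK
2011-02-17 04:03:12 203.0.113.77 alice FAIL
2011-02-17 04:05:48 198.51.100.91 alice FAIL
2011-02-17 04:06:02 198.51.100.91 carol FAIL
2011-02-17 05:30:00 203.0.113.10 carol FAIL
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) (OK|FAIL)$"
)


def parse_failures(text):
    """Return (timestamp, ip, username) for every failed attempt."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match and match.group(4) == "FAIL":
            when = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((when, match.group(2), match.group(3)))
    return sorted(events)


def noisy_sources(events, min_attempts=5):
    """What a per-IP failure counter sees: IPs with many failures."""
    counts = Counter(ip for _, ip, _ in events)
    return {ip: n for ip, n in counts.items() if n >= min_attempts}


def distributed_targets(events, window=timedelta(minutes=10), min_sources=3):
    """Usernames that failed from >= min_sources distinct IPs in one window."""
    by_user = defaultdict(list)
    for when, ip, user in events:
        by_user[user].append((when, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({ip for _, ip in hits[start:end + 1]}))
        if best >= min_sources:
            flagged[user] = best
    return flagged


def shared_sources(events, min_users=2):
    """IPs that tried several usernames, with the names they tried."""
    users_by_ip = defaultdict(set)
    for _, ip, user in events:
        users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("per-IP counter flags:   ", noisy_sources(failures))
    print("per-username view flags:", distributed_targets(failures))
    print("IPs trying several names:", shared_sources(failures))
```

In the sample, no single address reaches the per-IP threshold, the one mistyping user is not flagged, and only the account hit from four sources inside ten minutes stands out.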
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 17, 2011, 04:45:49 AM
The actual problem of getting logged out because of these, should be fixed in the latest releases.

this is good to hear.  Today I upgraded from 2.0 rc3 to rc5

I'll have to wait for feedback. However I do see in the errorlog IP's still trying to do so with 'users' failed password etc.  however I guess you guys did something to keep this from the log outs.  but the error log will continue to build I guess.   anyway Thanks!
I'll post back if Rc5 fixed the issue via feedback.

So far after doing the rc5 upgrade I got feedback from a couple users that the login issue is fixed.  however I have 174 new entries since I cleared my user log yesterday.  and yes 1 IP does attack multiple usernames, other times it's only one IP per user.

I don't know why you want access to my server, but if you want admin access still to the forum or both, please let me know if that will help you.  I'd like to give something back to SMF if this helps.
If you'd PM Norv (http://www.simplemachines.org/community/index.php?action=profile;u=211029) about this, would probably be best ;)
Title: Re: Being logged out by bots trying to log in
Post by: BPLive on February 17, 2011, 05:17:16 AM
The actual problem of getting logged out because of these, should be fixed in the latest releases.

this is good to hear.  Today I upgraded from 2.0 rc3 to rc5

I'll have to wait for feedback. However I do see in the errorlog IP's still trying to do so with 'users' failed password etc.  however I guess you guys did something to keep this from the log outs.  but the error log will continue to build I guess.   anyway Thanks!
I'll post back if Rc5 fixed the issue via feedback.

So far after doing the rc5 upgrade I got feedback from a couple users that the login issue is fixed.  however I have 174 new entries since I cleared my user log yesterday.  and yes 1 IP does attack multiple usernames, other times it's only one IP per user.

I don't know why you want access to my server, but if you want admin access still to the forum or both, please let me know if that will help you.  I'd like to give something back to SMF if this helps.
If you'd PM Norv (http://www.simplemachines.org/community/index.php?action=profile;u=211029) about this, would probably be best ;)

done and made him an account.  cheers!
Title: Re: Being logged out by bots trying to log in
Post by: butchs on February 17, 2011, 05:28:27 AM
...

The other disturbing thing was that my site is a world of warcraft related site and many of the bot queries actually had keywords that are specific to warcraft and other MMOs, so it appears that at least some of the bots are targeting specific types of sites.

"hot topic (more than"
"locked topic"
"login (forgot your password?)"
.member.php u=
/entry.php
/read.php?
/suggest.php?action=
/thread
/thread-
/view-last-messages.html
/viewforum.php?f=
/viewtopic.php?f=
/viewtopic.php?t=
phorum
username: password: minutes to stay logged in:
viewprofile
viewtopic.php

No need for SMF to add more code just to slow down the package.  They have more important things to do like functional improvements and bugs.

My solution is simple, look at the list and pick a couple non-SMF phrases from the bot attack and add them to the Forum Firewall (http://www.simplemachines.org/community/index.php?topic=417490.0) mod "Injection List" in the admin panel.  Problem solved, the bot will get blocked and give up.  The only question is which is the best phrase to pick.  I think I will start with "phorum".  I added "phorum|" to the front of my list.
 :o
Title: Re: Being logged out by bots trying to log in
Post by: DJPlamen on February 17, 2011, 06:00:50 AM
What if we arm our LOIC and fight back to the most imprudent bot ip?   ::)  ;D
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 17, 2011, 06:20:57 AM
What if we arm our LOIC and fight back to the most imprudent bot ip?   ::)  ;D

Hahaha, if only it weren't legally questionable, and likely to be someone random that gets hit rather than the orchestration of this attack.
Title: Re: Being logged out by bots trying to log in
Post by: DJPlamen on February 17, 2011, 06:32:03 AM
Ahm, It's not an attack, it's more like "active self-defense" ::) 
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 17, 2011, 06:36:36 AM
Not really, no. Those orchestrating the current login attempts are not doing so directly. They have a large number of IP addresses at their disposal, the LOIC wouldn't really be able to proactively defend against anyone, unless you plan on hitting innocent bystanders.
Title: Re: Being logged out by bots trying to log in
Post by: DJPlamen on February 17, 2011, 06:58:49 AM
One dumb question then... my site was attacked via ..smf/index.php?action=login2...
Will it help to change the link and function name to login3 (in LogInOut.php and index.php)??
Title: Re: Being logged out by bots trying to log in
Post by: DarkBlizz on February 17, 2011, 07:42:30 AM
I had that happen once, but my account wasn't locked out, even though I do have a failed pw attempt limit.  Try using Login Security Mod (http://custom.simplemachines.org/mods/index.php?mod=2181), it will prevent anyone logging into your account that's not on your IP.
Title: Re: Being logged out by bots trying to log in
Post by: DJPlamen on February 17, 2011, 07:46:13 AM
Thanks... I'm using SMF as forum within another application, so registrations are closed - I even can disable or remove all login links, since I create my smf-cookies externally (from my other application)... but I prefer to not "step back" with that fight...
Title: Re: Being logged out by bots trying to log in
Post by: DarkBlizz on February 17, 2011, 07:51:59 AM
Best offense is a good defense.  You could as mentioned before just use Forum Firewall and it would auto-ban that IP and any other IP which constantly hammers those urls.
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 17, 2011, 08:37:02 AM
You certainly got my curiosity up, because I've noticed a peculiar pattern in the attacks I've been getting--they're not using everybody's username, just 4 (on both my boards). They're not all admin or mod people, either (2 admin, 1 mod, one regular). It's something that makes me go "hmmmm."

We're still getting the login attempts at one forum. But I noticed something weird. I'm an Administrator, and when I make a mistake in the password for my account it generates a critical error in the error log. I've seen my admin account name in the error log too, when the bot attack tries to guess the password.

But it doesn't generate a critical error when the bot tries the wrong password, just a normal user error. Why is that?

Also, I installed Arantor's Hidden mod, and it's been in for a few days, but the bots keep using a list of names they already have, so I suppose it was a day late and a dollar short for that forum. I wonder if the bots will ever stop?

Title: Re: Being logged out by bots trying to log in
Post by: Danny S. on February 17, 2011, 08:56:43 AM
I wonder if the bots will ever stop?

It's hard to tell. If the creators aren't having success, then maybe it will stop until they think of something else...

But to show that it's really NOT an SMF-only issue, here is an article on phpBB's website:

http://www.phpbb.com/community/viewtopic.php?t=1947925


Sound familiar?  ::)
Title: Re: Being logged out by bots trying to log in
Post by: busterone on February 17, 2011, 09:12:53 AM
Indeed it is. A friend of mine admins 2 phpbb forums and he has confirmed that one of them has been hit hard in the last few weeks by the same tactic.
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 17, 2011, 09:23:06 AM
Has anyone run a sniffer or packet capture during an attack?
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 17, 2011, 11:11:53 AM
I bet any password login error due to the bot attacks is in this list I made. It looks to all be Tor nodes. But I bet you, check your error logs and the IPs will match this list. No solve though since I am more than sure they will get more IPs once these ones are blocked.  ;)

This list is comprised of IPs that I have gotten, then some software to check which exit nodes were available for each IP I gave it. Sad part though is some legit traffic can travel through these IPs also.  :-\

67.49.163.34
67.84.137.250
68.10.132.34
68.11.52.79
68.111.248.243
68.157.34.88
68.169.143.126
68.170.181.33
68.174.51.136
68.189.106.46
68.191.44.98
68.204.34.66
68.205.247.105
68.206.36.124
68.233.14.37
68.28.105.225
68.41.26.216
68.52.34.71
68.68.176.77
68.70.5.246
68.71.46.138
68.9.230.85
69.138.58.3
69.141.134.60
69.148.188.100
69.163.34.69
69.164.195.171
69.181.146.73
69.181.9.32
69.204.105.56
69.204.126.19
69.204.222.61
69.208.13.148
69.243.225.36
69.254.78.92
69.39.49.199
69.47.211.192
69.71.222.187
70.112.1.221
70.112.5.220
70.114.142.159
70.115.241.84
70.167.198.167
70.176.189.73
70.184.237.31
70.188.3.196
70.232.166.92
70.27.7.121
70.36.134.54
70.36.140.84
70.81.143.170
70.88.10.212
71.105.29.170
71.114.23.178
71.12.0.39
71.165.245.158
71.181.70.241
71.181.70.241
71.184.65.42
71.184.65.42
71.184.65.42
71.192.98.40
71.197.38.32
71.198.174.233
71.198.26.88
71.204.180.243
71.236.11.56
71.238.149.111
71.255.170.233
71.52.240.164
71.64.8.236
71.7.168.98
71.83.110.34
71.84.251.115
71.91.200.114
72.130.191.156
72.14.177.164
72.14.179.10
72.14.189.49
72.197.222.197
72.199.17.251
72.201.207.16
72.219.145.226
72.234.20.77
72.43.123.225
72.47.15.219
72.47.252.215
72.55.174.112
72.67.93.111
72.77.28.224
74.106.13.137
74.115.0.37
74.115.1.52
74.117.159.204
74.120.12.135
74.120.15.150
74.193.15.208
74.195.36.85
74.196.25.245
74.207.231.152
74.207.248.241
74.207.254.235
74.208.231.162
74.208.243.167
74.208.246.213
74.208.246.222
74.211.218.2
74.3.165.39
74.58.14.4
74.65.254.17
74.74.91.147
74.82.57.7
75.100.58.166
75.101.62.112
75.119.219.205
75.140.81.12
75.141.252.141
75.149.102.241
75.158.21.67
75.2.141.48
75.30.97.142
75.65.52.6
75.71.148.104
75.71.29.76
75.84.222.110
75.91.61.99
76.10.190.194
76.10.214.53
76.10.214.89
76.169.41.82
76.175.129.115
76.177.23.254
76.27.236.64
76.28.240.54
76.30.87.187
76.99.72.87
77.104.221.3
77.109.137.140
77.109.139.87
77.109.74.125
77.123.5.242
77.162.90.164
77.171.107.207
77.176.231.118
77.190.207.226
77.193.220.170
77.195.184.14
77.197.196.200
77.197.197.121
77.20.187.218
77.20.220.211
77.20.53.245
77.203.143.244
77.205.25.207
77.205.49.130
77.220.41.47
77.223.93.221
77.232.135.67
77.244.247.245
77.249.72.104
77.250.229.78
77.27.96.107
77.37.136.160
77.41.78.126
77.65.144.81
77.74.54.25
77.9.0.198
77.91.200.27
77.99.119.106
77.99.17.158
78.102.92.225
78.105.113.59
78.107.233.68
78.107.237.16
78.111.125.36
78.115.225.186
78.119.198.198
78.121.23.47
78.121.91.156
78.124.147.247
78.126.254.161
78.137.33.2
78.142.175.70
78.143.197.55
78.144.157.102
78.147.47.203
78.153.153.8
78.20.149.140
78.20.44.159
78.224.56.170
78.23.102.153
78.230.4.96
78.232.224.94
78.239.51.235
78.239.56.126
78.249.170.116
78.249.214.37
78.25.19.181
78.250.239.154
78.251.79.228
78.31.56.105
78.31.67.155
78.45.70.26
78.46.36.42
78.46.39.228
78.47.240.52
78.47.244.106
78.48.207.143
78.50.91.204
78.51.102.45
78.53.7.92
78.55.101.79
78.73.71.88
78.85.183.93
79.11.222.73
79.120.86.20
79.123.71.180
79.132.163.205
79.136.121.242
79.136.30.122
79.136.48.241
79.136.77.47
79.19.116.110
79.251.95.196
79.255.97.145
79.30.200.32
79.34.61.85
79.80.130.74
79.83.72.151
79.86.150.136
79.88.169.23
79.90.18.36
79.91.121.211
79.92.11.127
79.92.110.130
79.95.152.65
79.99.236.2
8.18.38.105
80.101.129.109
80.119.132.28
80.119.169.151
80.177.246.35
80.177.3.76
80.181.76.60
80.203.34.16
80.213.87.159
80.213.87.7
80.229.150.242
80.232.240.249
80.243.100.17
80.56.238.201
80.57.179.197
80.60.142.42
80.62.217.18
80.65.247.74
80.67.176.111
80.73.242.130
80.79.113.178
80.79.125.131
80.79.126.30
80.79.23.27
80.79.23.7
80.81.183.172
80.86.57.168
80.90.43.159
81.10.194.165
81.134.134.100
81.135.25.19
81.168.73.40
81.169.155.246
81.169.173.120
81.169.181.93
81.174.162.24
81.187.207.115
81.2.197.33
81.205.179.52
81.210.173.245
81.216.148.87
81.218.219.122
81.220.20.23
81.220.218.149
81.226.218.187
81.248.48.202
81.48.14.227
81.50.225.76
81.53.235.204
81.56.210.20
81.56.77.47
81.9.176.139
81.90.234.64
81.97.87.103
81.97.97.142
82.101.244.149
82.122.186.221
82.125.242.183
82.139.123.47
82.146.27.209
82.149.225.171
82.161.41.100
82.165.138.129
82.168.225.145
82.183.140.104
82.194.86.135
82.197.198.66
82.198.33.178
82.209.175.58
82.225.117.127
82.225.190.193
82.226.243.59
82.227.12.18
82.227.184.3
82.227.205.75
82.228.252.20
82.229.219.5
82.234.240.212
82.237.54.30
82.238.44.140
82.239.20.174
82.240.188.36
82.243.121.39
82.243.137.200
82.245.131.230
82.245.146.63
82.245.41.171
82.247.118.177
82.250.67.167
82.255.71.212
82.43.130.58
82.65.8.209
82.66.140.126
82.66.226.18
82.67.72.34
82.95.213.227
82.95.232.40
82.95.249.168
83.101.84.33
83.142.228.14
83.152.61.30
83.153.144.53
83.154.144.175
83.158.127.140
83.160.235.10
83.169.2.184
83.169.33.85
83.170.92.9
83.171.156.87
83.171.190.99
83.217.134.143
83.222.17.18
83.226.245.207
83.237.112.191
83.238.0.42
83.240.116.79
83.246.244.106
83.249.195.77
83.249.87.238
83.250.124.235
83.250.202.109
83.33.223.66
83.55.255.161
83.80.129.253
83.81.5.95
83.86.110.188
83.86.142.62
83.87.66.24
83.91.86.27
83.92.176.158
83.94.210.19
84.100.207.99
84.100.218.66
84.101.216.184
84.101.26.109
84.102.189.120
84.112.251.132
84.114.175.62
84.133.98.234
84.145.34.6
84.167.13.168
84.191.155.122
84.208.116.39
84.208.229.89
84.215.160.82
84.215.39.188
84.22.122.5
84.221.197.120
84.221.209.11
84.234.79.249
84.242.103.140
84.25.163.46
84.25.173.164
84.3.184.38
84.47.246.196
84.48.102.177
84.48.216.189
84.55.110.45
84.97.124.253
85.113.141.247
85.113.154.148
85.114.135.224
85.12.193.162
85.125.222.141
85.125.223.198
85.126.48.3
85.126.48.6
85.14.198.50
85.140.0.80
85.140.155.0
85.15.23.143
85.166.136.18
85.169.186.118
85.17.146.75
85.17.177.73
85.17.239.155
85.17.45.85
85.17.92.13
85.17.97.6
85.170.217.92
85.182.78.79
85.202.106.99
85.214.73.63
85.217.22.226
85.219.187.102
85.224.105.166
85.226.142.107
85.235.23.133
85.235.31.248
85.24.236.80
85.248.124.60
85.8.28.11
85.89.21.42
85.94.221.18
86.100.144.159
86.105.127.29
86.111.82.60
86.136.138.26
86.139.6.165
86.14.20.237
86.158.166.186
86.158.74.165
86.16.21.99
86.192.246.32
86.193.111.64
86.202.253.213
86.206.192.45
86.206.192.45
86.206.68.203
86.207.65.212
86.208.133.172
86.209.124.203
86.24.36.239
86.57.57.65
86.59.21.163
86.61.72.185
86.68.63.42
86.69.154.205
86.69.25.238
86.70.190.76
86.72.144.158
86.72.167.204
86.72.45.15
86.76.193.163
86.86.58.199
86.93.165.82
86.94.200.149
87.103.243.46
87.106.138.84
87.106.82.46
87.111.213.197
87.118.101.175
87.118.103.142
87.118.104.203
87.118.84.181
87.118.93.143
87.119.168.161
87.139.208.105
87.160.157.113
87.171.111.205
87.194.120.170
87.194.125.162
87.194.19.206
87.205.83.178
87.212.155.61
87.220.59.210
87.223.108.174
87.227.67.75
87.227.76.45
87.227.83.103
87.231.165.23
87.236.194.191
87.236.194.97
87.236.199.73
87.236.44.228
87.241.92.191
87.50.6.10
87.79.48.112
87.8.56.95
87.91.71.12
88.110.130.216
88.112.2.94
88.149.158.70
88.149.194.210
88.149.194.94
88.149.196.206
88.161.137.71
88.161.229.26
88.163.179.165
88.168.212.99
88.168.84.68
88.169.166.11
88.169.75.55
88.169.83.13
88.173.172.143
88.173.216.203
88.174.165.61
88.174.196.244
88.177.202.125
88.178.63.212
88.180.37.208
88.181.132.181
88.181.27.75
88.182.124.157
88.185.112.128
88.185.145.199
88.196.63.57
88.198.102.115
88.198.107.171
88.198.109.35
88.198.2.173
88.198.56.140
88.198.57.247
88.208.121.151
88.217.96.121
88.64.82.220
88.80.25.223
88.80.28.3
88.80.28.70
88.80.6.237
88.86.122.153
89.103.138.5
89.104.115.107
89.110.156.159
89.130.107.90
89.130.252.230
89.131.1.88
89.145.121.180
89.150.70.78
89.156.14.242
89.16.173.11
89.16.175.194
89.163.107.134
89.176.229.34
89.176.88.245
89.188.9.62
89.2.122.27
89.203.190.171
89.204.67.214
89.229.37.242
89.241.180.50
89.253.105.39
89.253.97.235
89.29.157.203
89.31.100.230
89.77.137.143
89.79.64.98
89.81.215.222
89.86.164.210
90.137.149.111
90.15.132.2
90.153.128.18
90.153.128.19
90.153.209.251
90.164.183.147
90.178.67.68
90.191.77.130
90.22.210.239
90.224.229.55
90.227.188.191
90.231.132.220
90.39.79.173
90.42.167.103
90.47.75.73
90.5.146.184
90.53.127.211
90.53.213.239
90.57.104.7
90.57.141.193
90.60.248.178
90.61.166.171
91.102.152.236
91.118.67.60
91.121.152.114
91.121.170.32
91.121.175.151
91.121.198.83
91.121.249.246
91.121.88.203
91.123.195.92
91.124.137.187
91.124.47.124
91.146.56.109
91.146.60.101
91.190.10.95
91.202.105.9
91.203.170.121
91.211.116.155
91.213.50.235
91.216.191.11
91.64.165.174
91.64.204.4
91.64.34.158
91.66.115.133
91.66.195.7
91.66.229.210
91.66.3.127
91.89.83.110
91.96.152.170
92.100.132.149
92.103.12.150
92.104.140.33
92.113.28.200
92.134.222.99
92.134.34.155
92.141.26.138
92.149.239.229
92.150.58.192
92.155.219.84
92.155.41.197
92.156.199.225
92.157.114.6
92.227.16.30
92.229.28.29
92.231.162.127
92.234.133.224
92.239.134.190
92.241.129.117
92.241.168.146
92.241.174.9
92.241.184.106
92.242.70.188
92.243.9.166
92.247.192.176
92.26.173.104
92.58.40.76
92.72.215.147
92.73.95.20
92.74.51.233
92.81.173.133
93.0.11.12
93.115.241.2
93.12.79.7
93.125.241.54
93.128.59.122
93.13.10.110
93.130.40.157
93.135.94.176
93.14.199.206
93.14.60.199
93.156.74.25
93.157.46.163
93.157.46.57
93.167.245.178
93.181.255.229
93.182.151.22
93.182.164.28
93.182.189.65
93.185.109.191
93.186.179.119
93.202.140.94
93.206.63.104
93.21.223.52
93.22.109.60
93.26.157.216
93.26.248.40
93.29.254.164
93.31.155.175
93.7.54.149
93.74.124.162
93.75.134.89
93.75.60.54
93.80.2.129
93.91.228.121
93.91.6.81
94.137.206.247
94.140.84.3
94.19.12.244
94.192.229.248
94.193.106.84
94.212.105.230
94.23.215.184
94.23.215.185
94.231.71.59
94.242.206.17
94.244.144.164
94.245.90.28
94.249.153.47
94.71.85.222
94.75.253.73
94.75.255.70
95.103.212.25
95.105.224.155
95.105.4.183
95.108.74.6
95.109.103.113
95.128.241.80
95.129.163.102
95.132.149.61
95.138.113.134
95.142.162.117
95.142.174.183
95.143.193.145
95.154.255.44
95.157.8.60
95.157.8.60
95.157.9.154
95.166.48.196
95.167.128.3
95.208.177.127
95.208.60.156
95.209.136.69
95.211.134.98
95.222.124.208
95.222.246.68
95.25.141.144
95.251.54.170
95.26.41.60
95.27.170.82
95.49.173.233
95.65.58.105
95.75.197.122
95.82.38.129
95.88.112.9
95.89.241.71
95.89.78.123
95.90.178.225
95.96.89.19
96.20.13.6
96.229.229.50
96.250.251.95
96.252.123.157
96.255.188.180
96.54.53.6
96.57.72.219
97.101.143.169
97.107.130.159
97.107.140.53
97.107.142.93
97.83.65.187
97.93.87.127
98.101.237.167
98.113.149.36
98.116.24.254
98.117.120.37
98.126.68.58
98.126.68.59
98.126.68.60
98.126.68.61
98.14.86.27
98.148.178.87
98.148.183.103
98.157.178.36
98.165.234.213
98.168.153.134
98.171.186.109
98.176.123.64
98.176.127.96
98.202.246.218
98.207.110.144
98.208.68.225
98.210.22.31
98.212.204.40
98.213.36.143
98.245.167.182
98.251.60.237
98.27.178.151
98.30.46.48
99.104.38.248
99.117.67.13
99.125.226.81
99.164.104.100
99.168.109.197
99.172.51.47
99.180.71.6
99.183.241.222
99.248.159.47
99.28.216.104
99.31.233.7
99.52.176.41
99.6.251.113

--edit - for the love of gods man, use code tags!
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 17, 2011, 11:19:15 AM
I bet any password login error due to the bot attacks is in this list I made. It looks to all be Tor nodes. But I bet you, check your error logs and the IPs will match this list. No solve though since I am more than sure they will get more IPs once these ones are blocked.  ;)

Yep, first one I checked came up in your list!

199.48.147.41
Title: Re: Being logged out by bots trying to log in
Post by: DJPlamen on February 17, 2011, 11:21:40 AM
 :o wow... I'll compare with mine tonight...
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 17, 2011, 12:05:24 PM
Which is why I had put this together .... http://www.simplemachines.org/community/index.php?topic=422433.0  It updates that TOR list for you -hourly- so that only the current nodes are blocked and not the legit ones ... also uses the public TorDNSEL service as a check which is supposedly most current / accurate .... It needs work but as a tourniquet it seems to be working on my site where I went from 1000's per day to basically none (only 36 hours of testing though)

Unfortunately a lot of us are not running the 2.0 beta in our production environments. I'd love to run your Tor blocker on my 1.1.13 forum.
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 17, 2011, 12:30:46 PM
You certainly got my curiosity up, because I've noticed a peculiar pattern in the attacks I've been getting--they're not using everybody's username, just 4 (on both my boards). They're not all admin or mod people, either (2 admin, 1 mod, one regular). It's something that makes me go "hmmmm."

We're still getting the login attempts at one forum. But I noticed something weird. I'm an Administrator, and when I make a mistake in the password for my account it generates a critical error in the error log. I've seen my admin account name in the error log too, when the bot attack tries to guess the password.

But it doesn't generate a critical error when the bot tries the wrong password, just a normal user error. Why is that?

Also, I installed Arantor's Hidden mod, and it's been in for a few days, but the bots keep using a list of names they already have, so I suppose it was a day late and a dollar short for that forum. I wonder if the bots will ever stop?



I think the critical error is only generated at a failed attempt to login to the admin panel and not a failed attempt to login to the forum.
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 17, 2011, 01:22:13 PM
Which is why I had put this together .... http://www.simplemachines.org/community/index.php?topic=422433.0  It updates that TOR list for you -hourly- so that only the current nodes are blocked and not the legit ones ... also uses the public TorDNSEL service as a check which is supposedly most current / accurate .... It needs work but as a tourniquet it seems to be working on my site where I went from 1000's per day to basically none (only 36 hours of testing though)

OK I installed it and will report back as to the effectiveness on the forum being affected.
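
The hourly-refresh idea quoted above, and the checks several posters describe doing by hand (matching error-log IPs against the Tor list, and noticing which usernames are targeted), as an added example that is not part of the thread and is not the linked mod's code. The class and function names, the 90-minute expiry and the sample records are assumptions; all addresses come from documentation ranges and are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
import ipaddress

NEVER_EXPIRE = timedelta(days=3650)  # models a hand-maintained static deny list


class ExitNodeList:
    """Exit addresses that expire unless a later refresh lists them again."""

    def __init__(self, max_age):
        self.max_age = max_age
        self._last_seen = {}  # ip object -> time of the last refresh that listed it

    def refresh(self, lines, now):
        for raw in lines:
            try:
                ip = ipaddress.ip_address(raw.strip())
            except ValueError:
                continue  # skip malformed lines instead of failing the refresh
            self._last_seen[ip] = now
        # Drop addresses that recent refreshes no longer confirm.
        self._last_seen = {ip: ts for ip, ts in self._last_seen.items()
                           if now - ts <= self.max_age}

    def contains(self, raw_ip, now):
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            return False
        ts = self._last_seen.get(ip)
        return ts is not None and now - ts <= self.max_age


def replay(refreshes, failed_logins, max_age=timedelta(minutes=90)):
    """Replay list refreshes and failed logins in time order and summarise them."""
    events = [(ts, 0, lines) for ts, lines in refreshes]
    events += [(ts, 1, (ip, user)) for ts, ip, user in failed_logins]
    events.sort(key=lambda e: (e[0], e[1]))  # a refresh sorts before a login at the same time

    exits = ExitNodeList(max_age)
    report = {"listed": 0, "unlisted": 0,
              "usernames": Counter(), "unlisted_ips": set()}
    for ts, kind, payload in events:
        if kind == 0:
            exits.refresh(payload, ts)
            continue
        ip, user = payload
        if exits.contains(ip, ts):
            report["listed"] += 1
            report["usernames"][user] += 1  # which accounts are being guessed at
        else:
            report["unlisted"] += 1
            report["unlisted_ips"].add(ip)  # candidates for a real member's typo
    return report


def at(hour, minute):
    return datetime(2011, 2, 17, hour, minute)


# Constructed hourly refreshes: 192.0.2.10 stops being listed after 10:00.
REFRESHES = [
    (at(10, 0), ["192.0.2.10", "192.0.2.11"]),
    (at(11, 0), ["192.0.2.11", "198.51.100.7", "not-an-ip"]),
    (at(12, 0), ["192.0.2.11", "198.51.100.7"]),
]

# Constructed failed-login records: (time, source IP, username tried).
FAILED_LOGINS = [
    (at(10, 30), "192.0.2.10", "admin"),
    (at(10, 31), "192.0.2.11", "admin"),
    (at(11, 15), "198.51.100.7", "moderator1"),
    (at(11, 20), "203.0.113.50", "alice"),
    (at(12, 5), "192.0.2.10", "bob"),
    (at(12, 6), "192.0.2.11", "admin"),
]

if __name__ == "__main__":
    print("expiring list:", replay(REFRESHES, FAILED_LOGINS))
    print("static list:  ", replay(REFRESHES, FAILED_LOGINS, max_age=NEVER_EXPIRE))
```

With the expiring list, the 12:05 attempt from 192.0.2.10 is treated as an ordinary visitor because the address dropped off the list two hours earlier; the never-expiring list still counts it as listed.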
Title: Re: Being logged out by bots trying to log in
Post by: DJPlamen on February 17, 2011, 01:43:34 PM
I've updated the list with some more IPs which I had...
95.142.162.117
95.142.174.183
95.143.193.145
95.154.255.44
95.157.8.60
95.157.9.154
95.166.48.196
95.167.128.3
95.208.177.127
95.208.60.156
95.209.136.69
95.211.134.98
95.222.124.208
95.222.246.68
95.25.141.144
95.251.54.170
95.26.41.60
95.27.170.82
95.49.173.233
95.65.58.105
95.75.197.122
95.82.38.129
95.88.112.9
95.89.241.71
95.89.78.123
95.90.178.225
95.96.89.19
96.20.13.6
96.229.229.50
96.250.251.95
96.252.123.157
96.255.188.180
96.54.53.6
96.57.72.219
97.101.143.169
97.107.130.159
97.107.140.53
97.107.142.93
97.83.65.187
97.93.87.127
98.101.237.167
98.113.149.36
98.116.24.254
98.117.120.37
98.126.68.58
98.126.68.59
98.126.68.60
98.126.68.61
98.14.86.27
98.148.178.87
98.148.183.103
98.157.178.36
98.165.234.213
98.168.153.134
98.171.186.109
98.176.123.64
98.176.127.96
98.202.246.218
98.207.110.144
98.208.68.225
98.210.22.31
98.212.204.40
98.213.36.143
98.245.167.182
98.251.60.237
98.27.178.151
98.30.46.48
99.104.38.248
99.117.67.13
99.125.226.81
99.164.104.100
99.168.109.197
99.172.51.47
99.180.71.6
99.183.241.222
99.248.159.47
99.28.216.104
99.31.233.7
99.52.176.41
99.6.251.113
Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 17, 2011, 01:51:02 PM
Aren't we just listing users of the web? Nice project but hardly practical.

?
Title: Re: Being logged out by bots trying to log in
Post by: DJPlamen on February 17, 2011, 01:59:11 PM
Well, I was just thinking the same, but amazingly the list that nend posted is 99% the same as mine... I had only 10-15 additional IPs, but always from the same networks... Is it coincidence? I think it will be rare occasion to have another IPs except these... For users (like me) that do not have enough skills to run TorDNSEL service or was unable to install the suggested hacks like Login with Email or blocking... this will be the last hope, just to block IPs from htaccess or iptables, right?
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 17, 2011, 03:22:23 PM
I put a version for 1.1.13 as well ... it requires that your host not have file_get_contents blocked, there are ways around that but I wanted to provide something quick to test. 

Thanks! So far, so good!
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 17, 2011, 03:30:50 PM
Yes, it's working for me too! Sweet!
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 17, 2011, 03:48:46 PM
(and I just changed my display name here) LOL
Title: Re: Being logged out by bots trying to log in
Post by: owg on February 17, 2011, 04:26:46 PM
They're not getting member names from the memberlist, they seem to be getting them from posts and threads visible to guests.
Just as a general observation on this bot's behavior, one of my admins has a regular member account in which he had never made a post on our forum except in the shout box.  This username was successfully harvested and is being hit by the login bot
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 17, 2011, 04:31:04 PM
Shout box visible to guests? If so, the bot could have found the username from there the same way it gets it from browsing threads.
Title: Re: Being logged out by bots trying to log in
Post by: laetabi on February 17, 2011, 05:04:29 PM
According to this post on phpBB http://www.phpbb.com/community/viewtopic.php?t=1947925 they are obtained from memberlist having logged in as a member and are stored. That would explain why one or two of the usernames targeted for my forum were old and inactive users who had never posted and wouldn't appear anywhere else.
Title: Re: Being logged out by bots trying to log in
Post by: owg on February 17, 2011, 05:20:10 PM
Yes, I too closed the door after the horse had escaped - Unfortunately, I did not visit this thread until after I started seeing the failed login attempts in the user error logs. 
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 17, 2011, 05:31:23 PM
Hmm strange, the bot behavior has ceased for a few hours already. I wonder what is going on. Anyone else notice the bot activity stop?
Title: Re: Being logged out by bots trying to log in
Post by: Cal O'Shaw on February 17, 2011, 05:39:24 PM
We've been silent for 12 hours, however, some unlikely IPs (like 12.13.14.15) are trying to log into my site right now, so I think they may have just regrouped...
Title: Re: Being logged out by bots trying to log in
Post by: owg on February 17, 2011, 06:43:50 PM
Hmm strange, the bot behavior has ceased for a few hours already. I wonder what is going on. Anyone else notice the bot activity stop?
They're hitting my site as I write - their activity has not been more than about 6-12 per day for the past few days.
Title: Re: Being logged out by bots trying to log in
Post by: butchs on February 17, 2011, 07:10:00 PM
Not really, no. Those orchestrating the current login attempts are not doing so directly. They have a large number of IP addresses at their disposal, the LOIC wouldn't really be able to proactively defend against anyone, unless you plan on hitting innocent bystanders.

Agreed.

It is impossible and a waste of time to try to block the ip addresses.  I believe it is a waste of time to make a new release of SMF for every attack.  If so SMF will never get finished.

I was getting tired of all the bots attacking me so I decided to fight back and create Forum Firewall for SMF only.  As an admin protecting your site requires some work.

To stop the attack with my mod you go to phpmyadmin and look at the visitors log.  Find the bad bot and look at what it is doing.  Note a key phrase it uses and add it to the "Injection List" and let the mod block them no matter how many ips they try to use.  To me protection is not sanitization, it is blocking!
Title: Re: Being logged out by bots trying to log in
Post by: szinski on February 17, 2011, 07:10:40 PM
My two forums have been quiet since installing Spud's Tor blocker.  8)
Title: Re: Being logged out by bots trying to log in
Post by: b4pjoe on February 17, 2011, 07:46:19 PM
Not really, no. Those orchestrating the current login attempts are not doing so directly. They have a large number of IP addresses at their disposal, the LOIC wouldn't really be able to proactively defend against anyone, unless you plan on hitting innocent bystanders.

Agreed.

It is impossible and a waste of time to try to block the ip addresses.  I believe it is a waste of time to make a new release of SMF for every attack.  If so SMF will never get finished.

I was getting tired of all the bots attacking me so I decided to fight back and create Forum Firewall for SMF only.  As an admin protecting your site requires some work.

To stop the attack with my mod you go to phpmyadmin and look at the visitors log.  Find the bad bot and look at what it is doing.  Note a key phrase it uses and add it to the "Injection List" and let the mod block them no matter how many ips they try to use.  To me protection is not sanitization, it is blocking!


Where is the "visitors log" in phpmyadmin?
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 17, 2011, 08:40:50 PM
My two forums have been quiet since installing Spud's Tor blocker.  8)

Same here. Not a peep out of the rascals. I love it!
Title: Re: Being logged out by bots trying to log in
Post by: lllbob on February 17, 2011, 09:20:40 PM
    Hey. Yeah.. I was just looking at my logs and noticed guests trying to log into members accounts.
    password incorrect - - index.php?action=login2 

    All with different ip's.   But haha my admin login is not my display name.

    Just installed that Tor Blocker. Hope that will help.
Title: Re: Being logged out by bots trying to log in
Post by: Elysia on February 17, 2011, 09:35:13 PM
It's been suggested that usernames and display names should be different, but I can't find a way of letting members change their usernames (only their display names). I know I can change them as admin, but even the Global Moderators on the Board can't change their own usernames, so is there a way that I'm missing please? Or do I need to use a Mod for this? (If so which one.) Or do I need to hack the code somewhere? (If so which one and to what?) I really don't want to have to change 5,000 usernames by myself! :)
Title: Re: Being logged out by bots trying to log in
Post by: Clara Listensprechen on February 17, 2011, 09:44:49 PM
Which is why I had put this together .... http://www.simplemachines.org/community/index.php?topic=422433.0  It updates that TOR list for you -hourly- so that only the current nodes are blocked and not the legit ones ... also uses the public TorDNSEL service as a check which is supposedly most current / accurate .... It needs work but as a tourniquet it seems to be working on my site where I went from 1000's per day to basically none (only 36 hours of testing though)

OK I installed it and will report back as to the effectiveness on the forum being affected.
A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.
Title: Re: Being logged out by bots trying to log in
Post by: Clara Listensprechen on February 17, 2011, 09:45:46 PM
My two forums have been quiet since installing Spud's Tor blocker.  8)

Same here. Not a peep out of the rascals. I love it!
Or legitimate people either, I'll wager. I got bounced by your board. :P
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 17, 2011, 09:54:13 PM
A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.

Yea I see the error. Sorry - that was due to the Stop Forum Spam Mod, not the Tor blocker. I'd love to have you as a member though, I don't know why your IP is being blocked by Stop Forum Spam!
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 17, 2011, 10:05:19 PM
My two forums have been quiet since installing Spud's Tor blocker.  8)

Same here. Not a peep out of the rascals. I love it!

Still nothing, didn't install anything extra just the email login, I always had my custom watchdog script. O'well it wasn't like I wanted them to waste my cpu cycles anyways. I wonder if they are following this thread?
Title: Re: Being logged out by bots trying to log in
Post by: Clara Listensprechen on February 17, 2011, 10:29:57 PM
A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.
If there's a limit on tries for getting reCaptcha correct, maybe that was it because I had trouble making out what the characters were even after I clicked to get a different image.  Can I try again, or is the problem an automatic thingie?

Yea I see the error. Sorry - that was due to the Stop Forum Spam Mod, not the Tor blocker. I'd love to have you as a member though, I don't know why your IP is being blocked by Stop Forum Spam!
Title: Re: Being logged out by bots trying to log in
Post by: Leppie on February 18, 2011, 11:19:43 AM
found this site (http://www.javascriptkit.com/howto/htaccess13.shtml) which claims that the following code would block most aggressive bots without knowing the ip addresses used:
Code: [Select]
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]

am testing it now...
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 18, 2011, 11:25:47 AM
I think that will not work against this I'm afraid, these bots are not the kind that tell you who they are.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 18, 2011, 11:31:45 AM
Indeed, the current bots are all advertising themselves as IE versions.

EDIT: Or not, I've now got a few advertising themselves as Firefox.
Title: Re: Being logged out by bots trying to log in
Post by: krick on February 18, 2011, 12:14:46 PM
I'm running SMF 1.1.13 with the Anti-Spam Verification Questions for SMF (http://custom.simplemachines.org/mods/index.php?mod=1516) mod.

What's the easiest way to add a validation question to the login screen?

Or probably better, add a two-step login process, where you type your username and password, and it takes you to a second screen that asks you a validation question.

Currently, my validation question is stopping 99% of the spam bots from REGISTERING at my forum, now I'd like to add the same question to each LOGIN attempt.

It would probably annoy some users, but I think they'd get over it.



Title: Re: Being logged out by bots trying to log in
Post by: HamishM on February 18, 2011, 10:34:22 PM
Using 1.1.13

I have the Avatar Verification Mod as the first hurdle before getting to the registration page, that coupled with RECAPTCHA keeps the bots from trying to register.........

I have now installed the EMAIL login mod, works a treat and have removed the .htaccess from my server banning the offending IP's.
Now have a normal error log again......... ;D
Title: Re: Being logged out by bots trying to log in
Post by: Norv on February 18, 2011, 11:18:01 PM
Yes, the email login, if possible at all to use for your forum, really helps at this moment. It may not be appropriate for any forum though.
Thank you for letting us know.

Also, if your forum is currently targeted by Tor addresses (quite a number of forums are, though not all) you may want to try this: Tor Blocker (http://www.simplemachines.org/community/index.php?topic=422433.0), as a short term solution against them. Please note that Tor users can very well be legitimate, innocent users... unfortunately at this moment the malicious users are using it heavily, and if you want to identify and block them for now, this mod is useful.

We're working on a few more possibilities and we'll come back on this.
Title: Re: Being logged out by bots trying to log in
Post by: CountryLady on February 19, 2011, 02:14:58 AM
Just a note to add a "Thank You~!" to all who are working on this issue.
I'm not a very knowledgeable forum owner, and I really depend on people like y'all to resolve these Technology problems.

What has worked well for me is the old-fashioned labor intensive research and ban IP Ranges. My members come mostly from just a couple of countries, so I can ban huge blocks of IPs with no problems for me. There are a few bots trying to crack passwords but they get banned now and can't get to the forum.

Still, it will be good to get a special mod to block all the attacks.

Thanks again folks. :D
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 19, 2011, 09:03:09 AM
I turned off the Tor-blocker this morning to see what would happen, it had been running for a few days. Sure enough, the password errors started up immediately. I don't think the systems are looking at the fact their attempts to access the forum are being blocked.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 19, 2011, 09:05:09 AM
They're not, no.

I do have a patch that is two lines and nails the attempts dead in the water, without the hassle or risk of blocking genuine users that Tor might have - but I still want a little more proof that it's not hitting any genuine users. I've lost count of the hundreds of bot hits I had and so far still no false positives.
Title: Re: Being logged out by bots trying to log in
Post by: Spuds on February 19, 2011, 10:39:18 AM
Quote
I do have a patch that is two lines and nails the attempts dead in the water
Great news, thanks for continuing to work on this, be nice to have something other than a sledgehammer!  Does this do something similar to the block, but instead of being based on the IP it's based on the whats and wheres MO of the bot?
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 19, 2011, 10:50:28 AM
Yes, it blocks totally on the bot's MO, and uncovered what I believe is a bug in SMF itself in the process - which the bot is actually exploiting, though indirectly. (I have documented the bug on the tracker, naturally)

I'm now happy that it's doing what it's supposed to, so I've removed the debugging log it did and provided a general error (English only, didn't see any point in doing that part properly)

Should install cleanly on all 1.1.x and current 2.0 versions.
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 19, 2011, 10:59:04 AM

Should install cleanly on all 1.1.x and current 2.0 versions.

Cool, I'm trying it now ...
Title: Re: Being logged out by bots trying to log in
Post by: butchs on February 19, 2011, 10:59:53 AM
Interesting.  :)
Title: Re: Being logged out by bots trying to log in
Post by: busterone on February 19, 2011, 11:11:54 AM
I am curious about Arantor's idea as well.  This present attack may just be a precursor for another larger one later down the road.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 19, 2011, 11:19:03 AM
The attack has already occurred on other platforms, not just SMF.

Thing is, if the underlying login mechanism is altered to fix the issue I reported, this entire attack pattern just fails anyway.
Title: Re: Being logged out by bots trying to log in
Post by: 青山 素子 on February 19, 2011, 11:27:01 AM
Arantor, I think I found an issue with the way you are "fixing" the issue and sent you a PM about it.

For the public: This possible issue would likely impact less than 1% of legitimate users if any.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 19, 2011, 11:31:49 AM
I replied, but just for those following, this fix is not a broad solution to the issues that are involved, it's a *specific* bullet for this specific issue, based on the exact MO of the bots making these attempts, and won't solve any other issues.
Title: Re: Being logged out by bots trying to log in
Post by: busterone on February 19, 2011, 11:33:19 AM
Understood. I wondered if that were the case, considering you were studying their MO closely.
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 19, 2011, 11:37:44 AM
I uninstalled the Tor blocker, and confirmed I was still getting bot login errors. I then installed Arantor's Mod. I can confirm it does work on the forum I'm having a problem with.
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 19, 2011, 11:47:11 AM
Still no activity from these bots on all my sites across different domains for the last couple days. I wonder if my host has done any blocking.  :-\
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 19, 2011, 11:48:27 AM
Still no activity from these bots on all my sites across different domains for the last couple days. I wonder if my host has done any blocking.  :-\

Or they just didn't like you much :P Not all my forums got hit either, I should point out.
Title: Re: Being logged out by bots trying to log in
Post by: nend on February 19, 2011, 12:03:35 PM
Still no activity from these bots on all my sites across different domains for the last couple days. I wonder if my host has done any blocking.  :-\

Or they just didn't like you much :P Not all my forums got hit either, I should point out.

All my forums were getting hit hard by this bot a couple days ago. Just wondering.
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 19, 2011, 12:05:55 PM
I'm still getting the bots trying it on.
Title: Re: Being logged out by bots trying to log in
Post by: krick on February 19, 2011, 12:12:10 PM
I just installed Arantor's Mod and removed the giant list of "deny from" entries from my .htaccess.

It appears, at least for the time being, that Arantor's Mod is working against the bot tide.
Title: Re: Being logged out by bots trying to log in
Post by: Vincent Volmer on February 19, 2011, 04:15:36 PM
Thanks Arantor!
Title: Re: Being logged out by bots trying to log in
Post by: kat on February 19, 2011, 04:42:43 PM
Just had a thought...

My v1.1.13 forum's not having any hassles, with this.

Been trying to figure out why...

Could it be because I have this?

http://english-72682862726.spampoison.com
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 19, 2011, 04:43:33 PM
It's possible but it doesn't fit the MO of the current bots we've seen thus far.
Title: Re: Being logged out by bots trying to log in
Post by: kat on February 19, 2011, 04:46:20 PM
Only one error, in my logs:

8: Undefined variable: modSettings
File: /home/tlakoco/public_html/Themes/BlueMarble/index.template.php
Line: 511

Dunno what that's about and I don't give a poodle, coz everything works OK, so... ;)
Title: Re: Being logged out by bots trying to log in
Post by: owg on February 19, 2011, 05:34:00 PM
Over 24 hours now, and not a single failed login attempt - this a first for me in at least a week or more.  :)
Title: Re: Being logged out by bots trying to log in
Post by: Norv on February 19, 2011, 05:41:05 PM
Please see also
Simple Machines Forums attacks (http://www.simplemachines.org/community/index.php?topic=422954.0)

ETA: owg, can you please tell how did you protect your forum? :)
Title: Re: Being logged out by bots trying to log in
Post by: catfished on February 19, 2011, 06:15:03 PM
Thanks a bunch Arantor, I just installed it so we'll see. I was getting hit every 2 to 5 minutes so I'll know soon and will report here either way.

Title: Re: Being logged out by bots trying to log in
Post by: owg on February 19, 2011, 06:17:58 PM
ETA: owg, can you please tell how did you protect your forum? :)
Very little actually, and it is probably just a coincidence, but here it is:

The login bot attacks started about a week or so ago.  At the time, I had http:BL and Stop Forum Spam installed.  About 4 days ago I installed CrawlProtect and Forum Firewall - I also had the list of the Tor IP addresses that someone posted in .htaccess.  None of these measures halted the login bot.  The pattern seemed to be more hits at night, and periodically during the day.  Coincident with the attacks, I was being crawled by the GoogleBot in the address range 66.249.71.* in a way that I never have before.  Typically Google visits my site during the day with only a single crawler IP, but now it was sometimes 20-25 simultaneous connections continuously during the day.

Because I thought it was possible that someone was spoofing Google, I went into Webmaster controls and reduced the number of times GoogleBots should visit, but there was no change in activity.  Finally in desperation, I added that particular IP range (66.249.71.*) to .htaccess and then I watched as the failed login attempts dropped off one by one.  This was yesterday morning, and not a peep since.  I had even removed all of the Tor IP addresses that I had in .htaccess, which now contains only a single IP range: 66.249.71.*. 

What is interesting is that Forum Firewall visitor logs reported a hack attempt by 66.249.85.3 within moments of my adding the 66.249.71.* range to .htaccess.

I don't know anything about security, and all of this is probably just a huge coincidence (the login bot probably just went away), but I'm just happy that my forum activity is back to normal.
Title: Re: Being logged out by bots trying to log in
Post by: krick on February 19, 2011, 07:04:25 PM
The only errors I've gotten since I installed Arantor's patch are a few of these, which are odd because that board most certainly exists.  It's always board 5 too for some reason.

Guest    Today at 04:46:02 PM
67.195.112.226      29c60c63ff1003e691be5a5c4328aaa8
http://www.tankadin.com/forum/index.php?board=5
The board you specified doesn't exist
Title: Re: Being logged out by bots trying to log in
Post by: catfished on February 19, 2011, 07:25:05 PM
Thanks a bunch Arantor, I just installed it so we'll see. I was getting hit every 2 to 5 minutes so I'll know soon and will report here either way.

Well, it's been over an hour now and no login password errors so apparently the mod is working fine.

 Thanks again Arantor, I realize this is not a permanent fix against these bots but it's sure nice to get rid of them for awhile. ;D
Title: Re: Being logged out by bots trying to log in
Post by: trebul on February 19, 2011, 11:22:19 PM
I haven't taken any actions yet i.e. installing additional mods. Today there was no bot activity to report. It's kind of odd but nice at the same time.
Title: Re: Being logged out by bots trying to log in
Post by: Aleksi "Lex" Kilpinen on February 20, 2011, 01:07:02 AM
Disabling Tor Access (http://www.simplemachines.org/community/index.php?action=dlattach;topic=422954.0;attach=169938) and setting up a Honeypot (http://projecthoneypot.org/home.php) and installing httpBL (http://custom.simplemachines.org/mods/index.php?mod=2155) worked very well for me, and I've also been able to keep other bots like spammers at bay with this setup very well.
Title: Re: Being logged out by bots trying to log in
Post by: rillani on February 20, 2011, 03:08:12 AM
I, too, have been having frequent visits from a possibly fake google address:  66.249.67.243 .  This guest only shows up as doing "Nothing, or nothing you can see..."  I have never noticed it prior to these attacks (which I only noticed a couple days ago, so take that with a grain of salt).

Update: Since banning that IP, I'm now getting error logs of it trying to view member profiles and the recent posts page.
Title: Re: Being logged out by bots trying to log in
Post by: butchs on February 20, 2011, 08:43:59 AM
I, too, have been having frequent visits from a possibly fake google address:  66.249.67.243 .  This guest only shows up as doing "Nothing, or nothing you can see..."  I have never noticed it prior to these attacks (which I only noticed a couple days ago, so take that with a grain of salt).

Update: Since banning that IP, I'm now getting error logs of it trying to view member profiles and the recent posts page.

Do not block Google!  Doing so will decrease real membership.  I have been blocking fake Googles for over a year.  Here are some solutions that work:
1) The new and improved Bad Behavior (http://custom.simplemachines.org/mods/index.php?mod=2502) mod detects fake Googles.  Selecting "Search Engine DNS", if you do not have an Ubuntu 10x server, will do a reverse DNS test on the suspected Google bot.
2) The Optimus Brave (http://www.simplemachines.org/community/index.php?topic=422210.0), Forum Firewall (http://custom.simplemachines.org/mods/index.php?mod=2815) Combo can be used to detect and block fake Googles that hit faster than specified.
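The reverse DNS test mentioned in the post above, sketched as an added example (not code from the Bad Behavior mod or from anyone in this thread): a client claiming to be Googlebot is accepted only if its PTR name is under a Google crawler domain and that name resolves back to the same IP. The function names, verdict strings and sample DNS records are assumptions constructed for illustration.

```python
import socket

# Reverse-DNS suffixes Google documents for its crawlers.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def system_reverse(ip):
    """PTR lookup: IP -> hostname, or None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(hostname):
    """A/AAAA lookup: hostname -> set of IP strings (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def classify_google_claim(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS; returns 'verified' or a failure reason."""
    hostname = reverse(ip)
    if not hostname:
        return "no-ptr"
    hostname = hostname.rstrip(".").lower()
    # The PTR record is set by whoever controls the IP block, so a matching
    # name proves nothing on its own; it only tells us what to confirm.
    if not hostname.endswith(GOOGLE_SUFFIXES):
        return "ptr-not-google"
    # Only Google can make a name in its own zone point back at this IP.
    if ip not in forward(hostname):
        return "forward-mismatch"
    return "verified"

# Constructed DNS data (documentation address ranges) so the demo runs offline.
SAMPLE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com",  # spoofed PTR
    "203.0.113.5": "host5.example.net",
}
SAMPLE_A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}

def demo():
    fwd = lambda name: SAMPLE_A.get(name, set())
    ips = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99"]
    return {ip: classify_google_claim(ip, SAMPLE_PTR.get, fwd) for ip in ips}

if __name__ == "__main__":
    print(demo())
```

Called with the default resolvers, `classify_google_claim` performs live DNS lookups, so results for busy crawler IPs are worth caching rather than resolving on every request.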
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on February 20, 2011, 08:57:52 AM
Thanks a bunch Arantor, I just installed it so we'll see. I was getting hit every 2 to 5 minutes so I'll know soon and will report here either way.

So was I, but not a single error since yesterday since the mod was installed.
Title: Re: Being logged out by bots trying to log in
Post by: owg on February 20, 2011, 03:29:06 PM
Quote
Do not block Google!  Doing so will decrease real membership.  I have been blocking fake Googles for over a year.  Here are some solutions that work:
1) The new and improved Bad Behavior (http://custom.simplemachines.org/mods/index.php?mod=2502) mod detects fake Googles.  Selecting "Search Engine DNS", if you do not have an Ubuntu 10x server, will do a reverse DNS test on the suspected Google bot.
2) The Optimus Brave (http://www.simplemachines.org/community/index.php?topic=422210.0), Forum Firewall (http://custom.simplemachines.org/mods/index.php?mod=2815) Combo can be used to detect and block fake Googles that hit faster than specified.

Thanks for the tip on Bad Behavior - I've not installed that mod yet. Might give it a go this afternoon.  In the meantime, not a single bad login since I blocked that particular IP range, yet other Google bots are still doing their normal thing on my site.  Even though it is not a great idea to block Google, I'd rather do away with this subset of bad IPs until a complete solution is found rather than having my site constantly bombarded.

As of nearly a day and a half, my site is operating as it did before all this started - not a single bot login attempt..
Title: Re: Being logged out by bots trying to log in
Post by: butchs on February 20, 2011, 04:43:05 PM
Well...  The solution I gave you is tried and tested.   O:)

They hit you because you are now on a list.  Once they start they will not stop unless you block them back.  You must fight back and force them to remove you from the list. 

I too was attacked hard last year.  They hit me so hard my bandwidth was over 8GB a month and I was almost forced to get a dedicated server.  Instead, I fought back with my brain and created these mods with a few other measures.  The end result was zero spam for a year and my traffic was reduced drastically.  Many agree, my solution works!

One could say that I am the Jared of spam.  I lost 7GB of spam in one (1) month!  I can help you lose the excess spam too...
  8)
Title: Re: Being logged out by bots trying to log in
Post by: Vincent Volmer on February 21, 2011, 11:03:52 AM
I installed :

httpBL, Honeypot, Disabling Tor Access , Forum Firewall, Bad Behavior + the fix of Arantor and it killed my VPS. The whole server crashed 2 times after reboot.

When removing Forum Firewall and Bad Behavior all is working fine.....

What could be the reason?


This is/was not the reason. I removed the FF and BB but still having the same issue yesterday.

Thanks
Vincent

Title: Re: Being logged out by bots trying to log in
Post by: butchs on February 21, 2011, 09:56:16 PM
Both mods are totally different in what they do and how they load.  Neither will cause a crash if you follow instructions.  Nevertheless, if you want support and/or come up with more info I can chew on, by all means please come to the support boards, ask away and I will gladly try to solve your problems.
Title: Re: Being logged out by bots trying to log in
Post by: Vincent Volmer on February 22, 2011, 06:48:18 AM
Okay, thanks!

I'll come over to the support boards next week.

Vincent
Title: Re: Being logged out by bots trying to log in
Post by: SergeantAsh on February 22, 2011, 05:14:02 PM
I've implemented the login_detector mod but I'm still getting password login hacks  :(
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 22, 2011, 05:15:15 PM
Different bot - the bot I wrote the mod for has slowed down, and I'm now seeing random brute force attacks on my site - for which none of the users even exist.
Title: Re: Being logged out by bots trying to log in
Post by: SergeantAsh on February 22, 2011, 05:18:19 PM
Quote
Different bot - the bot I wrote the mod for has slowed down, and I'm now seeing random brute force attacks on my site - for which none of the users even exist.

Ahh ok - I've implemented the new Login Security mod so hopefully that'll slow down the attacks...b*stards!
Title: Re: Being logged out by bots trying to log in
Post by: searchgr on February 23, 2011, 03:47:10 PM
Code: [Select]
<install for="1.1.*, 2.0 RC3, 2.0 RC4, 2.0 RC5">
<modification type="file">install.xml</modification>
</install>

<uninstall for="1.1.*, 2.0 RC3, 2.0 RC4, 2.0 RC5">
<modification type="file" reverse="true">install.xml</modification>
</uninstall>

Login Detector
Is it compatible with 2.0 RC2? Can I add 2.0 RC2 to the above code?
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on February 23, 2011, 03:54:25 PM
It is not supported, nor recommended for RC2. The code is only tested for RC3 and up. But if you're still using RC2, you have bigger problems to worry about than this bot.
Title: Re: Being logged out by bots trying to log in
Post by: searchgr on February 23, 2011, 04:04:14 PM
I'm waiting for the final. I have many custom mods that I cannot update them for every RC version .....
Title: Re: Being logged out by bots trying to log in
Post by: Kindred on February 23, 2011, 04:52:11 PM
 and yet.... RC2 is distinctly UNSAFE with some fairly major known issues and bugs. If you have security issues with RC2, the ONLY thing we can say, at this point, is UPGRADE.


At the very least, you should be running RC3, although even that is not really a good choice.
If you upgrade to RC5, mods which install on RC3 should install on RC4, 5 and final... and mods for RC5 will almost definitely install in final with minimal, if any edits.
Title: Re: Being logged out by bots trying to log in
Post by: Storman™ on February 24, 2011, 02:51:06 PM
Quote
I'm waiting for the final. I have many custom mods that I cannot update them for every RC version .....

I was like you, but there comes a time when you have to bite the bullet, take the pain, and upgrade  ;)
Title: Re: Being logged out by bots trying to log in
Post by: Danny S. on February 24, 2011, 03:17:33 PM
I used to have about 12 mods installed when I ran RC2, but when I upgraded, I realized a lot of them were frivolous and rarely used.

After upgrading to RC3, I only had 7 left.

Now after the recent update to RC5, I only have 4 that are used on a regular basis (and I could probably do without 2 of them).


Moral of the story: upgrading is a good time to check to see if the mod is even being put to good use...
Title: Re: Being logged out by bots trying to log in
Post by: stog on February 24, 2011, 05:04:21 PM
thx everyone -- 1.1.13 heavily modded forums with TP, many forums were troubled. applied Arantor's code and installed suggested mods (httpBL, Bad behaviour, forum firewall) and notified membership to improve their passwords and keep them unique to differing sites etc -- all much better...cheers all
Title: Re: Being logged out by bots trying to log in
Post by: The QE2 Story Forum on March 04, 2011, 10:01:12 AM
Just to say thank you very much indeed.  My forum was being hammered with failed logins, and now there are only real ones.  Absolutely brilliant.  I think you are right and that this could should be built into the next versions of SMF.

I couldn't get the package to install though (1.1.13) - in fact it got stuck and put thousands of entries in my error log! - so I added the code manually, and all was well.

Title: Re: Being logged out by bots trying to log in
Post by: nutn2lewz on March 05, 2011, 06:06:10 PM
I installed Arantor's mod (http://www.simplemachines.org/community/index.php?topic=416928.msg2960115#msg2960115) on 1.1.12 without installing any other mods and it really helped. It's a simple method to deny access without having to add hundreds of ip's to my htaccess file. Thank you! The bots still make their attempts, and the errors still appear in my error log, but at least I know that the bots are not gaining access to my forum and making guessing attempts at passwords.

On a side note, the bot activity has really slowed down in the past two or three days. I expect round two any day now ...

nutN2Lewz
Title: Re: Being logged out by bots trying to log in
Post by: xrunner on March 06, 2011, 09:01:09 PM
I uninstalled the Mod just to see what would happen and the attacks have ceased (for the time being).
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on March 06, 2011, 09:03:09 PM
They appear to have slowed down/stopped against forums that saw them coming, but oddly I know a few forums that didn't bother - and are still being hit.
Title: Re: Being logged out by bots trying to log in
Post by: Vincent Volmer on March 07, 2011, 03:36:22 AM
Quote
Both mods are totally different in what they do and how they load.  Neither will cause a crash if you follow instructions.  Nevertheless, if you want support and/or come up with more info I can chew on, by all means please come to the support boards, ask away and I will gladly try to solve your problems.


I edited my previous message. FF and BB are not the reason of the problems I had 2 weeks ago because yesterday I had the same issue without FF and BB. A very high Disk I/O (7200 blocks) and about 700 ~ 800 processes.  See attachment.

It could be a sort of attack but I can't find anything in the log. For my webhost it was also not possible to see what or who is causing this traffic.

And yes.... I'm running RC3  :-[ but will update asap. I need to do a lot of translations.... :( Could this be related to RC3?

Thanks for any help on this...

Digiscrap.nl
Vincent
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on March 07, 2011, 03:38:19 AM
And when did the optimize tables scheduled task run, out of interest?
Title: Re: Being logged out by bots trying to log in
Post by: Vincent Volmer on March 07, 2011, 03:49:17 AM
It runs every week (7 days' interval) starting at 1:00 AM.

I did this manually now without any problem...

If this is what you mean  ;)
Title: Re: Being logged out by bots trying to log in
Post by: Arantor on March 07, 2011, 03:51:18 AM
Well, that particular task is one that will create a LOT of I/O which is why I asked about when it was last run...
Title: Re: Being logged out by bots trying to log in
Post by: Vincent Volmer on March 07, 2011, 04:07:13 AM
Ah, okay. I checked the VPS and there's only a small peak around 1:00 but not alarming.
Title: Re: Being logged out by bots trying to log in
Post by: butchs on March 07, 2011, 07:25:57 PM
My guess is a bot or several are hitting you hard and fast.  Checking the latest visitor log in cpanel at that time range should confirm it is a bot.  If so FF with just DOS protection, 1 hr ban and cache will stop it in a few weeks.
Title: Re: Being logged out by bots trying to log in
Post by: Vincent Volmer on March 08, 2011, 05:28:55 AM
I don't want to blame a mod...again...  so I'll say this very carefully.....

When disabling the httpBL mod the VPS didn't stress at all.... so this mod could be the reason but I don't know for sure. With this mod enabled the VPS went very often into STALE or WARN status but the status is (since yesterday 7 March 19:02): OK.......

Maybe the mod 'eats' too much memory from our VPS (2Gb RAM)? I run only 4 websites: 1 big and 2 small websites and a X-Cart webstore

We'll see what is going to happen the upcoming days..... we also upgraded the VPS with 512MB RAM this morning

SPAM/bot protection is now (only): Stop Spammer, Login Detector and Disable Tor access to forum

I hope this is enough for now.

Vincent

 
Title: Re: Being logged out by bots trying to log in
Post by: Vincent Volmer on March 08, 2011, 05:39:09 AM
Quote
My guess is a bot or several are hitting you hard and fast.  Checking the latest visitor log in cpanel at that time range should confirm it is a bot.  If so FF with just DOS protection, 1 hr ban and cache will stop it in a few weeks.

We're using DirectAdmin but I can't view user logs when the VPS is DEAD. To get it working again we needed to reboot the VPS and all logs are deleted after that. So I can't see what or who is causing it.

But maybe we found the reason (previous post....). Of course a bot can make httpBL very busy and that will definitely take some memory... So I don't blame the httpBL/Honey pot mod but it could be the reason for the VPS to crash in our case.

Maybe I should blame the VPS......  :-\

Title: Re: Being logged out by bots trying to log in
Post by: Vincent Volmer on March 08, 2011, 01:24:25 PM
An hour ago I had the same issue again. The server didn't crash this time but the database connection was lost. X-Cart also couldn't connect to the database because of too many connections.....

I'm starting to get a bit crazy about this. My webhoster told me that it must be an SMF issue...... in that case I need to finish the translation and update ASAP so I can start with new files and install all mods again.

But is it an SMF issue? I removed LD and DT ..... to see if these do something wrong in my case. These are also the last 2 protection mods... help  :'(

Title: Re: Being logged out by bots trying to log in
Post by: MarkLeevE on May 16, 2011, 04:45:38 PM
How to block IP address?  ???