Simple Machines Community Forum

Simple Machines => News and Updates => Topic started by: Norv on February 19, 2011, 04:33:48 PM

Title: Simple Machines Forums attacks
Post by: Norv on February 19, 2011, 04:33:48 PM
What is happening
Lately, a number of forums have reported experiencing ongoing attacks by malicious users repeatedly hitting their pages, especially the login pages. There seem to be several different types of attacks ongoing, and SMF forums are not the only sites being attacked.

How to better protect your forum
If you're on SMF 2.0 RC4 or earlier version, you might have also reports of members being logged out when they shouldn't have been. This is a result of the bots trying a large number of random passwords for member accounts. If you have this problem, please install the SMF 2.0 RC4 Security Patch (http://custom.simplemachines.org/mods/downloads/smf_patch_2.0-RC4_security.zip) or upgrade to SMF 2.0 RC5 (http://download.simplemachines.org/index.php?thanks;filename=smf_2-0-rc5_upgrade.zip) to fix this behavior. On a number of forums, bots attack the login pages, trying random passwords for your member accounts. If you see many more than the usual number of "invalid password" errors in your forum error log than usual, then it seems your forum may be experiencing one of these attacks. On other forums, you may see more requests to to action=login2 in your webserver error log, than you see "invalid passwords" in the SMF error log. If you see this, please let us know here, or feel free to contact me at norv@simplemachines.org.

Set the password strength to high in your Admin panel:
Security and Moderation > Required strength for user passwords.
Use strong passwords for your accounts, do not reuse your password at multiple sites. Advise your members to follow these rules, too.  A strong password has 8 or more characters, is not a dictionary word or common, easily-guessed combination of characters.

Additional protection for your members accounts
We have verified that several forums have gotten very good protection from these attacks by using httpBL or a forum spam stop mod combined with a Tor blocker.
1. Switch to email login instead of username
cb|Emailogin (http://custom.simplemachines.org/mods/index.php?mod=1665)
Because it requires members to use a secret value (their email address) to login, it helps protect your member accounts from being attacked by bots. This option may not be appropriate for all forums. It can be inconvenient on big boards. You know best if it is suitable for your forum or not.

2. Add verification to the login page
Login verification (http://custom.simplemachines.org/mods/index.php?mod=2956)
This mod enhances the login page, by adding security verification, just as can be done during registration. We strongly recommend to use custom questions, rather than Captcha. Questions that a human would answer easily, but a bot could not guess work well.  Once you install it, the settings in your forum admin panel
Security and Moderation > Anti-Spam:
> Require verification on registration and login pages
> Visual verification image to display
> Number of verification questions user must answer
> Verification Questions
will be applied to both registration and login pages.
In addition, the mod enhances logging in your SMF error log.

3. Blacklist IPs with a configurable number of attempts failures
Login Security (http://custom.simplemachines.org/mods/index.php?mod=2181)
Please see the mod's readme for the added features that it provides. This may cause problems for members who receive dynamic IPs from their ISPs, but it may help. You decide if this is a good choice for your forum.

Protect your forum from the attacking IPs
4. Install anti-spam mods (http://custom.simplemachines.org/mods/index.php?action=search;type=19;approved=1)
For example, httpBL (http://custom.simplemachines.org/mods/index.php?mod=2155) is an implementation of the Project Honeypot API (http://www.projecthoneypot.org). The project gathers reports about suspicious activities of IPs and the mod uses their online database to block the blacklisted IPs before doing anything on your forum. Since the project Honeypot seems to verify the reports from more sources before blacklisting IPs, their database has a good chance to be accurate.
There are many other mods fighting spammers, please see the Customize site (http://custom.simplemachines.org/mods/index.php?action=search;type=19;approved=1).

5. Temporarily block access to your forum through Tor
These mods have been tested and should work. The first has been more thouroughly tested.
Tor Blocker (http://www.simplemachines.org/community/index.php?topic=422433.0)
Tor access (http://www.simplemachines.org/community/index.php?action=dlattach;topic=422954.0;attach=169938)
The Tor service simply provides a proxy to users all over the world, and there is nothing wrong with that. Unfortunately, these days it has been heavily used by malicious users. Evidence of this use has shown up on quite a number of forums we have checked.

Other enhancements

Targeted at login bots:
Login detector mod (http://www.simplemachines.org/community/index.php?topic=416928.msg2960115#msg2960115). It works perfectly fine on many forums preventing successfully the invalid bot login attempts.

Helpful mods on these and related problems:
Bad Behavior mod (http://custom.simplemachines.org/mods/index.php?mod=2502), targeting spam and other malicious attempts against your site.
Forum Firewall (http://custom.simplemachines.org/mods/index.php?mod=2815), targeting a wide range of possible attempts to the security of your site.

We are monitoring a number of forums and working on enhancing the options presented above and more options. Please try what you think is appropriate for your forum.  Search this forum for problems similar to yours, to find out how other forum owners have solved them. Please let us know what works for you.

For support on any the mods listed above, please use the appropriate mod support thread.
Title: Re: Simple Machines Forums attacks
Post by: NanoSector on February 19, 2011, 04:40:34 PM
Nice guide, Norv! I'm sure to use it.
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 19, 2011, 04:45:05 PM
Interesting choice of mods to offer up, more importantly in the order. Yes, you can force email login, but personally I'd rather stop them at the door from trying to make the fake login in the first place ;)
Title: Re: Simple Machines Forums attacks
Post by: Kindred on February 19, 2011, 04:58:51 PM
I will note that, on a very large forum which I run, that was being hit constantly, items 4 and 5 were the only actions I took...   Which resulted in cutting the track hits almost entirely (I believe that the current log entries are normal users who forgot their passwords)

I encourage everyone to use the honeypot mod as well as either the tor blocker or arantor's mini-mod. Although steps 1, 2 and 3 will successfully mitigate the situation, they are not valid actions on established forums of any major size.
Title: Re: Simple Machines Forums attacks
Post by: kat on February 19, 2011, 04:59:18 PM
I liked the mod that shot 25KV A/C up the Spammers arm, myself... (https://www.simplemachines.org/community/proxy.php?request=http%3A%2F%2Fwww.katzy.dsl.pipex.com%2FSmileys%2Fevilgrin.gif&hash=2b46eff00e5f99f58997213e0c5c443e)
Title: Re: Simple Machines Forums attacks
Post by: Cal O'Shaw on February 19, 2011, 05:04:26 PM
Perhaps a silly question... we have password strength at mid.  If we go to High, does that do anything about existing passwords?  I'm assuming new members and members changing their passwords would be held to new level.

Any way to see which users are below specified password strength so we can PM them to change?
Is there a maximum password length (some of my users want to go to the max)?

Grazie,

Cal
Title: Re: Simple Machines Forums attacks
Post by: b4pjoe on February 19, 2011, 05:06:39 PM
I've cleared my .htaccess list of IP's and uninstalled the cb|Emailogin. As soon as I did that the attempted logins started immediately. Then I installed Arantor's mod, login_detector.zip (http://www.simplemachines.org/community/index.php?topic=416928.msg2960115#msg2960115) and so far I have had no entries in the SMF error log. It's been about 2 hours now and that mod is the only thing I am using to combat the attacks at present.
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 19, 2011, 05:08:22 PM
Perhaps a silly question... we have password strength at mid.  If we go to High, does that do anything about existing passwords?  I'm assuming new members and members changing their passwords would be held to new level.

Correct.

Quote
Any way to see which users are below specified password strength so we can PM them to change?

No. The passwords are hashed and there is no way to determine whether any given password is weak or not, unless you care to brute force their accounts, one by one.

Quote
Is there a maximum password length (some of my users want to go to the max)?

I don't believe there is. If there IS, it'll be something like 50 characters.
Title: Re: Simple Machines Forums attacks
Post by: Kindred on February 19, 2011, 05:10:02 PM
Changing the password strength requirement will not affect existing users...  And n, there is no w to anaphase the strength of existing users' passwords or force them to change passwords.
Title: Re: Simple Machines Forums attacks
Post by: Norv on February 19, 2011, 06:13:26 PM
Yes, you can force email login, but personally I'd rather stop them at the door from trying to make the fake login in the first place ;)

I completely agree actually. The particularity that your last mod targets and your report are under investigation and should definitely be addressed one way or another.
Thank you very much! :)
Title: Re: Simple Machines Forums attacks
Post by: robbie93 on February 19, 2011, 06:35:31 PM
Thanks Norv - I have used option number two Add verification to the login  and set it to medium as high was to hard to read - seems the best way to stop this, hopefully.
Title: Re: Simple Machines Forums attacks
Post by: Antechinus on February 19, 2011, 06:37:45 PM
Cool. That will make it easier for the bots to read. ;D

(this is why I think captcha is not the best option)
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 19, 2011, 06:38:20 PM
Thanks Norv - I have used option number two Add verification to the login  and set it to medium as high was to hard to read - seems the best way to stop this, hopefully.

I'm now hours and hours without a single bot hit... with 2 lines of code and my users noticed nothing ;) And no, the login CAPTCHA is not the answer. Mind you, I have a custom CAPTCHA anyway ;)
Title: Re: Simple Machines Forums attacks
Post by: robbie93 on February 19, 2011, 06:50:19 PM
Hmm well there is still errors in the logs now and they are still hitting the site but dont seem to be able to read the verification letters as i'm now getting these errors

Guest
83.142.228.14   
http://robbie93andhotchildxox.net/index.php?action=login2
This forum requires verification.

What code have you used Arantor and is it avaliable to test?
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 19, 2011, 06:51:23 PM
Quote
What code have you used Arantor and is it avaliable to test?

See 'Login detector' mod under 'Other enhancements' in this thread.
Title: Re: Simple Machines Forums attacks
Post by: robbie93 on February 19, 2011, 06:53:50 PM
Quote
What code have you used Arantor and is it avaliable to test?

See 'Login detector' mod under 'Other enhancements' in this thread.

Ok thank you I'll upload it to the site and let you know how its going.
Title: Re: Simple Machines Forums attacks
Post by: Norv on February 19, 2011, 06:56:35 PM
Hmm well there is still errors in the logs now and they are still hitting the site but dont seem to be able to read the verification letters as i'm now getting these errors

Guest
83.142.228.14   
http://robbie93andhotchildxox.net/index.php?action=login2
This forum requires verification.

Nothing in SMF (or mods) will stop bots from hitting the site. Bots hit the site. To stop them to get to SMF at all, you need to block the IPs in .htaccess or at server level.

That log event means that someone tried to login without passing verification. Currently, that can happen to innocent users as well, as they will leave this trace in the log when they try to login from quick login or other means.

Arantor's mod is posted here: Login detector (http://www.simplemachines.org/community/index.php?topic=416928.msg2960115#msg2960115). (linked in the first post as well). Please feel free to let us know how it goes.

ETA: ninja-ed. :)
Title: Re: Simple Machines Forums attacks
Post by: DoctorMalboro on February 19, 2011, 06:59:21 PM
If it's a need of a captcha, it should be something like moving numbers to order it or something like that... something were a human is needed.
Title: Re: Simple Machines Forums attacks
Post by: catfished on February 19, 2011, 07:28:19 PM
Login detector mod (http://www.simplemachines.org/community/index.php?topic=416928.msg2960115#msg2960115) did the job for me. Now I can go into my forum error log without having to see all those login password errors. Thanks Arantor.
Title: Re: Simple Machines Forums attacks
Post by: robbie93 on February 19, 2011, 07:39:48 PM
Login detector mod (http://www.simplemachines.org/community/index.php?topic=416928.msg2960115#msg2960115) did the job for me. Now I can go into my forum error log without having to see all those login password errors. Thanks Arantor.

Same here, thank you Arantor, I am error free :D it's been nearly an hour now since I used your mod and my error log is FREE for the first time in nearly three months!!  thanks again.
Title: Re: Simple Machines Forums attacks
Post by: b4pjoe on February 19, 2011, 08:31:46 PM
5+ hours using only Arantor's mod. ZERO errors.

And yes, thanks Arantor.
Title: Re: Simple Machines Forums attacks
Post by: ACAMS on February 19, 2011, 08:33:59 PM
Additional protection for your members accounts
2. Add verification to the login page
Login verification (http://www.simplemachines.org/community/index.php?action=dlattach;topic=422954.0;attach=169937)
This mod enhances the login page, by adding security verification, just as can be done during registration. We strongly recommend to use custom questions, rather than Captcha. Questions that a human would answer easily, but a bot could not guess work well.  Once you install it, the settings in your forum admin panel
Security and Moderation > Anti-Spam:
> Require verification on registration and login pages
> Visual verification image to display
> Number of verification questions user must answer
> Verification Questions
will be applied to both registration and login pages.
In addition, the mod enhances logging in your SMF error log.

I would like to have this Login verification mod, but it did not have an install option when I uploaded it to my 2.0 RC3 packages folder.
 
I searched mods in hopes of it being able to Parce to RC3 and it was not found.
 
That seems to be a MAJOR problem with SMF updating every two weeks here lately......simple updates screwes up the whole damn software and makes current mods not work. SMP is too plain and useless in my book without mods. I have had my modified theme for a year, and when I updated to RC3....IT GOT MESSED UP AND WOULD NOT WORK!!!!!!!.......took me two days to MAKE it work, and it does not look like it did at first!
 
If you guy's want to update every other day.....MAKE MODS BE COMPATIBLE!!!!!......there is no sense in changing it so much that my theme DOES NOT WORK!!!!
 
 
Is this mod planned for release so I can parse it to RC3?
 
 
EDIT:
 
I deleted the package from the folder and tried to upload through the forum (a trick that sometimes works) and I got this error.
 
The package you are trying to download or install is either corrupt or not compatible with this version of SMF.
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 19, 2011, 08:38:03 PM
The changes since 2.0 RC3 are all bug fixes, security enhancements and enhancements so that most mods don't need to make theme edits. Unfortunately something like this has to.
Title: Re: Simple Machines Forums attacks
Post by: ACAMS on February 19, 2011, 08:43:13 PM
I have LOTS of hand made and installed mods I don't want to lose, but the email login is causing trouble too, and I think this will fix the problem.
 
Can it be used on RC3?
 
Yes, it blocks totally on the bot's MO, and uncovered what I believe is a bug in SMF itself in the process - which the bot is actually exploiting, though indirectly. (I have documented the bug on the tracker, naturally)

I'm now happy that it's doing what it's supposed to, so I've removed the debugging log it did and provided a general error (English only, didn't see any point in doing that part properly)

Should install cleanly on all 1.1.x and current 2.0 versions.
Title: Re: Simple Machines Forums attacks
Post by: StarWars Fan on February 19, 2011, 08:43:53 PM
I'm now hours and hours without a single bot hit... with 2 lines of code and my users noticed nothing ;) And no, the login CAPTCHA is not the answer. Mind you, I have a custom CAPTCHA anyway ;)

Arantor's 2 lines of code solved my problem for over 2 hours now with no problems and no other mods... THANK YOU ARANTOR!
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 19, 2011, 08:46:52 PM
Quote
Can it be used on RC3?

Yes, it installs on 1.1.x plus RC3, RC4 and RC5.
Title: Re: Simple Machines Forums attacks
Post by: ACAMS on February 19, 2011, 08:59:26 PM
I guess I need to install it by hand.....where can I find the code?
 
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 19, 2011, 09:00:21 PM
No, I made the package info EXPRESSLY check for 1.1.x, 2.0 RC3, 2.0 RC4 and 2.0 RC5.
Title: Re: Simple Machines Forums attacks
Post by: Norv on February 19, 2011, 09:04:00 PM
Please find Arantor's Login detector attached here: Login Detector mod (http://www.simplemachines.org/community/index.php?topic=416928.msg2960115#msg2960115). You shouldn't need to install it by hand, installing through package manager should work.

I understand the problems you're facing with RCs, however I have to recommend that you take into account upgrading your forum, as RC4 and RC4 Security Patch (which is only a mod for it) have important security fixes.

ETA: ninja-ed again. I'm slow today. :D
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 19, 2011, 09:05:17 PM
Also it should be noted that if you're truly desperate, RC4's patch can be installed on RC3 with emulation. This is in no way a long term solution, though, it is a stop gap until you can properly upgrade.
Title: Re: Simple Machines Forums attacks
Post by: ACAMS on February 19, 2011, 09:16:03 PM
OK, Login detector installed, but I wanted Login verification (http://www.simplemachines.org/community/index.php?action=dlattach;topic=422954.0;attach=169937) to work and can't find anything on it.
 
Also, what does  Login detector do?
Where do I see it?
How do I control it?
 
Can I get Login verification to work with RC3?
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 19, 2011, 09:18:50 PM
Quote
Also, what does  Login detector do?
Where do I see it?
How do I control it?

It stops the current bot attacks dead.

There's nothing to see, it's a two line patch that traps the current attacks and just makes them fail quietly. No configuration options provided, none are necessary.

Quote
Can I get Login verification to work with RC3?

Doubtful.
Title: Re: Simple Machines Forums attacks
Post by: ACAMS on February 19, 2011, 09:23:54 PM
If I update to RC4 will I lose all my mods and themes?
Title: Re: Simple Machines Forums attacks
Post by: Joshua Dickerson on February 19, 2011, 09:34:14 PM
Check the mod's page to see if they install on your version or just try it. Use a backup.
Title: Re: Simple Machines Forums attacks
Post by: live627 on February 19, 2011, 11:41:34 PM
If I update to RC4 will I lose all my mods and themes?
Yes, just like when you upgraded to RC3. But why not go for RC5?
Title: Re: Simple Machines Forums attacks
Post by: Aleksi "Lex" Kilpinen on February 20, 2011, 12:45:56 AM
Disabling Tor Access (http://www.simplemachines.org/community/index.php?action=dlattach;topic=422954.0;attach=169938) and setting up a Honeypot (http://projecthoneypot.org/home.php) and installing httpBL (http://custom.simplemachines.org/mods/index.php?mod=2155) worked for very well for me, and I've also been able to keep other bots like spammers at bay with this setup very well.
Title: Re: Simple Machines Forums attacks
Post by: Robert. on February 20, 2011, 03:29:31 AM
Thanks for the tips, Norv and thanks Arantor for the mod. :)
Title: Re: Simple Machines Forums attacks
Post by: Aoife on February 20, 2011, 09:49:39 AM
Disabling Tor Access (http://www.simplemachines.org/community/index.php?action=dlattach;topic=422954.0;attach=169938) and setting up a Honeypot (http://projecthoneypot.org/home.php) and installing httpBL (http://custom.simplemachines.org/mods/index.php?mod=2155) worked for very well for me, and I've also been able to keep other bots like spammers at bay with this setup very well.

I'd love to be able to use httpBL but don't run my own server.  I've installed Arantor's patch and it's cut down the number of login attempts significantly but my main forums are still getting hit with registration attempts by bots that are blacklisted in the Project Honey Pot database. I closed registration several days ago so they can't get in, just fill up my error log.

Thanks to all who have been and are still working on these issues! I appreciate everyone's efforts!


Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 20, 2011, 09:50:28 AM
The registration attempts are a totally different vector of attack, almost certainly spammers trying it on, not the bots trying to break into accounts.
Title: Re: Simple Machines Forums attacks
Post by: Aoife on February 20, 2011, 09:56:21 AM
The registration attempts are a totally different vector of attack, almost certainly spammers trying it on, not the bots trying to break into accounts.

ya, I realize that. Just commenting on it is all, and just a minor annoyance compared to the hack attacks which aren't happening now, thanks to you and your mod.  :)
Title: Re: Simple Machines Forums attacks
Post by: b4pjoe on February 20, 2011, 10:53:49 AM
Disabling Tor Access (http://www.simplemachines.org/community/index.php?action=dlattach;topic=422954.0;attach=169938) and setting up a Honeypot (http://projecthoneypot.org/home.php) and installing httpBL (http://custom.simplemachines.org/mods/index.php?mod=2155) worked for very well for me, and I've also been able to keep other bots like spammers at bay with this setup very well.

I'd love to be able to use httpBL but don't run my own server.  I've installed Arantor's patch and it's cut down the number of login attempts significantly but my main forums are still getting hit with registration attempts by bots that are blacklisted in the Project Honey Pot database. I closed registration several days ago so they can't get in, just fill up my error log.

Thanks to all who have been and are still working on these issues! I appreciate everyone's efforts!

Check out QuickLinks at the HoneyPot site. It's for people that don't have server access.
Title: Re: Simple Machines Forums attacks
Post by: robbie93 on February 20, 2011, 11:10:29 AM
I woke up to nine pages of errors today guys, it seems one set of errors have been replaced by another I'm now getting nine pages of these.

Guest
195.191.54.64   
Type of error: User 
http://robbie93andhotchildxox.net/index.php?action=login2
The letters you typed don't match the letters that were shown in the picture
Title: Re: Simple Machines Forums attacks
Post by: busterone on February 20, 2011, 11:20:21 AM
I'd love to be able to use httpBL but don't run my own server.  I've installed Arantor's patch and it's cut down the number of login attempts significantly but my main forums are still getting hit with registration attempts by bots that are blacklisted in the Project Honey Pot database. I closed registration several days ago so they can't get in, just fill up my error log.

Thanks to all who have been and are still working on these issues! I appreciate everyone's efforts!
You don't need to have server level access to use the httpBL mod or install a honeypot. As long as you have ftp access and Cpanel(or whatever control panel your host uses), the mod works. See the documentation at http://www.projecthoneypot.org (http://www.projecthoneypot.org) In short, install the honeypot within your webspace directory structure somewhere, get an API key, install httpBL, and enter the honeypot's url and your API key in the admin section of the mod. Hide your links in your forum and any other site you may have running and you are done. 
Title: Re: Simple Machines Forums attacks
Post by: Aoife on February 20, 2011, 11:33:18 AM
I'd love to be able to use httpBL but don't run my own server.  I've installed Arantor's patch and it's cut down the number of login attempts significantly but my main forums are still getting hit with registration attempts by bots that are blacklisted in the Project Honey Pot database. I closed registration several days ago so they can't get in, just fill up my error log.

Thanks to all who have been and are still working on these issues! I appreciate everyone's efforts!
You don't need to have server level access to use the httpBL mod or install a honeypot. As long as you have ftp access and Cpanel(or whatever control panel your host uses), the mod works. See the documentation at http://www.projecthoneypot.org (http://www.projecthoneypot.org) In short, install the honeypot within your webspace directory structure somewhere, get an API key, install httpBL, and enter the honeypot's url and your API key in the admin section of the mod. Hide your links in your forum and any other site you may have running and you are done.

oh ok, kewl! I'll do that!  I do have a QuickLink installed too, btw - on all my sites and forums.  Thank you for the info!

Title: Re: Simple Machines Forums attacks
Post by: busterone on February 20, 2011, 11:45:36 AM
Quite welcome.  :)
Title: Re: Simple Machines Forums attacks
Post by: Norv on February 20, 2011, 11:50:48 AM
I woke up to nine pages of errors today guys, it seems one set of errors have been replaced by another I'm now getting nine pages of these.

Guest
195.191.54.64   
Type of error: User 
http://robbie93andhotchildxox.net/index.php?action=login2
The letters you typed don't match the letters that were shown in the picture


None of these mods can STOP the bots from trying. Bots are trying. It's a fact of the internet.
Some of the mods log the attempts in SMF's error log (which IMHO it's useful for the admin to know that the attempts are happening on their forum), some don't, but they enhance protection nonetheless.
If you installed a mod that doesn't log anything, I would recommend to take a look in your webserver access log, to see if there are many requests to login2 or register2. You might find there are, meaning bots are still trying.

So what you see means probably that bots are trying, but they're stopped by Captcha on the login page. I strongly recommend activating a custom question too. Even a simple question like "3 + 2 = ?" would be useful.
Title: Re: Simple Machines Forums attacks
Post by: codenaught on February 20, 2011, 01:25:34 PM
I assume that this is going to be addressed in the final release of 2.0. :)

Good luck continuing to handle all this nonsense. It's a shame how bad people force us to spend time on malicious prevention instead of on innovation at times.
Title: Re: Simple Machines Forums attacks
Post by: robbie93 on February 20, 2011, 01:28:07 PM


None of these mods can STOP the bots from trying. Bots are trying. It's a fact of the internet.
Some of the mods log the attempts in SMF's error log (which IMHO it's useful for the admin to know that the attempts are happening on their forum), some don't, but they enhance protection nonetheless.
If you installed a mod that doesn't log anything, I would recommend to take a look in your webserver access log, to see if there are many requests to login2 or register2. You might find there are, meaning bots are still trying.

So what you see means probably that bots are trying, but they're stopped by Captcha on the login page. I strongly recommend activating a custom question too. Even a simple question like "3 + 2 = ?" would be useful.

Ok, I added the question to the login page also, I'm not very good at mathematics so I used your example.  :D
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 20, 2011, 01:32:08 PM
Quote
I assume that this is going to be addressed in the final release of 2.0.

This specific bot with this specific hack, I doubt it. It's not elegant enough nor broad enough to catch the entire set of bad behaviours. It just targets the MO of this specific bot.

I should note that there is discussion underway about nailing down the entire subsystem that the bot uses to try getting in, which would make it a general strengthening rather than something specific.
Title: Re: Simple Machines Forums attacks
Post by: Norv on February 20, 2011, 01:44:23 PM
I assume that this is going to be addressed in the final release of 2.0. :)

Good luck continuing to handle all this nonsense. It's a shame how bad people force us to spend time on malicious prevention instead of on innovation at times.

There will be improvements allowing to strengthen security. Thank you. :)
Title: Re: Simple Machines Forums attacks
Post by: butchs on February 20, 2011, 02:00:38 PM
As far as bots go, I have been battling them over a year with Bad Behavior (recently re-written) and Forum Firewall and quite frankly they are no longer a issue for me.  The American way:  Block first, ask questions later works great.  Every now and then I will see a straggler.   That is it!

I believe SMF should concentrate on the things that cause the errors in the error logs.  Because bugs are a favorite target of bots.
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 20, 2011, 02:09:15 PM
The matter I refer to is something I consider a bug ;)
Title: Re: Simple Machines Forums attacks
Post by: Masterd on February 20, 2011, 03:30:44 PM
Thanks for the tips, Norv!
Title: Re: Simple Machines Forums attacks
Post by: SomaliDoc on February 21, 2011, 11:51:21 AM
Login detector worked for me as well but still there is a problem that members can't login to the forums in the first try, they have to enter the password again to log in.

When they first log in, the login2 page show up with the message "Password Incorrect". but when they put the same correct password again they are in.

Is this problem related to the bot issue & How I can solve it?

Thanks
Title: Re: Simple Machines Forums attacks
Post by: Aoife on February 21, 2011, 12:02:21 PM
Login detector worked for me as well but still there is a problem that members can't login to the forums in the first try, they have to enter the password again to log in.

When they first log in, the login2 page show up with the message "Password Incorrect". but when they put the same correct password again they are in.

Is this problem related to the bot issue & How I can solve it?

Thanks

I've had issues with this as well, without having any of the mods listed in this thread installed. It seems to happen after the members have requested a password reminder and change their passwords.


Title: Re: Simple Machines Forums attacks
Post by: b4pjoe on February 21, 2011, 12:46:17 PM
I have the login detector and httpBL installed and have not seen this issue on RC5.
Title: Re: Simple Machines Forums attacks
Post by: SomaliDoc on February 22, 2011, 08:50:22 AM
Login detector worked for me as well but still there is a problem that members can't login to the forums in the first try, they have to enter the password again to log in.

When they first log in, the login2 page show up with the message "Password Incorrect". but when they put the same correct password again they are in.

Is this problem related to the bot issue & How I can solve it?

Thanks

I've had issues with this as well, without having any of the mods listed in this thread installed. It seems to happen after the members have requested a password reminder and change their passwords.




This is happening all the time even without requesting password reminder?
Anyone knows what it's going in my forum?
Title: Re: Simple Machines Forums attacks
Post by: ethankcvds on February 22, 2011, 11:29:40 PM
Quote
Is there a maximum password length (some of my users want to go to the max)?

I don't believe there is. If there IS, it'll be something like 50 characters.

You'll laugh but it is true (On SMF 2.0 at least) that you can use a 99 + character password.
Title: Re: Simple Machines Forums attacks
Post by: RustyBarnacle on February 22, 2011, 11:57:20 PM
I got a lot of these and various guest parameter errors yesterday:

http://www.localwateringhole.ca/index.php?action=search2;params=eJwtzMEKgCAQBNB_6dLFg9KlvxFdFyxMY7Ui2I9vDW8zb2BcuF0GDDyz5ok99WTUooxWq0CN5bFQjjNhQ5k6XX5HaLbk9A4p1CQRJvzfBtmwkXDACl3QEUTpH7bdLBc.
8: Undefined index: title

Is this a sign of things to come?
Title: Re: Simple Machines Forums attacks
Post by: Joshua Dickerson on February 23, 2011, 01:40:18 AM
Looks like your theme or a mod is broken.
Title: Re: Simple Machines Forums attacks
Post by: Masterd on February 23, 2011, 06:45:15 AM
I think that a mod is causing that rather than a theme.
Title: Re: Simple Machines Forums attacks
Post by: GravuTrad on February 23, 2011, 10:13:01 AM
Like has excellently discovered TE, we are not alone on this hit:

http://www.phpbb.com/community/viewtopic.php?t=1947925

And thanks arantor for your patch.
Title: Re: Simple Machines Forums attacks
Post by: robbie93 on February 23, 2011, 11:08:46 AM
Woke up today and have 60 pages of errors in my logs mostly with these errors

Guest
91.201.67.4 
Today at 09:15:23 AM
http://robbie93andhotchildxox.net/index.php?action=login2
This forum requires verification.

I have Arantors mod and verification on login - both havent stopped the attack because although they are not getting through the verification at login they are still attacking the site at an alarming rate and causing an error log as long as your arm.
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 23, 2011, 11:12:27 AM
No-one said that either mod would *stop* the attack - they still keep coming. The difference is, my mod stopped them getting too close, Norv's mod provides a different layer of protection - but it's not making the attack go away, it just neutralises its potency.

Though I think it's a bit much that it's sending errors to the log when there's no need for it.
Title: Re: Simple Machines Forums attacks
Post by: robbie93 on February 23, 2011, 11:22:56 AM
Yeah I know theres nothing to stop the attack as such, when I installed your mod it seemed to work for an hour or so with no errors in the logs but then the next morning it started again, but with different errors showing "user" verification errors that show it was still the bots attacking, IDK how you guys are gonna fix it but they seem very persistant and have been trying every day for nearly three months now and they seem to be getting worse looking at the amount of errors in the logs, 60 errors today alone has been the most yet.
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 23, 2011, 11:54:59 AM
I was getting hundreds of errors per hour before.

I guess I have to say it again: we can't magically fix this. We can't stop bots hitting forums, it's not actually possible. They will keep coming. All we can do is prevent them doing anything when they get to the forum - and so far they haven't achieved anything on my site...
Title: Re: Simple Machines Forums attacks
Post by: 青山 素子 on February 23, 2011, 12:09:07 PM
Yeah I know theres nothing to stop the attack as such, when I installed your mod it seemed to work for an hour or so with no errors in the logs but then the next morning it started again, but with different errors showing "user" verification errors that show it was still the bots attacking, IDK how you guys are gonna fix it but they seem very persistant and have been trying every day for nearly three months now and they seem to be getting worse looking at the amount of errors in the logs, 60 errors today alone has been the most yet.

There is no way to "fix" it short of arresting every botnet master and every client who pays them for services. That, or disconnecting your website from the Internet. Maybe even cleaning and properly securing every zombie under their control (nearly all running Windows) The first solution isn't really practical, nor is the second. The third wouldn't work too well either.

Your errors show that the fixes are at least working. They can't get past the "verification" part of the login form to which they are blindly posting (by posting, I mean the HTTP POST method).

Arantor's mod was developed to stop a very specific feature of the attack. It will not try to detect and stop all attempts, nor should it. Doing so would see many valid users blocked.

If you want the error message to go away, contact the author of that modification and ask that they update to stop spewing notices into the error log, or at least help you to turn off that portion for your site.
Title: Re: Simple Machines Forums attacks
Post by: StarWars Fan on February 23, 2011, 12:27:02 PM
For Me, Arantor's mod stopped it completely on my forum... It's been a happy 4 days - Thanks again Arantor... :)
Title: Re: Simple Machines Forums attacks
Post by: RustyBarnacle on February 23, 2011, 12:35:34 PM
Sorry, just thought it was odd.  I haven't added any new mods since Arantor's and it didn't cause that error right away so I thought with the params thing they were trying something new.  I don't think its his mod either actually so I'll look for updates on some of the other mods I have.
Title: Re: Simple Machines Forums attacks
Post by: robbie93 on February 23, 2011, 01:17:02 PM
I have taken off the verification mod and left just Arantors - lets see if the errors decrease.
Title: Re: Simple Machines Forums attacks
Post by: Masterd on February 23, 2011, 01:21:39 PM
If you still have Arantor's mods then you should really install Arantor Captcha. That's the best captcha system that I ever saw.
Title: Re: Simple Machines Forums attacks
Post by: SomaliDoc on February 23, 2011, 01:35:41 PM
Hey Guys,

Logindetector is the best mod so far.
I am no longer see the bot attempts to log in to the site but 2 another problems come up

1- Real members can't log in to the forum except for the next try. (They have to put their passwords twice to log in)
2- Another different log error showed up: bots trying to use the Quickmod2 funtion?!!!!

Any one knows what these problems are & how to solve it?

This is high priority folks.

Thanks
Title: Re: Simple Machines Forums attacks
Post by: Kindred on February 23, 2011, 01:51:14 PM
this thread is not for support.   Please ask support questions in the support board.
Title: Re: Simple Machines Forums attacks
Post by: live627 on February 23, 2011, 02:45:57 PM
If you still have Arantor's mods then you should really install Arantor Captcha. That's the best captcha system that I ever saw.
But here's the catch - that mod is not being distributed anywhere by anybody.
Title: Re: Simple Machines Forums attacks
Post by: Masterd on February 23, 2011, 04:23:48 PM
But here's the catch - that mod is not being distributed anywhere by anybody.


Yes, but he can use it if he has it on his HDD like me.
Title: Re: Simple Machines Forums attacks
Post by: live627 on February 23, 2011, 07:13:13 PM
But I suspect he hasn't it -- thus explaining why it's not available, y'know?
Title: Re: Simple Machines Forums attacks
Post by: Dzonny on February 24, 2011, 11:55:33 AM
I have about 10 pages per day of wrong passwords for now, but it is standard number for past few months, so i guess theres no need to worry yet.
From where all the bots suddenly came? :/
Title: Re: Simple Machines Forums attacks
Post by: NanoSector on February 24, 2011, 12:29:12 PM
I have about 10 pages per day of wrong passwords for now, but it is standard number for past few months, so i guess theres no need to worry yet.
From where all the bots suddenly came? :/
From here could be one thing, I guess.

They find our site links, follow them and start trying.
Title: Re: Simple Machines Forums attacks
Post by: Illori on February 24, 2011, 12:32:16 PM
i would not agree, my site for example is not posted anywhere on this forum, they can easily find it on google though along with many others.
Title: Re: Simple Machines Forums attacks
Post by: NanoSector on February 24, 2011, 12:45:09 PM
i would not agree, my site for example is not posted anywhere on this forum, they can easily find it on google though along with many others.
Quote
could be one thing, I guess
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 24, 2011, 12:59:59 PM
They find them through Google, based on 'Powered by <forum software>', and then start following forum threads trying to find usernames.

IOW, using the path of least resistance. (I know this because I have two forums that state 'Powered by a custom SMF 2.0' and similar which is not outside the licence terms at this time and neither have been hit even though they're publicly visible)
Title: Re: Simple Machines Forums attacks
Post by: NanoSector on February 24, 2011, 01:05:25 PM
They find them through Google, based on 'Powered by <forum software>', and then start following forum threads trying to find usernames.

IOW, using the path of least resistance. (I know this because I have two forums that state 'Powered by a custom SMF 2.0' and similar which is not outside the licence terms at this time and neither have been hit even though they're publicly visible)
Then...that is good for you, I guess ???

Mine has no errors at all since it's down :P
Title: Re: Simple Machines Forums attacks
Post by: Arantor on February 24, 2011, 01:27:46 PM
Quote
Then...that is good for you, I guess

And I have my two line patch on the others, which negated them being an issue too ;D
Title: Re: Simple Machines Forums attacks
Post by: demagpie on February 24, 2011, 05:20:57 PM
I own a very tiny forum.  I recently discovered a ton of unactivated accounts so I beefed up password requirements and lowered permissions for new members with no posts and suddenly my "guest" list overfloweth.  At the very same time (maybe coincidence) a new "runtime generated ap" was installed on my database: "load.php."  This seems to have been done under my account with my IP address (?)

Can anyone tell me if this is just an automatic patch sent through when my site did its daily smf updating?  I can't read computer-ese except that it seems to be setting up a "phantom" site for (?), with all sorts of scary searches for info and caches (which might also be phantom read) and mentions hackers and spiders repeatedly.  It's a very long package with a lot of technical data that (if I read it correctly) actually looks like it's a guardian angel for me and my users.  But then, what if it's lying? :o

I might never have noticed it, except it's generating unspecified errors in my log and seems to have wiped some of the icons in my drop down menu (simple portal).  Is this SMF's helping hand for the little folks who don't have the time to install the Big Guns?  Or something more sinister?  I can't find any references in the news, here.  Please advise.
Title: Re: Simple Machines Forums attacks
Post by: IchBin™ on February 24, 2011, 05:26:54 PM
Perhaps you would get better support if you posted in the support boards for your problem, instead of in the news and updates for SMF board. I'd suggest you start a topic here:

For SMF1.x
http://www.simplemachines.org/community/index.php?board=9.0

For SMF2.x
http://www.simplemachines.org/community/index.php?board=147.0
Title: Re: Simple Machines Forums attacks
Post by: Kindred on February 24, 2011, 06:10:52 PM
do note that SMF *NEVER* pushes anything automatically (except news)
Title: Re: Simple Machines Forums attacks
Post by: 青山 素子 on February 24, 2011, 06:25:16 PM
do note that SMF *NEVER* pushes anything automatically (except news)

Not even news. It's requested automatically when you load the main admin page of the site in 1.1 and below, or by scheduled job in 2.0 (to speed up loading time).
Title: Re: Simple Machines Forums attacks
Post by: robbie93 on February 24, 2011, 10:03:23 PM
Arantors patch has seemed to work, it's been over 24hrs now and no errors are showing from the bots although they are still hitting the site but because of the patch the error log isnt been filled up with error after error, I uninstalled the verification on log - in mod, because it filled my logs up with unnecessary errors.
Title: Re: Simple Machines Forums attacks
Post by: eyeseven on February 25, 2011, 08:27:41 PM
just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt" :(
Title: Re: Simple Machines Forums attacks
Post by: Road Rash Jr. on February 25, 2011, 08:30:59 PM
just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt" :(

So it is working great then  ;D
Title: Re: Simple Machines Forums attacks
Post by: Clara Listensprechen on February 26, 2011, 12:50:01 AM
He's getting more traffic than my fresh install of rc5! :P

Title: Re: Simple Machines Forums attacks
Post by: Aleksi "Lex" Kilpinen on February 26, 2011, 01:12:30 AM
just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt" :(

So it is working great then  ;D

EDIT: I should be sleeping still, I could have sworn this was about the RC and not the login verification - Proceed, nevermind me :P

Title: Re: Simple Machines Forums attacks
Post by: billy2 on February 26, 2011, 07:39:42 AM
over 1000 login attempts by brute force script kiddies- multitude of harvested proxies.

High visual verification and 3 random questions sorted them.

Well done SMF !!

Cheers
Billy
Title: Re: Simple Machines Forums attacks
Post by: Clara Listensprechen on March 01, 2011, 12:02:44 AM
"Script kiddies"--good thing to call 'em because I've got the impression they don't personally visit a site to do what they're doing.

I started up 2 different RC5 boards just to test-drive the machinery and I'm the only member on these boards. The hackbots found my free board on SMFNEW first, and they still haven't found my subforum on my paid host yet, at this point.  I get this curious error on the SMFNEW board, and I suspect it's because I'm the only member there:

Quote
8: Undefined index: latestRealName
?http://xxx.xxxxxxx.smfnew.com/

Now, on my 1.1.13 board I get bogus registrations like..

fabiaxnoxie456
IP: xxx.xxx.xxx.xxx
Hostname: yadda.yadda.com
email: youknowtheroutine@blahbla.info
Last active: Never.

Yup--Last active: Never. "Script kiddies" indeed. I t hink I'll borrow that expression, it's so apt.
Title: Re: Simple Machines Forums attacks
Post by: Kenniee on March 01, 2011, 02:37:01 AM
Does anyone tell me that what is this forum all abut/
i am totally blank even after reading the previous posts.. :P
Title: Re: Simple Machines Forums attacks
Post by: Arantor on March 01, 2011, 07:45:30 AM
@Clara: That's a bug in SMFNEW's deployment; latestRealName should be set up on registration just fine.

@Kenniee: Recently there have been waves of automated account hacking going on - bots swiping a bunch of usernames from publicly visible threads, and trying to force themselves into those accounts by going through a list of the 50 or so most popular passwords.

In an attempt to combat it, several methods have been proposed, some very specific (like my patch) and some quite broad.
Title: Re: Simple Machines Forums attacks
Post by: billy2 on March 01, 2011, 09:19:59 AM
/me thinks Arantor should be knighted for his efforts
Title: Re: Simple Machines Forums attacks
Post by: catfished on March 01, 2011, 02:32:02 PM
/me thinks Arantor should be knighted for his efforts
+1
Title: Re: Simple Machines Forums attacks
Post by: Clara Listensprechen on March 01, 2011, 08:17:12 PM
@Clara: That's a bug in SMFNEW's deployment; latestRealName should be set up on registration just fine.
...
I find that even I generate that error and one other--me and every Guest triggers those same two errors. Thanks.
Title: Re: Simple Machines Forums attacks
Post by: Arantor on March 01, 2011, 08:21:43 PM
It's because the two values aren't being added to $modSettings as they should be; a fresh install should be setting those two values, and a new registration should reset them again (to the details of the new registration)
Title: Re: Simple Machines Forums attacks
Post by: Clara Listensprechen on March 01, 2011, 10:22:33 PM
I see. Part of the problem is that I'm the only member and have no new registrants. Not really seeking any, I was just test-driving the service and version is all. :D
Title: Re: Simple Machines Forums attacks
Post by: petabyte on March 02, 2011, 01:03:24 AM
/me thinks Arantor should be knighted for his efforts
+1


plus another one!
Title: Re: Simple Machines Forums attacks
Post by: Aoife on March 02, 2011, 06:33:31 AM
/me thinks Arantor should be knighted for his efforts
+1


plus another one!

(following the system used on wow gaming addon dev sites)
+3


Title: Re: Simple Machines Forums attacks
Post by: ACAMS on March 02, 2011, 08:16:28 AM
Actually Arantor is the only one here that consistently helps, and only 2-3 more that sporadically offer help.
Unfortunately, there are only 3-4 people left around here that actually can help with "real" problems.
I am too old to learn, and it seems every time I learn something it makes me forget something else, and unfortunately sometimes it is something important........ so I doubt I will ever be of much help.
Title: Re: Simple Machines Forums attacks
Post by: Road Rash Jr. on March 02, 2011, 10:28:06 AM
I am too old to learn, and it seems every time I learn something it makes me forget something else, and unfortunately sometimes it is something important........ so I doubt I will ever be of much help.

I have that issue, in fact the other day I was at the doctors suspecting I have alzimers because I keep forgetting to pull my zipper up. He tells me not to worry, alzimers is forgetting to pull it down. :o
Title: Re: Simple Machines Forums attacks
Post by: Aoife on March 03, 2011, 09:54:45 PM
Sudden massive increase in numbers of IP addresses we've banned and/or are coming up as blocked by httpBL or Bad Behavior mods. They can't get thru our defenses but the sudden jump in numbers is kinda scary. Anyone else experiencing this on their forums?  This just started happening in the last hour or less....
Title: Re: Simple Machines Forums attacks
Post by: busterone on March 03, 2011, 10:00:32 PM
I have had 56 bots turned away today by httpBL, but they were all mainly just viewing /index.php. They were not attempting to log in or register. That is just a small number higher than normal. I usually see 2 to 3 dozen a day anyway.
Title: Re: Simple Machines Forums attacks
Post by: butchs on March 05, 2011, 08:39:03 AM
They have been doing it for over a year now.  Every now and then they will increase their efforts.  You never noticed them before.  Nothing to worry about.   8)
Title: Re: Simple Machines Forums attacks
Post by: busterone on March 05, 2011, 08:58:08 AM
Indeed. they have been knocking at the front door (and looking for a back door) for a very long time.  :)
Title: Re: Simple Machines Forums attacks
Post by: qtime on March 05, 2011, 01:29:30 PM
I like to see such scripts, to brute force, it will help us to make a protection.

Please send me a PM to communicate about that.

It's smart to not try 1 user with many passes, because that is blocked fast with security login, using all kind of membernames and using many proxies is not easy to block.

For now we use proxy blocker, that will help us out, but some faithful members cannot enter our community now
Title: Re: Simple Machines Forums attacks
Post by: CapadY on March 06, 2011, 11:55:50 AM
Actually Arantor is the only one here that consistently helps, and only 2-3 more that sporadically offer help.
Unfortunately, there are only 3-4 people left around here that actually can help with "real" problems.
I am too old to learn, and it seems every time I learn something it makes me forget something else, and unfortunately sometimes it is something important........ so I doubt I will ever be of much help.

As a matter of fact, some support members have a full time job, a family, have to do a household, have to shop some times and yes, sometimes there is even a family member in the hospital.
Though, the very little time left for this people is spend to help others on the SMF forum.

If you can only appreciate helpers that are fulltime available to you, just tell it and I will leave the support team.
Title: Re: Simple Machines Forums attacks
Post by: qtime on March 06, 2011, 05:38:19 PM
Actually Arantor is the only one here that consistently helps, and only 2-3 more that sporadically offer help.
Unfortunately, there are only 3-4 people left around here that actually can help with "real" problems.
I am too old to learn, and it seems every time I learn something it makes me forget something else, and unfortunately sometimes it is something important........ so I doubt I will ever be of much help.

As a matter of fact, some support members have a full time job, a family, have to do a household, have to shop some times and yes, sometimes there is even a family member in the hospital.
Though, the very little time left for this people is spend to help others on the SMF forum.

If you can only appreciate helpers that are fulltime available to you, just tell it and I will leave the support team.

I only read an opinion from ACAMS, I wish you strength with your family who is in hospital.
Title: Re: Simple Machines Forums attacks
Post by: Arantor on March 06, 2011, 05:48:56 PM
What you should be aware, though, is that the team thoroughly encourages taking time out for real life, putting real life first, and one of the many things I've been party to in the past is the simple fact that: if you don't have time to help out under a team position, you probably should hand that badge in. That way there's no false expectations, no misunderstandings and so on. There are more than a few people I have previously pointed in that direction, too - if you're so busy you can't commit a reasonable amount of time to the responsibility you've taken, you probably should stop. Life's hectic, it gets on top of us, and even if I hadn't quit last year due to the frustration of people not doing their fair share, I would have quit shortly after due to personal circumstances changing.

There is a point here, amid the frustrations on both sides, though, specifically relating to the fact that there are too precious few people that help out with the skills to fix some of the problems that come along. Yes, there will always be the general level problems, and I think I can speak for the team in recognising and thanking those that contribute their time in fixing those problems, under the sorts of categories of 'where's option x' or 'how do I...'

What ACAMS is getting at is that for anything more advanced than that, there is a real shortage of people with the technical skills, the time, energy etc to sit and get involved in helping people. I'm doing that mostly to assess whether things are bugs or not.
Title: Re: Simple Machines Forums attacks
Post by: Suki on March 06, 2011, 07:38:14 PM
Actually Arantor is the only one here that consistently helps, and only 2-3 more that sporadically offer help.
Unfortunately, there are only 3-4 people left around here that actually can help with "real" problems.
I am too old to learn, and it seems every time I learn something it makes me forget something else, and unfortunately sometimes it is something important........ so I doubt I will ever be of much help.


yay for another user complaining...


instead of finger pointing   you should really see the efforts  of some users who actually wanna learn in order to provide quality support...


to say "there's only a few people  who can actually help"   is very demotivating for me,  why should I keep spending quite a few hours learning the inners of SMF, learning php and such  if people doesn't give a damn about it...   if people think only a few can help and the others are just a mere accessory  or something...   this really piss me off...   here Am I, trying to help as much as I can, given my best and constantly trying to exceed my limits... and for what?  just for be dismiss...   hey! bring the guy with a programming background over here,  he's the only guy who can help me  with my "real issue"...


some of us haven't studied a  computer science career or similar,  some of us are just regular people with jobs and lives that aren't remotely related to coding or programming...  yet we do our best...   I guest that's  just  isn't enough for some people...


lastly,  and this is just me ;)  when I  see something  wrong, instead of complaining  I go ahead and do something about it...
Title: Re: Simple Machines Forums attacks
Post by: Arantor on March 06, 2011, 07:42:50 PM
Quote
to say "there's only a few people  who can actually help"   is very demotivating for me

It's not meant to be demotivating, it's actually a badly attempted goad to get more people to help. Except that what it ends up being is an observation that there is a skills shortage. You're one of the few people who I've consistently noticed trying to help and learning from the experience.

Quote
if people think only a few can help

The problem that occurs here is some people have issues that do require specific knowledge to fix, and most people don't. So sometimes it needs someone with much more experience to get involved. Trouble is, ACAMS seems to have been one of those unfortunate cases where more specialist knowledge was needed, where not many people could solve the problem, regardless of anything else.

Quote
hey! bring the guy with a programming background over here,  he's the only guy who can help me  with my "real issue"...

Yeah, there are some issues like that. They are the exception rather than the rule, though.

Quote
I guest that's  just  isn't enough for some people...

That's the sad fact, though, for a number of people here, it's not good enough, it seems, because they seem to expect professional (paid) quality dedicated support, because they forget that the people here are volunteers doing it in their spare time.
Title: Re: Simple Machines Forums attacks
Post by: Bolt™ on March 07, 2011, 02:08:21 AM
I had a problem like this one time, all I did about it was place a solid IP range ban on IP's starting with 222 for a week then after that week I did not have a problem.

But I do have Forum Firewall and Bad Behavior which block a lot of spamer's, bots, fake IP's and hackers.

Thanks anyway for this post.
Title: Re: Simple Machines Forums attacks
Post by: LibertyPrime on March 07, 2011, 08:01:31 PM
The attackers have managed to pretty much knock a forum I'm a member on out completely.  I get the following message when I try to access the site:

Connection Problems
Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later.

The site: neoncafe.co.cc
Title: Re: Simple Machines Forums attacks
Post by: Arantor on March 07, 2011, 08:02:24 PM
There are all sorts of reasons why that message can come up, and not entirely related to being attacked. Probably should open a support topic in the relevant support board for further help.
Title: Re: Simple Machines Forums attacks
Post by: xrunner on March 07, 2011, 08:06:09 PM
Connection Problems
Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later.


I get that message from time to time over the years, I don't consider it a big problem (but an annoyance though).
Title: Re: Simple Machines Forums attacks
Post by: LibertyPrime on March 07, 2011, 08:12:03 PM
I'm beginning to think it may be connected to the attacks because it has almost never happened before to the forum that I'm a member on, and now it's happening.
Title: Re: Simple Machines Forums attacks
Post by: busterone on March 07, 2011, 08:17:06 PM
I get a server not found error for that site. There is something else going on there it seems.
Title: Re: Simple Machines Forums attacks
Post by: LibertyPrime on March 07, 2011, 09:06:44 PM
It just came back online.
Title: Re: Simple Machines Forums attacks
Post by: ACAMS on March 08, 2011, 10:41:14 PM

yay for another user complaining...


instead of finger pointing   you should really see the efforts  of some users who actually wanna learn in order to provide quality support...


to say "there's only a few people  who can actually help"   is very demotivating for me,  why should I keep spending quite a few hours learning the inners of SMF, learning php and such  if people doesn't give a damn about it...   if people think only a few can help and the others are just a mere accessory  or something...   this really piss me off...   here Am I, trying to help as much as I can, given my best and constantly trying to exceed my limits... and for what?  just for be dismiss...   hey! bring the guy with a programming background over here,  he's the only guy who can help me  with my "real issue"...


some of us haven't studied a  computer science career or similar,  some of us are just regular people with jobs and lives that aren't remotely related to coding or programming...  yet we do our best...   I guest that's  just  isn't enough for some people...


lastly,  and this is just me ;)  when I  see something  wrong, instead of complaining  I go ahead and do something about it...


Actually, you and K@ are one of the few, and as Arantor mentioned.....
It's not meant to be demotivating, it's actually a badly attempted goad to get more people to help. Except that what it ends up being is an observation that there is a skills shortage. You're one of the few people who I've consistently noticed trying to help and learning from the experience.


This is the first time I have seen capady.......and I realize people have a life.




When I first came here there were lots of people here that KNEW the ins & outs of SMF and questions were answered, then POOF!!!!!  they were gone!
Title: Re: Simple Machines Forums attacks
Post by: LibertyPrime on March 08, 2011, 10:58:05 PM
I'm not sure what keeps knocking the forum that I'm on offline.
Title: Re: Simple Machines Forums attacks
Post by: busterone on March 08, 2011, 11:06:25 PM
Crappy host most likely. It is a co.cc domain.
Title: Re: Simple Machines Forums attacks
Post by: rugrat on March 10, 2011, 05:17:54 AM
The login attempts seem to be way down on my forum now. Thanks for the Login Verification  8)
Title: Re: Simple Machines Forums attacks
Post by: gisfreak on March 11, 2011, 09:54:33 AM
SMF really slow today as i try to login

Title: Re: Simple Machines Forums attacks
Post by: Illori on March 11, 2011, 10:07:44 AM
SMF really slow today as i try to login

your forum? this forum? who's smf install?
Title: Re: Simple Machines Forums attacks
Post by: gisfreak on March 12, 2011, 09:32:15 AM
your forum? this forum? who's smf install?

sorry, i mean this forum (http://www.simplemachines.org)  :o ;D

i dunno, but its super slow right now
Title: Re: Simple Machines Forums attacks
Post by: Illori on March 12, 2011, 10:50:28 AM
more then likely caused by http://www.simplemachines.org/community/index.php?topic=417010.0
Title: Re: Simple Machines Forums attacks
Post by: Clara Listensprechen on March 12, 2011, 09:28:28 PM
...

What ACAMS is getting at is that for anything more advanced than that, there is a real shortage of people with the technical skills, the time, energy etc to sit and get involved in helping people. I'm doing that mostly to assess whether things are bugs or not.
I've been looking to pick up such skills, and I was wondering if you could recommend a good online self-study step-by-step website for MySQL, php, Java and suchlike.  Working with SMF code has been a learning experience to be sure, but I know only just enough code language to get my face slapped.
Title: Re: Simple Machines Forums attacks
Post by: ACAMS on March 12, 2011, 10:27:36 PM
This is a good place to start


http://www.w3schools.com/ (http://www.w3schools.com/)
Title: Re: Simple Machines Forums attacks
Post by: Clara Listensprechen on March 13, 2011, 12:26:13 AM
Thanks!
Title: Re: Simple Machines Forums attacks
Post by: Cassiel on March 13, 2011, 12:43:17 PM
This is a good place to start


http://www.w3schools.com/ (http://www.w3schools.com/)

http://w3fools.com/

Thanks!

Lifehacker has a good bit of the Night School series that they do for learning how to code here: http://lifehacker.com/#!5736011/learn-how-to-code-part-i-variables-and-basic-data-types

Also this might be helpful:
http://lifehacker.com/#!5733449/learn-how-to-code-this-weekend
Title: Re: Simple Machines Forums attacks
Post by: Clara Listensprechen on March 13, 2011, 07:01:29 PM
Bookmarked!  With many thanks!

================

Ummmm, about the "w3fools" issue, I've found that employment certification is a racket, having already been down that road via Cisco training.  I'm just interested in basic how-tos and structure as opposed to certification. The certification racket can be a dead-end too.  Been there, done that.

Quote
    We do not warrant the correctness of [W3Schools] content. The risk from using it lies entirely with the user.

We couldn't put it much better ourselves.

Although we haven't heard from W3Schools directly, we have noticed that W3Schools has started to correct errors we've spotted. These have been noted here with strikethrough. Although we'd appreciate some communication, we're elated they've taken steps to improve their information. Despite these attempts, we are not confident that W3Schools can be reliable as an accurate reference in the future. We think the resources we've recommended are superior.

If I learn code and the code I learn works, that's all the correctness I need. Proof of the pudding, as it were. If it works, it works.  If it doesn't, I'll look elsewhere. After all, I've successfully decoded Gri and I think I have earned some respect for code reading. ;)
Title: Re: Simple Machines Forums attacks
Post by: TheCollisionVision on March 21, 2011, 11:25:36 PM
Found a problem with tor blocker, I was logged in on my cell mobile hotspot when I installed it..... got completely locked out, I had to call another of my admins to remove it, and I could get on no problem.
Title: Re: Simple Machines Forums attacks
Post by: IchBin™ on March 22, 2011, 03:09:00 PM
Found a problem with tor blocker, I was logged in on my cell mobile hotspot when I installed it..... got completely locked out, I had to call another of my admins to remove it, and I could get on no problem.

You should probably post in the support topic for that mod instead.
Title: Re: Simple Machines Forums attacks
Post by: TheCollisionVision on March 22, 2011, 07:57:36 PM
Thanks for the guide!

I'm not asking for support, just making a point known to potentials downloaders.
Title: Re: Simple Machines Forums attacks
Post by: IchBin™ on March 23, 2011, 10:13:17 AM
Thanks for the guide!

I'm not asking for support, just making a point known to potentials downloaders.

I wasn't saying you were asking for support. But it's still a good idea to post in the mod topics so that the mod author has a chance to check it out, and so that it's documented in the topic for future users.
Title: Re: Simple Machines Forums attacks
Post by: FinsandFur on March 23, 2011, 05:25:38 PM
The attackers have managed to pretty much knock a forum I'm a member on out completely.  I get the following message when I try to access the site:

Connection Problems
Sorry, SMF was unable to connect to the database. This may be caused by the server being busy. Please try again later.

The site: neoncafe.co.cc

Hey Liberty~
If thats your forum maybe you should consider updating it. If not tell your friend that his forum is outdated. SMF 1.1.11 has been replaced twice so far since November.
Title: Re: Simple Machines Forums attacks
Post by: eattheword on April 06, 2011, 04:00:29 AM
I just installed Arrantor's login detector. The installation seemed to go smoothly with no reported errors, but when I checked the log immediately afterwards I saw these entries:

Code: [Select]
http://www.myforumname/forum/index.php?action=packages;sa=install2;package=login_detector.zip

512: package_flush_cache(): some files are still not writable
File: /hsphere/local/home/username/myforumname/forum/Sources/Subs-Package.php
Line: 1905

http://www.myforumname/forum/index.php?action=packages;sa=install2;package=login_detector.zip

2: fopen(/hsphere/local/home/username/myforumname/forum/Sources/LogInOut.php): failed to open stream: Permission denied
File: /hsphere/local/home/username/myforumname/forum/Sources/Subs-Package.php
Line: 1901

http://www.myforumname/forum/index.php?action=packages;sa=install;package=login_detector.zip;sesc

2: fclose(): supplied argument is not a valid stream resource
File: /hsphere/local/home/username/myforumname/forum/Sources/Subs-Package.php
Line: 1908

http://www.myforumname/forum/index.php?action=packages;sa=install;package=login_detector.zip;sesc

2: fopen(/hsphere/local/home/username/myforumname/forum/Sources/LogInOut.php): failed to open stream: Permission denied
File: /hsphere/local/home/username/myforumname/forum/Sources/Subs-Package.php
Line: 1901

Not knowing much about how the error logs work, is there anything here that I need to take action on?

I'm running SMF 1.1.11

Title: Re: Simple Machines Forums attacks
Post by: Illori on April 06, 2011, 06:06:26 AM
please do not post support requests in any thread in this board. please post the request in the proper support board. although i dont know if arantor is providing support for that mod.
Title: Re: Simple Machines Forums attacks
Post by: Arantor on April 06, 2011, 06:18:05 AM
Firstly, it's not a mod published officially, so there's no support thread for it. It is, however, an SMF bug combined with insufficient permissions.
Title: Re: Simple Machines Forums attacks
Post by: eattheword on April 06, 2011, 06:27:58 AM
Not sure whether I can post a follow up question here then...  :-\

Should I PM Arrantor?

As far as permissions go, the Sources directory is 777 and the files are 755.
Title: Re: Simple Machines Forums attacks
Post by: Illori on April 06, 2011, 06:36:33 AM
as i said before please open up a support thread in the proper board this is not the place for this discussion.
Title: Re: Simple Machines Forums attacks
Post by: kat on April 08, 2011, 06:24:13 AM
Actually, for the reasons that Arantor's pointed-out, it was me that directed eattheword to this topic.

Under the circumstances, it seemed the best place.
Title: Re: Simple Machines Forums attacks
Post by: Dream Portal on April 29, 2011, 02:44:47 PM
Forum Firewall seems to help best. In My opinion.
Title: Re: Simple Machines Forums attacks
Post by: Kindred on April 29, 2011, 02:52:04 PM
you are a month out of date...
Title: Re: Simple Machines Forums attacks
Post by: live627 on April 29, 2011, 03:09:51 PM
Elaborate... how is forum firewall out of date, exactly?
Title: Re: Simple Machines Forums attacks
Post by: Kindred on April 29, 2011, 03:12:40 PM
no, the comment on the attacks is a month out of date (and was made to hit a post count)
Title: Re: Simple Machines Forums attacks
Post by: live627 on April 29, 2011, 03:30:15 PM
See, that wasn't so hard, was it? To post a bit more details in the first place.
Title: Re: Simple Machines Forums attacks
Post by: butchs on April 29, 2011, 08:42:28 PM
Ah come on, maybe he was simply posting an opinion.  Only when I created Forum Firewall did my bot bandwidth problem disappear.  I decided to share it with the SMF community.  I tested it for months before doing so.
Title: Re: Simple Machines Forums attacks
Post by: live627 on April 29, 2011, 08:52:02 PM
Maybe. But as has been said a few replies up the person behind that duplicate team account made eleven posts and vanished. Sensible, yes. Such is what happens when one posts to get rid of the profile limitations.
Title: Re: Simple Machines Forums attacks
Post by: Sarah Jo on May 02, 2011, 03:02:23 AM
Thanks for the inforamtion
Title: Re: Simple Machines Forums attacks
Post by: sharks on May 09, 2011, 07:41:41 PM
I have to say this is piss poor effort to just warn users and in this process force all of us to upgrade to 2.0 RC5. I am using 1.1.13 on all my forums and i definitely do NOT want to upgrade as i have too many custom paid mods and manual edits. Most of these mods are not available for RC5, along with all the custom themes and manual edits which i have no idea how to work out on 2.0 RC5. Why not make the process easier for all of us still on the 1.1.x line by providing a fix in 1.1.14? That would definitely help to make me believe again in SMF. I am currently at the tipping point of moving to IPB, permanently.
The fix would provide a hard-coded method of blocking the most obvious pathways used by spammers. Spam affects all forums, not just SMF, so i believe it should be a default protection provided in the basic install package when setting up a brand new forum. Since it appears not to affect RC5, then we should not leave all the thousands of SMF 1.1.x users hanging in distress and uncertainty.

BTW, when i saw the new look on this site's homepage, i thought for half a second "could it be...." and then i went back to my normal self, seeing that 2.0 final was not released. I then read the spam article to feel even more disappointed. Thanks SMF for ruining my day, twice!
Title: Re: Simple Machines Forums attacks
Post by: Matthew K. on May 09, 2011, 07:53:49 PM
Dev Blog Post (http://www.simplemachines.org/community/index.php?topic=432988.msg3036668#msg3036668)
I have to say this is piss poor effort to just warn users and in this process force all of us to upgrade to 2.0 RC5. I am using 1.1.13 on all my forums and i definitely do NOT want to upgrade as i have too many custom paid mods and manual edits. Most of these mods are not available for RC5, along with all the custom themes and manual edits which i have no idea how to work out on 2.0 RC5. Why not make the process easier for all of us still on the 1.1.x line by providing a fix in 1.1.14? That would definitely help to make me believe again in SMF. I am currently at the tipping point of moving to IPB, permanently.
The fix would provide a hard-coded method of blocking the most obvious pathways used by spammers. Spam affects all forums, not just SMF, so i believe it should be a default protection provided in the basic install package when setting up a brand new forum. Since it appears not to affect RC5, then we should not leave all the thousands of SMF 1.1.x users hanging in distress and uncertainty.

BTW, when i saw the new look on this site's homepage, i thought for half a second "could it be...." and then i went back to my normal self, seeing that 2.0 final was not released. I then read the spam article to feel even more disappointed. Thanks SMF for ruining my day, twice!
Title: Re: Simple Machines Forums attacks
Post by: Illori on May 09, 2011, 09:13:32 PM
I have to say this is piss poor effort to just warn users and in this process force all of us to upgrade to 2.0 RC5. I am using 1.1.13 on all my forums and i definitely do NOT want to upgrade as i have too many custom paid mods and manual edits.

if you took the time to read, you would see that the same patch that is in RC5 for this attack is in 1.1.13 upgrade, so you dont need to upgrade to RC5 at all to get this patch.
Title: Re: Simple Machines Forums attacks
Post by: Crip on May 11, 2011, 01:49:25 PM
SMF must be on steroid's today .. loading pages is super Quick ATM! ;D
Title: Re: Simple Machines Forums attacks
Post by: flapjack on May 11, 2011, 05:59:21 PM
I have to say this is piss poor effort to just warn users and in this process force all of us to upgrade to 2.0 RC5. I am using 1.1.13 on all my forums and i definitely do NOT want to upgrade as i have too many custom paid mods and manual edits.

if you took the time to read, you would see that the same patch that is in RC5 for this attack is in 1.1.13 upgrade, so you dont need to upgrade to RC5 at all to get this patch.
don't feed the troll
Title: Re: Simple Machines Forums attacks
Post by: live627 on May 11, 2011, 08:02:54 PM
Oh? He can't feed himself?
Title: Re: Simple Machines Forums attacks
Post by: DJ-X on May 14, 2011, 07:01:22 AM
Robots are stupid - do not forget about it!
You can make a fake page to login and registration.

Code: [Select]
/index.php?action=login3
/index.php?action=login4
/index.php?action=login5

/index.php?action=register3
/index.php?action=register4
/index.php?action=register5


<!--  Robots are here fill the login form  -->
Pass on such links.
<a href="http://dj-x.info/index.php?action=register" style="display: none;">Register</a>

At me robots open yourhoneypot.php on the  pages for an input and registration.
After that MOD httpBL robots any more doesn't admits.
Robots any more don't want to select passwords.
Title: Re: Simple Machines Forums attacks
Post by: Ricky000 on May 23, 2011, 05:42:52 AM
can the bots restore the database 20 days ago????? because it happened to my forum...
Title: Re: Simple Machines Forums attacks
Post by: Illori on May 23, 2011, 05:46:15 AM
this is not the place to ask for support. please open a separate topic in the correct board if you require help on this issue.
Title: Re: Simple Machines Forums attacks
Post by: CoreISP on May 23, 2011, 10:36:37 AM
can the bots restore the database 20 days ago????? because it happened to my forum...

No. Contact your host to ask why that happened or, as Illori suggested, open a new topic.
Title: Re: Simple Machines Forums attacks
Post by: george54 on June 01, 2011, 08:13:49 PM
I tried these two simple approaches to stop unwanted spam on my site:
Seems to have worked for the hour. (now over 24 hours, looking good)
Have banned bad IPs in the past, but the bad actors are always getting new IPs.
Title: Re: Simple Machines Forums attacks
Post by: tomicko on June 04, 2011, 01:20:45 AM
Some  more words about point 1. robots.txt please or how to do this for Dummies  :laugh:

I tried these two simple approaches to stop unwanted spam on my site:
  • robots.txt-> disallow
  • disabled landing page registration.
Seems to have worked for the hour. (now over 24 hours, looking good)
Have banned bad IPs in the past, but the bad actors are always getting new IPs.
Title: Re: Simple Machines Forums attacks
Post by: busterone on June 04, 2011, 09:49:02 AM
You can google robots.txt (http://lmgtfy.com/?q=robots.txt) to learn how to use it for any site, not just SMF.
That will not stop the type of attacks in this topic either. These type of bots pay no attention to a robots.txt file. Only well behaved search engine bots will obey it.
Title: Re: Simple Machines Forums attacks
Post by: agentstaobao on June 09, 2011, 10:20:35 AM
Interesting choice of mods to offer up, more importantly in the order. Yes, you can force email login, but personally I'd rather stop them at the door from trying to make the fake login in the first place
Title: Re: Simple Machines Forums attacks
Post by: NGinuity on June 13, 2011, 01:51:50 PM
Any chance you guys can certify the Login Verification mod for 2.0 Gold?
Title: Re: Simple Machines Forums attacks
Post by: NanoSector on June 13, 2011, 02:24:26 PM
Aren't the attacks ceased? *sighs* Those damn internet terrors.

Interesting choice of mods to offer up, more importantly in the order. Yes, you can force email login, but personally I'd rather stop them at the door from trying to make the fake login in the first place
Ain't that Arantor's words? :P

Any chance you guys can certify the Login Verification mod for 2.0 Gold?
You tried emulating the version the mod was written in?
Title: Re: Simple Machines Forums attacks
Post by: NGinuity on June 13, 2011, 02:40:50 PM
Aren't the attacks ceased? *sighs* Those damn internet terrors.

I've been getting hit relentlessly since Friday.

You tried emulating the version the mod was written in?

No I haven't tried anything.  Having to install mods is somewhat of a new thing to me in SMF, and it said it was only built for 2.0 RC5, so it gave me an unhappy message when I tried to grab the 2.0 install instructions.
Title: Re: Simple Machines Forums attacks
Post by: NanoSector on June 13, 2011, 02:56:39 PM
Aren't the attacks ceased? *sighs* Those damn internet terrors.

I've been getting hit relentlessly since Friday.

You tried emulating the version the mod was written in?

No I haven't tried anything.  Having to install mods is somewhat of a new thing to me in SMF, and it said it was only built for 2.0 RC5, so it gave me an unhappy message when I tried to grab the 2.0 install instructions.
If you look at the bottom of the page, there is a link that says "Advanced". Click it.

A textbox will pop up. Type in the version of SMF the mod works on, and save. Then, happily install the mod :)
Title: Re: Simple Machines Forums attacks
Post by: NGinuity on June 13, 2011, 05:15:03 PM
A textbox will pop up. Type in the version of SMF the mod works on, and save. Then, happily install the mod :)

Ok, so I can just type in SMF 2.0 RC5 where it currently says SMF 2.0?  Does it run a transaction test to make sure the mod will install properly, and also, how hard is it to fail it back if it doesn't?  Sorry for all the questions, but SMF has always worked fine as is and I haven't had to address this until now.
Title: Re: Simple Machines Forums attacks
Post by: b4pjoe on June 13, 2011, 06:06:08 PM
A textbox will pop up. Type in the version of SMF the mod works on, and save. Then, happily install the mod :)

Ok, so I can just type in SMF 2.0 RC5 where it currently says SMF 2.0?  Does it run a transaction test to make sure the mod will install properly, and also, how hard is it to fail it back if it doesn't?  Sorry for all the questions, but SMF has always worked fine as is and I haven't had to address this until now.

Yes and yes, it will run the test.
Title: Re: Simple Machines Forums attacks
Post by: 青山 素子 on June 13, 2011, 07:38:15 PM
Note that that specific modification was designed only for one certain type of attempt. If the current flood doesn't match that exact signature, it'll be useless.
Title: Re: Simple Machines Forums attacks
Post by: NGinuity on June 13, 2011, 07:42:57 PM
Note that that specific modification was designed only for one certain type of attempt. If the current flood doesn't match that exact signature, it'll be useless.

Yeah I got ya.  I just put in some verification questions that only my users would know.
Title: Re: Simple Machines Forums attacks
Post by: midweb on June 19, 2011, 03:30:30 PM
I was having problems with 50 to 100 new members per day joining, that were not relevent to the forum, so I set up guest approval,  but now I am having to sift through the list of sometimes 100 plus looking for bona fida people wanting to join, is there a way around this.
Mick
Title: Re: Simple Machines Forums attacks
Post by: Illori on June 19, 2011, 03:43:20 PM
please start a separate thread in the proper support board, this place is not the correct location.
Title: Re: Simple Machines Forums attacks
Post by: midweb on June 20, 2011, 12:31:03 PM
sorry first post, thought unwanted registrations was attacks of one kind or another, have disabled registration untill I find an answer.
Mick
Title: Re: Simple Machines Forums attacks
Post by: HecKel on June 21, 2011, 04:04:37 PM
Why did you stop sending "newsletters"? This kind of information would be really useful for me if I was notified on time... I never noticed this topic before, and this kind of information should have been broadcasted to the whole community.

Please, restart sending newsletters again.
Title: Re: Simple Machines Forums attacks
Post by: IchBin™ on June 21, 2011, 05:06:01 PM
We typically only send news letters on announcements. I'd suggest you hit the "notify" button at the top of the news board here. :)
Title: Re: Simple Machines Forums attacks
Post by: HecKel on June 21, 2011, 07:27:06 PM
I am not talking just about myself.

 Ok, I can do that and since I am quite often here it was a huge lack of attention from my side, but even though, this was a security warning regarding your software. At least, you should have warned your members about this safety warning.
Title: Re: Simple Machines Forums attacks
Post by: Kindred on June 21, 2011, 08:43:58 PM
We did...  We posted in this announcements board.

We don't send out email announcements formal that much these days.
Title: Re: Simple Machines Forums attacks
Post by: MacGig on June 28, 2011, 08:29:02 AM
id like to see smf incorporate more anti spam/bot measures into smf itself. not everyone feels comfortable editing files and adding mods. it would be nice to have more security features built in, ready to go when smf is downloaded. just a thought.
Title: Re: Simple Machines Forums attacks
Post by: Illori on June 28, 2011, 08:32:14 AM
if you are suggesting a feature please post it in the proper board, but keep in mind that no features are being added to any of the versions of smf that are released as they are feature locked.
Title: Re: Simple Machines Forums attacks
Post by: Kindred on June 28, 2011, 08:33:10 AM
the mods that we suggest for general spam prevention depend on third party interfaces with third part signup, etc.   We don't distribute things like that with the core forum product...
Title: Re: Simple Machines Forums attacks
Post by: catfished on June 28, 2011, 02:41:38 PM
the mods that we suggest for general spam prevention depend on third party interfaces with third part signup, etc.   We don't distribute things like that with the core forum product...

Makes sense to me.(https://www.simplemachines.org/community/proxy.php?request=http%3A%2F%2Fcatfished.com%2Frock.gif&hash=fb0f8a90c88d8acdbf0a27196a13b554)
Title: Re: Simple Machines Forums attacks
Post by: Knabberbrot on July 08, 2011, 09:59:11 AM
id like to see smf incorporate more anti spam/bot measures into smf itself. not everyone feels comfortable editing files and adding mods. it would be nice to have more security features built in, ready to go when smf is downloaded. just a thought.

Yes, please! I like the SMF. I selected SMF because it is simple & because the forum is just a bonus on my site. My time is reserved for the main project, not for the forum. Currenty I can't use registration at all because of this §$%$% link & virus spammers. Some days ago I had to switch to "if you want to register, please write an email to me..." If this goes on, I'm forced to either have no forum or switching to another forum with better protection... sorry to say.
Title: Re: Simple Machines Forums attacks
Post by: Kindred on July 08, 2011, 10:10:36 AM
the mods that we suggest for general spam prevention depend on third party interfaces with third part signup, etc.   We don't distribute things like that with the core forum product...
Title: Re: Simple Machines Forums attacks
Post by: IchBin™ on July 08, 2011, 10:44:16 AM
The other issue with including anti-spam bot stuff in SMF IMO, is that people will specifically write software to get around what is included because it's included in every install. If people customize their anti-spam software they stand a better chance to thwart spammers.
Title: Re: Simple Machines Forums attacks
Post by: Dejv on July 10, 2011, 04:06:24 PM
I tried these two simple approaches to stop unwanted spam on my site:
  • robots.txt-> disallow
  • disabled landing page registration.
Seems to have worked for the hour. (now over 24 hours, looking good)
Have banned bad IPs in the past, but the bad actors are always getting new IPs.

Hi,

did it help? I think the main problem is the registration. How to change the registration url to something else?

Thanks a lot!
Title: Re: Simple Machines Forums attacks
Post by: ~ Phåråoh ~ on July 10, 2011, 07:21:16 PM
So many people expect so much from automated programs these days.  They think they are always going to do everything for them, without fail or error so they never have to think about lifting a finger and applying one ounce of their own efforts to do anything.

In the over 2 years I've been using SMF, I've hand NO spammers get through.  None.  And, all I've ever used is the smf program... as it is.   First and foremost, I don't auto-approve ANY registrations.  I will take the time review them.  Along with that, I added custom registration fields.   Bots will invariably enter the same info into some or all of them (usually, it's their source e-mail) so they stand out like a sore thumb and then, I add them to the ban list. 

So long as computer generated methods of confounding bots are used, I don't know if they ever will or even can be foolproof.  For every security measure created, a way around it is found.  The one thing bots can't be programmed to do is to figure out answers to questions which require human reasoning when the bot programmer has no idea what the human answer is because they have no idea what the question is going to be. 

IMO - Bottom line is, if you value a spam-free forum, take the time to review your registrations manually.  I realize this requires effort on your part but, a 100% track record and a community which has enjoyed years of spam-free use of the forum and site is well worth it... to me, at least.
Title: Re: Simple Machines Forums attacks
Post by: Dejv on July 10, 2011, 08:38:56 PM
Well I had NO spammers and almost no bans for 5 years ... but in only the last few weeks I made a few hundred bans, not only to the not-approved profiles but also to some new registrations.

Thanks, I will have a look in the custom registration fields. ... I guess this is not in the 1.1.14 core


Title: Re: Simple Machines Forums attacks
Post by: Kindred on July 10, 2011, 09:56:23 PM
2.0 is much better ;)
Title: Re: Simple Machines Forums attacks
Post by: 青山 素子 on July 10, 2011, 10:27:57 PM
IMO - Bottom line is, if you value a spam-free forum, take the time to review your registrations manually.  I realize this requires effort on your part but, a 100% track record and a community which has enjoyed years of spam-free use of the forum and site is well worth it... to me, at least.

Indeed. It's important to exercise some effort to monitor the forum. However, adding automated measures will help reduce the effort needed and even eliminate the most obvious spam bots so you can focus on the more devious accounts.

However, as you say, you'll never get a 100% elimination rate (not without a lot of false-positives) on automation alone. If it can be coded, it can be coded around.
Title: Re: Simple Machines Forums attacks
Post by: InfoStrides on July 14, 2011, 04:34:00 AM
The hints itemised in the first post are really helpful. Thanks guys.
Title: Re: Simple Machines Forums attacks
Post by: Dejv on July 15, 2011, 03:18:06 PM
How could a user/bot register if there is an IP-ban on that IP already? Why does this happen?
I click on a new registered user (not verified yet) but its been blocked already. Shouldnt the access to the forum be blocked by that IP-ban already?
Title: Re: Simple Machines Forums attacks
Post by: 青山 素子 on July 15, 2011, 06:20:13 PM
How are you banning the IP? Firewall, Apache, or SMF?
Title: Re: Simple Machines Forums attacks
Post by: Dejv on July 15, 2011, 10:02:41 PM
By .htacess and the new bad-users by SMF
Title: Re: Simple Machines Forums attacks
Post by: imconfused on July 16, 2011, 11:01:45 PM
If you implement more than one mod will they interfere with each other???
Title: Re: Simple Machines Forums attacks
Post by: twig/al on July 17, 2011, 12:10:00 AM
It depends on the mods... Example: hittBL and Stop Spammer, both work together... One checks registrants information against one service and the other checks registrant's information against a different service. Hope that helps...
Title: Re: Simple Machines Forums attacks
Post by: 青山 素子 on July 17, 2011, 02:59:32 AM
By .htacess and the new bad-users by SMF

It is possible that the htaccess blocks aren't being parsed and used. I've seen that happen.


If you implement more than one mod will they interfere with each other???

It depends. Many will not. A few that try to touch the exact same area probably will.
Title: Re: Simple Machines Forums attacks
Post by: impreza on August 03, 2011, 07:01:48 AM
Good written and very helpful information - thank you