Help~ Error Log - multiple attempts to access?

eyo · January 06, 2011, 06:06:46 AM

the most annoying thing about smf is this logout thing

1cor1313 · January 06, 2011, 06:59:59 AM

Quote from: Dermot on January 05, 2011, 08:35:04 PM

Well yeah i noticed it's not a bad issue if you have a decent strength password

However having a lot of users who play arcade which need sessions to stay before they finish game to score right, it's annoying.

you spend 15 mins playing a game to find some bot killed your session and you lose that big score, not good.

I've implemented some suggestions, we'll see how they go.

Recaptcha support
Spam poison hook
Safehop support
httpBL

Thanks folks

I agree this is very annoying. Is there anyway to stop them from attempting to or at least automating it? A captcha on the login form would be nice

gallitin · January 07, 2011, 04:50:00 PM

Anyway to mass ban those ip addresses? Or do I have to manually add each one?

willerby · January 07, 2011, 05:10:05 PM

One at a time as far as I can tell...

and here are some more (the thing just keeps chugging away)

93.104.215.8
89.77.213.43
212.42.236.140
199.48.147.37
174.36.199.203
18.246.0.69
144.85.24.218
92.241.190.168
80.81.183.178
173.48.174.212
66.230.230.230
66.96.16.32
79.120.86.20
204.152.222.140
77.54.97.144
81.169.155.246
87.236.199.73
89.253.97.235
85.235.31.248
188.124.19.114
94.251.75.55
24.106.191.235
50.22.180.2
173.193.221.27
203.174.87.18
78.107.237.16
98.113.149.36

gallitin · January 07, 2011, 05:24:10 PM

Just installed this I'll let you know if working.

http://custom.simplemachines.org/mods/index.php?mod=2728

willerby · January 07, 2011, 05:48:17 PM

This mod could be my saviour - emulate RC3 and installs fine. Forces members to log-in using email address which screws the bot as these are hidden on my forum...

(Now testing)

http://custom.simplemachines.org/mods/index.php?mod=1665

gallitin · January 07, 2011, 05:55:10 PM

Doesn't force me to login with my e-mail address, what are you talking about?

willerby · January 07, 2011, 06:02:44 PM

Sorry, forgot to add the mod link - added above and here

http://custom.simplemachines.org/mods/index.php?mod=1665

SilverLining · January 07, 2011, 06:10:50 PM

Quote from: laetabi on January 07, 2011, 06:02:44 PM
Sorry, forgot to add the mod link - added above and here

http://custom.simplemachines.org/mods/index.php?mod=1665

Too bad that's not availible for RC4

willerby · January 07, 2011, 06:14:31 PM

Works on RC4 - after download, click advanced tab on Installed Packages and emulate RC3 - will then appear in installed packages list with an Install option and works straight out of the box

And so far doing the job... fingers crossed...

gallitin · January 07, 2011, 07:04:29 PM

Quote from: gallitin on January 07, 2011, 05:24:10 PM
Just installed this I'll let you know if working.

http://custom.simplemachines.org/mods/index.php?mod=2728

Tested. This fixed mine.

AZMazda3 · January 08, 2011, 12:03:45 PM

We've recently had the same issue the last two days, I'm going to ignore it for now. The most annoying thing was the abrupt loggin out of users online.

Brettflan · January 09, 2011, 04:20:20 PM

I've seen this happening now on 2 forums I have administrator access to. Here is a sampling of access log data for the attempts, as best I can tell:

Code Select

204.8.156.142 - - [08/Jan/2011:03:14:22 -0800]  "GET /?action=login2 HTTP/1.1" 200 2670 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
204.8.156.142 - - [08/Jan/2011:03:14:18 -0800]  "POST /?action=login2 HTTP/1.1" 200 2692 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
92.241.190.168 - - [08/Jan/2011:03:35:40 -0800]  "GET /?action=login2 HTTP/1.1" 200 2671 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.39 - - [08/Jan/2011:03:25:03 -0800]  "POST /?action=login2 HTTP/1.1" 200 2704 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
199.48.147.39 - - [08/Jan/2011:03:25:12 -0800]  "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
92.241.190.168 - - [08/Jan/2011:03:35:36 -0800]  "POST /?action=login2 HTTP/1.1" 200 2694 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
173.45.245.140 - - [08/Jan/2011:03:46:10 -0800]  "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
173.45.245.140 - - [08/Jan/2011:03:46:16 -0800]  "GET /?action=login2 HTTP/1.1" 200 2672 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
80.62.217.18 - - [08/Jan/2011:03:57:35 -0800]  "POST /?action=login2 HTTP/1.1" 200 2705 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
80.62.217.18 - - [08/Jan/2011:03:57:39 -0800]  "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
192.251.226.205 - - [08/Jan/2011:04:08:29 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
192.251.226.205 - - [08/Jan/2011:04:08:31 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
192.251.226.206 - - [08/Jan/2011:04:19:38 -0800]  "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
71.7.104.192 - - [08/Jan/2011:04:30:45 -0800]  "GET /?action=login2 HTTP/1.1" 200 2454 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
192.251.226.206 - - [08/Jan/2011:04:19:44 -0800]  "GET /?action=login2 HTTP/1.1" 200 2681 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
71.7.104.192 - - [08/Jan/2011:04:30:43 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
89.253.97.235 - - [08/Jan/2011:04:42:19 -0800]  "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
89.253.97.235 - - [08/Jan/2011:04:42:14 -0800]  "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.36 - - [08/Jan/2011:04:53:29 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.36 - - [08/Jan/2011:04:53:25 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
174.36.199.202 - - [08/Jan/2011:05:04:28 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
174.36.199.202 - - [08/Jan/2011:05:04:34 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
199.48.147.42 - - [08/Jan/2011:05:16:53 -0800]  "POST /?action=login2 HTTP/1.1" 499 0 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
178.33.149.173 - - [08/Jan/2011:05:26:40 -0800]  "POST /?action=login2 HTTP/1.1" 200 2695 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
178.33.149.173 - - [08/Jan/2011:05:26:46 -0800]  "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
192.251.226.206 - - [08/Jan/2011:05:38:11 -0800]  "GET /?action=login2 HTTP/1.1" 200 2678 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
193.25.5.68 - - [08/Jan/2011:05:38:04 -0800]  "POST /?action=login2 HTTP/1.1" 200 2701 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
83.142.228.14 - - [08/Jan/2011:05:49:53 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
83.142.228.14 - - [08/Jan/2011:05:49:45 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
78.56.131.222 - - [08/Jan/2011:06:00:28 -0800]  "GET /?action=login2 HTTP/1.1" 200 2775 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
78.56.131.222 - - [08/Jan/2011:06:00:23 -0800]  "POST /?action=login2 HTTP/1.1" 200 2796 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
173.193.221.27 - - [08/Jan/2011:06:22:13 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.41 - - [08/Jan/2011:06:11:52 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
199.48.147.41 - - [08/Jan/2011:06:12:04 -0800]  "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
173.193.221.27 - - [08/Jan/2011:06:22:17 -0800]  "GET /?action=login2 HTTP/1.1" 200 2674 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.35 - - [08/Jan/2011:06:33:05 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.35 - - [08/Jan/2011:06:33:11 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
192.251.226.206 - - [08/Jan/2011:06:44:18 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
192.251.226.206 - - [08/Jan/2011:06:44:23 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.36 - - [08/Jan/2011:06:54:53 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.36 - - [08/Jan/2011:06:55:00 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
95.143.193.145 - - [08/Jan/2011:07:05:47 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
95.143.193.145 - - [08/Jan/2011:07:05:51 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.38 - - [08/Jan/2011:07:16:43 -0800]  "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
199.48.147.38 - - [08/Jan/2011:07:16:49 -0800]  "GET /?action=login2 HTTP/1.1" 200 2680 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
204.8.156.142 - - [08/Jan/2011:03:14:22 -0800]  "GET /?action=login2 HTTP/1.1" 200 2670 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
204.8.156.142 - - [08/Jan/2011:03:14:18 -0800]  "POST /?action=login2 HTTP/1.1" 200 2692 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
92.241.190.168 - - [08/Jan/2011:03:35:40 -0800]  "GET /?action=login2 HTTP/1.1" 200 2671 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.39 - - [08/Jan/2011:03:25:03 -0800]  "POST /?action=login2 HTTP/1.1" 200 2704 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
199.48.147.39 - - [08/Jan/2011:03:25:12 -0800]  "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
92.241.190.168 - - [08/Jan/2011:03:35:36 -0800]  "POST /?action=login2 HTTP/1.1" 200 2694 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
173.45.245.140 - - [08/Jan/2011:03:46:10 -0800]  "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
173.45.245.140 - - [08/Jan/2011:03:46:16 -0800]  "GET /?action=login2 HTTP/1.1" 200 2672 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
80.62.217.18 - - [08/Jan/2011:03:57:35 -0800]  "POST /?action=login2 HTTP/1.1" 200 2705 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
80.62.217.18 - - [08/Jan/2011:03:57:39 -0800]  "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
192.251.226.205 - - [08/Jan/2011:04:08:29 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
192.251.226.205 - - [08/Jan/2011:04:08:31 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
192.251.226.206 - - [08/Jan/2011:04:19:38 -0800]  "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
71.7.104.192 - - [08/Jan/2011:04:30:45 -0800]  "GET /?action=login2 HTTP/1.1" 200 2454 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
192.251.226.206 - - [08/Jan/2011:04:19:44 -0800]  "GET /?action=login2 HTTP/1.1" 200 2681 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
71.7.104.192 - - [08/Jan/2011:04:30:43 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
89.253.97.235 - - [08/Jan/2011:04:42:19 -0800]  "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
89.253.97.235 - - [08/Jan/2011:04:42:14 -0800]  "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.36 - - [08/Jan/2011:04:53:29 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.36 - - [08/Jan/2011:04:53:25 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
174.36.199.202 - - [08/Jan/2011:05:04:28 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
174.36.199.202 - - [08/Jan/2011:05:04:34 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
199.48.147.42 - - [08/Jan/2011:05:16:53 -0800]  "POST /?action=login2 HTTP/1.1" 499 0 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
178.33.149.173 - - [08/Jan/2011:05:26:40 -0800]  "POST /?action=login2 HTTP/1.1" 200 2695 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
178.33.149.173 - - [08/Jan/2011:05:26:46 -0800]  "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"
192.251.226.206 - - [08/Jan/2011:05:38:11 -0800]  "GET /?action=login2 HTTP/1.1" 200 2678 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
193.25.5.68 - - [08/Jan/2011:05:38:04 -0800]  "POST /?action=login2 HTTP/1.1" 200 2701 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)"
83.142.228.14 - - [08/Jan/2011:05:49:53 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
83.142.228.14 - - [08/Jan/2011:05:49:45 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
78.56.131.222 - - [08/Jan/2011:06:00:28 -0800]  "GET /?action=login2 HTTP/1.1" 200 2775 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
78.56.131.222 - - [08/Jan/2011:06:00:23 -0800]  "POST /?action=login2 HTTP/1.1" 200 2796 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
173.193.221.27 - - [08/Jan/2011:06:22:13 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.41 - - [08/Jan/2011:06:11:52 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
199.48.147.41 - - [08/Jan/2011:06:12:04 -0800]  "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)"
173.193.221.27 - - [08/Jan/2011:06:22:17 -0800]  "GET /?action=login2 HTTP/1.1" 200 2674 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.35 - - [08/Jan/2011:06:33:05 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
199.48.147.35 - - [08/Jan/2011:06:33:11 -0800]  "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
192.251.226.206 - - [08/Jan/2011:06:44:18 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
192.251.226.206 - - [08/Jan/2011:06:44:23 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.36 - - [08/Jan/2011:06:54:53 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.36 - - [08/Jan/2011:06:55:00 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
95.143.193.145 - - [08/Jan/2011:07:05:47 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
95.143.193.145 - - [08/Jan/2011:07:05:51 -0800]  "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)"
199.48.147.38 - - [08/Jan/2011:07:16:43 -0800]  "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
199.48.147.38 - - [08/Jan/2011:07:16:49 -0800]  "GET /?action=login2 HTTP/1.1" 200 2680 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
199.48.147.36 - - [08/Jan/2011:07:27:57 -0800]  "GET /?action=login2 HTTP/1.1" 200 2455 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
199.48.147.36 - - [08/Jan/2011:07:27:55 -0800]  "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
199.48.147.35 - - [08/Jan/2011:07:38:31 -0800]  "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
199.48.147.35 - - [08/Jan/2011:07:38:36 -0800]  "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
76.10.214.89 - - [08/Jan/2011:07:49:40 -0800]  "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
76.10.214.89 - - [08/Jan/2011:07:49:48 -0800]  "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"
192.251.226.205 - - [08/Jan/2011:08:00:27 -0800]  "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

That "&bsa=check&member=1" bit seems out of place. I did a text search through the SMF source files and came up with 0 matches for "bsa". I think the full string ("&bsa=check&member=1") could potentially be an easy identifier for the bot in access log files. I notice otherwise it's providing a wide range of legitimate agent strings for a variety of real browsers, so the agent string isn't useful for identifying it.
Also, I notice it's consistently accessing "/?action=login2" on the forum in question, where apparently genuine login attempts are referring to "/index.php" rather than just "/", like so: "/index.php?action=login2" or "/index.php?PHPSESSID=[session_id]&action=login2". I wouldn't bet on that as a safe way to identify it, though.

I checked a few IPs from the full list of attempts and they were each on anonymizing proxies. I have no problem with blocking those, so I'll probably just go through the IPs and get a list of net ranges to block.

The way it's effectively logging users out is the annoying thing for me, as well. It doesn't look like a very effective brute-force method. Still, with their nets apparently spread so wide across a large number of forums, they'll probably get a few accounts out of it.

willerby · January 10, 2011, 02:51:43 AM

I've implemented the 'force email on login' mod referred to above and problem fixed in one hit with no need to block at IP address.

The bot uses the usernames of members to log-in. By switching to email address it can't log users off and eventually goes elsewhere.

mightygiants · January 19, 2011, 01:49:26 PM

Quote from: Brettflan on January 09, 2011, 04:20:20 PM
I've seen this happening now on 2 forums I have administrator access to. Here is a sampling of access log data for the attempts, as best I can tell:

Code Select Expand
204.8.156.142 - - [08/Jan/2011:03:14:22 -0800] "GET /?action=login2 HTTP/1.1" 200 2670 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 204.8.156.142 - - [08/Jan/2011:03:14:18 -0800] "POST /?action=login2 HTTP/1.1" 200 2692 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 92.241.190.168 - - [08/Jan/2011:03:35:40 -0800] "GET /?action=login2 HTTP/1.1" 200 2671 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.39 - - [08/Jan/2011:03:25:03 -0800] "POST /?action=login2 HTTP/1.1" 200 2704 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" 199.48.147.39 - - [08/Jan/2011:03:25:12 -0800] "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" 92.241.190.168 - - [08/Jan/2011:03:35:36 -0800] "POST /?action=login2 HTTP/1.1" 200 2694 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 173.45.245.140 - - [08/Jan/2011:03:46:10 -0800] "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 173.45.245.140 - - [08/Jan/2011:03:46:16 -0800] "GET /?action=login2 HTTP/1.1" 200 2672 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 80.62.217.18 - - [08/Jan/2011:03:57:35 -0800] "POST /?action=login2 HTTP/1.1" 200 2705 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 80.62.217.18 - - [08/Jan/2011:03:57:39 -0800] "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 192.251.226.205 - - [08/Jan/2011:04:08:29 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 192.251.226.205 - - [08/Jan/2011:04:08:31 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 192.251.226.206 - - [08/Jan/2011:04:19:38 -0800] "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 71.7.104.192 - - [08/Jan/2011:04:30:45 -0800] "GET /?action=login2 HTTP/1.1" 200 2454 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 192.251.226.206 - - [08/Jan/2011:04:19:44 -0800] "GET /?action=login2 HTTP/1.1" 200 2681 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 71.7.104.192 - - [08/Jan/2011:04:30:43 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 89.253.97.235 - - [08/Jan/2011:04:42:19 -0800] "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 89.253.97.235 - - [08/Jan/2011:04:42:14 -0800] "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.36 - - [08/Jan/2011:04:53:29 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.36 - - [08/Jan/2011:04:53:25 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 174.36.199.202 - - [08/Jan/2011:05:04:28 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 174.36.199.202 - - [08/Jan/2011:05:04:34 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 199.48.147.42 - - [08/Jan/2011:05:16:53 -0800] "POST /?action=login2 HTTP/1.1" 499 0 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 178.33.149.173 - - [08/Jan/2011:05:26:40 -0800] "POST /?action=login2 HTTP/1.1" 200 2695 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 178.33.149.173 - - [08/Jan/2011:05:26:46 -0800] "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 192.251.226.206 - - [08/Jan/2011:05:38:11 -0800] "GET /?action=login2 HTTP/1.1" 200 2678 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 193.25.5.68 - - [08/Jan/2011:05:38:04 -0800] "POST /?action=login2 HTTP/1.1" 200 2701 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 83.142.228.14 - - [08/Jan/2011:05:49:53 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 83.142.228.14 - - [08/Jan/2011:05:49:45 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 78.56.131.222 - - [08/Jan/2011:06:00:28 -0800] "GET /?action=login2 HTTP/1.1" 200 2775 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 78.56.131.222 - - [08/Jan/2011:06:00:23 -0800] "POST /?action=login2 HTTP/1.1" 200 2796 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 173.193.221.27 - - [08/Jan/2011:06:22:13 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.41 - - [08/Jan/2011:06:11:52 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 199.48.147.41 - - [08/Jan/2011:06:12:04 -0800] "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 173.193.221.27 - - [08/Jan/2011:06:22:17 -0800] "GET /?action=login2 HTTP/1.1" 200 2674 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.35 - - [08/Jan/2011:06:33:05 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.35 - - [08/Jan/2011:06:33:11 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 192.251.226.206 - - [08/Jan/2011:06:44:18 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 192.251.226.206 - - [08/Jan/2011:06:44:23 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.36 - - [08/Jan/2011:06:54:53 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.36 - - [08/Jan/2011:06:55:00 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 95.143.193.145 - - [08/Jan/2011:07:05:47 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 95.143.193.145 - - [08/Jan/2011:07:05:51 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.38 - - [08/Jan/2011:07:16:43 -0800] "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 199.48.147.38 - - [08/Jan/2011:07:16:49 -0800] "GET /?action=login2 HTTP/1.1" 200 2680 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 204.8.156.142 - - [08/Jan/2011:03:14:22 -0800] "GET /?action=login2 HTTP/1.1" 200 2670 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 204.8.156.142 - - [08/Jan/2011:03:14:18 -0800] "POST /?action=login2 HTTP/1.1" 200 2692 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 92.241.190.168 - - [08/Jan/2011:03:35:40 -0800] "GET /?action=login2 HTTP/1.1" 200 2671 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.39 - - [08/Jan/2011:03:25:03 -0800] "POST /?action=login2 HTTP/1.1" 200 2704 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" 199.48.147.39 - - [08/Jan/2011:03:25:12 -0800] "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" 92.241.190.168 - - [08/Jan/2011:03:35:36 -0800] "POST /?action=login2 HTTP/1.1" 200 2694 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 173.45.245.140 - - [08/Jan/2011:03:46:10 -0800] "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 173.45.245.140 - - [08/Jan/2011:03:46:16 -0800] "GET /?action=login2 HTTP/1.1" 200 2672 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 80.62.217.18 - - [08/Jan/2011:03:57:35 -0800] "POST /?action=login2 HTTP/1.1" 200 2705 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 80.62.217.18 - - [08/Jan/2011:03:57:39 -0800] "GET /?action=login2 HTTP/1.1" 200 2682 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 192.251.226.205 - - [08/Jan/2011:04:08:29 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 192.251.226.205 - - [08/Jan/2011:04:08:31 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 192.251.226.206 - - [08/Jan/2011:04:19:38 -0800] "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 71.7.104.192 - - [08/Jan/2011:04:30:45 -0800] "GET /?action=login2 HTTP/1.1" 200 2454 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 192.251.226.206 - - [08/Jan/2011:04:19:44 -0800] "GET /?action=login2 HTTP/1.1" 200 2681 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 71.7.104.192 - - [08/Jan/2011:04:30:43 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 89.253.97.235 - - [08/Jan/2011:04:42:19 -0800] "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 89.253.97.235 - - [08/Jan/2011:04:42:14 -0800] "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.36 - - [08/Jan/2011:04:53:29 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.36 - - [08/Jan/2011:04:53:25 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 174.36.199.202 - - [08/Jan/2011:05:04:28 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 174.36.199.202 - - [08/Jan/2011:05:04:34 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 199.48.147.42 - - [08/Jan/2011:05:16:53 -0800] "POST /?action=login2 HTTP/1.1" 499 0 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 178.33.149.173 - - [08/Jan/2011:05:26:40 -0800] "POST /?action=login2 HTTP/1.1" 200 2695 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 178.33.149.173 - - [08/Jan/2011:05:26:46 -0800] "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6" 192.251.226.206 - - [08/Jan/2011:05:38:11 -0800] "GET /?action=login2 HTTP/1.1" 200 2678 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 193.25.5.68 - - [08/Jan/2011:05:38:04 -0800] "POST /?action=login2 HTTP/1.1" 200 2701 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)" 83.142.228.14 - - [08/Jan/2011:05:49:53 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 83.142.228.14 - - [08/Jan/2011:05:49:45 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 78.56.131.222 - - [08/Jan/2011:06:00:28 -0800] "GET /?action=login2 HTTP/1.1" 200 2775 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 78.56.131.222 - - [08/Jan/2011:06:00:23 -0800] "POST /?action=login2 HTTP/1.1" 200 2796 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 173.193.221.27 - - [08/Jan/2011:06:22:13 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.41 - - [08/Jan/2011:06:11:52 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 199.48.147.41 - - [08/Jan/2011:06:12:04 -0800] "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)" 173.193.221.27 - - [08/Jan/2011:06:22:17 -0800] "GET /?action=login2 HTTP/1.1" 200 2674 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.35 - - [08/Jan/2011:06:33:05 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 199.48.147.35 - - [08/Jan/2011:06:33:11 -0800] "GET /?action=login2 HTTP/1.1" 200 2675 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 192.251.226.206 - - [08/Jan/2011:06:44:18 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 192.251.226.206 - - [08/Jan/2011:06:44:23 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.36 - - [08/Jan/2011:06:54:53 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.36 - - [08/Jan/2011:06:55:00 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 95.143.193.145 - - [08/Jan/2011:07:05:47 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 95.143.193.145 - - [08/Jan/2011:07:05:51 -0800] "GET /?action=login2 HTTP/1.1" 200 2676 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)" 199.48.147.38 - - [08/Jan/2011:07:16:43 -0800] "POST /?action=login2 HTTP/1.1" 200 2703 "http://forums.taleworlds.com/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 199.48.147.38 - - [08/Jan/2011:07:16:49 -0800] "GET /?action=login2 HTTP/1.1" 200 2680 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 199.48.147.36 - - [08/Jan/2011:07:27:57 -0800] "GET /?action=login2 HTTP/1.1" 200 2455 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 199.48.147.36 - - [08/Jan/2011:07:27:55 -0800] "POST /?action=login2 HTTP/1.1" 200 2697 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ro; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8" 199.48.147.35 - - [08/Jan/2011:07:38:31 -0800] "POST /?action=login2 HTTP/1.1" 200 2699 "http://forums.taleworlds.com/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 199.48.147.35 - - [08/Jan/2011:07:38:36 -0800] "GET /?action=login2 HTTP/1.1" 200 2677 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)" 76.10.214.89 - - [08/Jan/2011:07:49:40 -0800] "POST /?action=login2 HTTP/1.1" 200 2696 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 76.10.214.89 - - [08/Jan/2011:07:49:48 -0800] "GET /?action=login2 HTTP/1.1" 200 2673 "http://forums.taleworlds.com/&bsa=check&member=1" "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9" 192.251.226.205 - - [08/Jan/2011:08:00:27 -0800] "POST /?action=login2 HTTP/1.1" 200 2698 "http://forums.taleworlds.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6"

That "&bsa=check&member=1" bit seems out of place. I did a text search through the SMF source files and came up with 0 matches for "bsa". I think the full string ("&bsa=check&member=1") could potentially be an easy identifier for the bot in access log files. I notice otherwise it's providing a wide range of legitimate agent strings for a variety of real browsers, so the agent string isn't useful for identifying it.
Also, I notice it's consistently accessing "/?action=login2" on the forum in question, where apparently genuine login attempts are referring to "/index.php" rather than just "/", like so: "/index.php?action=login2" or "/index.php?PHPSESSID=[session_id]&action=login2". I wouldn't bet on that as a safe way to identify it, though.

I checked a few IPs from the full list of attempts and they were each on anonymizing proxies. I have no problem with blocking those, so I'll probably just go through the IPs and get a list of net ranges to block.

The way it's effectively logging users out is the annoying thing for me, as well. It doesn't look like a very effective brute-force method. Still, with their nets apparently spread so wide across a large number of forums, they'll probably get a few accounts out of it.

Is there a way to use this information to create a line in the .htaccess file to block them?

IchBin™ · January 19, 2011, 01:52:17 PM

Not just a line, but multiple lines yes. You just add it to an .htaccess file.

Code Select

order allow,deny
deny from 123.45.6.7
deny from 012.34.5.
allow from all

Just add each IP to a separate line in the same manner as above.

mightygiants · January 19, 2011, 02:02:04 PM

Quote from: IchBin™ on January 19, 2011, 01:52:17 PM
Not just a line, but multiple lines yes. You just add it to an .htaccess file.

Code Select Expand
order allow,deny deny from 123.45.6.7 deny from 012.34.5. allow from all

Just add each IP to a separate line in the same manner as above.

Thank you, I was hoping not to bog down the server with a long list of IP addresses to deny.

Blah blah · January 21, 2011, 02:57:04 PM

Anybody have the cb emaillogin 0.2 so I can fix this problem in 2.0rc 1.2?

roonekoos · February 16, 2011, 09:26:15 AM

I have a lot of attacks and block them in the .Htacces file but it is really getting crazy

News:

Help~ Error Log - multiple attempts to access?