Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM

robbie93

Quote from: Cal O'Shaw on February 16, 2011, 01:02:43 AM
@robbie93,

With your portal and all, you may not wish to do so.  But then you need to make your usernames different from your display names (either by telling your users to change them or to use something like the email login MOD).

But I would like to have the OPTION as there is no benefit in our case to displaying names.

As you noted, hiding the names will not stop THIS ATTACK.  But you can be sure someone will use the script and try again.  Wouldn't you like to stop THE NEXT ATTACK.  Because it's going to come.  You've been under attack for over a month you say.  You think they're just going to take their ball and go home?  This type of attack will come again.  It's sophisticated enough that it can't be stopped by IP, it doesn't blast you so you can halt it that way.  It runs so slow that you can't be sure it's not a regular user without checking the IP against where you know the user lives.

It seems the only way to reduce (I didn't say stop) is by cloaking your site (hide membernames) and/or making sure what names are displayed are not valid for logging in. 

We take additional precautions, limiting what boards are visible, and limiting guests to seeing only the first post (which may help explain why the target list used against our site is so small; there wasn't a lot to harvest).  We blocked the Info Center as we felt there was no valid reason for guests to see that information.  We figure if they want to see more they will register (and we review them before accepting them).

Sorry if I come off as a Johnny One-Note, but it seems to be a repeated need to point out some of the features of this attack and that what works for one site will not work for another (hence my saying that maybe robbie93 doesn't see a need to hide names, but we most assuredly do want to hide them).

Cal

Hi Cal, I don't really like bulking the site with mods, we only have about 5 ATM and that to me is more than enough. As for hiding names, if we did that then the site would look rather dull because we do use a portal and we also like names to be shown on the info center, and I think members like to see their names also, so taking them away would be giving in to these bots. We only have about 12 active members on the site, so what we did was send a newsletter to everyone, but to the active ones we also sent PMs and went through the process of changing their display name to something different than their username, because they were complaining that they kept getting logged off halfway through playing a game, and that seemed to work as they haven't complained since. I think limiting boards and making them hidden and making your members' names hidden is really giving in to these bots and taking something away from your site - I look at this like this - you're not gonna stop bots attacking any site - no matter what software you use - and in this case they have been attacking us since early Jan or before and I don't think they have been successful as yet - but it is annoying as they fill up your logs every day.

Arantor

You do realise that the mod I wrote only hides the names from guests, not to members, right? Hardly giving into anyone.

I should note, I've just started a much (much) more thorough logging of this spate of bots and already have a few ideas on how to block them until they get smarter again.

robbie93

Quote from: Arantor on February 16, 2011, 02:13:04 PM
You do realise that the mod I wrote only hides the names from guests, not to members, right? Hardly giving into anyone.

I should note, I've just started a much (much) more thorough logging of this spate of bots and already have a few ideas on how to block them until they get smarter again.

Yep, I realise this, but hiding names from guests makes the site less appealing. Also, as you just stated, these bots will continue to outsmart whatever you try to do to fix them, so why bother? Just use different pw's and make username different from display. I don't see this site hiding names from guests on info center. Isn't this site getting hit? And what have you guys done on this site to stop them?

Arantor

Quote
so why bother?

Why bother running a forum, then? The fact remains they will attack. As site owners we have a responsibility to minimise the risk to our users.

Quote
I don't see this site hiding names from guests on info center. Isn't this site getting hit? And what have you guys done on this site to stop them?

How do you know this site isn't being hit? There's no guarantee of that at all! (In my case I am immune here because I have a different login name to display name :P)

Aleksi "Lex" Kilpinen

For SMF this is a new situation that we are just getting to know - no reason to panic, since they are slow and "mostly harmless", but reasonable steps to discourage such attempts are a good idea. For example, I just advised my users to make sure they are using strong passwords, and that their contact info is up to date, and that using different login and screen names is a good idea. On top of this, I have been blocking IPs trying to log in to more than one account, and have installed HttpBL, which seems to stop many of them.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF
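A sketch of the check mentioned in the post above (spotting IPs that try more than one account), added here as an example and not part of the thread or of SMF itself. It also flags accounts tried from several addresses, the slow pattern described earlier in the thread; the log layout, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, source IP, attempted login name.
# This is NOT SMF's real error-log format; export your own log into this shape.
SAMPLE_FAILURES = """\
2011-02-16 01:02:10,192.0.2.10,alice
2011-02-16 03:40:55,192.0.2.10,bob
2011-02-16 09:15:31,192.0.2.10,carol
2011-02-16 02:11:00,198.51.100.7,alice
2011-02-16 08:45:12,203.0.113.99,alice
2011-02-16 10:00:00,203.0.113.50,dave
2011-02-16 10:00:40,203.0.113.50,dave
"""

def parse(text):
    """Yield (timestamp, ip, login_name) tuples from the constructed format."""
    for line in text.strip().splitlines():
        ts, ip, user = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user.lower()

def analyse(text, window=timedelta(hours=24), max_accounts=1, max_sources=2):
    """Return (ips_trying_many_accounts, accounts_tried_from_many_ips).

    The window is measured back from the newest record. A long window matters:
    attempts spaced hours apart never trip a per-minute rate limit.
    """
    events = sorted(parse(text))
    if not events:
        return [], []
    cutoff = events[-1][0] - window
    users_by_ip, ips_by_user = defaultdict(set), defaultdict(set)
    for ts, ip, user in events:
        if ts >= cutoff:
            users_by_ip[ip].add(user)
            ips_by_user[user].add(ip)
    # One address failing against several different accounts.
    multi_account_ips = sorted(ip for ip, users in users_by_ip.items()
                               if len(users) > max_accounts)
    # One account failing from several addresses: per-IP blocking misses this.
    multi_source_users = sorted(user for user, ips in ips_by_user.items()
                                if len(ips) > max_sources)
    return multi_account_ips, multi_source_users

if __name__ == "__main__":
    print(analyse(SAMPLE_FAILURES))
```

A member mistyping their own password from one address (dave in the sample) trips neither rule, and shrinking the window to an hour makes the slow attempts disappear from both lists.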

robbie93

@ Arantor

Quote from: Arantor on February 16, 2011, 02:30:49 PM
How do you know this site isn't being hit? There's no guarantee of that at all! (In my case I am immune here because I have a different login name to display name :P)

There's your fix then. If making your login name different to your display name makes you immune from attack, why do we need a mod to hide names and boards and so on?    8) And I didn't ask if this site was being hit, I asked what you guys were doing about it if it was or is  ::) .

Kindred

So, tell your users to all change their display name. Done... no need to bother the devs at all...


Oh, wait... this won't stop the existing harvest...  (but then again, neither will releasing a new version of SMF that forces a difference between login and display)

And personally, I would lose track if I had a different display from login.   I have used Kindred since the early 90s.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

b4pjoe

If one doesn't want to use a different display name from their login name or email address, the next best option is to force your users to use secure passwords, but your error log is still going to fill up.

Elysia

My forum error logs are cleared regularly too, otherwise the database gets bulky. I'll leave it for a few days and filter out the rogue logins to a new file, but as we've applied the htaccess file with 1,359 IPs blocked we are seeing very few rogue sign-in attempts now - today there's been 3 or 4, whereas earlier this week we were drowning in them.

I'll go check the server logs and see if there's anything useful in them though as they will still be there.

Danny S.

Hey guys,

I wanted to give an update on my situation to hopefully shed some light on a few things I've read.

First, let's start with the history of my issues. About a week ago, I got a PM from a regular member that said he has to keep logging into the forum every time he visits. My first thought (without knowing this was an issue) was to have the user clear his cookies in his browser and try again. Issue still persisted. Eventually, I found my way here and realized it was a widespread issue.

I took everyone's advice and upgraded the site from RC3 to RC5 and now the login issues have ceased. Of course the login attempts are still continuing.

This is where my situation gets weird. Some of the usernames it is using are some of my top posters. Well, you would think this would be expected because there's more of a chance for the bot to find the username (more posts = more instances).

BUT, some of the names it's using are of members who have NEVER posted. They signed up months ago, but have never actually made a post. Where could they have gotten the name from? If it's not on any post, the only other place would be the memberlist, correct? But I thought only members could see that...


Another thing, I've noticed in the last two months that my "members awaiting activation" has skyrocketed. Typically, I would see maybe 1 or 2 a month on the list. The last two months, there is a total of 78. Could this be related? I only have ~320 members on my site... surely this can't just be from getting more visits...


Any of this happening to someone else?

Cal O'Shaw

@Danny,

Info Center -> Forum Stats -> "Latest Member:" XXX

That's one of the reasons we hid the Info Center.

Cal

Danny S.

That could definitely be causing it, but some of these users signed up months ago and the field was quickly overwritten with a new member (within a couple days).

Does it still store the "new user" info even after a new member signs up? If not, wouldn't this mean that they captured the usernames as far back as last July?

Kindred

Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Danny S.

Quote from: Kindred
memberlist.....

But isn't the memberlist only visible to members? By memberlist I'm referring to index.php?action=mlist.

Cal O'Shaw

You have to change the permission for guests.  I believe it is on by default (we switched it off years ago, so I could be quite wrong on default setting).

Cal

Danny S.

Quote from: Cal O'Shaw on February 16, 2011, 04:06:29 PM
You have to change the permission for guests.  I believe it is on by default (we switched it off years ago, so I could be quite wrong on default setting).

Cal


I'm not trying to say that you're wrong, but just for troubleshooting purposes, mine is turned off for guests, so I don't think this is where they are finding the information. Unless, that is, they've created a username and now have access to them all.



Also, do you guys think that my recent spike in "members awaiting activation" could be related? Do you think it's trying to create accounts? (I have my site set up on email activation.)

Has anyone else noticed a spike on their sites?

Norv

There were sites (a while ago, not only these days) that received quite a number of spammers registering. They only put a spam link in their profile, and never come back again (in these cases).
Perhaps you can check their IPs too, against online databases like Project Honey Pot, to see if they're IPs of known spammers.

There are mods on the customize site you can install to check these, i.e. httpBL, stop forum spam.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

willerby

Quote from: Kindred on February 16, 2011, 04:03:04 PM
memberlist.....

Don't think so unless they register to get to it.

My site has never enabled guest access to the memberlist and the majority of targeted userIDs were prominent posters/long term members. 
What type of washing machine is September?

An autumnatic. :)

Elysia

Our Memberlist is not and never has been visible to Guests or Regular members, only to Global Mods and Admins. Profiles are visible to Regular Members though.

Arantor

They're not getting member names from the memberlist, they seem to be getting them from posts and threads visible to guests.
