Tidal wave of spambots attacks SMF 1.1.x - How to protect your forum

Started by Deprecated, November 11, 2008, 06:26:59 PM


dwd2000

Quote from: metallica48423 on November 15, 2008, 12:35:01 AM
Quote from: dwd2000 on November 14, 2008, 11:21:49 PM
Quote from: metallica48423 on November 14, 2008, 10:49:14 PM
Quote
I also read that SMF 1.1.7 didn't address any security issues

Not sure of your source, but there were two important security issues patched in the 1.1.7 release.

http://www.simplemachines.org/community/index.php?topic=273816.msg1798854#msg1798854

NOTE:
My intention with my previous posts here was not intended to put down or degrade SMF in any way.
I know, understand, as well as appreciate all the work done here. My sole intention was to help.
If anyone misunderstands that, I am sorry.


I had never felt that was your intention.  I apologize if I came across as such -- certainly was not my intention :P

Simply making sure misinformation doesn't creep around.  :)

My note was not directed at anyone in particular.
It just happened to be on that reply.
No apologies needed, but thanks anyway.
I think it's a full moon tonight, or close to it.
30 years ago I was young and foolish.
Now I'm just young.

DAMMIT JIM...I'M A TWEAKER...NOT A CODER!!!

Dave's Games

junglecat

Well, now I know why we've been getting hit so hard by spam bots for the last several days.
PM me for affordable hosting. I will install your SMF forum with your choice of a theme for FREE.
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
Join us at Christian Discussions 
~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~

Akyhne

Quote from: akyhne on November 14, 2008, 06:46:12 PM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
In recent days there has been a huge surge in the numbers of spambots attacking SMF 1.1.x forums. Some have suggested that this is due to the recent SMF 1.1.7 security upgrade, but in fact the attacks are unrelated to the functional changes in SMF 1.1.7. This is supported by the fact that SMF 1.1.6 and earlier versions are also subject to the attacks. The attacks have nothing to do with the SMF 1.1.7 upgrade.


Hmm, I got 5 SMF 1.1.7 forums running. None of them were ever attacked. Now 3 are within the last few days. The forums are on very different servers. And another forum I visit a lot was attacked this morning... for the first time ever!

Maybe it's a coincidence.. I think not.
Fourth forum attacked this morning :(

Andreas4

Quote from: Deprecated on November 11, 2008, 06:26:59 PM
2.) At least for now SMF 2.0 has not been affected. The new version has improved spam defenses including the ability to ask any number of verification questions (what year is it? are you a bot?). Since most forums will pick different questions, these questions are very difficult for spambots to answer. If you have been considering upgrading to 2.0, now might be a good time to do so.
+
Quote
Note: As this is in early beta we do not suggest running SMF 2.0 Beta 4 Public on a production site.
(from http://download.simplemachines.org)
=
???

Burke ♞ Knight

Quote from: Andreas4 on November 15, 2008, 06:28:02 AM
Quote from: Deprecated on November 11, 2008, 06:26:59 PM
2.) At least for now SMF 2.0 has not been affected. The new version has improved spam defenses including the ability to ask any number of verification questions (what year is it? are you a bot?). Since most forums will pick different questions, these questions are very difficult for spambots to answer. If you have been considering upgrading to 2.0, now might be a good time to do so.
+
Quote
Note: As this is in early beta we do not suggest running SMF 2.0 Beta 4 Public on a production site.
(from http://download.simplemachines.org)
=
???

I do believe what Deprecated is meaning, is if you had been considering upgrading, even though the download site has that message, then now might be a good time.

ModelBoatMayhem

Quote from: mashby on November 14, 2008, 11:24:53 PM
I have played Whack-A-Mole (banning IPs, usernames, drinking beer). None of that made a difference. I am running 1.1.7 (and won't upgrade to 2.0 for a lot of reasons). Changing the "Complexity of visual verification image" to High stopped everything. I released all bans and continue to drink beer and am very satisfied with SMF. Rock on.

Yes 'HIGH' verification has worked for me too - no other mods either.
That's my firm opinion.... but what do I know?!

rsmini

High verification is working perfect for us as well as is member approval.....however ...

We have been subject to 3 hacker attacks this week. This time they have taken down our joomla website as well. In fact they have deleted the whole forum/smf website basically it has all gone for the second time this week.

And I am well cheesed off. and just off to contact the host.

We recently swapped the site from mambo to joomla. We have never had a security problem with mambo. I wonder if it could have anything to do with the joomla/smf bridge we are using.

Be careful everyone, if they can't get your smf site they may well get your joomla site
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

wagtail

They do seem to be attacking both joomla and smf.
I was getting about an equal number of spammers trying each.
Even though I don't use the bridge.

I used the are-you-human mod and put the age restriction on.
(Registering is now like filling a job application).  :D

Thanks for the mod advice in this thread btw Dep.

I also ban the miscreant's IP range from the server each time I spot one that checks out on hxxp:stopforumspam.com [nonactive]
Error logs are showing 1-2 failed attempts/hour since I implemented the brute force and ignorance IP ban approach.

On the plus side, I am down to the usual 'once every now and again' bot managing to register a moniker on joomla and none on SMF.

rsmini

Unfortunately I can't do anything as both the joomla / smf sites have gone. As soon as it is back I will try and add even more security

:( :( :(
Remember to check the website for the latest info & news on the Mini. -
British Mini Club

Muldoon

Quote from: ModelBoatMayhem on November 15, 2008, 12:18:52 PM
Quote from: mashby on November 14, 2008, 11:24:53 PM
I have played Whack-A-Mole (banning IPs, usernames, drinking beer). None of that made a difference. I am running 1.1.7 (and won't upgrade to 2.0 for a lot of reasons). Changing the "Complexity of visual verification image" to High stopped everything. I released all bans and continue to drink beer and am very satisfied with SMF. Rock on.

Yes 'HIGH' verification has worked for me too - no other mods either.

Same here for me,...I believe it was on the 7th page of this thread that I mentioned this as well.  It's nice to see it working for others as well!

Storman™

Came across this interesting thread in the forum on stopforumspam.com:

http://www.stopforumspam.com/forum/t142

Not sure if that mod is on the SMF site already but maybe helpful for some people ?

Also, one observation that I've made is that I have plenty of sites on version 1.1.5 and they are getting hammered at the moment. However I have one site on an old version 1.1.1 and I don't get any spam there whatsoever... bit strange really..  ???

jackregan

I am running a forum on 1.1.7 and over the last week or so I have noticed a massive massive increase in spambots.

My solution was to add a field to the registration form using the custom profile fields mod. The field requires input and simply asks 'what day of the week is it?'

The point being that I'll know straight away if the 'user' is human or not. (I have 'member approval' as the registration method.)

But, funnily enough, since I've made this change, I've had no spambots whatsoever. Maybe they can't handle fields that require forced input, other than username, E-mail, Password.

Hope that helps.
Bible Study, Catholic News, Youth Group Stuff (my humble attempt at an SMF site... I'm grateful to the amazing people who have made SMF what it is!!

forumite

Apologies if this is off-topic .....

Quote from: rsmini
This time they have taken down our joomla website as well. In fact they have deleted the whole forum/smf website basically it has all gone for the second time this week.

Do you by chance have FlashChat installed, either integrated with SMF or standalone? Reason I ask is that I had a hacker get in via a vulnerability in FC a year or so ago. Today I'm seeing lots of probes for the same vulnerability. I believe FC patched the problem but, in case you're running an old version, here's where they're probing:

/SMF_forum//inc/cmses/aedating4CMS.php
/cmses/aedating4CMS.php
/SMF_forum/chat//inc/cmses/aedating4CMS.php

That aedating4CMS.php script is used to integrate FlashChat with the aedating software package. If you're not running aedating (presumably not, since you're using SMF), remove that script. In fact, you can remove them all from the chat/inc/cmses/ folder except for the SMF ones and, if you're running FC standalone, you don't even need the SMF ones. If standalone, you need to keep the one that looks like statelessCMS.php.

One difference from prior attacks looking for this script is that some probes today show up in my logs as spiders, although the IP addresses don't resolve to any of the search engines.

Another previously reported vulnerability was in Coppermine Photo Gallery. These guys are also probing CPG today.

Apologies if this doesn't apply to you.
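
An added example, not part of forumite's post and not code from SMF or FlashChat: a log check for the probes described above that also tests whether a request claiming to be a search-engine spider comes from an address whose reverse DNS belongs to that engine. The combined log format, the crawler suffix table, the function names and the sample lines are assumptions made for the illustration.

```python
import re
import socket

# Script name from the post above; any directory prefix counts as a probe.
PROBE_RE = re.compile(r"/cmses/aedating4CMS\.php", re.IGNORECASE)
# Assumption: crawler UA markers and the rDNS suffixes their operators use.
CRAWLERS = {"googlebot": (".googlebot.com", ".google.com"),
            "bingbot": (".search.msn.com",)}
# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Nov/2008:10:01:02 +0000] "GET /SMF_forum//inc/cmses/aedating4CMS.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.9 - - [15/Nov/2008:10:02:10 +0000] "GET /cmses/aedating4CMS.php HTTP/1.0" 404 210 "-" "libwww-perl/5.805"',
    '192.0.2.44 - - [15/Nov/2008:10:03:00 +0000] "GET /index.php?action=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def reverse_dns(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    try:
        host = socket.gethostbyaddr(ip)[0]
        if ip in socket.gethostbyname_ex(host)[2]:
            return host.lower()
    except OSError:
        pass
    return None

def find_probes(lines, resolver=reverse_dns):
    """Return one finding per request that targets the probed script."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not PROBE_RE.search(m["path"]):
            continue
        ua = m["ua"].lower()
        claimed = next((name for name in CRAWLERS if name in ua), None)
        verdict = "probe"
        if claimed:
            host = resolver(m["ip"])
            genuine = bool(host) and host.endswith(CRAWLERS[claimed])
            verdict = "probe-by-crawler" if genuine else "probe-fake-crawler"
        findings.append({"ip": m["ip"], "path": m["path"],
                         "status": int(m["status"]), "verdict": verdict})
    return findings
```

A 200 status on any finding means the script is still present on the server and should be removed as the post advises; `resolver` can be replaced with a cached lookup when scanning large logs.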

andy_kim

Just to share the experiences of the last days ...

Also got some bots on our forum. Because I live in a timezone with 8 hours difference to the server the first day of the attacks had been unnoticed for some time and so some bots registered successfully and only two of them activated and made one post each. All others were waiting for activation.

Changed captcha from medium to high and activation to approval. I also banned about a dozen IP addresses - even though some say it is useless.

But since then there had been only a few attempts to register from banned IPs, and only a handful of other banned ones are revisiting 2-3 times a day now; sometimes with login, sometimes with activation and sometimes with post action. Creates about 20 entries in the error logs per day, so not a big deal.
Seems in my case that these guys are not so flexible with using different IP addresses.

Xarcell

I have a different problem, but I wonder if it's related.

All of my sites are on dreamhost. I have extra web security enabled there (don't know what it is).

However, every single site (5 of them) with SMF installed has a parse error on the "Subs-Auth.php" file. For some reason, the bottom half of the file is missing. Because it's the Subs-Auth.php file, I wonder if it's related?

I've had this problem for a month now.

BTW, this has happened on SMF versions: 1.1 and 2.0 beta

青山 素子

Not related, and quite strange. Post a new topic and one of our support team members will help you.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


jackregan

I have now banned all E-mail addresses *@mail.ru

Okay, so I know it's a bit pointless banning individual addresses, but a whole domain might help, right?
Bible Study, Catholic News, Youth Group Stuff (my humble attempt at an SMF site... I'm grateful to the amazing people who have made SMF what it is!!

IngeJones


jackregan

I'm confused. How do they still join? I have set up a ban so that nobody with a *@mail.ru address can register
Bible Study, Catholic News, Youth Group Stuff (my humble attempt at an SMF site... I'm grateful to the amazing people who have made SMF what it is!!

IngeJones

Banning allows them to register, but then be marked as banned.  Obviously that means they can't post, so from that point of view it works.

But I have found them using all sorts of email addresses and IPs, so I don't think it is the solution.
