BOT attempting to gain access to accounts

Started by xIsabel38, January 04, 2011, 12:24:47 AM


xIsabel38

Hello all,

Today, an idiot set up a bot which has been trying to log in to user accounts on my forum pretty much for the last 18 hours. I've set up a lot of protection mods such as the IP Protection one by vbgamer which has helped, but the bot is still there and still trying. It uses multiple IP addresses so I cannot simply ban it.

Let me state that the BOT is not attempting to register accounts on my forum, but rather it is trying to log in to member and administrator accounts by guessing the correct passwords. Obviously, password security has been addressed.

The person behind the BOT has attempted to access my server database as well. Is there anything I can do to remove this threat?

EDIT: My forum is located here [nofollow].

Ashley S

Remove the bot from inside the admin control panel?
Ask for a backup from your web hosting company ;).

Illori

is the bot using a specific ip scheme? if so you can do an ip ban from your cpanel to block that ip scheme and keep the bot away.

N3RVE

If the BOT is using a specific IP scheme, you can use a .htaccess to block its access to your website.
Ralph "[n3rve]" Otowo
Former Marketing Co-ordinator, Simple Machines.
ralph [at] simplemachines [dot] org
"Somewhere, something incredible is waiting to be known." - Carl Sagan

xIsabel38

Hello and thank you for the responses. However, I'm pretty idiotic when it comes to understanding this stuff. I mentioned the bot simply changes its IP. We have banned over 15 different IPs it uses but it simply changes them all. I'm not sure what you mean by IP Scheme or how to determine this at all. A guide for dummies would be very helpful.

I'm not sure what asking for a backup from my webhost will do. I already have a backup. A backup will not get rid of the bot that has still been trying and is currently trying for over 24 hours now. It's not going to go away simply because I have a backup.

Reading that article, it says I can block bots by name. But how do I figure out what the name of it is? Any help in this situation would be really appreciated.


N3RVE

Quote from: xIsabel38 on January 04, 2011, 09:39:36 AM
Hello and thank you for the responses. However, I'm pretty idiotic when it comes to understanding this stuff. I mentioned the bot simply changes its IP. We have banned over 15 different IPs it uses but it simply changes them all. I'm not sure what you mean by IP Scheme or how to determine this at all. A guide for dummies would be very helpful.

An IP address is made up of four different numbers ranging between 0 & 255 (an example is: 202.12.27.154); the four separate numbers are called "octets". By IP Scheme, I mean addresses that share the first 3 octets. For example, these addresses have the same scheme:
  • 202.12.27.15
  • 202.12.27.182
  • 202.12.27.97
  • 202.12.27.45

Quote from: xIsabel38 on January 04, 2011, 09:39:36 AM
I'm not sure what asking for a backup from my webhost will do. I already have a backup. A backup will not get rid of the bot that has still been trying and is currently trying for over 24 hours now. It's not going to go away simply because I have a backup.

I'm not sure why Ashley S. was talking about a backup as I don't see the relation.


Thanks for the link, Mastered

-[n3rve]
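The grouping by "IP scheme" described above, as an added example that is not part of the original thread: it groups failed-login source addresses by their first three octets (a /24) and emits Apache 2.4 `Require not ip` lines only for ranges seen from several distinct addresses, listing the scattered ones separately. The log format, the sample lines and the `min_hosts` threshold are assumptions, not SMF's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines; this log format is an assumption, not SMF's own.
SAMPLE_LOG = """\
2011-01-04 09:01:12 login_failed user=admin ip=202.12.27.15
2011-01-04 09:01:40 login_failed user=admin ip=202.12.27.182
2011-01-04 09:02:03 login_failed user=mod1 ip=202.12.27.97
2011-01-04 09:02:31 login_failed user=mod1 ip=202.12.27.45
2011-01-04 09:03:10 login_failed user=admin ip=198.51.100.7
2011-01-04 09:03:55 login_ok user=alice ip=203.0.113.20
2011-01-04 09:04:20 login_failed user=bob ip=192.0.2.66
2011-01-04 09:04:21 login_failed user=bob ip=not-an-ip
"""
LINE_RE = re.compile(r"login_failed\s+user=\S+\s+ip=(\S+)")

def group_by_scheme(log_text):
    """Map each /24 network to the distinct addresses that failed a login."""
    schemes = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        try:
            addr = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # malformed address field
        schemes[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)
    return schemes

def split_schemes(schemes, min_hosts=3):
    """Ranges with >= min_hosts distinct sources, and the leftover single IPs."""
    ranges = sorted(n for n, h in schemes.items() if len(h) >= min_hosts)
    scattered = sorted(a for n, h in schemes.items() if len(h) < min_hosts for a in h)
    return ranges, scattered

def htaccess_block(ranges):
    """Render Apache 2.4 .htaccess directives denying the given ranges."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {n}" for n in ranges]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    ranges, scattered = split_schemes(group_by_scheme(SAMPLE_LOG))
    print(htaccess_block(ranges))
    print("No shared scheme (a range ban will not cover these):", *scattered)
```

Addresses in the scattered list share no range, so a range ban does not cover them, and widening the ban to catch them is what risks locking out legitimate members.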

azun4i

Hi all,
i got that problem too...

i got ~5000 users and secure login enabled not a single acc got hacked for now, but its srsly harassing to always reenable your account by using the securemail function...

afaik most of the attackers IP addresses are listed by TOR (torproject.org)
banning them is very successful, sadly only for one or two days :/

atm i think about adding captchas to the login form, if anyone alrdy knows how, please post it :D

btw, i use SMF 2 RC4

greets

SilverLining

Probably a dumb question but: I'm having the same problem and was wondering if there's a way to stop it besides blocking IPs? I know there probably isn't, but blocking a bunch of IPs always makes me nervous that I'm shutting potential legit members as well.

azun4i

i know what you mean ;)

well as i said above, someone could add an additional captcha to the smf login form

1cor1313

Yeah, I've been having the same issue. Anyone know of a captcha for login forms?

Illori

there is no captcha for login, but you could always request one on the mod requests board.

SilverLining

I've been checking my logs and for me some of the attempted logins come from the same IP scheme but not at all all of them. Will the htaccess mod work for me or is there something else I can try?

gallitin

Same problem here, on RC4.  Gotta be some resolution?
-gall

willerby

What type of washing machine is September?

An autumnatic. :)


willerby

http://custom.simplemachines.org/mods/index.php?mod=1665

Forces log-in using email address - works on RC4, emulated for RC3 in package manager. Bot has no idea what email addresses of members are so can't log people out... yay!