Help~ Error Log - multiple attempts to access?

Started by willerby, January 04, 2011, 06:49:14 AM

willerby

My error log shows a 70 year old member of my forum (known to me) trying to access his account multiple times every eight minutes and getting his password wrong. ???

I wrote to him and he wasn't even online. Checking again, the log-in IP addresses are all different! What is going on?


Guest
IP address 209.159.142.164
Today at 11:30 
session 6dfc5050bc113c1c707210ead9d36832
http://www.xxx.com/forum/index.php?action=login2
Password incorrect - T28trakgrip

Guest
IP address 192.251.226.205
Today at 11:22
session 105a0e649a593bc8df1dcfb3c5520529
http://www.xxx.com/forum/index.php?action=login2
Password incorrect - T28trakgrip
   
Guest
IP address 204.8.156.142 
Today at 11:14
df715b2ac5299b3e504d0c2f1699eee0
http://www.xxx.com/forum/index.php?action=login2
Password incorrect - T28trakgrip
   
Guest
IP address 109.169.29.56 
Today at 11:06
session 8c60ff88fda385ceaee4778883019407
http://www.xxx.com/forum/index.php?action=login2
Password incorrect - T28trakgrip


and so it goes on every eight minutes, all different IP addresses????

Help!
What type of washing machine is September?

An autumnatic. :)
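
Added example, not part of the thread: detection logic for the pattern in the log excerpt above, grouping failed logins by the targeted username instead of by source IP and flagging accounts hit from several addresses at a steady interval. The function names, thresholds and sample log are constructed for illustration and assume the entry layout and 24-hour "Today at HH:MM" times shown in the excerpt.

```python
import re
from collections import defaultdict
from statistics import median

# One error-log entry in the layout of the excerpt above (24-hour times assumed).
ENTRY_RE = re.compile(
    r"IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})[ \t]*\n"
    r"Today at (?P<h>\d{1,2}):(?P<m>\d{2})[^\n]*\n"
    r"(?:(?!IP address).*\n)*?"  # session/URL lines, never crossing into the next entry
    r"Password incorrect - (?P<user>[^\n]+)"
)

def _entry(ip, hhmm, user):
    """Build one constructed log entry (hypothetical helper, sample data only)."""
    return (f"Guest\nIP address {ip}\nToday at {hhmm}\nsession {'0' * 32}\n"
            f"http://forum.example/index.php?action=login2\n"
            f"Password incorrect - {user}\n")

# Constructed sample: documentation IP ranges, made-up usernames, newest first.
SAMPLE_LOG = "\n".join([
    _entry("192.0.2.10", "11:30", "alice"), _entry("198.51.100.7", "11:22", "alice"),
    _entry("203.0.113.5", "11:14", "alice"), _entry("192.0.2.99", "11:06", "alice"),
    _entry("198.51.100.20", "09:01", "bob"), _entry("198.51.100.20", "09:00", "bob"),
    _entry("192.0.2.1", "10:40", "carol"), _entry("192.0.2.2", "10:03", "carol"),
    _entry("192.0.2.3", "10:00", "carol"),
])

def distributed_guessing(log_text, min_ips=3, max_jitter_min=2):
    """Return {username: (distinct_ips, median_gap_minutes)} for accounts whose
    failed logins come from several IPs at a near-constant interval."""
    by_user = defaultdict(list)
    for m in ENTRY_RE.finditer(log_text):
        minute_of_day = int(m["h"]) * 60 + int(m["m"])
        by_user[m["user"].strip()].append((minute_of_day, m["ip"]))
    flagged = {}
    for user, hits in by_user.items():
        times = sorted(t for t, _ in hits)
        ips = {ip for _, ip in hits}
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(ips) < min_ips or not gaps:
            continue  # one source, or a single failure: ordinary typo territory
        mid = median(gaps)
        if all(abs(g - mid) <= max_jitter_min for g in gaps):
            flagged[user] = (len(ips), mid)
    return flagged

if __name__ == "__main__":
    print(distributed_guessing(SAMPLE_LOG))
```

In the sample, only the account with four source addresses at eight-minute spacing is reported; the repeated typo from one address and the irregular failures are not.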

Illori

Looks like someone/something may be trying to hack into that account.

willerby

I can only imagine a spammer bot as it's not an admin account. Do such things exist?

And why bother, I can block that username and reissue another even if it is successful.

Illori

Spammers will try whatever they can to get access to a forum and do their job. You could try giving that user a new name, in their profile, and see if that helps. They don't need to be blocked and issued a new username.

willerby

Now that I am watching the error log, it is also happening to another member... again every eight minutes but this time a member who hasn't visited the site for a while...

Just been back in touch with Trakgrip, the member mentioned above and this activity is causing him grief as when he does log-in each time the spam-bot tries to log-in over the top of him and gets the password wrong the software disconnects him and he has to log-in legitimately again. Will switch his user ID and ban the current but others should be aware that this is potentially why error logs fill with incorrect password attempts...

F*&%£$g spammers

W

willerby

Wait a minute... this doesn't make sense.

Why would a spam bot access a site every eight minutes and try and guess a password? It would take forever.

Is it possibly a spoiling tactic for SMF forums eg. if the forum has limited password attempts set, that user would have to go through the process of regenerating a password? As differing IP addresses are used, is this some sort of replicable virus? I have no idea what is going on here, just guessing - can someone else throw any light on this?

W

willerby

Having changed the user log-in names for two users affected, all incorrect password traffic has ceased and error log empty...


willerby

Not sure you guys are taking this seriously  :-\

This bot thing is relentless. I have so far banned 50 IP addresses and still it comes back with more, always trying to login as an existing user every eight minutes. At one point I am sure it used the IP address of a valid member - I banned the IP and then a regular user got locked out and I had to delete that ban trigger... is that technically possible? I have no idea.

I have implemented vbgamers Account Protection mod which allows users to specify IP addresses they want to use and blocks all others but this is a major undertaking for 3,000 members and severely restricts access to the site for users travelling / using variable IP addresses. If the above is correct, not sure how the mod will fare anyway.

If this replicates onto other forums you may need a better solution guys. Sorry...

Dermot

This is also happening to me.

Most of the time they're trying to get my password



Guest
192.251.226.205
Today at 05:08:29 AM
8be39087360cb7fb4ce636834bec6efe
Type of error: User
http://www.irish-gaming.net/index.php?action=login2
Password incorrect - Dermot

Guest
192.251.226.205
Today at 05:13:41 AM
aba7be3d46c9690578ca848fd78848a1
Type of error: User
http://www.irish-gaming.net/index.php?action=login2
Password incorrect - Dermot

Guest
199.48.147.44
Today at 05:19:15 AM
8d907c3e694dbb30727a97d29909d4d4
Type of error: User
http://www.irish-gaming.net/index.php?action=login2
Password incorrect - Dermot

Guest
199.48.147.43
Today at 05:24:44 AM
77095c324535426cacf00a766f510caf
Type of error: User
http://www.irish-gaming.net/index.php?action=login2
Password incorrect - Dermot

Guest
193.198.207.8
Today at 05:29:56 AM
3f43ab408658a9d18a8aaa7445d3d59e
Type of error: User
http://www.irish-gaming.net/index.php?action=login2
Password incorrect - Dermot

Guest
81.218.219.122
Today at 05:35:35 AM
2ad9636c356f62082ec3c1f3fa24a4e3
Type of error: User
http://www.irish-gaming.net/index.php?action=login2
Password incorrect - Dermot

Guest
86.61.72.185
Today at 05:41:00 AM
cc138110dd76d2265ff938996ee67b0f
Type of error: User
http://www.irish-gaming.net/index.php?action=login2
Password incorrect - Dermot

Guest
87.236.194.191
Today at 05:46:20 AM
c6a8b09e9bd61eb8cb4501a7de34ec1d
Type of error: User


The IP keeps changing and it keeps cutting off my session, aka every fail they get I have to relogin.

It's annoying.

willemjan

Please don't spam the forum with all those posts. I think this is indeed serious, and gave a hint to the support crew.

kat

Could just be script-kiddies trying to hack in.

They're obviously failing, so why worry?

Anyone can see your member's usernames.

That's step one they have sorted.

All they need, is their password. That's why it's good to have a fairly complicated password.

So, they try a load and, when they've exhausted that, they try someone else.

I guess it would help, a bit, if members have different display names to their actual usernames.

Not sure about that, though.

willerby

It's not the hacking, it's the constant logging out of a member who is legitimately online that is the issue. Each time they fail, the member gets logged out - not a great user experience.

Apologies for the previous posts, just needed some sort of response that this was on the radar.

kat

You might solve that, by getting him to change his display name.

IchBin™

This really is nothing to worry about. The logout problem might be able to be dealt with, but there's no need to panic about a bot trying to login. These types of things literally happen thousands of times on my server and forum every day. As long as you have strong passwords you shouldn't have to worry about them getting in.
IchBin™        TinyPortal


Remorker

1st Maybe he has a dynamic IP address, and accidentally logged every eight minutes.

2nd Maybe it comes to malicious bot?

-Remorker

willerby

Not sure if this is helpful, but after 24 hrs I seem to have stemmed the flow of log-out problems by banning each IP address as it appears. They appear to be limited in number and randomly used, with some much more prevalent than others.

For the benefit of others, they are:


At this point, the automated log-ins are no longer getting through despite repeated attempts. Hope this helps others facing this problem.

W

kat

I just checked-out ten, or so, of those IPs, at http://www.projecthoneypot.org.

Every one is a confirmed Spamtard.

For what it's worth, I've found this to be useful in the fight against bots.

http://english-72682862726.spampoison.com/

Dermot


Well yeah, I noticed it's not a bad issue if you have a decent strength password.

However, having a lot of users who play arcade which need sessions to stay before they finish game to score right, it's annoying.

You spend 15 mins playing a game to find some bot killed your session and you lose that big score, not good.

I've implemented some suggestions, we'll see how they go.

Recaptcha support
Spam poison hook
Safehop support
httpBL

Thanks folks :)

 
