Topic: Being logged out by bots trying to log in

[Arantor]

Hey, I can't see your forum's usernames... dang... now I have to rethink my bot-tactics! LOL

I was sitting here writing it while having this conversation That's what prompted the 'thinking it's easy' comment, since I'd already discovered it was a pain.

@ Arantor - Will your mod work with RC2 if I emulate RC4 ?

You can tell it to emulate RC3, RC4, RC5, RC6! or 2.0. Whether it'll work is another story, but the odds are reasonably good.

Is it only downloadable from your site?

Yes. I won't be uploading it here, not that it currently meets criteria (it doesn't - I wrote it for arantor.org first, then decided to share)



Oh, and heh, you can even see that it started out as just a Tor blocker if you look in install.xml...

[szinski]

In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

Now your error log will have a zillion entries like "Invalid login from HIDDEN" LOL

[Astra_200]

Is it only downloadable from your site?

Yes. I won't be uploading it here, not that it currently meets criteria (it doesn't - I wrote it for arantor.org first, then decided to share)

I can see you getting a few more forum members pretty fast

[Arantor]

Now your error log will have a zillion entries like "Invalid login from HIDDEN" LOL

Nope. Username not existing doesn't log an error.

Note that it won't suddenly make it stop - the bots still have some usernames in their records, but it might hopefully slow it down over the next few days or so.

I can see you getting a few more forum members pretty fast

Heh, well, they'll see the other things I got going on that keep spam down like that funky custom CAPTCHA

[Astra_200]

Thanks for the Anti-Abuse mod Arantor, installed like a dream

Very kind of you to share with the smf community.

PS - Yes that is a very smart captcha you have .

[Rik©]

In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

Thank you for sharing!
Wanted to check it out but i can't download......
Forgot my pw, got the mail with the reset link, clicked it and..... nothing, just index.php 

-Rik©

[Arantor]

Forgot my pw, got the mail with the reset link, clicked it and..... nothing, just index.php

Odd, outbound email should work alright (I changed my account username earlier today, and promptly forgot my password after I changed them both at the same time... and it worked then)

[Rik©]

Forgot my pw, got the mail with the reset link, clicked it and..... nothing, just index.php

Odd, outbound email should work alright (I changed my account username earlier today, and promptly forgot my password after I changed them both at the same time... and it worked then)

Tried it again (this time copied the link) and it works, can choose a new pw now.
Must be gmail, when i just click the link it takes me to index.php...

Again, thanks for sharing, you're the best 

-Rik©

[Astra_200]

If its any help, my Arantorhome registration mail came out just fine.

[Arantor]

Must be gmail, when i just click the link it takes me to index.php...

That's been reported for GMail+IE, no other combination that I'm aware of.

Again, thanks for sharing, you're the best

*blush*

[Tanks]

Thanks Arantor It works on my heavy modded RC2 forum.

Only glitches is the portal blocks that shows recent topics, and the related topics mod, but I don't think the bots looks at those places.

[Arantor]

Well, they'd have to be modified manually, I couldn't take into account all the possible variations like that. (If only there were a single common function that should be used to get member details... oh wait, there is one, just half of SMF doesn't use it!)

[Tanks]

Doesn't matter, I can just turn of the blocks for guests, and put something else there.

And regarding the related topics it almost only shows my name as I am the topic starter of 99% of all topics. And my display name is of course not the same as my login name.

Also i added HIDDEN to reserved name list came up with that one myself

So all in all I feel so much more protected against these stupid attacks now, and i want to THANK YOU for that. Big Time.

[Arantor]

If your display name is different to your username, you're actually safe yourself from attack anyway (I am on my own site, for example)

[Astra_200]

Names are still visable in Simple Portal and the Avea Media gallery too, but anything to help stop this attack is a good thing.

I've not had one error since I've installed Arantors mod whereas before they were coming in once every couple of minutes.

Well done that man!!

[fiver]

Hi Arantor,


Many thanks for antiabuse mod.


For those interested, there are 2 more areas with usernames exposed
1. Latest Member: xxxxx
2. /index.php?action=sitemap;sa=topics (sitemap mod)


Proxy Blocker kept them off since installed a few hours back but 1 member did complain being blocked out. So I unstalled PB, installed antiabuse and in the last 30 mins they came back with usernames and password incorrect again.


Update: They didnt come back in the last 30 min.

[willerby]

Congrats Arantor. Good work.

Will be interesting to see if the bot has stored the existing usernames or is harvesting them on the fly. From the activity I saw I suspect the latter which will make this mod pretty secure for those unwilling to force email log-in.

It occurs to me that all the authors have to do is register manually and log-in to see usernames. Can they automate that?

Earlier someone asked why SMF forums were under attack. Given this some thought over the last month or so since this hit my forum as I too couldn't understand why an attempt to guess a password was every 8 minutes. Led me to two conclusions:

1) A spoiler attack on SMF forums by forcing log-outs - every eight minutes on the same user for a period then try someone else.

2) A deliberately persistent but slow attack on multiple forums to obtain passwords without alerting too many people too quickly.

I don't buy the latter as it would make more sense to randomize the usernames on each log-in to avoid alerting admins or users that multiple attempts were taking place. But it is a risk and one I couldn't discount.

I haven't checked but are other forums (non-SMF) suffering similar attacks?   
Ultimately I guess the answer will be 'because they can'. As for other motivation, who knows. Warped minds.

[Aleksi "Lex" Kilpinen]

I've monitored this activity on my forum, and it seems one IP will do one login attempt, to two different accounts, about 10 minutes apart and then go away for a couple of hours before coming back to do the same again. In between these visits, other IPs do the same, with similar intervals to different accounts. All together it adds up to tens, even hundreds of attempts a day - but it's really really hard totell apart legit attempts from the bots, other than the fact that it seems a notable portion of the bot IPs belong to TOR networks.

Most probably their only goal is to collect login+pw pairs, to be used elsewhere for more sinister purposes and targeted attacks.

[Arantor]

Re the above post, yes the latest member is exposed, as are stats. I won't be adding any more though (and certainly not support for any mods)

[szinski]

Most probably their only goal is to collect login+pw pairs, to be used elsewhere for more sinister purposes and targeted attacks.

I thought about that scenario myself... if the bot were able to guess a password, then a human could login as that person and access their profile. From the profile, they could glean the person's e-mail address. Now armed with an e-mail address and password, they might try accessing PayPal (etc.) with that email/password pair since a lot of people use the same password everywhere.

IDK, but it's a well orchestrated attack... I'm even seeing this activity on a couple of my tiny non-publicized "private" forums.