Topic: Being logged out by bots trying to log in

[willerby]

According to this post on phpBB http://www.phpbb.com/community/viewtopic.php?t=1947925 they are obtained from memberlist having logged in as a member and are stored. That would explain why one or two of the usernames targeted for my forum were old and inactive users who had never posted and wouldn't appear anywhere else.

[owg]

Yes, I too closed the door after the horse had escaped - Unfortunately, I did not visit this thread until after I started seeing the failed login attempts in the user error logs. 

[nend]

Hmm strange, the bot behavior has ceased for a few hours already. I wonder what is going on. Anyone else notice the bot activity stop?

[Cal O'Shaw]

We've been silent for 12 hours, however, some unlikely IPs (like 12.13.14.15) are trying to log into my site right now, so I think they may have just regrouped...

[owg]

Hmm strange, the bot behavior has ceased for a few hours already. I wonder what is going on. Anyone else notice the bot activity stop?

They're hitting my site as I write - their activity has not been more than about 6-12 per day for the past few days.

[butchs]

Not really, no. Those orchestrating the current login attempts are not doing so directly. They have a large number of IP addresses at their disposal, the LOIC wouldn't really be able to proactively defend against anyone, unless you plan on hitting innocent bystanders.

Agreed.

It is impossible and a waste of time to try to block the ip addressees.  I believe it is a waste of time to make a new release of SMF for every attack.  If so SMF will never get finished.

I was getting tired of all the bots attacking me so I decided to fight back and create Forum Firewall for SMF only.  As an admin protecting your site requires some work.

To stop the attack with my mod you go to phpmyadmin and look at the visitors log.  Find the bad bot and look at what it is doing.  Note a key phrase it uses and add it to the "Injection List" and let the mod block them no matter how many ips they try to use.  To me protection is not sanitization, it is blocking!

[szinski]

My two forums have been quiet since installing Spud's Tor blocker. 

[b4pjoe]

Not really, no. Those orchestrating the current login attempts are not doing so directly. They have a large number of IP addresses at their disposal, the LOIC wouldn't really be able to proactively defend against anyone, unless you plan on hitting innocent bystanders.

Agreed.

It is impossible and a waste of time to try to block the ip addressees.  I believe it is a waste of time to make a new release of SMF for every attack.  If so SMF will never get finished.

I was getting tired of all the bots attacking me so I decided to fight back and create Forum Firewall for SMF only.  As an admin protecting your site requires some work.

To stop the attack with my mod you go to phpmyadmin and look at the visitors log.  Find the bad bot and look at what it is doing.  Note a key phrase it uses and add it to the "Injection List" and let the mod block them no matter how many ips they try to use.  To me protection is not sanitization, it is blocking!

Where is the "visitors log" in phpmyadmin?

[xrunner]

My two forums have been quiet since installing Spud's Tor blocker. 

Same here. Not a peep out of the rascals. I love it!

[lllbob]

    Hey. Yeah.. I was just looking at my logs and noticed guests trying to log into members accounts.
    password incorrect - - index.php?action=login2 

    All with different ip's.   But haha my admin login is not my display name.

    Just installed that Tor Blocker. Hope that will help.

[Elysia]

It's been suggested that usernames and display names should be different, but I can't find a way of letting members change their usernames (only their display names). I know I can change them as admin, but even the Global Moderators on the Board can't change their own usernames, so is there a way that I'm missing please? Or do I need to use a Mod for this? (If so which one.) Or do I need to hack the code somewhere? (If so which one and to what?) I really don't want to have to change 5,000 usernames by myself!

[Clara Listensprechen]

Which is why I had put this together .... http://www.simplemachines.org/community/index.php?topic=422433.0  It updates that TOR list for you -hourly- so that only the current nodes are blocked and not the legit ones ... also uses the public TorDNSEL service as a check which is supposedly most current / accurate .... It needs work but as a tourniquet it seems to be working on my site where I went from 1000's per day to basically none (only 36 hours of testing though)

OK I installed it and will report back as to the effectiveness on the forum being affected.

A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.

[Clara Listensprechen]

My two forums have been quiet since installing Spud's Tor blocker. 

Same here. Not a peep out of the rascals. I love it!

Or legitimate people either, I'll wager. I got bounced by your board.

[xrunner]

A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.

Yea I see the error. Sorry - that was due to the Stop Forum Spam Mod, not the Tor blocker. I'd love to have you as a member though, I don't know why your IP is being blocked by Stop Forum Spam!

[nend]

My two forums have been quiet since installing Spud's Tor blocker. 

Same here. Not a peep out of the rascals. I love it!

Still nothing, didn't install anything extra just the email login, I always had my custom watchdog script. O'well it wasn't like I wanted them to waste my cpu cycles anyways. I wonder if they are following this thread?

[Clara Listensprechen]

A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.

If there's a limit on tries for getting reCaptcha correct, maybe that was it because I had trouble making out what the characters were even after I clicked to get a different image.  Can I try again, or is the problem an automatic thingie?

Yea I see the error. Sorry - that was due to the Stop Forum Spam Mod, not the Tor blocker. I'd love to have you as a member though, I don't know why your IP is being blocked by Stop Forum Spam!

[Leppie]

found this site which claims that the following code would block most aggressive bots without knowing the ip addresses used:

Code: [Select]

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
am testing it now...

[Aleksi "Lex" Kilpinen]

I think that will not work against this I'm afraid, these bots are not the kind that tell you who they are.

[Arantor]

Indeed, the current bots are all advertising themselves as IE versions.

EDIT: Or not, I've now got a few advertising themselves as Firefox.

[krick]

I'm running SMF 1.1.13 with the Anti-Spam Verification Questions for SMF mod.

What's the easiest way to add a validation question to the login screen?

Or probably better, add a two-step login process, where you type your username and password, and it takes you to a second screen that asks you a validation question.

Currently, my validation question is stopping 99% of the spam bots from REGISTERING at my forum, now I'd like to add the same question to each LOGIN attempt.

It would probably annoy some users, but I think they'd get over it.