Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM


willerby

According to this post on phpBB http://www.phpbb.com/community/viewtopic.php?t=1947925 they are obtained from memberlist having logged in as a member and are stored. That would explain why one or two of the usernames targeted for my forum were old and inactive users who had never posted and wouldn't appear anywhere else.
What type of washing machine is September?

An autumnatic. :)

owg

Yes, I too closed the door after the horse had escaped - Unfortunately, I did not visit this thread until after I started seeing the failed login attempts in the user error logs. 

nend

Hmm strange, the bot behavior has ceased for a few hours already. I wonder what is going on. Anyone else notice the bot activity stop?

Cal O'Shaw

We've been silent for 12 hours, however, some unlikely IPs (like 12.13.14.15) are trying to log into my site right now, so I think they may have just regrouped...

owg

Quote from: nend on February 17, 2011, 05:31:23 PM
Hmm strange, the bot behavior has ceased for a few hours already. I wonder what is going on. Anyone else notice the bot activity stop?
They're hitting my site as I write - their activity has not been more than about 6-12 per day for the past few days.

butchs

Quote from: Arantor on February 17, 2011, 06:36:36 AM
Not really, no. Those orchestrating the current login attempts are not doing so directly. They have a large number of IP addresses at their disposal, the LOIC wouldn't really be able to proactively defend against anyone, unless you plan on hitting innocent bystanders.

Agreed.

It is impossible and a waste of time to try to block the IP addresses. I believe it is a waste of time to make a new release of SMF for every attack. If so SMF will never get finished.

I was getting tired of all the bots attacking me so I decided to fight back and create Forum Firewall for SMF only.  As an admin protecting your site requires some work.

To stop the attack with my mod you go to phpmyadmin and look at the visitors log.  Find the bad bot and look at what it is doing.  Note a key phrase it uses and add it to the "Injection List" and let the mod block them no matter how many ips they try to use.  To me protection is not sanitization, it is blocking!
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

szinski

My two forums have been quiet since installing Spud's Tor blocker.  8)

b4pjoe

Quote from: butchs on February 17, 2011, 07:10:00 PM
Quote from: Arantor on February 17, 2011, 06:36:36 AM
Not really, no. Those orchestrating the current login attempts are not doing so directly. They have a large number of IP addresses at their disposal, the LOIC wouldn't really be able to proactively defend against anyone, unless you plan on hitting innocent bystanders.

Agreed.

It is impossible and a waste of time to try to block the IP addresses. I believe it is a waste of time to make a new release of SMF for every attack. If so SMF will never get finished.

I was getting tired of all the bots attacking me so I decided to fight back and create Forum Firewall for SMF only.  As an admin protecting your site requires some work.

To stop the attack with my mod you go to phpmyadmin and look at the visitors log.  Find the bad bot and look at what it is doing.  Note a key phrase it uses and add it to the "Injection List" and let the mod block them no matter how many ips they try to use.  To me protection is not sanitization, it is blocking!


Where is the "visitors log" in phpmyadmin?

xrunner

Quote from: Blue Crab on February 17, 2011, 07:10:40 PM
My two forums have been quiet since installing Spud's Tor blocker.  8)

Same here. Not a peep out of the rascals. I love it!

lllbob

Hey. Yeah.. I was just looking at my logs and noticed guests trying to log into members' accounts.
password incorrect - - index.php?action=login2

All with different IPs. But haha my admin login is not my display name.

Just installed that Tor Blocker. Hope that will help.

Elysia

It's been suggested that usernames and display names should be different, but I can't find a way of letting members change their usernames (only their display names). I know I can change them as admin, but even the Global Moderators on the Board can't change their own usernames, so is there a way that I'm missing please? Or do I need to use a Mod for this? (If so which one.) Or do I need to hack the code somewhere? (If so which one and to what?) I really don't want to have to change 5,000 usernames by myself! :)

Clara Listensprechen

Quote from: xrunner on February 17, 2011, 01:22:13 PM
Quote from: Spuds on February 17, 2011, 11:49:41 AM
Which is why I had put this together .... http://www.simplemachines.org/community/index.php?topic=422433.0  It updates that TOR list for you -hourly- so that only the current nodes are blocked and not the legit ones ... also uses the public TorDNSEL service as a check which is supposedly most current / accurate .... It needs work but as a tourniquet it seems to be working on my site where I went from 1000's per day to basically none (only 36 hours of testing though)

OK I installed it and will report back as to the effectiveness on the forum being affected.
A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Clara Listensprechen

Quote from: xrunner on February 17, 2011, 08:40:50 PM
Quote from: Blue Crab on February 17, 2011, 07:10:40 PM
My two forums have been quiet since installing Spud's Tor blocker.  8)

Same here. Not a peep out of the rascals. I love it!
Or legitimate people either, I'll wager. I got bounced by your board. :P
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

xrunner

Quote from: Clara Listensprechen on February 17, 2011, 09:44:49 PM
A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.

Yea I see the error. Sorry - that was due to the Stop Forum Spam Mod, not the Tor blocker. I'd love to have you as a member though, I don't know why your IP is being blocked by Stop Forum Spam!

nend

Quote from: xrunner on February 17, 2011, 08:40:50 PM
Quote from: Blue Crab on February 17, 2011, 07:10:40 PM
My two forums have been quiet since installing Spud's Tor blocker.  8)

Same here. Not a peep out of the rascals. I love it!

Still nothing, didn't install anything extra, just the email login. I always had my custom watchdog script. Oh well, it wasn't like I wanted them to waste my CPU cycles anyway. I wonder if they are following this thread?

Clara Listensprechen

Quote from: xrunner on February 17, 2011, 09:54:13 PM
Quote from: Clara Listensprechen on February 17, 2011, 09:44:49 PM
A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.
If there's a limit on tries for getting reCaptcha correct, maybe that was it because I had trouble making out what the characters were even after I clicked to get a different image.  Can I try again, or is the problem an automatic thingie?

Yea I see the error. Sorry - that was due to the Stop Forum Spam Mod, not the Tor blocker. I'd love to have you as a member though, I don't know why your IP is being blocked by Stop Forum Spam!
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Leppie

found this site which claims that the following code would block most aggressive bots without knowing the ip addresses used:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:[email protected] [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]


am testing it now...

Aleksi "Lex" Kilpinen

I think that will not work against this I'm afraid, these bots are not the kind that tell you who they are.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas


Arantor

Indeed, the current bots are all advertising themselves as IE versions.

EDIT: Or not, I've now got a few advertising themselves as Firefox.
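
An added example, not part of any post in this thread: the sketch below runs a few entries from the User-Agent list quoted above against failed-login records and, next to it, counts distinct IPs per targeted username, which is the signal the posters describe (same account, many addresses, browser-like agents). The log line format, usernames, and addresses are constructed for illustration; SMF's real error log is laid out differently.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A few patterns from the .htaccess list quoted above (anchored prefix matches).
UA_BLOCKLIST = re.compile(r"^(BlackWidow|EmailSiphon|WebZIP|Wget|Zeus)")

# Constructed sample: failed logins to index.php?action=login2, one per line as
# "time|ip|username|user-agent". Format and values are made up for illustration.
SAMPLE = """\
2011-02-17 18:00:05|192.0.2.10|oldmember|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
2011-02-17 18:03:41|198.51.100.7|oldmember|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
2011-02-17 18:09:12|203.0.113.99|oldmember|Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20101203 Firefox/3.6.13
2011-02-17 18:10:30|203.0.113.50|alice|Mozilla/5.0 (Windows; U; Windows NT 6.1) Gecko/20101203 Firefox/3.6.13
2011-02-17 18:11:02|203.0.113.50|alice|Mozilla/5.0 (Windows; U; Windows NT 6.1) Gecko/20101203 Firefox/3.6.13
2011-02-17 18:20:00|192.0.2.77|bob|Wget/1.12 (linux-gnu)
"""

def parse(text):
    """Yield (datetime, ip, username, user_agent) per non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ua = line.split("|", 3)
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, user, ua

def blocked_by_ua(events):
    """Events the User-Agent prefix list would have rejected."""
    return [e for e in events if UA_BLOCKLIST.match(e[3])]

def distributed_targets(events, min_ips=3, window=timedelta(minutes=30)):
    """Usernames with failed logins from >= min_ips distinct IPs inside one window."""
    by_user = defaultdict(list)
    for ts, ip, user, _ in sorted(events):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        for i, (start, _) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

if __name__ == "__main__":
    events = list(parse(SAMPLE))
    print("UA list would block:", [e[1] for e in blocked_by_ua(events)])
    print("Distributed targets:", distributed_targets(events))
```

On the sample, the User-Agent list catches only the one client that names itself, while the per-account count flags the username hit from three addresses and ignores the member who mistyped a password twice from one address.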

krick

I'm running SMF 1.1.13 with the Anti-Spam Verification Questions for SMF mod.

What's the easiest way to add a validation question to the login screen?

Or probably better, add a two-step login process, where you type your username and password, and it takes you to a second screen that asks you a validation question.

Currently, my validation question is stopping 99% of the spam bots from REGISTERING at my forum, now I'd like to add the same question to each LOGIN attempt.

It would probably annoy some users, but I think they'd get over it.



