Advertisement:

Author Topic: Being logged out by bots trying to log in  (Read 143207 times)

Offline laetabi

  • Full Member
  • ***
  • Posts: 428
  • Gender: Male
Re: Being logged out by bots trying to log in
« Reply #300 on: February 17, 2011, 05:04:29 PM »
According to this post on phpBB http://www.phpbb.com/community/viewtopic.php?t=1947925 they are obtained from memberlist having logged in as a member and are stored. That would explain why one or two of the usernames targeted for my forum were old and inactive users who had never posted and wouldn't appear anywhere else.
What type of washing machine is September?

An autumnatic. :)

Offline owg

  • Semi-Newbie
  • *
  • Posts: 29
Re: Being logged out by bots trying to log in
« Reply #301 on: February 17, 2011, 05:20:10 PM »
Yes, I too closed the door after the horse had escaped - Unfortunately, I did not visit this thread until after I started seeing the failed login attempts in the user error logs. 

Offline nend

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 1,755
  • 2 deep n2 the code
    • sicommnend on GitHub
    • SIComm.us
Re: Being logged out by bots trying to log in
« Reply #302 on: February 17, 2011, 05:31:23 PM »
Hmm strange, the bot behavior has ceased for a few hours already. I wonder what is going on. Anyone else notice the bot activity stop?

Offline Cal O'Shaw

  • Full Member
  • ***
  • Posts: 444
  • SMF 1.1.14 & 2.0 Sites
Re: Being logged out by bots trying to log in
« Reply #303 on: February 17, 2011, 05:39:24 PM »
We've been silent for 12 hours, however, some unlikely IPs (like 12.13.14.15) are trying to log into my site right now, so I think they may have just regrouped...

Offline owg

  • Semi-Newbie
  • *
  • Posts: 29
Re: Being logged out by bots trying to log in
« Reply #304 on: February 17, 2011, 06:43:50 PM »
Hmm strange, the bot behavior has ceased for a few hours already. I wonder what is going on. Anyone else notice the bot activity stop?
They're hitting my site as I write - their activity has not been more than about 6-12 per day for the past few days.

Offline butchs

  • SMF Hero
  • ******
  • Posts: 1,728
  • Lost 7GB bandwidth!
    • EastCoastRollingThunder
Re: Being logged out by bots trying to log in
« Reply #305 on: February 17, 2011, 07:10:00 PM »
Not really, no. Those orchestrating the current login attempts are not doing so directly. They have a large number of IP addresses at their disposal, the LOIC wouldn't really be able to proactively defend against anyone, unless you plan on hitting innocent bystanders.

Agreed.

It is impossible and a waste of time to try to block the ip addressees.  I believe it is a waste of time to make a new release of SMF for every attack.  If so SMF will never get finished.

I was getting tired of all the bots attacking me so I decided to fight back and create Forum Firewall for SMF only.  As an admin protecting your site requires some work.

To stop the attack with my mod you go to phpmyadmin and look at the visitors log.  Find the bad bot and look at what it is doing.  Note a key phrase it uses and add it to the "Injection List" and let the mod block them no matter how many ips they try to use.  To me protection is not sanitization, it is blocking!
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Offline szinski

  • Jr. Member
  • **
  • Posts: 114
  • Gender: Male
  • Programmer by day, photographer by night.
    • Pizza Making
Re: Being logged out by bots trying to log in
« Reply #306 on: February 17, 2011, 07:10:40 PM »
My two forums have been quiet since installing Spud's Tor blocker.  8)

Offline b4pjoe

  • Jr. Member
  • **
  • Posts: 395
  • Gender: Male
    • B4print.com
Re: Being logged out by bots trying to log in
« Reply #307 on: February 17, 2011, 07:46:19 PM »
Not really, no. Those orchestrating the current login attempts are not doing so directly. They have a large number of IP addresses at their disposal, the LOIC wouldn't really be able to proactively defend against anyone, unless you plan on hitting innocent bystanders.

Agreed.

It is impossible and a waste of time to try to block the ip addressees.  I believe it is a waste of time to make a new release of SMF for every attack.  If so SMF will never get finished.

I was getting tired of all the bots attacking me so I decided to fight back and create Forum Firewall for SMF only.  As an admin protecting your site requires some work.

To stop the attack with my mod you go to phpmyadmin and look at the visitors log.  Find the bad bot and look at what it is doing.  Note a key phrase it uses and add it to the "Injection List" and let the mod block them no matter how many ips they try to use.  To me protection is not sanitization, it is blocking!


Where is the "visitors log" in phpmyadmin?

Offline xrunner

  • Sophist Member
  • *****
  • Posts: 1,019
  • Gender: Male
  • Karma +584/-1
Re: Being logged out by bots trying to log in
« Reply #308 on: February 17, 2011, 08:40:50 PM »
My two forums have been quiet since installing Spud's Tor blocker.  8)

Same here. Not a peep out of the rascals. I love it!

Offline lllbob

  • Newbie
  • *
  • Posts: 7
Re: Being logged out by bots trying to log in
« Reply #309 on: February 17, 2011, 09:20:40 PM »
    Hey. Yeah.. I was just looking at my logs and noticed guests trying to log into members accounts.
    password incorrect - - index.php?action=login2 

    All with different ip's.   But haha my admin login is not my display name.

    Just installed that Tor Blocker. Hope that will help.

Offline Elysia

  • Semi-Newbie
  • *
  • Posts: 52
Re: Being logged out by bots trying to log in
« Reply #310 on: February 17, 2011, 09:35:13 PM »
It's been suggested that usernames and display names should be different, but I can't find a way of letting members change their usernames (only their display names). I know I can change them as admin, but even the Global Moderators on the Board can't change their own usernames, so is there a way that I'm missing please? Or do I need to use a Mod for this? (If so which one.) Or do I need to hack the code somewhere? (If so which one and to what?) I really don't want to have to change 5,000 usernames by myself! :)

Offline Clara Listensprechen

  • Jr. Member
  • **
  • Posts: 256
  • Gender: Female
  • Impossible Person
    • clara.listensprechen on Facebook
    • @ClaraListenspre on Twitter
    • Clara's Cranny blog
Re: Being logged out by bots trying to log in
« Reply #311 on: February 17, 2011, 09:44:49 PM »
Which is why I had put this together .... http://www.simplemachines.org/community/index.php?topic=422433.0  It updates that TOR list for you -hourly- so that only the current nodes are blocked and not the legit ones ... also uses the public TorDNSEL service as a check which is supposedly most current / accurate .... It needs work but as a tourniquet it seems to be working on my site where I went from 1000's per day to basically none (only 36 hours of testing though)

OK I installed it and will report back as to the effectiveness on the forum being affected.
A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Offline Clara Listensprechen

  • Jr. Member
  • **
  • Posts: 256
  • Gender: Female
  • Impossible Person
    • clara.listensprechen on Facebook
    • @ClaraListenspre on Twitter
    • Clara's Cranny blog
Re: Being logged out by bots trying to log in
« Reply #312 on: February 17, 2011, 09:45:46 PM »
My two forums have been quiet since installing Spud's Tor blocker.  8)

Same here. Not a peep out of the rascals. I love it!
Or legitimate people either, I'll wager. I got bounced by your board. :P
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Offline xrunner

  • Sophist Member
  • *****
  • Posts: 1,019
  • Gender: Male
  • Karma +584/-1
Re: Being logged out by bots trying to log in
« Reply #313 on: February 17, 2011, 09:54:13 PM »
A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.

Yea I see the error. Sorry - that was due to the Stop Forum Spam Mod, not the Tor blocker. I'd love to have you as a member though, I don't know why your IP is being blocked by Stop Forum Spam!

Offline nend

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 1,755
  • 2 deep n2 the code
    • sicommnend on GitHub
    • SIComm.us
Re: Being logged out by bots trying to log in
« Reply #314 on: February 17, 2011, 10:05:19 PM »
My two forums have been quiet since installing Spud's Tor blocker.  8)

Same here. Not a peep out of the rascals. I love it!

Still nothing, didn't install anything extra just the email login, I always had my custom watchdog script. O'well it wasn't like I wanted them to waste my cpu cycles anyways. I wonder if they are following this thread?

Offline Clara Listensprechen

  • Jr. Member
  • **
  • Posts: 256
  • Gender: Female
  • Impossible Person
    • clara.listensprechen on Facebook
    • @ClaraListenspre on Twitter
    • Clara's Cranny blog
Re: Being logged out by bots trying to log in
« Reply #315 on: February 17, 2011, 10:29:57 PM »
A little too effective. Your anti-spam measures have my registration on your board labeled Spam. I assure you I'm not a spammer--I'm just an atheist.
If there's a limit on tries for getting reCaptcha correct, maybe that was it because I had trouble making out what the characters were even after I clicked to get a different image.  Can I try again, or is the problem an automatic thingie?

Yea I see the error. Sorry - that was due to the Stop Forum Spam Mod, not the Tor blocker. I'd love to have you as a member though, I don't know why your IP is being blocked by Stop Forum Spam!
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Offline Leppie

  • Jr. Member
  • **
  • Posts: 108
Re: Being logged out by bots trying to log in
« Reply #316 on: February 18, 2011, 11:19:43 AM »
found this site which claims that the following code would block most aggressive bots without knowing the ip addresses used:
Code: [Select]
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]

am testing it now...

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,617
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: Being logged out by bots trying to log in
« Reply #317 on: February 18, 2011, 11:25:47 AM »
I think that will not work against this I'm afraid, these bots are not the kind that tell you who they are.
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,600
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #318 on: February 18, 2011, 11:31:45 AM »
Indeed, the current bots are all advertising themselves as IE versions.

EDIT: Or not, I've now got a few advertising themselves as Firefox.
« Last Edit: February 18, 2011, 12:15:18 PM by Arantor »
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline krick

  • Jr. Member
  • **
  • Posts: 173
    • tank + paladin = tankadin
Re: Being logged out by bots trying to log in
« Reply #319 on: February 18, 2011, 12:14:46 PM »
I'm running SMF 1.1.13 with the Anti-Spam Verification Questions for SMF mod.

What's the easiest way to add a validation question to the login screen?

Or probably better, add a two-step login process, where you type your username and password, and it takes you to a second screen that asks you a validation question.

Currently, my validation question is stopping 99% of the spam bots from REGISTERING at my forum, now I'd like to add the same question to each LOGIN attempt.

It would probably annoy some users, but I think they'd get over it.