News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM

Previous topic - Next topic

HamishM

#320
Using 1.1.13

I have the Avatar Verification Mod as the first hurdle before getting to the registration page, that coupled with RECAPTCHA keeps the bots from trying to register.........

I have now installed the EMAIL login mod, works a treat and have removed the .htaccess from my server banning the offending IP's.
Now have a normal error log again......... ;D

Norv

Yes, the email login, if possible at all to use for your forum, really helps at this moment. It may not be appropriate for any forum though.
Thank you for letting us know.

Also, if your forum is currently targeted by Tor addresses (quite a number of forums are, though not all) you may want to try this: Tor Blocker, as a short term solution against them. Please note that Tor users can very well be legitimate, innocent users... unfortunately at this moment the malicious users are using it heavily, and if you want to identify and block them for now, this mod is useful.

We're working on a few more possibilities and we'll come back on this.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

CountryLady

Just a note to add a "Thank You~!" to all who are working on this issue.
I'm not a very knowledgeable forum owner, and I really depend on people like y'all to resolve these Technology problems.

What has worked well for me is the old-fashioned labor intensive research and ban IP Ranges. My members come mostly from just a couple of countries, so I can ban huge blocks of IPs with no problems for me. There are a few bots trying to crack passwords but they get banned now and can't get to the forum.

Still, it will be good to get a special mod to block all the attacks.

Thanks again folks. :D

xrunner

I turned off the Tor-blocker this morning to see what would happen, it had been running for a few days. Sure enough, the password errors started up immediately. I don't think the systems are looking at the fact their attempts to access the forum are being blocked.

Arantor

They're not, no.

I do have a patch that is two lines and nails the attempts dead in the water, without the hassle or risk of blocking genuine users that Tor might have - but I still want a little more proof that it's not hitting any genuine users. I've lost count of the hundreds of bot hits I had and so far still no false positives.

Spuds

QuoteI do have a patch that is two lines and nails the attempts dead in the water
Great news, thanks for continuing to work on this, be nice to have something other than a sledgehammer!  Does this do something similar to the block but based instead of on the IP its based on the whats and wheres MO of the bot?

Arantor

Yes, it blocks totally on the bot's MO, and uncovered what I believe is a bug in SMF itself in the process - which the bot is actually exploiting, though indirectly. (I have documented the bug on the tracker, naturally)

I'm now happy that it's doing what it's supposed to, so I've removed the debugging log it did and provided a general error (English only, didn't see any point in doing that part properly)

Should install cleanly on all 1.1.x and current 2.0 versions.

xrunner

Quote from: Arantor on February 19, 2011, 10:50:28 AM

Should install cleanly on all 1.1.x and current 2.0 versions.

Cool, I'm trying it now ...

butchs

I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

busterone

I am curious about Arantor's idea as well.  This present attack may just be a precursor for another larger one later down the road.

Arantor

The attack has already occurred on other platforms, not just SMF.

Thing is, if the underlying login mechanism is altered to fix the issue I reported, this entire attack pattern just fails anyway.

青山 素子

Arantor, I think I found an issue with the way you are "fixing" the issue and sent you a PM about it.

For the public: This possible issue would likely impact less than 1% of legitimate users if any.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Arantor

I replied, but just for those following, this fix is not a broad solution to the issues that are involved, it's a *specific* bullet for this specific issue, based on the exact MO of the bots making these attempts, and won't solve any other issues.

busterone

Understood. I wondered if that were the case, considering you were studying their MO closely.

xrunner

I uninstalled the Tor blocker, and confirmed I was still getting bot login errors. I then installed Arantor's Mod. I can conform it does work on the forum I'm having a problem with.

nend

Still no activity from these bots on all my sites across different domains for the last couple days. I wonder if my host has done any blocking.  :-\

Arantor

Quote from: nend on February 19, 2011, 11:47:11 AM
Still no activity from these bots on all my sites across different domains for the last couple days. I wonder if my host has done any blocking.  :-\

Or they just didn't like you much :P Not all my forums got hit either, I should point out.

nend

Quote from: Arantor on February 19, 2011, 11:48:27 AM
Quote from: nend on February 19, 2011, 11:47:11 AM
Still no activity from these bots on all my sites across different domains for the last couple days. I wonder if my host has done any blocking.  :-\

Or they just didn't like you much :P Not all my forums got hit either, I should point out.

All my forums where getting hit hard by this bot a couple days ago. Just wondering.

Arantor


krick

I just installed Arantor's Mod and removed the giant list of "deny from" entries from my .htaccess.

It appears, at least for the time being, that Arantor's Mod is working against the bot tide.

Advertisement: