Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM

Previous topic - Next topic

TDNY

Quote from: Elysia on February 11, 2011, 10:22:34 PM
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

This crashed my site, I don't know what went wrong. I uploaded it to the root, that was fine. re-named it .htaccess, clicked ok and the file disappeared from the list. I went to my site and all access was denied. Called support and they were able to see .htaccess it was a hidden file. They tried deleting it but that didn't work they had to do a back-up restore off the server.

xrunner

I have a forum I help out with being hit hard by this junk. The bots make accounts with spam ads in the signatures, but they don't make any posts for the members to see the ads. This part I don't understand. Why go to the trouble of making an account with an ad and not posting it for people to see? The membernames are of the form two words and some numbers -

riceticky06
jillskinny12

I also have hundreds of errors in the log for password incorrect errors.

busterone

Quote from: xrunner on February 13, 2011, 09:26:01 PM
I have a forum I help out with being hit hard by this junk. The bots make accounts with spam ads in the signatures, but they don't make any posts for the members to see the ads. This part I don't understand. Why go to the trouble of making an account with an ad and not posting it for people to see? The membernames are of the form two words and some numbers -

riceticky06
jillskinny12

I also have hundreds of errors in the log for password incorrect errors.
The two usernames you listed are probably just spammers not connected to the log in attack that has been going on. The spammers put their ads in profiles with the hope that if profiles are viewable by guests, they will be viewable and indexed by search engines. Most forum admins do not allow guest viewing of profiles, so it becomes a wasted effort by the spammers. Who ever said that spammers are smart though.  ;)

Norv

Quote from: sheryltoo on February 13, 2011, 09:07:02 PM
This problem started in my forum yesterday so I upgraded to RC4 and added the security patch but it didn't help.
Also, I don't know if this is related but not one member has signed in or posted on my site since I did the upgrade. I keep seeing lots of guest viewing the site but no one signing in.
That's kind of unusal for my site so I don't know if my members are having problems because of the bots or the upgrade.

You can log in, as I understand. You could make another account, a simple member account, and see if you can log in on that account and navigate normally around the forum.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

xrunner

Quote from: busterone on February 13, 2011, 09:33:38 PMThe two usernames you listed are probably just spammers not connected to the log in attack that has been going on. The spammers put their ads in profiles with the hope that if profiles are viewable by guests, they will be viewable and indexed by search engines. Most forum admins do not allow guest viewing of profiles, so it becomes a wasted effort by the spammers. Who ever said that spammers are smart though.  ;)

Ah OK, well the member's profiles can't be seen by guests so that's a waste of effort alright. Most of the time the spammer member name is exactly the same as the first part of the registration email they use, so I think I'll switch to account approval and see if I can't cull out some of these vile spam accounts.

nvcnvn

Can we just show a Verification Questions on login page!?

busterone

That will help deter them from actually getting the password by brute force, but it will not stop them from trying. The errors will still be in the error log.

nvcnvn

Ok.

But, my question is: why the true user was log-out when these bot enter the wrong password!?

I have update my forum to RC5 I hope this issue will be fix. just wait....

busterone

The upgrade fix is to stop logged in users from being logged out by the bot attacks.

nvcnvn

Ok, I see!
now keep discuss about how to stop them!

PLAYBOY

Quote from: nvcnvn on February 13, 2011, 10:08:35 PM
Can we just show a Verification Questions on login page!?

Cool idea, or a recaptcha would work perfect too.


QuoteIf you have a text editor that handles regular expressions, set the find string to "^" and the replace to "Deny from ".

but there is no ^ string. Its just single ips on each line.

青山 素子

Quote from: PLAYBOY on February 13, 2011, 11:23:44 PM
QuoteIf you have a text editor that handles regular expressions, set the find string to "^" and the replace to "Deny from ".

but there is no ^ string. Its just single ips on each line.

Right, which is why I mentioned regular expressions. In regex-speak, "^" is code for "beginning of the line".
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Ryan2320

Quote from: Elysia on February 11, 2011, 10:22:34 PM
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Thanks for that list this should at least slow them down more...
Ryan

krick

#73
Quote from: joec88 on February 13, 2011, 01:26:47 AM

I still think there are better targets to hit than forums.


I run a forum for World of Warcraft players.  If someone on my forum uses the same username and password as their user account on Warcraft, and my forum gets hacked by these bots, guess who is probably going to get their Warcraft account looted?   There's big money in Warcraft gold.

Aleksi "Lex" Kilpinen

The sad truth of it is that forums are pretty much the last place on internet where you can harvest accountnames, e-mail addresses, and passwords linked to both of those, easily from centralised locations - if you are succesfull at brute forcing your way in to those accounts. So, it kind of makes sense that bots like these  target forums. They are not after information kept on the forum, or your private messages, they are more probably after actual login data.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

willerby

#75
I posted previously in this topic having been an early target of the bot in question.

Denying IP addresses and installing anti-spam mods like httpBL are all good things to do but a simple secure fix for this attack is to hide all email addresses by default and force members to log-in using their email address.

Part of the vulnerability of forums to this type of attack is that one part of the log-in info is public domain (eg. Usernames can be seen all over the forum and can be harvested easily).

By logging in using email address the bots have to find out and hit an active email address to log-out a user.

There is a simple mod for this 'force email log-in' and this will stop all error log entries and make your forum much more secure to any future variants these script kiddies develop.

http://custom.simplemachines.org/mods/index.php?mod=1665
What type of washing machine is September?

An autumnatic. :)

Arantor

Funnily enough this discussion was had not that long ago in the beta board.

I wonder if Facebook will turn off the ability to login via username in that case... (because you can)
Perhaps it would have been better if I'd simply never bothered. Y'all clearly would be less unhappy that way.

willerby

I think it would make sense. Many users use the same password or variations of it on multiple sites. Once cracked I hate to think of the damage that could be done with just a little exploring.

If this bot is successful it effectively gives the owner your email address from your profile, perhaps your name or location or dob and a password. Off someone goes to Paypal or eBay or Amazon etc etc and has a ball.

Facebook is the same.
What type of washing machine is September?

An autumnatic. :)

Arantor

Well, Facebook allows login with a username, and getting access to FB would probably wreak more havoc than a forum, but you're entirely right.

My question still stands: do you think Facebook will turn that feature off? Do you think your users will tolerate the additional inconvenience of using an email instead of a username?
Perhaps it would have been better if I'd simply never bothered. Y'all clearly would be less unhappy that way.

willerby

Facebook will when they come under attack ;)

And my users have all tolerated it. If you've had this bot attack, they welcome it!
What type of washing machine is September?

An autumnatic. :)

Advertisement: