Being logged out by bots trying to log in

b4pjoe · January 16, 2011, 06:30:18 PM

Quote from: 青山素子 on January 16, 2011, 12:42:35 AM
I just installed the httpBL modification recently on two of the boards I manage. It seems to work very well. You might want to try it out.

* 青山素子 is an active contributor to Project Honeypot with 6 HoneyPots and 5 MX records donated.

I've installed this and it is detecting some spam bots...but not the ones trying to log in with members user names.

bluecar1 · January 17, 2011, 10:31:04 AM

Quote from: ACAMS on January 15, 2011, 10:41:16 PM
Quote from: bluecar1 on January 14, 2011, 05:48:10 PM
acams,

could you clarify which ip's are the main causes of the logging out issues?

is it all in your HTACCESS list or just some?

thanks

BC1

Most of the ones in the bottom half of my list, I got the top half from Dermot

Here is my list now

acams,

keep an eye out for

62.24.222.132
62.24.222.131

it appears the TT bots are now using these addresses,

can you let me know if you see tham and if they cause the logging out issues thanks

Kindred · January 17, 2011, 11:33:04 AM

since installing the bad behavior, stop forum spammers and honeypot mods, I have cut my spammers to zero in the last 2 days. The mods have caught 50 of them at registration so far... and none of the newly registered users in that time has posted any spam, so it is looking successful.

And I have not had any logout problems either...

b4pjoe · January 18, 2011, 03:11:46 PM

Quote from: Kindred on January 17, 2011, 11:33:04 AM
since installing the bad behavior, stop forum spammers and honeypot mods, I have cut my spammers to zero in the last 2 days. The mods have caught 50 of them at registration so far... and none of the newly registered users in that time has posted any spam, so it is looking successful.

And I have not had any logout problems either...

Success! After installing all three it seems to have stopped the spammers dead in their tracks! Thanks for all of the help.

bork · February 09, 2011, 08:03:38 AM

I've installed the 3 mods as suggested (Mod http:BL, Stop Forum Spam and Bad Behaviour) and the three together are blocking a huge amount of malicious activity.

However, I'm still getting a lot of users being logged out.

Looking at the user log, a lot of the IPs involved are present on the Stop Forum Spam database, but the SFP mod only blocks them if they try to register, not if they try to login.

Can anyone suggest any other way to block these IPs or even a mod that makes banning them from the user log faster?

Kindred · February 09, 2011, 10:36:57 AM

unfortunately, the only way I've been able to handle those is by manually scanning the logs once a day and adding the obvious account attempts to the spammer-ban trigger. after about a week and 30 or so new IPs added to the ban, the hack-attempts have petered out.

bork · February 09, 2011, 10:54:35 AM

Quote from: Kindred on February 09, 2011, 10:36:57 AMadding the obvious account attempts to the spammer-ban trigger.

Do you mean adding them manually as bans using the forum admin "add new ban" page? Is there any easy way of adding them in bulk as it's very time-consuming adding them one at a time.

I'm currently getting my virtual host provider to firewall them.

Kindred · February 09, 2011, 11:22:27 AM

well, I add them all as new triggers to one ban group (I open two windows - one with the error log and one with the Ban trigger)

Unfortunately, I have not found a good way to do it in bulk...

Aleksi "Lex" Kilpinen · February 09, 2011, 11:37:38 AM

If it's IP addresses only that you are blocking, would probably be easier to block them on server level, before they ever get to SMF, so saving some resources and making it easier to block them multiple at a time.

willerby · February 09, 2011, 12:14:22 PM

The most effective mod for this particular attack is called something like 'force email log-in'.

By requiring users to use their (usually) hidden email address instead of their forum userId the spambot can't trigger a log-out.

Keep using the spambot / antispam software too as it just makes sense.

bork · February 09, 2011, 03:14:23 PM

Thanks, that mod does look excellent - it's just whether I can force the change on my users! I guess after a few days they'd be used to it and if it stops them getting logged out in the middle of posting then they'll probably be converted.

It's been interesting installing the Bad Behaviour/Mod http:BL/Stop Forum Spam mod combo - I've been shocked at the sheer amount of malicious activity on the forums - overnight nearly 1000 IPs were blocked by these mods; over a whole year the amount will be massive.

Kindred · February 09, 2011, 03:23:31 PM

well, the numbers will level out and die-down, as your logs get up to date with the Spammers and they start hitting a wall.

Roph · February 09, 2011, 04:52:18 PM

Hopefully in 2.0 final we could have an option to require a captcha for logins.

busterone · February 09, 2011, 05:07:22 PM

Bots have already broken captcha and reCaptcha. It is virtually worthless against the spammers these days.

Arantor · February 10, 2011, 06:00:03 AM

Quote from: Roph on February 09, 2011, 04:52:18 PM
Hopefully in 2.0 final we could have an option to require a captcha for logins.

Doubt it, 2.0 has been feature locked for years.

In any case, I think this behaviour's been altered slightly in SVN, not 100% sure on that though, so don't quote me on it.

Norv · February 11, 2011, 10:17:40 PM

The behavior related to users being logged out has been investigated in SMF and solved, and the fix is currently available in the SMF 1.1.13 patch and the 2.0 RC4 security patch, as well as in RC5.
Thank you very much for the reports!

Elysia · February 11, 2011, 10:22:34 PM

One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

b4pjoe · February 11, 2011, 11:19:45 PM

Thanks for the info Norv and Elysia. I will be adding that info to my .htaccess file right now.

djkimmel · February 12, 2011, 01:49:36 AM

I had about 30 IP addresses used that weren't on that list. But since I downloaded that list, 5 more attempts came in with IP addresses on the above list and only 1 not on it. So I added it since I had seen one was listed as a tor server earlier. httpBL is blocking a few more of them now too than it was earlier today so it has slowed down for me.

Not sure what 1.1.13 patch did? It had no impact on the number of login attempts anyway.

Norv · February 12, 2011, 02:45:35 AM

Mods like those listed here might help with preventing or alleviating the attempts made by particular IPs, as these mods typically use online databases of spammers IPs. I should note there is a certain possibility that those databases are not always accurate, since they contain IPs accumulated by anonymous reports (and those reports could be wrong).

The 1.1.13 patch fixed a problem mentioned here: logged in users could find themselves logged out due to the attempts on their account.

That said, we're keeping an eye on these issues and any information provided can be useful and is very appreciated.

News:

Being logged out by bots trying to log in