Advertisement:

Author Topic: Being logged out by bots trying to log in  (Read 143532 times)

Offline Elysia

  • Semi-Newbie
  • *
  • Posts: 52
Re: Being logged out by bots trying to log in
« Reply #40 on: February 12, 2011, 01:22:01 PM »
I used the link provided earlier by The Brain to the Tor nodes list generator here https://check.torproject.org/cgi-bin/TorBulkExitList.py and entered the IP address of our server. The script then generated the list of IP addresses which I was then able to use to create my htaccess.txt list. Perhaps entering different server IP addresses into the list generator tool will result in a different result for other users?

I've just been and checked my forum error log and I've had only 5 new login attempts since I added the big list to the .htaccess file, so it's easy enough to update that now. And of those only 1 attempt wasn't a legit login failure! So if you add to the earlier list
deny from 84.46.12.102
on a new line that will update the .htaccess file.
« Last Edit: February 12, 2011, 01:38:10 PM by Elysia »

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,073
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: Being logged out by bots trying to log in
« Reply #41 on: February 12, 2011, 01:33:01 PM »
Mods like those listed here might help with preventing or alleviating the attempts made by particular IPs, as these mods typically use online databases of spammers IPs. I should note there is a certain possibility that those databases are not always accurate, since they contain IPs accumulated by anonymous reports (and those reports could be wrong).

As a quick note, the Project Honeypot http:BL service is populated with confirmed spammers and harvesters. Outside reports aren't accepted. To get on the list, you must visit several of the hidden honeypots and either spam the special e-mail addresses hidden in the page source or spam using the hidden form in the page source. Even if you were curious and visited one of the pots in your browser (like the one hidden in my signature here), you wouldn't get flagged. There is also a very nicely documented removal policy and old entries are expired following a posted policy. It's one of the very few services that does it right and thus has over 90%+ accuracy.


The 1.1.13 patch fixed a problem mentioned here: logged in users could find themselves logged out due to the attempts on their account.

That's great to hear.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline b4pjoe

  • Jr. Member
  • **
  • Posts: 395
  • Gender: Male
    • B4print.com
Re: Being logged out by bots trying to log in
« Reply #42 on: February 12, 2011, 07:42:36 PM »
As a quick note, the Project Honeypot http:BL service is populated with confirmed spammers and harvesters. Outside reports aren't accepted. To get on the list, you must visit several of the hidden honeypots and either spam the special e-mail addresses hidden in the page source or spam using the hidden form in the page source. Even if you were curious and visited one of the pots in your browser (like the one hidden in my signature here), you wouldn't get flagged. There is also a very nicely documented removal policy and old entries are expired following a posted policy. It's one of the very few services that does it right and thus has over 90%+ accuracy.

I have the Honeypot BL mod installed and it does do what you say but these bots or whatever are different. The only thing it appears that they do is try to log in using existing members user name. I don't think I've ever had one to succeed but even if they did there is very little payload they could reap from being logged in as an existing member. It doesn't make much sense as they are trying very hard to accomplish something that won't do much for them if they succeed.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,982
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #43 on: February 12, 2011, 07:43:26 PM »
On the contrary, if they succeed, they have your password. How many users share passwords across one or more sites/services?
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline crash56

  • Jr. Member
  • **
  • Posts: 207
  • Test Dummy Extraordinaire
Re: Being logged out by bots trying to log in
« Reply #44 on: February 12, 2011, 07:45:05 PM »
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network. ...///... It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Thank you for this, Elysia.  One of the forums that I look after was getting hit.  Since adding your list to my .htaccess, the only login failure I've had show up in the error message was my own.   ;D  (I flubbed my login.) 


Offline b4pjoe

  • Jr. Member
  • **
  • Posts: 395
  • Gender: Male
    • B4print.com
Re: Being logged out by bots trying to log in
« Reply #45 on: February 12, 2011, 10:05:52 PM »
On the contrary, if they succeed, they have your password. How many users share passwords across one or more sites/services?

My password certainly is not the same as my banking account, credit card account, or PayPal account passwords. I don't use the same user name either. I would hope no one does this but you're right...probably some do.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,982
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #46 on: February 12, 2011, 10:14:32 PM »
Probably? Very definitely, the majority of users share passwords between two or more sites. Of course, most people will keep their banking stuff separate but I doubt most people keep their Facebook account separate to a general forum login.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline b4pjoe

  • Jr. Member
  • **
  • Posts: 395
  • Gender: Male
    • B4print.com
Re: Being logged out by bots trying to log in
« Reply #47 on: February 13, 2011, 01:26:47 AM »
Probably? Very definitely, the majority of users share passwords between two or more sites. Of course, most people will keep their banking stuff separate but I doubt most people keep their Facebook account separate to a general forum login.

I still think there are better targets to hit than forums. But maybe they are more successful than it appears. I only see the failed log in in attempts in the error log. If they successfully crack the password that won't be in the log.

Offline mecfs

  • Semi-Newbie
  • *
  • Posts: 11
Re: Being logged out by bots trying to log in
« Reply #48 on: February 13, 2011, 02:57:21 AM »
Using RC3. If I am logged in and someone else tries to log in as me and enters the wrong password, I am logged out. Is this what has changed in RC4-security and RC5? Attempts at bot-blocking is a bandaid on the problem; this "feature" should not exist.
« Last Edit: February 13, 2011, 03:00:46 AM by mecfs »

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,737
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: Being logged out by bots trying to log in
« Reply #49 on: February 13, 2011, 03:07:29 AM »
This is what was supposed to be stopped with RC5, and the patch.
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline mecfs

  • Semi-Newbie
  • *
  • Posts: 11
Re: Being logged out by bots trying to log in
« Reply #50 on: February 13, 2011, 03:14:36 AM »
This is what was supposed to be stopped with RC5, and the patch.
That is good to hear, thank you.

Offline RVD

  • Semi-Newbie
  • *
  • Posts: 58
Re: Being logged out by bots trying to log in
« Reply #51 on: February 13, 2011, 01:10:10 PM »
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Where exactly should this file be uploaded to? Thank you for your help.

Offline b4pjoe

  • Jr. Member
  • **
  • Posts: 395
  • Gender: Male
    • B4print.com
Re: Being logged out by bots trying to log in
« Reply #52 on: February 13, 2011, 01:38:14 PM »
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Where exactly should this file be uploaded to? Thank you for your help.


Copy and paste into the .htaccess file for your domain.

Offline PLAYBOY

  • SMF Hero
  • ******
  • Posts: 2,065
  • Livephotoshop.com & Lullabyabc.com
    • Lullabies and Us
Re: Being logged out by bots trying to log in
« Reply #53 on: February 13, 2011, 06:39:31 PM »
I have a very long list here also. But how can i add the words "Deny from" in front of every ip automatically?
My list is about 1000 ips also.

Offline Seo-luntan

  • Jr. Member
  • **
  • Posts: 117
  • Gender: Male
  • Peace
Re: Being logged out by bots trying to log in
« Reply #54 on: February 13, 2011, 06:46:18 PM »
 I got a question - if we ban/block/deny all these IPs (I have a lot too) , in the future we'll lose a lot of potential HUMAN users. Do you think that these IPs are only spambots' ? I wonder...

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,073
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: Being logged out by bots trying to log in
« Reply #55 on: February 13, 2011, 07:07:23 PM »
I have a very long list here also. But how can i add the words "Deny from" in front of every ip automatically?
My list is about 1000 ips also.

If you have a text editor that handles regular expressions, set the find string to "^" and the replace to "Deny from ".


I got a question - if we ban/block/deny all these IPs (I have a lot too) , in the future we'll lose a lot of potential HUMAN users. Do you think that these IPs are only spambots' ? I wonder...

They are likely normal end-user computers that have been infected and are being used as bots. I'd suggest culling the list regularly.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline TDNY

  • Jr. Member
  • **
  • Posts: 330
Re: Being logged out by bots trying to log in
« Reply #56 on: February 13, 2011, 08:25:44 PM »
The behavior related to users being logged out has been investigated in SMF and solved, and the fix is currently available in the SMF 1.1.13 patch and the 2.0 RC4 security patch, as well as in RC5.
Thank you very much for the reports!

Thanks for all the work on this problem,
I Never had an issue with members being logged out OR an issue with log in errors until I updated from 1.1.12 to 1.1.13 last night. This morning I have 3 pages of log in errors. Does the patch just fix the "getting logged out" issue or is it also supposed to stop the log in attempts?

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 58,612
  • Gender: Male
    • Kindred-999 on GitHub
Re: Being logged out by bots trying to log in
« Reply #57 on: February 13, 2011, 09:04:40 PM »
there is no real way to stop the log in attempts.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline sheryltoo

  • Jr. Member
  • **
  • Posts: 295
    • Sheryl's Page
Re: Being logged out by bots trying to log in
« Reply #58 on: February 13, 2011, 09:07:02 PM »
This problem started in my forum yesterday so I upgraded to RC4 and added the security patch but it didn't help.
Also, I don't know if this is related but not one member has signed in or posted on my site since I did the upgrade. I keep seeing lots of guest viewing the site but no one signing in.
That's kind of unusal for my site so I don't know if my members are having problems because of the bots or the upgrade.

Offline busterone

  • SMF Hero
  • ******
  • Posts: 2,150
  • Gender: Male
  • Devil Dog
    • The Demon's Den
Re: Being logged out by bots trying to log in
« Reply #59 on: February 13, 2011, 09:10:32 PM »
You cannot stop the log in attempts with any means other than either blocking them in .htaccess, or by SMF's ban list.  The patch is meant to stop logged in users being logged out by the bots, but it does nothing to stop the attack itself.  If those IPs are listed in the Project Honeypot database as a threat, then they will get redirected away from the forum with no access, but most of these IPs are coming up clean. They are not listed there or in the Stop Forum Spam database. As was previously stated, they are probably innocent users who have been infected by the botnet.

The already suggested methods are pretty much all that can be done. This is a coordinated attack that will have to be ridden out. If these folks are smart enough to see that they are being stopped, they may even start a new botnet with new IPs. What they want to accomplish is anyone's guess, but it could just be some idiot script kiddies looking for kicks, and SMF forums are their present target.