
Topic: Being logged out by bots trying to log in

TDNY
Re: Being logged out by bots trying to log in
« Reply #60 on: February 13, 2011, 09:25:32 PM »
Quote
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

This crashed my site, I don't know what went wrong. I uploaded it to the root, that was fine. Renamed it .htaccess, clicked OK and the file disappeared from the list. I went to my site and all access was denied. Called support and they were able to see .htaccess; it was a hidden file. They tried deleting it but that didn't work; they had to do a backup restore off the server.

xrunner
« Reply #61 on: February 13, 2011, 09:26:01 PM »
I have a forum I help out with being hit hard by this junk. The bots make accounts with spam ads in the signatures, but they don't make any posts for the members to see the ads. This part I don't understand. Why go to the trouble of making an account with an ad and not posting it for people to see? The membernames are of the form two words and some numbers -

riceticky06
jillskinny12

I also have hundreds of errors in the log for password incorrect errors.

busterone
« Reply #62 on: February 13, 2011, 09:33:38 PM »
Quote from: xrunner
I have a forum I help out with being hit hard by this junk. The bots make accounts with spam ads in the signatures, but they don't make any posts for the members to see the ads. This part I don't understand. Why go to the trouble of making an account with an ad and not posting it for people to see? The membernames are of the form two words and some numbers -

riceticky06
jillskinny12

I also have hundreds of errors in the log for password incorrect errors.
The two usernames you listed are probably just spammers not connected to the log in attack that has been going on. The spammers put their ads in profiles with the hope that if profiles are viewable by guests, they will be viewable and indexed by search engines. Most forum admins do not allow guest viewing of profiles, so it becomes a wasted effort by the spammers. Whoever said that spammers are smart though.  ;)

Norv
« Reply #63 on: February 13, 2011, 09:33:56 PM »
Quote
This problem started in my forum yesterday so I upgraded to RC4 and added the security patch but it didn't help.
Also, I don't know if this is related but not one member has signed in or posted on my site since I did the upgrade. I keep seeing lots of guests viewing the site but no one signing in.
That's kind of unusual for my site so I don't know if my members are having problems because of the bots or the upgrade.

You can log in, as I understand. You could make another account, a simple member account, and see if you can log in on that account and navigate normally around the forum.
To-do lists are for deferral. The more things you write down the later they're done… until you have 100s of lists of things you don't do.
File a security report | Developers' Blog | Bug Tracker

Also known as Norv on D* | Norv N. on G+ | Norv on Github

xrunner
« Reply #64 on: February 13, 2011, 09:39:48 PM »
Quote from: busterone
The two usernames you listed are probably just spammers not connected to the log in attack that has been going on. The spammers put their ads in profiles with the hope that if profiles are viewable by guests, they will be viewable and indexed by search engines. Most forum admins do not allow guest viewing of profiles, so it becomes a wasted effort by the spammers. Whoever said that spammers are smart though.  ;)

Ah OK, well the member's profiles can't be seen by guests so that's a waste of effort alright. Most of the time the spammer member name is exactly the same as the first part of the registration email they use, so I think I'll switch to account approval and see if I can't cull out some of these vile spam accounts.

nvcnvn
« Reply #65 on: February 13, 2011, 10:08:35 PM »
Can we just show Verification Questions on the login page?

busterone
« Reply #66 on: February 13, 2011, 10:11:57 PM »
That will help deter them from actually getting the password by brute force, but it will not stop them from trying. The errors will still be in the error log.
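Since the failed attempts keep landing in the log either way, the useful thing to do with them is to turn them into a block list. The following is an added example, not SMF code or anything posted in this thread: it scans a constructed, SMF-style set of "Password incorrect" lines (the exact format is an assumption; adapt the regex to what your forum or web server actually writes) and flags any source IP that produces a burst of failures inside a short window, together with the usernames it tried. An IP that hits several different usernames in seconds is a bot, not a member who forgot a password.

```python
"""Flag source IPs that produce bursts of failed logins.

Added example, not SMF's code. The log format is constructed for
illustration: "<timestamp> <source ip> Password incorrect - <username>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 hammers several accounts in seconds;
# 198.51.100.4 is a member who mistyped twice, 15 minutes apart.
SAMPLE_LOG = """\
2011-02-13 21:25:01 203.0.113.7 Password incorrect - admin
2011-02-13 21:25:02 203.0.113.7 Password incorrect - admin
2011-02-13 21:25:02 203.0.113.7 Password incorrect - moderator
2011-02-13 21:25:03 203.0.113.7 Password incorrect - bob
2011-02-13 21:25:04 203.0.113.7 Password incorrect - admin
2011-02-13 21:25:05 203.0.113.7 Password incorrect - admin
2011-02-13 21:25:09 198.51.100.4 Password incorrect - bob
2011-02-13 21:40:00 198.51.100.4 Password incorrect - bob
2011-02-13 21:26:00 192.0.2.99 Login succeeded - bob
"""

# Only failed-login lines match; anything else in the log is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>[\d.]+) "
    r"Password incorrect - (?P<user>\S+)$"
)


def parse_failures(text):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_bursts(text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"count": total_failures, "users": [usernames tried]}}
    for every IP with at least `threshold` failures inside one `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # Sliding window over the sorted timestamps for this IP.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "count": len(events),
                    "users": sorted({u for _, u in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} failures, tried {', '.join(info['users'])}")
```

The threshold and window are assumptions; tune them against your own log so that a member retrying a password a couple of times is never caught, and feed the flagged addresses to whatever blocking you use rather than blocking on a single failure.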

nvcnvn
« Reply #67 on: February 13, 2011, 10:22:25 PM »
OK.

But my question is: why was the true user logged out when these bots entered the wrong password?

I have updated my forum to RC5; I hope this issue will be fixed. Just wait....

busterone
« Reply #68 on: February 13, 2011, 10:24:18 PM »
The upgrade fix is to stop logged in users from being logged out by the bot attacks.
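The property the fix restores is worth stating precisely: a wrong password submitted by a third party for an account must never touch that account's existing sessions, and any lockout must be keyed by the source of the attempts, not by the username, or the bot can lock every member out just by trying their names. The following is an added illustration of that design, not SMF's code and not how SMF stores sessions; the class, thresholds and hashing parameters are assumptions.

```python
"""Login model where failed attempts never invalidate existing sessions and
throttling is per source IP, not per account. Added illustration, not SMF
code; all names and limits are assumptions."""
import hashlib
import hmac
import os
import secrets
from collections import defaultdict

# Constant dummy credential so a non-existent username costs the same
# hash work as a real one (no user-enumeration timing signal).
_DUMMY = (b"\0" * 16, b"\0" * 32)


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Forum:
    def __init__(self, max_failures=5):
        self.users = {}                    # username -> (salt, digest)
        self.sessions = {}                 # token -> username
        self.failures = defaultdict(int)   # source ip -> consecutive failures
        self.max_failures = max_failures

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, ip):
        """Return a fresh session token on success, None on failure.

        Nothing here reads or writes self.sessions on a failure, so a bot
        guessing alice's password cannot log the real alice out."""
        if self.failures[ip] >= self.max_failures:
            return None                  # source throttled; account untouched
        rec = self.users.get(username)
        salt, stored = rec if rec is not None else _DUMMY
        _, candidate = hash_password(password, salt)
        if rec is None or not hmac.compare_digest(candidate, stored):
            self.failures[ip] += 1
            return None
        self.failures[ip] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def user_for(self, token):
        return self.sessions.get(token)

    def logout(self, token):
        self.sessions.pop(token, None)


if __name__ == "__main__":
    forum = Forum()
    forum.register("alice", "correct horse battery staple")
    alice_tok = forum.login("alice", "correct horse battery staple", "192.0.2.10")
    for _ in range(10):                  # bot hammers alice's account
        forum.login("alice", "wrong", "203.0.113.7")
    print("alice still logged in:", forum.user_for(alice_tok) == "alice")
    print("bot failures recorded:", forum.failures["203.0.113.7"])
```

The test that matters is the one in the `__main__` block: ten wrong passwords from the bot's address leave alice's token valid, and the bot's address is throttled after five, while alice logging in again from her own address still works.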

nvcnvn
« Reply #69 on: February 13, 2011, 10:30:34 PM »
OK, I see!
Now let's keep discussing how to stop them!

PLAYBOY
« Reply #70 on: February 13, 2011, 11:23:44 PM »
Quote from: nvcnvn
Can we just show Verification Questions on the login page?

Cool idea, or a reCAPTCHA would work perfectly too.


Quote
If you have a text editor that handles regular expressions, set the find string to "^" and the replace to "Deny from ".

but there is no ^ string. It's just single IPs on each line.

青山 素子
« Reply #71 on: February 14, 2011, 12:04:11 AM »
Quote
If you have a text editor that handles regular expressions, set the find string to "^" and the replace to "Deny from ".

but there is no ^ string. It's just single IPs on each line.

Right, which is why I mentioned regular expressions. In regex-speak, "^" is code for "beginning of the line".
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
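For anyone without a regex-capable editor, the "^" trick from the post above and the .htaccess list from TDNY's post earlier in the thread can be done in a few lines of script. The following is an added example, not code from this thread or from SMF: `regex_prefix` is the literal editor operation (match start of line, insert `Deny from `), and `htaccess_deny_block` does the same job but validates each entry, drops duplicates and comments, and wraps the result in the Apache 2.2 `Order Deny,Allow` form. The sample list is constructed.

```python
"""Turn a one-IP-per-line list into .htaccess Deny directives.

Added example, not from the thread or SMF. The sample list is constructed.
"""
import ipaddress
import re

# Constructed input: a duplicate, a junk line, a CIDR range and an IPv6 host,
# which is the kind of thing a pasted block list usually contains.
SAMPLE_LIST = """\
203.0.113.7
198.51.100.4
203.0.113.7
not-an-ip
# a comment
192.0.2.0/24
2001:db8::1
"""


def regex_prefix(text):
    """The editor trick: find '^' (start of line) and replace with 'Deny from '.
    The lookahead skips blank lines so they do not become bare directives."""
    return re.sub(r"^(?=\S)", "Deny from ", text, flags=re.M)


def htaccess_deny_block(text):
    """Validated version: one 'Deny from' per unique address or CIDR range,
    junk and comments skipped, under an 'Order Deny,Allow' header."""
    seen = set()
    lines = ["Order Deny,Allow"]
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a malformed directive makes Apache 500 the whole directory
        if net.prefixlen == net.max_prefixlen:
            rendered = str(net.network_address)   # single host: no /32 or /128
        else:
            rendered = str(net)                   # keep CIDR ranges as written
        if rendered in seen:
            continue
        seen.add(rendered)
        lines.append(f"Deny from {rendered}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(regex_prefix("203.0.113.7\n198.51.100.4\n"), end="")
    print(htaccess_deny_block(SAMPLE_LIST), end="")
```

Two caveats a practitioner would add: a single malformed line in `.htaccess` makes Apache answer every request under that directory with a 500, which is consistent with the "all access was denied" report earlier in the thread, so validate the file before uploading it and keep the previous copy to restore from; and the `Order`/`Deny from` syntax is Apache 2.2, so on 2.4 the equivalent is `Require not ip` inside a `<RequireAll>` block. Neither version is a substitute for fixing the logout bug itself, since the attackers can simply move to addresses not on the list.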


Ryan2320
« Reply #72 on: February 14, 2011, 12:12:51 AM »
Quote
One of the forums I look after has been hit bigtime by this problem, but I've found a solution which seems to work. The IP addresses being used by the bots are all connected with the torservers network.

So, I created a list of the IPs (all 1,334 of them!) which need to be blocked and added that to my .htaccess file in the webspace and the login attempts have stopped dead. I'm attaching the list here so that anyone can try it. It's saved as a plain text file so you can download it and copy / paste the contents to your existing .htaccess file if you have one. If you haven't got one then simply upload this text file to your webspace, and rename it from htaccess.txt to .htaccess and then go check your error logs. You should find the login failures have stopped.

Thanks for that list this should at least slow them down more...
Ryan

krick
« Reply #73 on: February 14, 2011, 12:26:06 AM »
Quote
I still think there are better targets to hit than forums.


I run a forum for World of Warcraft players.  If someone on my forum uses the same username and password as their user account on Warcraft, and my forum gets hacked by these bots, guess who is probably going to get their Warcraft account looted?   There's big money in Warcraft gold.
« Last Edit: February 14, 2011, 12:30:33 AM by krick »

Aleksi "Lex" Kilpinen
« Reply #74 on: February 14, 2011, 12:41:04 AM »
The sad truth of it is that forums are pretty much the last place on the internet where you can harvest account names, e-mail addresses, and passwords linked to both of those, easily from centralised locations, if you are successful at brute forcing your way into those accounts. So, it kind of makes sense that bots like these target forums. They are not after information kept on the forum, or your private messages; they are more probably after actual login data.
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

laetabi
« Reply #75 on: February 14, 2011, 02:23:37 AM »
I posted previously in this topic having been an early target of the bot in question.

Denying IP addresses and installing anti-spam mods like httpBL are all good things to do, but a simple secure fix for this attack is to hide all email addresses by default and force members to log in using their email address.

Part of the vulnerability of forums to this type of attack is that one part of the log-in info is public domain (e.g. usernames can be seen all over the forum and can be harvested easily).

By logging in using an email address, the bots have to find out and hit an active email address to log out a user.

There is a simple mod for this, 'force email log-in', and this will stop all error log entries and make your forum much more secure against any future variants these script kiddies develop.

http://custom.simplemachines.org/mods/index.php?mod=1665
« Last Edit: February 14, 2011, 03:24:15 AM by laetabi »
What type of washing machine is September?

An autumnatic. :)

Arantor
« Reply #76 on: February 14, 2011, 03:14:46 AM »
Funnily enough this discussion was had not that long ago in the beta board.

I wonder if Facebook will turn off the ability to login via username in that case... (because you can)
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

laetabi
« Reply #77 on: February 14, 2011, 03:28:48 AM »
I think it would make sense. Many users use the same password, or variations of it, on multiple sites. Once cracked, I hate to think of the damage that could be done with just a little exploring.

If this bot is successful it effectively gives the owner your email address from your profile, perhaps your name or location or dob and a password. Off someone goes to Paypal or eBay or Amazon etc etc and has a ball.

Facebook is the same.

Arantor
« Reply #78 on: February 14, 2011, 03:44:09 AM »
Well, Facebook allows login with a username, and getting access to FB would probably wreak more havoc than a forum, but you're entirely right.

My question still stands: do you think Facebook will turn that feature off? Do you think your users will tolerate the additional inconvenience of using an email instead of a username?

laetabi
« Reply #79 on: February 14, 2011, 04:12:52 AM »
Facebook will when they come under attack ;)

And my users have all tolerated it. If you've had this bot attack, they welcome it!