Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM


Elysia

Quote from: Arantor on February 15, 2011, 09:36:05 AM
Are profiles accessible to guests?
No absolutely not, and have never been.

Quote from: szinski on February 15, 2011, 09:40:34 AM
A simple solution would be to create a mod that obfuscates (or simply hides) display names when a guest views the forum. Like the way eBay does it... instead of displaying "EagleMan" it'd display "E***n".
No, that won't stop it, as the display name isn't the issue. The username is the issue, and that does not appear on the board at all - it's the display name which shows in posts, and it's not that which is being used for the login attempts. I have an example where the login name is all capitals (e.g. FRED) and the username normal case (e.g. Fred), and the login failures are showing FRED, not Fred.

crash56

Quote from: Elysia on February 15, 2011, 09:47:44 AM
No, that won't stop it, as the display name isn't the issue. The username is the issue, and that does not appear on the board at all - it's the display name which shows in posts, and it's not that which is being used for the login attempts. I have an example where the login name is all capitals (e.g. FRED) and the username normal case (e.g. Fred), and the login failures are showing FRED, not Fred.

This is really weird because my forums always show the display name on all the login attempts ... including my own when I simply botch my password.  I assumed it was the default set up by the SMF software, not something that relied on what the person (or bot) was using to login.

Arantor

The error is misleading. When it's doing the lookup, it fetches the actual member name in the database, and THAT's what's in the error log, not what the user typed in.

See LogInOut.php around line 245. There's a query that fetches all the important details from the members row, stores them in $user_settings. Then it checks the hashes, upgrades passwords if they're using older hashes etc. But if it's wrong:
log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');

That's where it's getting it from. It ISN'T what's being typed.
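
A small model of the lookup Arantor describes, added here as an illustration and not SMF's own code. It keeps a members table with separate login name (member_name) and display name (real_name), looks the typed name up case-insensitively (standing in for MySQL's default collation), verifies the hash, and on failure logs the member_name from the row, not the typed string. The sha1(lowercase name + password) scheme and the table layout are assumptions of this example.

```python
import hashlib
import hmac
import sqlite3

# Added example, not SMF code: models why the error log shows the stored
# member_name (e.g. "FRED") even when the login form received "fred".


def make_hash(member_name: str, password: str) -> str:
    # Assumed scheme for this example only: sha1(lowercase(name) + password).
    return hashlib.sha1((member_name.lower() + password).encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    # Constructed sample data. COLLATE NOCASE stands in for the
    # case-insensitive collation MySQL applies to member_name.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE members (id_member INTEGER PRIMARY KEY, "
        "member_name TEXT COLLATE NOCASE, real_name TEXT, passwd TEXT)"
    )
    rows = [
        (1, "FRED", "Fred", make_hash("FRED", "correct horse")),
        (2, "ziggy", "Ziggy!", make_hash("ziggy", "rockabilly")),
    ]
    db.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", rows)
    return db


def attempt_login(db: sqlite3.Connection, typed_name: str, password: str,
                  error_log: list) -> bool:
    """Return True on success; on failure append a line to error_log."""
    row = db.execute(
        "SELECT member_name, real_name, passwd FROM members WHERE member_name = ?",
        (typed_name,),
    ).fetchone()
    if row is None:
        # Illustrative wording, not SMF's: only here is the typed name logged,
        # because there is no row to take a canonical name from.
        error_log.append(f"Unknown user - {typed_name}")
        return False
    member_name, _real_name, stored = row
    # Hash over the stored name (not the typed one) and compare in constant time.
    if hmac.compare_digest(stored, make_hash(member_name, password)):
        return True
    # Mirrors log_error($txt['incorrect_password'] ... $user_settings['member_name']):
    # the name in the log comes from the database row, not the login form.
    # The display name (real_name) never reaches the log at all.
    error_log.append(f"Incorrect password - {member_name}")
    return False
```

Typing "fred" or "Fred" with a bad password produces "Incorrect password - FRED", which is Elysia's observation; typing the display name "Ziggy!" finds no row at all, which is why the bots must be working from login names, not from what is shown in posts.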

_Ziggy_

So if you simply put an "!" (or something else) it will stop them?

Like "Ziggy!" or "Arantor!"

szinski

Quote from: Arantor on February 15, 2011, 09:55:12 AM
That's where it's getting it from. It ISN'T what's being typed.

Thanks for explaining that one!

So, back to my original statement, if we had a mod that showed obfuscated display names to guests, then the bots would harvest that information which would render the bot benign.

szinski

Quote from: Ziggy on February 15, 2011, 09:58:35 AM
So if you simply put an "!" (or something else) it will stop them?

Like "Ziggy!" or "Arantor!"

Sure, that would work, but what if the bot were designed to simply strip off the "!"... then they'd have the username again. What I'm thinking is like the way eBay does it for showing bids... Ziggy would be Z***y and Arantor would be A***r... there's no way the bot could reconstruct the actual name.

Arantor

@Ziggy: It might, but I wouldn't hold your breath. Better would be a different display name entirely.

@szinski: Yes, in theory.


Or better, just have it say 'HIDDEN' for everyone ;D

Elysia

Quote from: crash56 on February 15, 2011, 09:53:31 AM
This is really weird because my forums always show the display name on all the login attempts ... including my own when I simply botch my password.  I assumed it was the default set up by the SMF software, not something that relied on what the person (or bot) was using to login.

Is that because most times the display name and the username are the same?

I only picked up on this as I have some users for whom this isn't the case, as we have "allow users to edit their displayed name" set to yes in config and some have changed it - handy when we have users who signed up with their full name or an email address and then realise it wasn't such a good idea! I know admins can make changes, but we try and encourage our members to do their own, as they learn more that way.

szinski

Quote from: Arantor on February 15, 2011, 10:04:03 AM
Or better, just have it say 'HIDDEN' for everyone ;D

I like that idea... that would also encourage lurkers to register for an account.

Astra_200

I do not have profiles accessible to guests.

I have an htaccess list as long as my arm, though, with banned IPs - yet these things keep coming... It's like War of the Worlds!!

It's possible that a few of our passwords have been compromised already, as I have stuff about avatars and html_safe mainly in Sources/Subs.php and language files, yet I don't see anything suspicious on my custom theme forum. I now have an 80+ page error log.

I put the forum in maintenance mode overnight, but the errors still appeared. Anybody know why that should happen?

Does anybody know what the likely impact of this attack will be? Personally I am a little fed up wasting my time combating it. I have just had to rebuild my forum 2 weeks ago following a spam email hack that apparently originated from my SMF account (which was also blacklisted for a while).

Since then I have upgraded to RC4 with security patch.

I know no one can stop these attacks from taking place, but why are they targeting SMF? Is there a vulnerability within it?

Arantor

There's no vulnerability they're targeting as far as we know. What IS happening is that they're trying to get your password.

szinski

Quote from: Astral2000 on February 15, 2011, 10:13:50 AM
I do not have profiles accessible to guests.

I don't think the bots are going through profiles, I suspect that the bots are simply crawling the forum picking up user names (display names) from the postings. Then, the bot is probably attempting to login as those people using easily-guessable passwords.

Does anyone have a log of what password(s) the bots are using?

青山 素子

Quote from: Astral2000 on February 15, 2011, 10:13:50 AM
I put the forum in maintenance mode overnight, but the errors still appeared. Anybody know why that should happen?

The login form still exists in standard maintenance mode to allow for admins to login, so that won't do a thing. Setting maintenance mode to 2 would as it turns off everything. Doing so is a manual edit.


Illori

Quote from: szinski on February 15, 2011, 10:19:01 AM
Does anyone have a log of what password(s) the bots are using?

There is no way to tell the difference between valid users trying to log in and the bots, so if you did find a way to catch the passwords, it would be a security breach for all your members.

Astra_200

Quote from: 青山 素子 on February 15, 2011, 10:21:40 AM
The login form still exists in standard maintenance mode to allow for admins to login, so that won't do a thing. Setting maintenance mode to 2 would as it turns off everything. Doing so is a manual edit.

Ah got it thank you.

So does anyone know the actual purpose of this attack, has anyone been affected by it yet and how?

szinski

Quote from: Illori on February 15, 2011, 10:23:05 AM
There is no way to tell the difference between valid users trying to log in and the bots, so if you did find a way to catch the passwords, it would be a security breach for all your members.

No, just log the invalid (bad) password... not valid passwords. And I'm talking about a temporary thing, to be used for debugging this situation.

The way I see it, my forums are being "probed" from a LOT of different IP addresses. But they're not trying to log in to the same account over and over (i.e., a dictionary attack). No, the logins are somewhat random, and a dictionary attack would take decades at that rate!

So, back to my original observation... I suspect that the bots are using a list of commonly-used passwords for their attack. Perhaps if we knew those passwords we'd have a bot "signature" or "footprint" to work with.
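
The pattern szinski describes (many source IPs, each account hit only a couple of times) is what distinguishes a password spray - a short list of common passwords tried against every harvested name - from a dictionary attack on one account. The following is an added example, not code from this thread or from SMF, that runs that reasoning over a constructed failure log. The line format is invented for the example (SMF's real error log lives in a database table), and the per-account rate calculation makes szinski's "decades at that rate" point concrete: it estimates how long a given wordlist would take to exhaust at the rate any single account is actually being hit.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log for this example: "<date> <time> <source ip> <message>",
# with the failure message carrying the stored member_name after " - ".
SAMPLE_LOG = """\
2011-02-15 09:36:05 203.0.113.7 Incorrect password - FRED
2011-02-15 09:36:09 203.0.113.7 Incorrect password - ziggy
2011-02-15 09:36:31 198.51.100.23 Incorrect password - Arantor
2011-02-15 09:37:02 198.51.100.88 Incorrect password - FRED
2011-02-15 09:37:40 192.0.2.140 Incorrect password - szinski
2011-02-15 09:38:11 192.0.2.19 Incorrect password - ziggy
2011-02-15 09:38:45 203.0.113.250 Incorrect password - Arantor
2011-02-15 09:39:03 203.0.113.7 Incorrect password - szinski
"""


def parse(line: str):
    """Split one log line into (timestamp, source_ip, account)."""
    date, time, ip, msg = line.split(" ", 3)
    account = msg.rsplit(" - ", 1)[1]
    return datetime.fromisoformat(f"{date}T{time}"), ip, account


def summarize(log_text: str):
    """Return attempts plus failure counts per account, per IP, and the set of
    accounts each IP touched."""
    attempts = [parse(l) for l in log_text.splitlines() if l.strip()]
    per_account = Counter(acct for _, _, acct in attempts)
    per_ip = Counter(ip for _, ip, _ in attempts)
    accounts_per_ip = defaultdict(set)
    for _, ip, acct in attempts:
        accounts_per_ip[ip].add(acct)
    return attempts, per_account, per_ip, accounts_per_ip


def classify(log_text: str, brute_force_threshold: int = 10,
             spray_max_per_account: int = 3) -> str:
    """Label the activity: one account hammered is brute force; many accounts
    and many sources, each account hit only a few times, is a spray."""
    attempts, per_account, per_ip, _ = summarize(log_text)
    if not attempts:
        return "nothing"
    heaviest = max(per_account.values())
    if heaviest >= brute_force_threshold:
        return "brute-force"
    if (len(per_account) >= 3 and len(per_ip) >= 3
            and heaviest <= spray_max_per_account):
        return "spray"
    return "unclear"


def seconds_to_exhaust(log_text: str, account: str, wordlist_size: int) -> float:
    """At the observed rate of failures against `account`, how many seconds
    would it take to try `wordlist_size` guesses? Uses the whole log window."""
    attempts, per_account, _, _ = summarize(log_text)
    times = [t for t, _, _ in attempts]
    window = (max(times) - min(times)).total_seconds()
    hits = per_account.get(account, 0)
    if hits == 0 or window == 0:
        return float("inf")
    return wordlist_size * window / hits
```

On the sample, every account is hit twice from different /24s and the busiest IP touched three accounts, so classify() returns "spray"; at two guesses per account in a three-minute window, a 10,000-word list would take over ten days against FRED alone, which is why the thread concludes the bots are trying a handful of common passwords per name rather than exhausting a dictionary. Note this only characterises the traffic in aggregate; as Illori points out, it does not let you pick an individual bot attempt out from a member who mistyped their password.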

Arantor

You almost never get the real password; it's invariably sent encrypted in the first place.

In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

szinski

Quote from: Arantor on February 15, 2011, 10:33:01 AM
You almost never get the real password; it's invariably sent encrypted in the first place.

In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

Hey, I can't see your forum's usernames... dang... now I have to rethink my bot-tactics! LOL

Dude, you are quick! Nicely done!

Tanks

@Arantor - Will your mod work with RC2 if I emulate RC4?

Yes, I know I should be upgrading, but with 50+ mods installed I have not gotten around to doing it.

Astra_200

Quote from: Arantor on February 15, 2011, 10:33:01 AM
In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

That's very kind of you, Arantor :) Thank you!!

Is it only downloadable from your site?
