
Author Topic: Being logged out by bots trying to log in  (Read 143363 times)

Offline Elysia

  • Semi-Newbie
  • *
  • Posts: 52
Re: Being logged out by bots trying to log in
« Reply #100 on: February 15, 2011, 09:47:44 AM »
> Are profiles accessible to guests?
No absolutely not, and have never been.

> A simple solution would be to create a mod that obfuscates (or simply hides) display names when a guest views the forum. Like the way eBay does it... instead of displaying "EagleMan" it'd display "E***n".
No that won't stop it, as the display name isn't the issue. The username is the issue and that does not appear on the board at all - it's the display name which shows in post and it's not that which is being used for the login attempts. I have an example where the login name is all capitals (e.g. FRED) and the username normal case (e.g. Fred) and the login failures are showing FRED not Fred.

Offline crash56

  • Jr. Member
  • **
  • Posts: 207
  • Test Dummy Extraordinaire
Re: Being logged out by bots trying to log in
« Reply #101 on: February 15, 2011, 09:53:31 AM »
> No that won't stop it, as the display name isn't the issue. The username is the issue and that does not appear on the board at all - it's the display name which shows in post and it's not that which is being used for the login attempts. I have an example where the login name is all capitals (e.g. FRED) and the username normal case (e.g. Fred) and the login failures are showing FRED not Fred.

This is really weird because my forums always show the display name on all the login attempts ... including my own when I simply botch my password.  I assumed it was the default set up by the SMF software, not something that relied on what the person (or bot) was using to login.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #102 on: February 15, 2011, 09:55:12 AM »
The error is misleading. When it's doing the lookup, it fetches the actual member name in the database, and THAT's what's in the error log, not what the user typed in.

See LogInOut.php around line 245. There's a query that fetches all the important details from the members row, stores them in $user_settings. Then it checks the hashes, upgrades passwords if they're using older hashes etc. But if it's wrong:
Code:
log_error($txt['incorrect_password'] . ' - <span class="remove">' . $user_settings['member_name'] . '</span>', 'user');
That's where it's getting it from. It ISN'T what's being typed.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline _Ziggy_

  • Jr. Member
  • **
  • Posts: 300
    • Bluesforum.com
Re: Being logged out by bots trying to log in
« Reply #103 on: February 15, 2011, 09:58:35 AM »
So if you simply put an "!" (or something else) it will stop them?

Like "Ziggy!" or "Arantor!"
Bluesforum.com   2.0                     Bluesforum.nl   2.0
Rockabilly-forum.com   2.0              Bluesharp.nl   2.0
Bungalowpark-forum.nl   2.0        Eee pad forum   2.01
Cristiano Ronaldo   2.02              Lockout Tagout   2.02


Looking to buy existing forums, send pm.

Offline szinski

  • Jr. Member
  • **
  • Posts: 114
  • Gender: Male
  • Programmer by day, photographer by night.
    • Pizza Making
Re: Being logged out by bots trying to log in
« Reply #104 on: February 15, 2011, 10:00:12 AM »
> That's where it's getting it from. It ISN'T what's being typed.

Thanks for explaining that one!

So, back to my original statement, if we had a mod that showed obfuscated display names to guests, then the bots would harvest that information which would render the bot benign.

Offline szinski

  • Jr. Member
  • **
  • Posts: 114
  • Gender: Male
  • Programmer by day, photographer by night.
    • Pizza Making
Re: Being logged out by bots trying to log in
« Reply #105 on: February 15, 2011, 10:03:14 AM »
> So if you simply put an "!" (or something else) it will stop them?
>
> Like "Ziggy!" or "Arantor!"

Sure, that would work, but what if the bot were designed to simply strip off the ! ... then they'd have the username again. What I'm thinking is like the way eBay does it for showing bids... Ziggy would be Z***y and Arantor would be A***r... there's no way the bot could reconstruct the actual name.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #106 on: February 15, 2011, 10:04:03 AM »
@Ziggy: It might, but I wouldn't hold your breath. Better would be a different display name entirely.

@szinski: Yes, in theory.


Or better, just have it say 'HIDDEN' for everyone ;D

Offline Elysia

  • Semi-Newbie
  • *
  • Posts: 52
Re: Being logged out by bots trying to log in
« Reply #107 on: February 15, 2011, 10:06:20 AM »
> This is really weird because my forums always show the display name on all the login attempts ... including my own when I simply botch my password.  I assumed it was the default set up by the SMF software, not something that relied on what the person (or bot) was using to login.

Is that because most times the display name and the username are the same?

I only picked up on this as I have some users for whom this isn't the case, as we have "allow users to edit their displayed name" set to yes in config and some have changed it - handy when we have users who signed up with their full name or an email address and then realise it wasn't such a good idea! I know admins can make changes but we try and encourage our members to do their own as they learn more that way.

Offline szinski

  • Jr. Member
  • **
  • Posts: 114
  • Gender: Male
  • Programmer by day, photographer by night.
    • Pizza Making
Re: Being logged out by bots trying to log in
« Reply #108 on: February 15, 2011, 10:06:43 AM »
> Or better, just have it say 'HIDDEN' for everyone ;D

I like that idea... that would also encourage lurkers to register for an account.

Offline Astra_200

  • Jr. Member
  • **
  • Posts: 113
  • Gender: Male
Re: Being logged out by bots trying to log in
« Reply #109 on: February 15, 2011, 10:13:50 AM »
I do not have profiles accessible to guests.

I have an htaccess list as long as my arm though with banned IPs - yet these things keep coming...  It's like War of the Worlds!!

It's possible that a few of our passwords have been compromised already as I have stuff about avatars and html_safe mainly in sources subs.php and language files yet I don't see anything suspicious on my custom theme forum. I now have an 80 page + error log.

I put the forum in maintenance mode overnight, but the errors still appeared. Anybody know why that should happen?

Does anybody know what the likely impact of this attack will be? As personally I am a little fed up wasting my time combating it. I have just had to rebuild my forum 2 weeks ago following a spam email hack that apparently originated from my SMF account (which was also blacklisted for a while)

Since then I have upgraded to RC4 with security patch.

I know no one can stop these attacks from taking place, but why are they targeting SMF? Is there a vulnerability within it?

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #110 on: February 15, 2011, 10:16:49 AM »
There's no vulnerability they're targeting as far as we know. What IS happening is that they're trying to get your password.

Offline szinski

  • Jr. Member
  • **
  • Posts: 114
  • Gender: Male
  • Programmer by day, photographer by night.
    • Pizza Making
Re: Being logged out by bots trying to log in
« Reply #111 on: February 15, 2011, 10:19:01 AM »
> I do not have profiles accessible to guests.

I don't think the bots are going through profiles, I suspect that the bots are simply crawling the forum picking up user names (display names) from the postings. Then, the bot is probably attempting to login as those people using easily-guessable passwords.

Does anyone have a log of what password(s) the bots are using?

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,072
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: Being logged out by bots trying to log in
« Reply #112 on: February 15, 2011, 10:21:40 AM »
> I put the forum in maintenance mode overnight, but the errors still appeared. Anybody know why that should happen?

The login form still exists in standard maintenance mode to allow for admins to login, so that won't do a thing. Setting maintenance mode to 2 would as it turns off everything. Doing so is a manual edit.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline Illori

  • Project Manager
  • SMF Legend
  • *
  • Posts: 51,432
Re: Being logged out by bots trying to log in
« Reply #113 on: February 15, 2011, 10:23:05 AM »
> Does anyone have a log of what password(s) the bots are using?

There is no way to tell the difference between valid users trying to log in and the bots, so if you did find a way to catch the passwords it would be a security breach for all your members.

Offline Astra_200

  • Jr. Member
  • **
  • Posts: 113
  • Gender: Male
Re: Being logged out by bots trying to log in
« Reply #114 on: February 15, 2011, 10:26:40 AM »
> The login form still exists in standard maintenance mode to allow for admins to login, so that won't do a thing. Setting maintenance mode to 2 would as it turns off everything. Doing so is a manual edit.

Ah got it thank you.

So does anyone know the actual purpose of this attack, has anyone been affected by it yet and how?

Offline szinski

  • Jr. Member
  • **
  • Posts: 114
  • Gender: Male
  • Programmer by day, photographer by night.
    • Pizza Making
Re: Being logged out by bots trying to log in
« Reply #115 on: February 15, 2011, 10:29:55 AM »
> there is no way to tell the difference in valid users trying to log in and the bots, so if you did find a way to catch the passwords it would be a security breach for all your members.

No, just log the invalid (bad) password... not valid passwords. And I'm talking about a temporary thing, to be used for debugging this situation.

The way I see it, my forums are being "probed" from a LOT of different IP addresses. But they're not trying to login to the same account over-and-over (i.e., dictionary attack). No, the logins are somewhat random and a dictionary attack would take decades at that rate!

So, back to my original observation... I suspect that the bots are using a list of commonly-used passwords for their attack. Perhaps if we knew those passwords we'd have a bot "signature" or "footprint" to work with.
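
Pulling together Arantor's point about what LogInOut.php actually logs and szinski's observation about many IPs each hitting different accounts a few times, here is an added example (not SMF's code and not from any poster in this thread) that parses constructed entries in the shape of SMF's "Password incorrect" messages and tells a concentrated dictionary run on one account apart from the thinly spread, many-IP pattern described above. The tab-separated timestamp/IP/message layout and the thresholds are assumptions; the log carries account names only, never passwords, which is all this needs.

```python
import re
from collections import Counter

# Constructed sample, shaped like SMF's "Password incorrect" error-log entries.
# The name inside <span class="remove"> is the member_name fetched from the
# members row (what LogInOut.php logs), not the string the client typed, so
# attempts typed as "fred" and "FRED" against one account share a key here.
SAMPLE_LOG = """\
2011-02-15 09:40:01\t203.0.113.10\tPassword incorrect - <span class="remove">FRED</span>
2011-02-15 09:40:07\t198.51.100.7\tPassword incorrect - <span class="remove">Ziggy</span>
2011-02-15 09:40:15\t203.0.113.44\tPassword incorrect - <span class="remove">Arantor</span>
2011-02-15 09:41:02\t192.0.2.9\tPassword incorrect - <span class="remove">szinski</span>
2011-02-15 09:41:30\t198.51.100.23\tPassword incorrect - <span class="remove">FRED</span>
2011-02-15 09:42:11\t192.0.2.77\tPassword incorrect - <span class="remove">Elysia</span>
2011-02-15 09:42:40\t203.0.113.10\tPassword incorrect - <span class="remove">crash56</span>
2011-02-15 09:43:05\t198.51.100.90\tPassword incorrect - <span class="remove">Tanks</span>
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+)\t(?P<ip>[0-9.]+)\t'
    r'Password incorrect - <span class="remove">(?P<member>[^<]+)</span>$'
)

def parse_failures(text):
    """Extract (timestamp, ip, member_name) from each failed-login entry.
    No password is ever present in these entries, only the account name."""
    return [(m['ts'], m['ip'], m['member'])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def summarise(events):
    """Count failures per account and per source IP."""
    return Counter(e[2] for e in events), Counter(e[1] for e in events)

def classify(events, brute_threshold=5, spray_min_accounts=5, spray_min_ips=5):
    """'brute-force': one account draws many failures (classic dictionary run).
    'spray': a failure or two each, spread over many accounts from many IPs
    (the pattern the thread describes). Otherwise 'normal' typo noise."""
    if not events:
        return 'normal'
    per_member, per_ip = summarise(events)
    if max(per_member.values()) >= brute_threshold:
        return 'brute-force'
    if len(per_member) >= spray_min_accounts and len(per_ip) >= spray_min_ips:
        return 'spray'
    return 'normal'

if __name__ == '__main__':
    ev = parse_failures(SAMPLE_LOG)
    print(len(ev), 'failures; pattern:', classify(ev))  # 8 failures; pattern: spray
```

Because the logged name is the stored member_name, per-account counts stay correct even when the typed name differs in case, which is exactly the FRED/Fred confusion discussed earlier in the thread.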

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: Being logged out by bots trying to log in
« Reply #116 on: February 15, 2011, 10:33:01 AM »
You almost never get the real password; it's invariably sent encrypted in the first place.

In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

Offline szinski

  • Jr. Member
  • **
  • Posts: 114
  • Gender: Male
  • Programmer by day, photographer by night.
    • Pizza Making
Re: Being logged out by bots trying to log in
« Reply #117 on: February 15, 2011, 10:38:04 AM »
> You almost never get the real password; it's invariably sent encrypted in the first place.
>
> In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

Hey, I can't see your forum's usernames... dang... now I have to rethink my bot-tactics! LOL

Dude, you are quick! Nicely done!

Offline Tanks

  • Full Member
  • ***
  • Posts: 583
  • Gender: Male
  • Danish Dude
Re: Being logged out by bots trying to log in
« Reply #118 on: February 15, 2011, 10:39:41 AM »
@ Arantor - Will your mod work with RC2 if I emulate RC4 ?

Yes I know I should be upgrading but with 50+ mods installed I have not gotten around to doing it.

Offline Astra_200

  • Jr. Member
  • **
  • Posts: 113
  • Gender: Male
Re: Being logged out by bots trying to log in
« Reply #119 on: February 15, 2011, 10:41:25 AM »
> In other news, I'm feeling very generous: http://arantor.org/index.php?topic=262.msg4580#msg4580

That's very kind of you Arantor :) Thank you!!

Is it only downloadable from your site?