Being logged out by bots trying to log in

[Arantor]

Not the same as searching a database such as project honeypot and etc.  Only one "gethostbynamel" per cache run for only the Big 3 bots which if set 20+ seconds covers most bot runs.

Hence "I take it that you're not counting..." - just clarifying the situation.

That is only an issue with Ubuntu 10+ servers using the BB code which is not the same as the mod.

No, it's a PHP issue generally, actually, where the DNS lookup returned false somewhat ambiguously, which is why all the tests were subsequently commented out in BB, even in 2.1.11 - roundtripdns.inc.php:

Code Select Expand

# FIXME: Returns false on DNS server failure; PHP provides no distinction
# between no records and error condition

(I've been following BB's code fairly closely for a while, trying to engineer IPv6 support into it, and into SMF generally, is no small task.)

[butchs]

Hence "I take it that you're not counting..." - just clarifying the situation.

That is not a database look-up per-say, it is using a built in php function.  Do some diligence and you will find a lookup at project honey pot et al takes longer.  EDIT:  Besides the test will be a option in the final BB 1.4.0 mod version.

No, it's a PHP issue generally, actually, where the DNS lookup returned false somewhat ambiguously, which is why all the tests were subsequently commented out in BB, even in 2.1.11 - roundtripdns.inc.php:

I have been following it too since I wrote the SMF mod for BB and I wrote the last "roundtripdns.inc.php" for BB.  Put your dollar store reading glasses on and look closely.    You will discover that it is a Ubuntu issue and note the issue is for a function that is NOT used in the mod.  I have been running my version of "roundtripdns.inc.php" for over 6 months with zero issues.  Every now and then I block a fake google that others may believe is real.  Good for me...   

(I've been following BB's code fairly closely for a while, trying to engineer IPv6 support into it, and into SMF generally, is no small task.)

Why?  BB works mostly with ipv6.   BB does not care about the ip's since it is all about looking at other things.  The mod uses adjusted ip's for cache which accept ipv6 addresses and that is all she wrote. 

ipv6 is not difficult.  I have already written some code for ipv6 compatibility with FF mod.  The only known (at its creation) with ipv6 protection against what would otherwise be a vulnerability.  I have some beta code prepared for BB.  But honestly, further ipv6 development for both mods for the roundtrip test is a waste of time until ipv6 becomes more popular.  Maybe next winter.

EDIT:  I believe SMF needs to standardize the long ipv6 address DB storage issue first.

[krick]

I've discovered something interesting by looking at the search queries that resulted in hits on my site using Google Webmaster tools:
http://www.google.com/webmasters/tools/

Below are some of the things that people (bots) are searching for that lead them to my site.  Usually, the search string has some other random word at the beginning and/or a timestamp, presumably to "randomize" the search to prevent you and/or google from blocking them.

The other disturbing thing was that my site is a world of warcraft related site and many of the bot queries actually had keywords that are specific to warcraft and other MMOs, so it appears that at least some of the bots are targeting specific types of sites.

"/index.php?topic="
"always stay logged in"
"always stay logged in:"
"forum stats"
"hot topic (more than"
"locked topic"
"login (forgot your password?)"
"login with username, password and session length"
"members - latest member:"
"minutes to stay logged in"
"minutes to stay logged in:"
"no new posts"
"normal topic"
"posts"
"powered by smf 1.1.12"
"powered by smf"
"signature"
"simple machines llc"
"smf 1.1"
"smf 1.1.12"
"sticky topic"
"summary"
"topic you have posted in"
"users online"
"very hot topic (more than"
"view the most recent posts on the forum"
"view the most recent posts on the forum."
"welcome, guest. please login or register"
"welcome,"
.index.php action=
.member.php u=
/entry.php
/forum
/forums
/index.php/topic
/index.php?topic=
/member.php?
/read.php?
/suggest.php?action=
/thread
/thread-
/topic
/view-last-messages.html
/viewforum.php?f=
/viewtopic.php?f=
/viewtopic.php?t=
add message
add reply
add topic
forum
forums/index.php s=
forums/member.php
forums/members
message/member.php u=
new topic
phorum
posting
smf
username: password: minutes to stay logged in:
viewprofile
viewtopic.php

[Aleksi "Lex" Kilpinen]

Some of those have nothing to do with SMF, which basically proves what has been said before - this is not an SMF specific issue.
Still, we are working on it, to see if there is something we can do about it.

[Cal O'Shaw]

LexArma,

Are you considering having the ability to block display of names to guests (you had to know I'd ask)?  Again, does zip for current attack, but renders future account harvesting nearly impossible.

Will any solution cover 1.1.13 sites?

Grazie,

Cal

[Aleksi "Lex" Kilpinen]

At the moment we are mostly brainstorming about this, so can't really answer that one yet...

[Cal O'Shaw]

No worries.  But as my Mum always said, you don't know if you don't ask...

Grazie mille,

Cal

[Clara Listensprechen]

Methods to block the attack entirely do not exist, you and I both know that.

This attack, I happen to disagree, because I've been doing some research into the mechanics of this specific attack. There is one notable feature that is rather consistent in the attack pattern. I won't disclose it publicly, naturally, but I'm currently working on a way to neutralise it.

Sure, we can and should be educating users. But we can't make them do anything, and nor should we.

You certainly got my curiosity up, because I've noticed a peculiar pattern in the attacks I've been getting--they're not using everybody's username, just 4 (on both my boards). They're not all admin or mod people, either (2 admin, 1 mod, one regular). It's something that makes me go "hmmmm."

=============

Oh yeah--none of the 4 are the latest member, either. Hmmmm.

[Tanks]

I did two things to my RC2 forum and I now have a clean error log.

First I installed Arantor's abuse mod to hide all user names from guests. Seriously guest have no need for user names to find the content of a board interesting.

Secondly I installed Codebirth's EmailLogin mod and warned all my users 12 hours in advance. Now users must log on with their email and so far that has not given me any objections from my members.

I have now cleared my htaccess file and I still have a clean error log. I know the bots are still attacking, but they are not able to log my members out, and they are not filling up my error log.

I feel satisfied, and just wanted to share what I did to stop this pain in the a** attack.

[Arantor]

That is not a database look-up per-say, it is using a built in php function.  Do some diligence and you will find a lookup at project honey pot et al takes longer.

Now you're just being facetious. Yes, a lookup to an external site will take longer, which is why I was clarifying that you weren't referring to anything additional there. Though if you're behind a slow RDNS, even the DNS roundtrip can be slow.

You will discover that it is a Ubuntu issue and note the issue is for a function that is NOT used in the mod.

It's not used because it was commented out following that issue. Oh, and I get the same behaviour on Windows, which kind of blows that theory out of the water. But as all the comments for http://php.net/gethostbyaddr show, it can lag pretty hard anyway...

Why?

I think you misunderstand me. There are parts of the code that do use IPv4 blocks for checking (some of the search engine checks, mainly). IPv4 is exhausted at the most coarse level, several of the RIRs are talking about exhaustion by them within 3-6 months, so it only makes sense to have IPv6 support - and if you're using in SMF, you kind of need to get your checks in very, very early (I can't remember how early you added them) because cleanRequest() will nuke the IPv6 address because it doesn't understand IPv6.

Oh, and if you're trying to tell me your implementation of BB into SMF is solid, I really hope you're not trying to store binary compressed IP addresses into a 16 byte character field, since there will typically be some invalid code points in there.

And roundtripdns.inc.php even says itself that it's not IPv6 safe.

But honestly, further ipv6 development for both mods for the roundtrip test is a waste of time until ipv6 becomes more popular.  Maybe next winter.

Actually in all honesty it's a waste of time until SMF supports IPv6. Fortunately, I don't have that problem, since I do have IPv6 support in the core in my development files.

The other disturbing thing was that my site is a world of warcraft related site and many of the bot queries actually had keywords that are specific to warcraft and other MMOs, so it appears that at least some of the bots are targeting specific types of sites.

WoW is a big enough presence even in fan forums that it's worth spending some effort targetting them. But yeah, mostly they're finding forums through search engines. But I will echo what Lex said, some of those search terms are vBulletin or phpBB specific - but they will show up in *links* between forums too.

You certainly got my curiosity up, because I've noticed a peculiar pattern in the attacks I've been getting--they're not using everybody's username, just 4 (on both my boards). They're not all admin or mod people, either (2 admin, 1 mod, one regular). It's something that makes me go "hmmmm."

That's not the only commonality, either.

[BPLive]

The actual problem of getting logged out because of these, should be fixed in the latest releases.

this is good to hear.  Today I upgraded from 2.0 rc3 to rc5

I'll have to wait for feedback. However I do see in the errorlog IP's still trying to do so with 'users' failed password etc.  however I guess you guys did something to keep this from the log outs.  but the error log will continue to build I guess.   anyway Thanks!
I'll post back if Rc5 fixed the issue via feedback.

So far after doing the rc5 upgrade I got feedback from a couple users that the loggin issue is fixed.  however I have 174 new entries since I cleared my user log yesterday.  and yes 1 IP does attack multiple usernames, other times its only one ip per user.

I don't know why you want access to my server, but if you want admin access still to the forum or both, please let me know if that will help you.  I'd like to give something back to SMF if this helps.

[Aleksi "Lex" Kilpinen]

The actual problem of getting logged out because of these, should be fixed in the latest releases.

this is good to hear.  Today I upgraded from 2.0 rc3 to rc5

I'll have to wait for feedback. However I do see in the errorlog IP's still trying to do so with 'users' failed password etc.  however I guess you guys did something to keep this from the log outs.  but the error log will continue to build I guess.   anyway Thanks!
I'll post back if Rc5 fixed the issue via feedback.

So far after doing the rc5 upgrade I got feedback from a couple users that the loggin issue is fixed.  however I have 174 new entries since I cleared my user log yesterday.  and yes 1 IP does attack multiple usernames, other times its only one ip per user.

I don't know why you want access to my server, but if you want admin access still to the forum or both, please let me know if that will help you.  I'd like to give something back to SMF if this helps.

If you'd PM Norv about this, would probably be best

[BPLive]

The actual problem of getting logged out because of these, should be fixed in the latest releases.

this is good to hear.  Today I upgraded from 2.0 rc3 to rc5

I'll have to wait for feedback. However I do see in the errorlog IP's still trying to do so with 'users' failed password etc.  however I guess you guys did something to keep this from the log outs.  but the error log will continue to build I guess.   anyway Thanks!
I'll post back if Rc5 fixed the issue via feedback.

So far after doing the rc5 upgrade I got feedback from a couple users that the loggin issue is fixed.  however I have 174 new entries since I cleared my user log yesterday.  and yes 1 IP does attack multiple usernames, other times its only one ip per user.

I don't know why you want access to my server, but if you want admin access still to the forum or both, please let me know if that will help you.  I'd like to give something back to SMF if this helps.

If you'd PM Norv about this, would probably be best

done and made him an account.  cheers!

[butchs]

...

The other disturbing thing was that my site is a world of warcraft related site and many of the bot queries actually had keywords that are specific to warcraft and other MMOs, so it appears that at least some of the bots are targeting specific types of sites.

"hot topic (more than"
"locked topic"
"login (forgot your password?)"
.member.php u=
/entry.php
/read.php?
/suggest.php?action=
/thread
/thread-
/view-last-messages.html
/viewforum.php?f=
/viewtopic.php?f=
/viewtopic.php?t=
phorum
username: password: minutes to stay logged in:
viewprofile
viewtopic.php

No need for SMF to add more code just to slow down the package.  They have more important things to do like functional improvements and bugs.

My solution is simple, look at the list and pick a couple non-SMF phrases from the bot attack and add them to the Forum Firewall mod "Injection List" in the admin panel.  Problem solved, the bot will get blocked and give up.  The only question is which is the best phrase to pick.  I think I will start with "phorum".  I added "phorum|" to the front of my list.

[DJPlamen]

What if we arm our LOIC and fight back to the most imprudent bot ip?    

[Arantor]

What if we arm our LOIC and fight back to the most imprudent bot ip?    

Hahaha, if only it weren't legally questionable, and likely to be someone random that gets hit rather than the orchestration of this attack.

[DJPlamen]

Ahm, It's not an attack, it's more like "active self-defense"  

[Arantor]

Not really, no. Those orchestrating the current login attempts are not doing so directly. They have a large number of IP addresses at their disposal, the LOIC wouldn't really be able to proactively defend against anyone, unless you plan on hitting innocent bystanders.

[DJPlamen]

One dumb question then... my site was attacked via ..smf/index.php?action=login2...
Will help to change the link and function name to login3 (in LogInOut.php and index.php)??

[DarkBlizz]

I had that happen once, but my account wasn't locked out, even though I have do have a failed pw attempt limit.  Try using Login Security Mod (http://custom.simplemachines.org/mods/index.php?mod=2181), it will prevent anyone logging into your account that's not on your IP.