Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM


Vincent Volmer


kat

Just had a thought...

My v1.1.13 forum's not having any hassles, with this.

Been trying to figure out why...

Could it be because I have this?

http://english-72682862726.spampoison.com

Arantor

It's possible but it doesn't fit the MO of the current bots we've seen thus far.

kat

Only one error, in my logs:

8: Undefined variable: modSettings
File: /home/tlakoco/public_html/Themes/BlueMarble/index.template.php
Line: 511

Dunno what that's about and I don't give a poodle, coz everything works OK, so... ;)

owg

Over 24 hours now, and not a single failed login attempt - this a first for me in at least a week or more.  :)

Norv

#345
Please see also
Simple Machines Forums attacks

ETA: owg, can you please tell how you protected your forum? :)
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

catfished

Thanks a bunch Arantor, I just installed it so we'll see. I was getting hit every 2 to 5 minutes so I'll know soon and will report here either way.

You use and like this forum software? Then show your appreciation and support by becoming a Charter Member.



CatfishEd.com

owg

Quote from: Norv on February 19, 2011, 05:41:05 PM
ETA: owg, can you please tell how you protected your forum? :)
Very little actually, and it is probably just a coincidence, but here it is:

The login bot attacks started about a week or so ago.  At the time, I had http:BL and Stop Forum Spam installed.  About 4 days ago I installed CrawlProtect and Forum Firewall - I also had the list of the Tor IP addresses that someone posted in .htaccess.  None of these measures halted the login bot.  The pattern seemed to be more hits at night, and periodically during the day.  Coincident with the attacks, I was being crawled by the GoogleBot in the address range 66.249.71.* in a way that I never have before.  Typically Google visits my site during the day with only a single crawler IP, but now it was sometimes 20-25 simultaneous connections continuously during the day.

Because I thought it was possible that someone was spoofing Google, I went into Webmaster controls and reduced the number of times GoogleBots should visit, but there was no change in activity.  Finally in desperation, I added that particular IP range (66.249.71.*) to .htaccess and then I watched as the failed login attempts dropped off one by one.  This was yesterday morning, and not a peep since.  I had even removed all of the Tor IP addresses that I had in .htaccess, which now contains only a single IP range: 66.249.71.*.

What is interesting is that Forum Firewall visitor logs reported a hack attempt by 66.249.85.3 within moments of my adding the 66.249.71.* range to .htaccess.

I don't know anything about security, and all of this is probably just a huge coincidence (the login bot probably just went away), but I'm just happy that my forum activity is back to normal.

krick

The only errors I've gotten since I installed Arantor's patch are a few of these, which are odd because that board most certainly exists.  It's always board 5 too for some reason.

Guest    Today at 04:46:02 PM
67.195.112.226      29c60c63ff1003e691be5a5c4328aaa8
http://www.tankadin.com/forum/index.php?board=5
The board you specified doesn't exist

catfished

Quote from: catfished on February 19, 2011, 06:15:03 PM
Thanks a bunch Arantor, I just installed it so we'll see. I was getting hit every 2 to 5 minutes so I'll know soon and will report here either way.

Well, it's been over an hour now and no login password errors so apparently the mod is working fine.

Thanks again Arantor, I realize this is not a permanent fix against these bots but it's sure nice to get rid of them for a while. ;D

trebul

I haven't taken any actions yet i.e. installing additional mods. Today there was no bot activity to report. It's kind of odd but nice at the same time.

      Love talking about pets?
      Visit a friendly pet forum!

      Looking for tips to running a forum?
      Trebul's community guide


         

Aleksi "Lex" Kilpinen

Disabling Tor Access and setting up a Honeypot and installing httpBL worked very well for me, and I've also been able to keep other bots like spammers at bay with this setup very well.
Slava
Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

rillani

#352
I, too, have been having frequent visits from a possibly fake google address:  66.249.67.243 .  This guest only shows up as doing "Nothing, or nothing you can see..."  I have never noticed it prior to these attacks (which I only noticed a couple days ago, so take that with a grain of salt).

Update: Since banning that IP, I'm now getting error logs of it trying to view member profiles and the recent posts page.

butchs

#353
Quote from: rillani on February 20, 2011, 03:08:12 AM
I, too, have been having frequent visits from a possibly fake google address:  66.249.67.243 .  This guest only shows up as doing "Nothing, or nothing you can see..."  I have never noticed it prior to these attacks (which I only noticed a couple days ago, so take that with a grain of salt).

Update: Since banning that IP, I'm now getting error logs of it trying to view member profiles and the recent posts page.

Do not block Google!  Doing so will decrease real membership.  I have been blocking fake Googles for over a year.  Here are some solutions that work:
1) The new and improved Bad Behavior mod detects fake Googles.  Selecting "Search Engine DNS", if you do not have an Ubuntu 10x server, will do a reverse DNS test on the suspected Google bot.
2) The Optimus Brave, Forum Firewall Combo can be used to detect and block fake Googles that hit faster than specified.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.
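
The reverse DNS test mentioned in the post above, written out as an added example (not part of the original post and not code from the Bad Behavior mod): a forward-confirmed reverse DNS check that tells a genuine Google crawler from an address that only claims to be one. The function names, the injected resolver parameters and the sample records are assumptions made for illustration; the sample data uses documentation address ranges so the check runs offline.

```python
import ipaddress
import socket

# Assumption: PTR suffixes from Google's published crawler-verification guidance.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def system_reverse(ip):
    """PTR lookup through the system resolver; None if there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(hostname):
    """Forward lookup; returns the set of addresses the name resolves to."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()

def verify_googlebot(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS check. Returns (is_google, reason)."""
    addr = ipaddress.ip_address(ip)
    host = reverse(str(addr))
    if not host:
        return False, "no PTR record"
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return False, "PTR outside Google domains"
    # The owner of an IP block controls its PTR, so the name must resolve back.
    if addr not in {ipaddress.ip_address(a) for a in forward(host)}:
        return False, "forward lookup does not match"
    return True, host

# Constructed sample records (documentation ranges, not real crawler addresses).
SAMPLE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "192.0.2.20": "crawl-192-0-2-20.googlebot.com",
    "198.51.100.7": "googlebot.com.example.net",
}
SAMPLE_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "crawl-192-0-2-20.googlebot.com": {"203.0.113.5"},
}

def check_samples():
    """Run the check over the constructed records with no network access."""
    ips = list(SAMPLE_PTR) + ["203.0.113.99"]
    return {ip: verify_googlebot(ip, SAMPLE_PTR.get,
                                 lambda h: SAMPLE_A.get(h, set()))
            for ip in ips}
```

Calling `verify_googlebot(ip)` with the default resolvers performs live lookups, so results should be cached per address rather than looked up on every request.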

xrunner

Quote from: catfished on February 19, 2011, 06:15:03 PM
Thanks a bunch Arantor, I just installed it so we'll see. I was getting hit every 2 to 5 minutes so I'll know soon and will report here either way.

So was I, but not a single error since yesterday since the mod was installed.

owg

Quote from: butchs on February 20, 2011, 08:43:59 AM
Do not block Google!  Doing so will decrease real membership.  I have been blocking fake Googles for over a year.  Here are some solutions that work:
1) The new and improved Bad Behavior mod detects fake Googles.  Selecting "Search Engine DNS", if you do not have an Ubuntu 10x server, will do a reverse DNS test on the suspected Google bot.
2) The Optimus Brave, Forum Firewall Combo can be used to detect and block fake Googles that hit faster than specified.
Thanks for the tip on Bad Behavior - I've not installed that mod yet. Might give it a go this afternoon.  In the meantime, not a single bad login since I blocked that particular IP range, yet other Google bots are still doing their normal thing on my site.  Even though it is not a great idea to block Google, I'd rather do away with this subset of bad IPs until a complete solution is found rather than having my site constantly bombarded.

As of nearly a day and a half, my site is operating as it did before all this started - not a single bot login attempt.

butchs

Well...  The solution I gave you is tried and tested.   O:)

They hit you because you are now on a list.  Once they start they will not stop unless you block them back.  You must fight back and force them to remove you from the list. 

I too was attacked hard last year.  They hit me so hard my bandwidth was over 8GB a month and I was almost forced to get a dedicated server.  Instead, I fought back with my brain and created these mods with a few other measures.  The end result was zero spam for a year and my traffic was reduced drastically.  Many agree, my solution works!

One could say that I am the Jared of spam.  I lost 7GB of spam in one (1) month!  I can help you lose the excess spam too...
  8)

Vincent Volmer

#357
I installed:

httpBL, Honeypot, Disabling Tor Access, Forum Firewall, Bad Behavior + the fix of Arantor and it killed my VPS. The whole server crashed 2 times after reboot.

When removing Forum Firewall and Bad Behavior all is working fine.....

What could be the reason?


This is/was not the reason. I removed the FF and BB but still having the same issue yesterday.

Thanks
Vincent


butchs

#358
Both mods are totally different in what they do and how they load.  Neither will cause a crash if you follow instructions.  Nevertheless, if you want support and/or come up with more info I can chew on, by all means please come to the support boards, ask away and I will gladly try to solve your problems.

Vincent Volmer

Okay, thanks!

I'll come over to the support boards next week.

Vincent
