password incorrect errors

Started by tempneff, February 01, 2011, 01:15:23 AM


iLCapo

The email login was also successful for me in shutting down the attack.  However, 3 hours later 'someone' attempted to download my database:

Guest
Today at 02:34:12 AM
64.124.203.71
395a86116c950ca9a87287cf4e1aaeb5
http://www.romborossodoc.com/forum/index.php?struct=on&data=on&compress=gzip&action=dumpdb&sesc=b135cedfc47c06b8dfca8902e66f8bc9
Only administrators can make database backups!

My forum is set as read-only for guests. How was a guest-level viewer able to attempt to download the database? I thought you could only access that function from the admin panel, which wouldn't be available to a read-only guest, right?

busterone

He didn't. That is why it is in your error log. He simply tried. These bots use known actions and are pre-programmed to attempt them. I see quite a few that drop in using index.php?action=admin, etc. They can't see the admin button; they just randomly try different combinations to attempt access.

crash56

Quote from: laetabi on February 15, 2011, 02:38:58 AM
Personally, I think it's the way to go. Denying IP addresses will go on forever, as this thing seems to have infected genuine users and is probably continuing to do so at an increasing rate.

I gave up on denying IP addresses.  It's futile and it's labor-intensive.

I installed the e-mail login mod this morning.  It installed without a problem, and seems to have done the trick.  This seems to be the best solution so far.

iLCapo

Quote from: busterone on February 15, 2011, 08:33:04 AM
He didn't. That is why it is in your error log. He simply tried. These bots use known actions and are pre-programmed to attempt them. I see quite a few that drop in using index.php?action=admin, etc. They can't see the admin button; they just randomly try different combinations to attempt access.

Ah, thank you.  I knew I couldn't see any way to do that logged in as a guest but these guys are much smarter at this stuff than me.

squad


This is driving me insane. I am waiting to have a couple of things sorted on my forum, but will be installing the cb|Emailogin mod ASAP following that.

I'll also be looking at Hide membernames from guests at the same time :)

Hope it works just as well for me as it appears to have for you, PLAYBOY.

I still wonder 'who' is reading all this stuff and are 'they' working on getting around our actions or planned actions?

catfished

Quote from: squad on February 15, 2011, 01:06:51 PM
I still wonder 'who' is reading all this stuff and are 'they' working on getting around our actions or planned actions?

I realize you're referring to the bad guys, but it doesn't appear as if SMF support has been reading this, or they would have at least said they were working on a solution. :'(

Cal O'Shaw

I know Bigguy said they would, but hearing something from them that they're aware and maybe working on something (or that they're not) would let us know we're being heard.

Our attack has been underway for over a week now (a strike every 6 minutes on average).  I don't think they're going to wander away anytime soon.

Cal

Illori

If you read the similar thread here, http://www.simplemachines.org/community/index.php?topic=416928.0, you will see that some staff members are adding comments.

squad

Quote from: catfished on February 15, 2011, 08:02:10 PM
Quote from: squad on February 15, 2011, 01:06:51 PM
I still wonder 'who' is reading all this stuff and are 'they' working on getting around our actions or planned actions?

I realize you're referring to the bad guys, but it doesn't appear as if SMF support has been reading this, or they would have at least said they were working on a solution. :'(

Yes I was, sorry for not making that clear *sigh*


catfished

Quote from: squad on February 17, 2011, 11:19:45 PM

Yes I was, sorry for not making that clear *sigh*

Not a problem, I think you made it very clear, I was the one that changed the subject. :-[

lethal-danger

I had the same problem with bots trying to log in to member accounts.

I'm running SMF 1.1.13 and installed the Proxy Blocker mod:

http://custom.simplemachines.org/mods/index.php?mod=2329

It seems to have stopped all incorrect login attempts for my site.

Arantor

Proxy Blocker can quite easily block genuine users too.

http://www.simplemachines.org/community/index.php?topic=416928.msg2960115#msg2960115 contains a patch that should neutralise the current bots.

butchs

I found a new attack today. Could be the same attack you are talking about?

A user asked me to check out the log in a newly installed version of Forum Firewall, a/k/a FF. The visitor log literally had hundreds of blocked attacks in a single day from many different IP addresses, most likely the same bot. FF blocked all the injection attacks using "action=register and some code". The code looks like some sort of automated password-script dictionary attack. Maybe this is the same attack?

Here is what I saw:

1. Obvious code injection attack (EDITED). Caught by FF.
2. Many different really bad IP addresses being used directly and hidden in the proxy array. Caught by FF.

The BB (now SMF 1.1.x compatible) & FF combo seems to take them down.   8)

Arantor

No, that's a different attack; the bot attack I was referring to is using a dictionary of user ids it's already obtained, and is trying to slowly brute force the password, directly hitting action=login2.

butchs

That is the problem.  They never stop trying.  To make code for each specific attack is a waste.  This is why I went generic.

Does it start out with something like:

action=Login2(EDITED)

If so, FF will stop it cold.

Arantor

No, it doesn't. It's literally just action=login2 in the URL.

butchs

Human attack?

If it is not, the bot will have to try to pass data somehow, and BB/FF should catch it either by the data passage or by exceeding the speed limit.


Arantor

The bot is trying to brute force passwords. Requests are from inconsistent IPs, and could theoretically be genuine requests due to a minor vulnerability in the login code, which has been tracked on Mantis.

butchs

I must correct myself, since I accidentally provided incomplete information. I looked at the code assuming it was singular, but did not notice, until after I took a break and looked at it with fresh eyes, that it was written specifically to attack four (4) methods of login simultaneously (some more than once). In fact the code in each URI was attacking via brute force via several IP addresses:

1) action=register
2) action=register2
3) action=login
4) action=login2

You may be seeing just the last injection?

As far as I can see FF is blocking all four (4) long before they can exploit the vulnerability that you plan to correct.
::)

Arantor

You and I are seeing different bots, then. The one everyone else is seeing doesn't touch anything but login2, and there's nothing at all in the request on its own that would hit FF that I'm aware of; it is even possible for a normal person to exhibit the signs, but somewhat unlikely.
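Both patterns discussed in this thread can be picked out of the error log with the same triage: busterone's point that the bots are pre-programmed to request admin-only actions such as action=admin or action=dumpdb as guests, and Arantor's description of a bot that slowly guesses passwords against known usernames via action=login2 from inconsistent IPs (which is why denying IPs upthread felt futile). The script below is an added example, not SMF's code or any mod's. Its log records are constructed to approximate the error-log fields quoted above (who, time, IP, URL, message); the list of admin-only actions, the exact "Password incorrect - user" message text, the hostnames and addresses, and the thresholds are all assumptions for the example.

```python
"""Triage of SMF-style error-log entries (added example, not SMF's code).

Two views over the same records: guests requesting admin-only actions, and
accounts being worked by a slow, IP-rotating password guesser on
action=login2. Field layout, action list and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Actions SMF serves only to administrators (assumed list for the example).
ADMIN_ONLY_ACTIONS = {"admin", "dumpdb", "maintain", "packages"}

# Failed-login entries; the exact message text is an assumption.
PASSWORD_INCORRECT = re.compile(r"^Password incorrect - (?P<user>\S+)$")

# Constructed sample log, not real data: (who, timestamp, ip, url, message).
LOG = [
    ("Guest", "2011-02-15 02:34:12", "198.51.100.71",
     "http://forum.example.com/index.php?struct=on&data=on&compress=gzip"
     "&action=dumpdb&sesc=0123abcd",
     "Only administrators can make database backups!"),
    ("Guest", "2011-02-15 02:35:40", "198.51.100.71",
     "http://forum.example.com/index.php?action=admin",
     "Constructed: access to admin area refused"),
    ("Guest", "2011-02-15 02:50:00", "203.0.113.9",
     "http://forum.example.com/index.php?action=profile;u=5",
     "Constructed: unrelated error"),
    # One account, five failures, five different IPs, six minutes apart:
    # every single IP stays at one attempt, the account does not.
    ("Guest", "2011-02-15 03:10:00", "203.0.113.10",
     "http://forum.example.com/index.php?action=login2", "Password incorrect - alice"),
    ("Guest", "2011-02-15 03:16:00", "203.0.113.11",
     "http://forum.example.com/index.php?action=login2", "Password incorrect - alice"),
    ("Guest", "2011-02-15 03:22:00", "198.51.100.22",
     "http://forum.example.com/index.php?action=login2", "Password incorrect - alice"),
    ("Guest", "2011-02-15 03:28:00", "192.0.2.5",
     "http://forum.example.com/index.php?action=login2", "Password incorrect - alice"),
    ("Guest", "2011-02-15 03:34:00", "203.0.113.12",
     "http://forum.example.com/index.php?action=login2", "Password incorrect - alice"),
    # A human mistyping twice from one address: should not be flagged.
    ("Guest", "2011-02-15 09:00:00", "198.51.100.99",
     "http://forum.example.com/index.php?action=login2", "Password incorrect - bob"),
    ("Guest", "2011-02-15 09:00:30", "198.51.100.99",
     "http://forum.example.com/index.php?action=login2", "Password incorrect - bob"),
]


def action_of(url):
    """Return the SMF 'action' query parameter (lower-cased), or None.

    SMF separates parameters with both '&' and ';' (action=profile;u=5),
    so ';' is normalised to '&' before parsing."""
    query = urlparse(url).query.replace(";", "&")
    values = parse_qs(query).get("action")
    return values[0].lower() if values else None


def guest_admin_probes(log):
    """Guest requests for admin-only actions, as (timestamp, ip, action).

    SMF already refused each one (that is why it is in the error log); the
    useful signal is the pattern: an unauthenticated client walking through
    privileged actions it has no link to."""
    return [(ts, ip, action_of(url)) for who, ts, ip, url, _ in log
            if who == "Guest" and action_of(url) in ADMIN_ONLY_ACTIONS]


def distributed_guessing(log, window=timedelta(hours=1), min_attempts=4, min_ips=3):
    """Accounts with >= min_attempts failed action=login2 logins from
    >= min_ips distinct IPs inside one window.

    Keyed on the targeted account rather than the source IP: a bot that
    rotates addresses and pauses minutes between tries stays under any
    per-IP limit, while the account it is working on does not."""
    by_user = defaultdict(list)
    for _, ts, ip, url, msg in log:
        m = PASSWORD_INCORRECT.match(msg)
        if m and action_of(url) == "login2":
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_user[m["user"]].append((when, ip))

    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            ips = Counter(ip for _, ip in in_window)
            if len(in_window) >= min_attempts and len(ips) >= min_ips:
                flagged[user] = {"attempts": len(in_window),
                                 "distinct_ips": len(ips),
                                 "max_per_ip": max(ips.values())}
                break
    return flagged


if __name__ == "__main__":
    for ts, ip, act in guest_admin_probes(LOG):
        print(f"{ts} {ip} guest requested action={act}")
    for user, s in distributed_guessing(LOG).items():
        print(f"{user}: {s['attempts']} failures from {s['distinct_ips']} IPs, "
              f"at most {s['max_per_ip']} per IP")
```

On the constructed log this reports the one guest address that tried dumpdb and then admin, and flags alice (five failures, five IPs, one attempt per IP) while leaving bob alone, which is the distinction a per-IP block list cannot make.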
