password incorrect errors

[djkimmel]

Thanks. Both helpful posts. I have not installed the project honeypot mod yet. I'll try that and look at the forum post.

[HamishM]

Also happening on my site, it should ebb out sometime soon hopefully.

[Cal O'Shaw]

As guests are reading the membernames off the main index of the page visible to guests, BLOCKING those membernames to guests will make it impossible for them to get membernames by searching for "last post by".

There are two MODs, one for 1.1.x and 2.x that say they will do this.

I'm on 1.1.13 and the MOD ( http://custom.simplemachines.org/mods/index.php?mod=2082 ) turns on the "NEW" flag and it can't be turned off.

Can anyone put together a fix that only has to do the following:

If Guest = yes then display "(hidden)" else display membername

when displaying "last post by"?

Grazie!

Cal

[ApplianceJunk]

Also happening on my site, it should ebb out sometime soon hopefully.

What do you mean ebb out?

Going to give CloudFlare a try.

[Cal O'Shaw]

The problem is the attackers are screenscraping, so as long as they can see membernames, they can keep trying until they crack a password.  Blocking membernames from guests means they can't try to break in because they won't know the names.

And since it's obviously automated, why should they stop anytime soon?  Has anyone that's reported this seen the attacks "ebb"?  They started reporting them on 31 Jan 2011 and it's 12 Feb now.

Cal

[HamishM]

Bots usually give up after a while...........

I have noticed that the bot has not tried to login as me, I think this is because my login name is different to what is shown on the forum........

[Cal O'Shaw]

The bot appears to be walking as much of the site as we allow guests to see, and going into each board hoping for names.  At least that's how it looks from the error log.

So I guess a fix should also look at any place account names are displayed, main index, board index, topic.  We already hid the Info Center.

But we better plan on this type of attack coming back.  Several months ago script kiddies tried exploiting a hole filled two years before.

[Rik©]

Bots usually give up after a while...........

I have noticed that the bot has not tried to login as me, I think this is because my login name is different to what is shown on the forum........

Maybe the anti-spam mods should have a setting that completely blocks/bans those spam-bot ip's when they try to log in.....

-Rik©

[HamishM]

I guess a quick, temporary and dirty fix could be (Probably only viable on forums with low membership, I have way to many membs to do it on mine)

Add a space or a full stop after the username in the field "This is the displayed name that people will see.", do it on all member profiles, this would result in the bot getting a "Member does not exist" message.
It would not affect the individual member login process.

Like I said, quick and dirty but will probably work..............

[PLAYBOY]

The bot appears to be walking as much of the site as we allow guests to see, and going into each board hoping for names.  At least that's how it looks from the error log.

So I guess a fix should also look at any place account names are displayed, main index, board index, topic.  We already hid the Info Center.

But we better plan on this type of attack coming back.  Several months ago script kiddies tried exploiting a hole filled two years before.

Wow. you are pretty good at this man. I mean seriously i have looked at my raw logs and everything but i couldnt figure out any pattern.

Most ips are from Germany and from proxies.  You cant just block them all because they keep changing their ips. I have been having this issue since yesterday also. I also have that login security mod.


Here is a very quick and easy fix!
I think it would be a very good idea to put a image verification on the login form

But until a good solution i have closed my forum to guests. Its members only for now.

[ApplianceJunk]

Bots usually give up after a while...........

I have noticed that the bot has not tried to login as me, I think this is because my login name is different to what is shown on the forum........

Having a different login name then what is shown on the forum is something I had not thought of before. I changed my login name along with a password change, thanks!

[ApplianceJunk]

Most ips are from Germany and from proxies.  You cant just block them all because they keep changing their ips. I have been having this issue since yesterday also

You can block whole countries. It started yesterday for us too.

[Cal O'Shaw]

Rico,
Except we're seeing addresses from the UK, Sweden, Germany and elsewhere.  Anti-bot MODs aren't going to be able to keep up with this kind of attack.  We need to have the ability to starve the bots and that would be hiding account names from guests.


HamishM,
Yes, but that means going through every account manually, right?
A little decision coding before displaying username based on if the viewer is a guest takes care of all sites, regardless of member count.

if guest = true then nametoshow = "(hidden)" else nametoshow = username
display nametoshow


PLAYBOY,
We don't have much of our site open to guests, so I was able to pick up the pattern (accounts not listed on the main index but on a board as the last poster were showing up).  And I did DP for 30 years.

Image verification becomes a pain for your members.  Remember, these guys are trying to pass themselves off as your members to get inside.

[Cal O'Shaw]

You really want to block your audience countries?

We can't block them, so let's starve them.  No names to see, no attack to make.

[PLAYBOY]

Most ips are from Germany and from proxies.  You cant just block them all because they keep changing their ips. I have been having this issue since yesterday also

You can block whole countries. It started yesterday for us too.

Do you have a pretty good up-to-date list for ips from each country? and are they %100 accurate?
I am not gonna use in this case but it would be useful in other cases

And I did DP for 30 years.

HAHA, thas how...

Image verification becomes a pain for your members.

yeah but it would be nice (and useful) to have some kinda mod for it so we can at least turn it on and off when necessary.

[Rik©]

Most of the ip's they use are listed at Stop Forum Spam, so if the anti-spam mod also checks at log-in (besides registering) it can block/ban those ip's after their first try.

Hiding (user)names for guests is possible.... there is already a Hide Post Authors From Guests mod.

-Rik©

[Cal O'Shaw]

Yes, and as I noted, on my 1.1.13 site it turns on the "new" icon for every topic and will not turn them off.  So it's got a problem.  Hence my request for a quick and dirty.  Tell me what code to put where and I'll do it manually until it can become a MOD.

And before it's mentioned, even if 2.0 RC 5 became the final product today, we'd still wait several months until 2.02 or 2.03 for all the really arcane bugs to come out, all the MODs to catch up, and be sure the 1.x to 2.0 upgrade is bulletproof.  There's a lot of us who just can't give hours to an upgrade and see it hang.  Very cautious.  Part of why I lasted 30 years in DP .

[PLAYBOY]

And before it's mentioned, even if 2.0 RC 5 became the final product today, we'd still wait several months until 2.02 or 2.03 for all the really arcane bugs to come out, all the MODs to catch up, and be sure the 1.x to 2.0 upgrade is bulletproof.  There's a lot of us who just can't give hours to an upgrade and see it hang.  Very cautious.  Part of why I lasted 30 years in DP .

Totally agree.

I would give it at least a year or year and a half for 2.x to be ready for us. As i have said before in another topic, We are ready for 2.0 but it is not ready for our requests and needs.


Now we need an image verification of somekind to be integrated on the login form so i can open my forum to guests again. Every second my forum is close cost me money, Alarm! alarm! I am loosing money here :p




Update: Just to give more info about this bot,
Maybe it would be helpful to people...

I got another type of form (more like a question answer style) on my site and nobody has ever sent any spams through it before. However this bot has been filling its sections and sending them continuously. Here is one of the examples...



Form data:

Question 1: betathomeromania
Question 2: Abkhazia
3: betathomeromania
4: google
5: England
6: Elk
7: 143040
8: Konu hakkında hangi kaynaklardan ne derece araştırma yaptınız?: 143040
9: betathomeromania
10: 143040
11:
12: Romania
13:
14: betathomeromania
15: This www is interesting
bet at home romania
16: betathomeromania
17: This www is interesting
bet at home romania 



So this bot is basically filling in (and tries) every kinda form it sees not just smf.

[PLAYBOY]

I closed my forum to guests view but the bot is still trying my password?

It seems like the bot is also saving the membernames. Is there any good solution for this guys? Can anybody help us?

[PLAYBOY]

That would not work well for this bot because it keeps changing its ip.