password incorrect errors

Started by tempneff, February 01, 2011, 01:15:23 AM


djkimmel

Thanks. Both helpful posts. I have not installed the project honeypot mod yet. I'll try that and look at the forum post.

HamishM

Also happening on my site, it should ebb out sometime soon hopefully.

Cal O'Shaw

As guests are reading the membernames off the main index of the page visible to guests, BLOCKING those membernames to guests will make it impossible for them to get membernames by searching for "last post by".

There are two MODs, one for 1.1.x and one for 2.x, that say they will do this.

I'm on 1.1.13 and the MOD ( http://custom.simplemachines.org/mods/index.php?mod=2082 ) turns on the "NEW" flag and it can't be turned off.

Can anyone put together a fix that only has to do the following:

If Guest = yes then display "(hidden)" else display membername

when displaying "last post by"?

Grazie!

Cal

ApplianceJunk

Quote from: HamishM on February 11, 2011, 10:44:43 PM
Also happening on my site, it should ebb out sometime soon hopefully.

What do you mean ebb out?

Going to give CloudFlare a try.


Cal O'Shaw

The problem is the attackers are screenscraping, so as long as they can see membernames, they can keep trying until they crack a password.  Blocking membernames from guests means they can't try to break in because they won't know the names.

And since it's obviously automated, why should they stop anytime soon?  Has anyone that's reported this seen the attacks "ebb"?  They started reporting them on 31 Jan 2011 and it's 12 Feb now.

Cal

HamishM

Bots usually give up after a while...

I have noticed that the bot has not tried to login as me, I think this is because my login name is different to what is shown on the forum...

Cal O'Shaw

The bot appears to be walking as much of the site as we allow guests to see, and going into each board hoping for names.  At least that's how it looks from the error log.

So I guess a fix should also look at any place account names are displayed, main index, board index, topic.  We already hid the Info Center.

But we better plan on this type of attack coming back.  Several months ago script kiddies tried exploiting a hole filled two years before.
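Cal's reading of the error log (one address walking the boards and failing logins against whatever names it finds, with the same names then hit from several addresses) is the kind of thing that can be checked mechanically rather than by eye. The Python below is an added example, not code from this thread or from SMF. SMF's own error log is not shown here, so it assumes a constructed one-line-per-attempt format (date, time, source IP, the word `login`, username, outcome) and the sample lines are made up. It flags source IPs that failed against several distinct accounts, accounts that were tried from several distinct IPs, and lists every failing IP so the gap between "IPs you could ban" and "IPs in the campaign" is visible.

```python
from collections import defaultdict

# Constructed sample log for this example (not anyone's real log).
# Assumed format: "<date> <time> <source-ip> login <username> <outcome>"
SAMPLE_LOG = """\
2011-02-12 02:10:01 198.51.100.7 login alice password_incorrect
2011-02-12 02:10:03 198.51.100.7 login bob password_incorrect
2011-02-12 02:10:05 198.51.100.7 login carol password_incorrect
2011-02-12 02:10:09 203.0.113.44 login alice password_incorrect
2011-02-12 02:10:12 203.0.113.44 login dave password_incorrect
2011-02-12 02:11:00 192.0.2.10 login alice ok
2011-02-12 02:12:30 203.0.113.99 login bob password_incorrect
2011-02-12 02:12:31 203.0.113.99 login carol password_incorrect
2011-02-12 02:12:33 203.0.113.99 login erin password_incorrect
this line is not a login record and is skipped
"""


def parse_line(line):
    """Return a record dict for one login line, or None if the line does not match."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "login":
        return None
    date, clock, ip, _, user, outcome = parts
    # Usernames are compared case-insensitively: "Alice" and "alice" are one account.
    return {"ts": date + " " + clock, "ip": ip, "user": user.lower(), "ok": outcome == "ok"}


def analyse(log_text, ip_threshold=3, user_threshold=2):
    """Summarise failed logins.

    spraying_ips:   source IPs that failed against at least ip_threshold distinct accounts
                    (one scraper trying every name it found)
    targeted_users: accounts that failed from at least user_threshold distinct IPs
                    (the same campaign seen across rotating proxies)
    failing_ips:    every IP with at least one failure, for comparison with spraying_ips
    """
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["ok"]:
            continue  # ignore unparsable lines and successful logins
        users_by_ip[rec["ip"]].add(rec["user"])
        ips_by_user[rec["user"]].add(rec["ip"])
    return {
        "spraying_ips": sorted(ip for ip, users in users_by_ip.items() if len(users) >= ip_threshold),
        "targeted_users": sorted(u for u, ips in ips_by_user.items() if len(ips) >= user_threshold),
        "failing_ips": sorted(users_by_ip),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for key, values in report.items():
        print(f"{key}: {', '.join(values) or '-'}")
```

On the constructed sample, two of the three failing IPs cross the per-IP threshold, while the per-account view ties all three together through alice, bob and carol. Thresholds are deliberately low for the sample; on a real forum they should be tuned against a day of normal typo traffic before anything is acted on automatically.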

Rik©

Quote from: HamishM on February 12, 2011, 02:43:53 AM
Bots usually give up after a while...

I have noticed that the bot has not tried to login as me, I think this is because my login name is different to what is shown on the forum...
Maybe the anti-spam mods should have a setting that completely blocks/bans those spam-bot IPs when they try to log in...

-Rik©

HamishM

I guess a quick, temporary and dirty fix could be (probably only viable on forums with low membership, I have way too many members to do it on mine):

Add a space or a full stop after the username in the field "This is the displayed name that people will see.", do it on all member profiles, this would result in the bot getting a "Member does not exist" message.
It would not affect the individual member login process.

Like I said, quick and dirty but will probably work...

PLAYBOY

Quote from: Cal O'Shaw on February 12, 2011, 02:50:30 AM
The bot appears to be walking as much of the site as we allow guests to see, and going into each board hoping for names.  At least that's how it looks from the error log.

So I guess a fix should also look at any place account names are displayed, main index, board index, topic.  We already hid the Info Center.

But we better plan on this type of attack coming back.  Several months ago script kiddies tried exploiting a hole filled two years before.

Wow, you are pretty good at this, man. I mean seriously, I have looked at my raw logs and everything but I couldn't figure out any pattern.

Most IPs are from Germany and from proxies. You can't just block them all because they keep changing their IPs. I have been having this issue since yesterday also. I also have that login security mod.


Here is a very quick and easy fix!
I think it would be a very good idea to put an image verification on the login form.

But until there is a good solution I have closed my forum to guests. It's members only for now.

ApplianceJunk

Quote from: HamishM on February 12, 2011, 02:43:53 AM
Bots usually give up after a while...

I have noticed that the bot has not tried to login as me, I think this is because my login name is different to what is shown on the forum...

Having a different login name than what is shown on the forum is something I had not thought of before. I changed my login name along with a password change, thanks!

ApplianceJunk

Quote: Most IPs are from Germany and from proxies. You can't just block them all because they keep changing their IPs. I have been having this issue since yesterday also.

You can block whole countries. It started yesterday for us too.

Cal O'Shaw

Rico,
Except we're seeing addresses from the UK, Sweden, Germany and elsewhere.  Anti-bot MODs aren't going to be able to keep up with this kind of attack.  We need to have the ability to starve the bots and that would be hiding account names from guests.
HamishM,
Yes, but that means going through every account manually, right?
A little decision coding before displaying username based on if the viewer is a guest takes care of all sites, regardless of member count.

if guest = true then nametoshow = "(hidden)" else nametoshow = username
display nametoshow
PLAYBOY,
We don't have much of our site open to guests, so I was able to pick up the pattern (accounts not listed on the main index but on a board as the last poster were showing up).  And I did DP for 30 years.

Image verification becomes a pain for your members.  Remember, these guys are trying to pass themselves off as your members to get inside.

Cal O'Shaw

You really want to block your audience countries?

We can't block them, so let's starve them.  No names to see, no attack to make.


PLAYBOY

Quote from: ApplianceJunk on February 12, 2011, 03:14:16 AM
Quote: Most IPs are from Germany and from proxies. You can't just block them all because they keep changing their IPs. I have been having this issue since yesterday also.

You can block whole countries. It started yesterday for us too.

Do you have a pretty good up-to-date list of IPs for each country? And are they 100% accurate?
I am not gonna use it in this case, but it would be useful in other cases :)

Quote: And I did DP for 30 years.
HAHA, that's how...

Quote: Image verification becomes a pain for your members.

Yeah, but it would be nice (and useful) to have some kind of mod for it so we can at least turn it on and off when necessary.

Rik©

Most of the ip's they use are listed at Stop Forum Spam, so if the anti-spam mod also checks at log-in (besides registering) it can block/ban those ip's after their first try.

Hiding (user)names for guests is possible.... there is already a Hide Post Authors From Guests mod.

-Rik©

Cal O'Shaw

Yes, and as I noted, on my 1.1.13 site it turns on the "new" icon for every topic and will not turn them off.  So it's got a problem.  Hence my request for a quick and dirty.  Tell me what code to put where and I'll do it manually until it can become a MOD.

And before it's mentioned, even if 2.0 RC 5 became the final product today, we'd still wait several months until 2.02 or 2.03 for all the really arcane bugs to come out, all the MODs to catch up, and be sure the 1.x to 2.0 upgrade is bulletproof.  There's a lot of us who just can't give hours to an upgrade and see it hang.  Very cautious.  Part of why I lasted 30 years in DP ;).

PLAYBOY

Quote: And before it's mentioned, even if 2.0 RC 5 became the final product today, we'd still wait several months until 2.02 or 2.03 for all the really arcane bugs to come out, all the MODs to catch up, and be sure the 1.x to 2.0 upgrade is bulletproof. There's a lot of us who just can't give hours to an upgrade and see it hang. Very cautious. Part of why I lasted 30 years in DP.

Totally agree.

I would give it at least a year or a year and a half for 2.x to be ready for us. As I have said before in another topic, we are ready for 2.0 but it is not ready for our requests and needs.


Now we need an image verification of some kind to be integrated on the login form so I can open my forum to guests again. Every second my forum is closed costs me money. Alarm! Alarm! I am losing money here :p

Update: Just to give more info about this bot,
Maybe it would be helpful to people...

I got another type of form (more like a question answer style) on my site and nobody has ever sent any spams through it before. However this bot has been filling its sections and sending them continuously. Here is one of the examples...

Form data:

Question 1: betathomeromania
Question 2: Abkhazia
3: betathomeromania
4: google
5: England
6: Elk
7: 143040
8: What sources did you use to research the topic, and how thoroughly?: 143040
9: betathomeromania
10: 143040
11:
12: Romania
13:
14: betathomeromania
15: This www is interesting
bet at home romania
16: betathomeromania
17: This www is interesting
bet at home romania 

So this bot is basically filling in (and trying) every kind of form it sees, not just SMF.

PLAYBOY

I closed my forum to guest view, but the bot is still trying my password?

It seems like the bot is also saving the membernames. Is there any good solution for this guys? Can anybody help us?

PLAYBOY

That would not work well for this bot because it keeps changing its ip.
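PLAYBOY's point that an IP ban does nothing against a bot that changes address every few requests, together with the earlier suggestions in the thread (have the anti-spam mod block IPs at login; make image verification on the login form switchable), can be illustrated with a small throttle. The Python below is an added example and is not part of any SMF mod or of this thread. It counts recent failures keyed on both the source IP and the account name; the IP limit denies outright, while the account limit answers with a challenge (image verification) rather than a lockout, so the attacker cannot lock real members out just by hammering their names. The attempt sequences are constructed.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window counter of failed logins, keyed on source IP and on target account.

    Decisions, checked in this order:
      "deny"      - the source IP has reached ip_limit failures inside the window
      "challenge" - the account has reached user_limit failures inside the window; the
                    login form should demand image verification instead of locking the
                    account, so members are never locked out by someone else's attempts
      "allow"     - neither limit reached
    A limit of None disables that key entirely.
    """

    def __init__(self, window=600, ip_limit=3, user_limit=3):
        self.window = window
        self.ip_limit = ip_limit
        self.user_limit = user_limit
        self._by_ip = defaultdict(deque)
        self._by_user = defaultdict(deque)

    def _recent(self, dq, now):
        # Drop timestamps that have aged out of the window, then count what is left.
        while dq and dq[0] <= now - self.window:
            dq.popleft()
        return len(dq)

    def check(self, ip, user, now):
        if self.ip_limit is not None and self._recent(self._by_ip[ip], now) >= self.ip_limit:
            return "deny"
        if self.user_limit is not None and self._recent(self._by_user[user.lower()], now) >= self.user_limit:
            return "challenge"
        return "allow"

    def record_failure(self, ip, user, now):
        self._by_ip[ip].append(now)
        self._by_user[user.lower()].append(now)


def run(attempts, throttle):
    """Feed (seconds, ip, username, password_correct) tuples through a throttle.

    Returns the decision taken before each attempt. Denied attempts never reach the
    password check; allowed or challenged attempts with a wrong password are recorded.
    """
    decisions = []
    for t, ip, user, ok in attempts:
        d = throttle.check(ip, user, t)
        decisions.append(d)
        if d != "deny" and not ok:
            throttle.record_failure(ip, user, t)
    return decisions


# Constructed attack traffic: six wrong passwords for one account, each from a new proxy IP.
ROTATING = [(2 * i, f"203.0.113.{i}", "alice", False) for i in range(1, 7)]
# Constructed scraper traffic: one IP trying four different names it harvested.
ONE_IP = [(i, "198.51.100.7", f"member{i}", False) for i in range(1, 5)]

if __name__ == "__main__":
    print("IP-only limit, rotating IPs:  ", run(ROTATING, LoginThrottle(ip_limit=3, user_limit=None)))
    print("IP + account limit, rotating: ", run(ROTATING, LoginThrottle(ip_limit=3, user_limit=3)))
    print("IP limit, single scraping IP: ", run(ONE_IP, LoginThrottle(ip_limit=3, user_limit=3)))
```

With only the IP key, all six rotating attempts are allowed; adding the account key turns the fourth and later ones into challenges, and a member logging in from her own address during the attack is challenged rather than denied, then allowed again once the window has passed. The single-IP scraper is denied on its fourth name. In a real deployment the window and limits should be tuned for the forum's traffic, and the state would live in the database or a cache rather than in one process.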
