Simple Machines Forums attacks

[Arantor]

They find them through Google, based on 'Powered by <forum software>', and then start following forum threads trying to find usernames.

IOW, using the path of least resistance. (I know this because I have two forums that state 'Powered by a custom SMF 2.0' and similar which is not outside the licence terms at this time and neither have been hit even though they're publicly visible)

[NanoSector]

They find them through Google, based on 'Powered by <forum software>', and then start following forum threads trying to find usernames.

IOW, using the path of least resistance. (I know this because I have two forums that state 'Powered by a custom SMF 2.0' and similar which is not outside the licence terms at this time and neither have been hit even though they're publicly visible)

Then...that is good for you, I guess

Mine has no errors at all since it's down

[Arantor]

Then...that is good for you, I guess

And I have my two line patch on the others, which negated them being an issue too

[demagpie]

I own a very tiny forum.  I recently discovered a ton of unactivated accounts so I beefed up password requirements and lowered permissions for new members with no posts and suddenly my "guest" list overfloweth.  At the very same time (maybe coincidence) a new "runtime generated ap" was installed on my database: "load.php."  This seems to have been done under my account with my IP address (?)

Can anyone tell me if this is just an automatic patch sent through when my site did its daily smf updating?  I can't read computer-ese except that it seems to be setting up a "phantom" site for (?), with all sorts of scary searches for info and caches (which might also be phantom read) and mentions hackers and spiders repeatedly.  It's a very long package with a lot of technical data that (if I read it correctly) actually looks like it's a guardian angel for me and my users.  But then, what if it's lying?

I might never have noticed it, except it's generating unspecified errors in my log and seems to have wiped some of the icons in my drop down menu (simple portal).  Is this SMF's helping hand for the little folks who don't have the time to install the Big Guns?  Or something more sinister?  I can't find any references in the news, here.  Please advise.

[IchBin™]

Perhaps you would get better support if you posted in the support boards for your problem, instead of in the news and updates for SMF board. I'd suggest you start a topic here:

For SMF1.x
http://www.simplemachines.org/community/index.php?board=9.0

For SMF2.x
http://www.simplemachines.org/community/index.php?board=147.0

[Kindred]

do note that SMF *NEVER* pushes anything automatically (except news)

[青山 素子]

do note that SMF *NEVER* pushes anything automatically (except news)

Not even news. It's requested automatically when you load the main admin page of the site in 1.1 and below, or by scheduled job in 2.0 (to speed up loading time).

[robbie93]

Arantors patch has seemed to work, it's been over 24hrs now and no errors are showing from the bots although they are still hitting the site but because of the patch the error log isnt been filled up with error after error, I uninstalled the verification on log - in mod, because it filled my logs up with unnecessary errors.

[eyeseven]

just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt"

[Road Rash Jr.]

just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt"

So it is working great then 

[Clara Listensprechen]

He's getting more traffic than my fresh install of rc5!

[Aleksi "Lex" Kilpinen]

just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt"

So it is working great then 

EDIT: I should be sleeping still, I could have sworn this was about the RC and not the login verification - Proceed, nevermind me

[billy2]

over 1000 login attempts by brute force script kiddies- multitude of harvested proxies.

High visual verification and 3 random questions sorted them.

Well done SMF !!

Cheers
Billy

[Clara Listensprechen]

"Script kiddies"--good thing to call 'em because I've got the impression they don't personally visit a site to do what they're doing.

I started up 2 different RC5 boards just to test-drive the machinery and I'm the only member on these boards. The hackbots found my free board on SMFNEW first, and they still haven't found my subforum on my paid host yet, at this point.  I get this curious error on the SMFNEW board, and I suspect it's because I'm the only member there:

8: Undefined index: latestRealName
?http://xxx.xxxxxxx.smfnew.com/

Now, on my 1.1.13 board I get bogus registrations like..

fabiaxnoxie456
IP: xxx.xxx.xxx.xxx
Hostname: yadda.yadda.com
email: [email protected]
Last active: Never.

Yup--Last active: Never. "Script kiddies" indeed. I t hink I'll borrow that expression, it's so apt.

[Kenniee]

Does anyone tell me that what is this forum all abut/
i am totally blank even after reading the previous posts..

[Arantor]

@Clara: That's a bug in SMFNEW's deployment; latestRealName should be set up on registration just fine.

@Kenniee: Recently there have been waves of automated account hacking going on - bots swiping a bunch of usernames from publicly visible threads, and trying to force themselves into those accounts by going through a list of the 50 or so most popular passwords.

In an attempt to combat it, several methods have been proposed, some very specific (like my patch) and some quite broad.

[billy2]

* billy2 thinks Arantor should be knighted for his efforts

[catfished]

* billy2 thinks Arantor should be knighted for his efforts

+1

[Clara Listensprechen]

@Clara: That's a bug in SMFNEW's deployment; latestRealName should be set up on registration just fine.
...

I find that even I generate that error and one other--me and every Guest triggers those same two errors. Thanks.

[Arantor]

It's because the two values aren't being added to $modSettings as they should be; a fresh install should be setting those two values, and a new registration should reset them again (to the details of the new registration)