Author Topic: Simple Machines Forums attacks (Read 1912783 times)

Arantor · « **Reply #80 on:** February 24, 2011, 12:59:59 PM »

They find them through Google, based on 'Powered by <forum software>', and then start following forum threads trying to find usernames.

IOW, using the path of least resistance. (I know this because I have two forums that state 'Powered by a custom SMF 2.0' and similar which is not outside the licence terms at this time and neither have been hit even though they're publicly visible)

NanoSector · « **Reply #81 on:** February 24, 2011, 01:05:25 PM »

Quote from: Arantor on February 24, 2011, 12:59:59 PM

They find them through Google, based on 'Powered by <forum software>', and then start following forum threads trying to find usernames.

IOW, using the path of least resistance. (I know this because I have two forums that state 'Powered by a custom SMF 2.0' and similar which is not outside the licence terms at this time and neither have been hit even though they're publicly visible)

Then...that is good for you, I guess

Mine has no errors at all since it's down

Arantor · « **Reply #82 on:** February 24, 2011, 01:27:46 PM »

Quote

Then...that is good for you, I guess

And I have my two line patch on the others, which negated them being an issue too

demagpie · « **Reply #83 on:** February 24, 2011, 05:20:57 PM »

I own a very tiny forum. I recently discovered a ton of unactivated accounts so I beefed up password requirements and lowered permissions for new members with no posts and suddenly my "guest" list overfloweth. At the very same time (maybe coincidence) a new "runtime generated ap" was installed on my database: "load.php." This seems to have been done under my account with my IP address (?)

Can anyone tell me if this is just an automatic patch sent through when my site did its daily smf updating? I can't read computer-ese except that it seems to be setting up a "phantom" site for (?), with all sorts of scary searches for info and caches (which might also be phantom read) and mentions hackers and spiders repeatedly. It's a very long package with a lot of technical data that (if I read it correctly) actually looks like it's a guardian angel for me and my users. But then, what if it's lying?

I might never have noticed it, except it's generating unspecified errors in my log and seems to have wiped some of the icons in my drop down menu (simple portal). Is this SMF's helping hand for the little folks who don't have the time to install the Big Guns? Or something more sinister? I can't find any references in the news, here. Please advise.

IchBin™ · « **Reply #84 on:** February 24, 2011, 05:26:54 PM »

Perhaps you would get better support if you posted in the support boards for your problem, instead of in the news and updates for SMF board. I'd suggest you start a topic here:

For SMF1.x
http://www.simplemachines.org/community/index.php?board=9.0

For SMF2.x
http://www.simplemachines.org/community/index.php?board=147.0

Kindred · « **Reply #85 on:** February 24, 2011, 06:10:52 PM »

do note that SMF *NEVER* pushes anything automatically (except news)

青山素子 · « **Reply #86 on:** February 24, 2011, 06:25:16 PM »

Quote from: Kindred on February 24, 2011, 06:10:52 PM

do note that SMF *NEVER* pushes anything automatically (except news)

Not even news. It's requested automatically when you load the main admin page of the site in 1.1 and below, or by scheduled job in 2.0 (to speed up loading time).

robbie93 · « **Reply #87 on:** February 24, 2011, 10:03:23 PM »

Arantors patch has seemed to work, it's been over 24hrs now and no errors are showing from the bots although they are still hitting the site but because of the patch the error log isnt been filled up with error after error, I uninstalled the verification on log - in mod, because it filled my logs up with unnecessary errors.

eyeseven · « **Reply #88 on:** February 25, 2011, 08:27:41 PM »

just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt"

Road Rash Jr. · « **Reply #89 on:** February 25, 2011, 08:30:59 PM »

Quote from: eyeseven on February 25, 2011, 08:27:41 PM

just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt"

So it is working great then

Clara Listensprechen · « **Reply #90 on:** February 26, 2011, 12:50:01 AM »

He's getting more traffic than my fresh install of rc5!

Aleksi "Lex" Kilpinen · « **Reply #91 on:** February 26, 2011, 01:12:30 AM »

Quote from: Road Rash on February 25, 2011, 08:30:59 PM

Quote from: eyeseven on February 25, 2011, 08:27:41 PM
just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt"

So it is working great then

EDIT: I should be sleeping still, I could have sworn this was about the RC and not the login verification - Proceed, nevermind me

billy2 · « **Reply #92 on:** February 26, 2011, 07:39:42 AM »

over 1000 login attempts by brute force script kiddies- multitude of harvested proxies.

High visual verification and 3 random questions sorted them.

Well done SMF !!

Cheers
Billy

Clara Listensprechen · « **Reply #93 on:** March 01, 2011, 12:02:44 AM »

"Script kiddies"--good thing to call 'em because I've got the impression they don't personally visit a site to do what they're doing.

I started up 2 different RC5 boards just to test-drive the machinery and I'm the only member on these boards. The hackbots found my free board on SMFNEW first, and they still haven't found my subforum on my paid host yet, at this point. I get this curious error on the SMFNEW board, and I suspect it's because I'm the only member there:

Quote

8: Undefined index: latestRealName
?http://xxx.xxxxxxx.smfnew.com/

Now, on my 1.1.13 board I get bogus registrations like..

fabiaxnoxie456
IP: xxx.xxx.xxx.xxx
Hostname: yadda.yadda.com
email: youknowtheroutine@blahbla.info
Last active: Never.

Yup--Last active: Never. "Script kiddies" indeed. I t hink I'll borrow that expression, it's so apt.

Kenniee · « **Reply #94 on:** March 01, 2011, 02:37:01 AM »

Does anyone tell me that what is this forum all abut/
i am totally blank even after reading the previous posts..

Arantor · « **Reply #95 on:** March 01, 2011, 07:45:30 AM »

@Clara: That's a bug in SMFNEW's deployment; latestRealName should be set up on registration just fine.

@Kenniee: Recently there have been waves of automated account hacking going on - bots swiping a bunch of usernames from publicly visible threads, and trying to force themselves into those accounts by going through a list of the 50 or so most popular passwords.

In an attempt to combat it, several methods have been proposed, some very specific (like my patch) and some quite broad.

billy2 · « **Reply #96 on:** March 01, 2011, 09:19:59 AM »

* billy2 thinks Arantor should be knighted for his efforts

catfished · « **Reply #97 on:** March 01, 2011, 02:32:02 PM »

Quote from: billy2 on March 01, 2011, 09:19:59 AM

* billy2 thinks Arantor should be knighted for his efforts

+1

Clara Listensprechen · « **Reply #98 on:** March 01, 2011, 08:17:12 PM »

Quote from: Arantor on March 01, 2011, 07:45:30 AM

@Clara: That's a bug in SMFNEW's deployment; latestRealName should be set up on registration just fine.
...

I find that even I generate that error and one other--me and every Guest triggers those same two errors. Thanks.

Arantor · « **Reply #99 on:** March 01, 2011, 08:21:43 PM »

It's because the two values aren't being added to $modSettings as they should be; a fresh install should be setting those two values, and a new registration should reset them again (to the details of the new registration)

News:

Author Topic: Simple Machines Forums attacks (Read 1912783 times)