Author Topic: Simple Machines Forums attacks  (Read 1912783 times)

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,222
    • StoryBB/StoryBB on GitHub
Re: Simple Machines Forums attacks
« Reply #80 on: February 24, 2011, 12:59:59 PM »
They find them through Google, based on 'Powered by <forum software>', and then start following forum threads trying to find usernames.

IOW, using the path of least resistance. (I know this because I have two forums that state 'Powered by a custom SMF 2.0' and similar which is not outside the licence terms at this time and neither have been hit even though they're publicly visible)
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline NanoSector

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 10,499
  • Gender: Male
  • VC321xb47@aperture:~#
    • Yoshi2889 on GitHub
Re: Simple Machines Forums attacks
« Reply #81 on: February 24, 2011, 01:05:25 PM »
Quote
They find them through Google, based on 'Powered by <forum software>', and then start following forum threads trying to find usernames.

IOW, using the path of least resistance. (I know this because I have two forums that state 'Powered by a custom SMF 2.0' and similar which is not outside the licence terms at this time and neither have been hit even though they're publicly visible)

Then...that is good for you, I guess ???

Mine has no errors at all since it's down :P
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,222
    • StoryBB/StoryBB on GitHub
Re: Simple Machines Forums attacks
« Reply #82 on: February 24, 2011, 01:27:46 PM »
Quote
Then...that is good for you, I guess

And I have my two line patch on the others, which negated them being an issue too ;D
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline demagpie

  • Newbie
  • *
  • Posts: 4
Re: Simple Machines Forums attacks
« Reply #83 on: February 24, 2011, 05:20:57 PM »
I own a very tiny forum.  I recently discovered a ton of unactivated accounts so I beefed up password requirements and lowered permissions for new members with no posts and suddenly my "guest" list overfloweth.  At the very same time (maybe coincidence) a new "runtime generated ap" was installed on my database: "load.php."  This seems to have been done under my account with my IP address (?)

Can anyone tell me if this is just an automatic patch sent through when my site did its daily smf updating?  I can't read computer-ese except that it seems to be setting up a "phantom" site for (?), with all sorts of scary searches for info and caches (which might also be phantom read) and mentions hackers and spiders repeatedly.  It's a very long package with a lot of technical data that (if I read it correctly) actually looks like it's a guardian angel for me and my users.  But then, what if it's lying? :o

I might never have noticed it, except it's generating unspecified errors in my log and seems to have wiped some of the icons in my drop down menu (simple portal).  Is this SMF's helping hand for the little folks who don't have the time to install the Big Guns?  Or something more sinister?  I can't find any references in the news, here.  Please advise.

Offline IchBin™

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 11,115
  • Gender: Male
  • I don't speak German.
Re: Simple Machines Forums attacks
« Reply #84 on: February 24, 2011, 05:26:54 PM »
Perhaps you would get better support if you posted in the support boards for your problem, instead of in the news and updates for SMF board. I'd suggest you start a topic here:

For SMF1.x
http://www.simplemachines.org/community/index.php?board=9.0

For SMF2.x
http://www.simplemachines.org/community/index.php?board=147.0
IchBin™        TinyPortal
Coding Guidelines       

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 58,320
  • Gender: Male
    • Kindred-999 on GitHub
Re: Simple Machines Forums attacks
« Reply #85 on: February 24, 2011, 06:10:52 PM »
do note that SMF *NEVER* pushes anything automatically (except news)
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 17,068
  • 戦場ヶ原、蕩れ!
    • srvrguy on GitHub
    • @motokochan on Twitter
    • Nekomusume Moe
Re: Simple Machines Forums attacks
« Reply #86 on: February 24, 2011, 06:25:16 PM »
Quote
do note that SMF *NEVER* pushes anything automatically (except news)

Not even news. It's requested automatically when you load the main admin page of the site in 1.1 and below, or by scheduled job in 2.0 (to speed up loading time).
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Offline robbie93

  • Sr. Member
  • ****
  • Posts: 733
    • R&H
Re: Simple Machines Forums attacks
« Reply #87 on: February 24, 2011, 10:03:23 PM »
Arantor's patch has seemed to work; it's been over 24hrs now and no errors are showing from the bots, although they are still hitting the site, but because of the patch the error log isn't being filled up with error after error. I uninstalled the verification on login mod, because it filled my logs up with unnecessary errors.

Offline eyeseven

  • Semi-Newbie
  • *
  • Posts: 54
Re: Simple Machines Forums attacks
« Reply #88 on: February 25, 2011, 08:27:41 PM »
just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt" :(

Offline Road Rash Jr.

  • Sr. Member
  • ****
  • Posts: 765
Re: Simple Machines Forums attacks
« Reply #89 on: February 25, 2011, 08:30:59 PM »
Quote
just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt" :(

So it is working great then  ;D
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

Offline Clara Listensprechen

  • Jr. Member
  • **
  • Posts: 256
  • Gender: Female
  • Impossible Person
    • clara.listensprechen on Facebook
    • @ClaraListenspre on Twitter
    • Clara's Cranny blog
Re: Simple Machines Forums attacks
« Reply #90 on: February 26, 2011, 12:50:01 AM »
He's getting more traffic than my fresh install of rc5! :P

I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Online Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,435
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: Simple Machines Forums attacks
« Reply #91 on: February 26, 2011, 01:12:30 AM »
just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt" :(

So it is working great then  ;D

EDIT: I should be sleeping still, I could have sworn this was about the RC and not the login verification - Proceed, nevermind me :P

A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline billy2

  • Jr. Member
  • **
  • Posts: 187
Re: Simple Machines Forums attacks
« Reply #92 on: February 26, 2011, 07:39:42 AM »
over 1000 login attempts by brute force script kiddies- multitude of harvested proxies.

High visual verification and 3 random questions sorted them.

Well done SMF !!

Cheers
Billy

Offline Clara Listensprechen

  • Jr. Member
  • **
  • Posts: 256
  • Gender: Female
  • Impossible Person
    • clara.listensprechen on Facebook
    • @ClaraListenspre on Twitter
    • Clara's Cranny blog
Re: Simple Machines Forums attacks
« Reply #93 on: March 01, 2011, 12:02:44 AM »
"Script kiddies"--good thing to call 'em because I've got the impression they don't personally visit a site to do what they're doing.

I started up 2 different RC5 boards just to test-drive the machinery and I'm the only member on these boards. The hackbots found my free board on SMFNEW first, and they still haven't found my subforum on my paid host yet, at this point.  I get this curious error on the SMFNEW board, and I suspect it's because I'm the only member there:

Quote
8: Undefined index: latestRealName
?http://xxx.xxxxxxx.smfnew.com/

Now, on my 1.1.13 board I get bogus registrations like..

fabiaxnoxie456
IP: xxx.xxx.xxx.xxx
Hostname: yadda.yadda.com
email: youknowtheroutine@blahbla.info
Last active: Never.

Yup--Last active: Never. "Script kiddies" indeed. I think I'll borrow that expression, it's so apt.
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Offline Kenniee

  • Newbie
  • *
  • Posts: 4
Re: Simple Machines Forums attacks
« Reply #94 on: March 01, 2011, 02:37:01 AM »
Can anyone tell me what this forum is all about?
I am totally blank even after reading the previous posts.. :P

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,222
    • StoryBB/StoryBB on GitHub
Re: Simple Machines Forums attacks
« Reply #95 on: March 01, 2011, 07:45:30 AM »
@Clara: That's a bug in SMFNEW's deployment; latestRealName should be set up on registration just fine.

@Kenniee: Recently there have been waves of automated account hacking going on - bots swiping a bunch of usernames from publicly visible threads, and trying to force themselves into those accounts by going through a list of the 50 or so most popular passwords.

In an attempt to combat it, several methods have been proposed, some very specific (like my patch) and some quite broad.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.
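
The pattern described in Reply #95 (a harvested username tried against a short list of popular passwords) combined with the rotating proxies mentioned in Reply #92 shows up clearly when failed logins are grouped per account rather than per address. The sketch below is an added example, not part of the thread and not SMF code; the record format, thresholds, function names and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_failures():
    """Constructed failed-login records: (timestamp, source IP, username).
    Not SMF's error-log format; map your own log fields onto this tuple."""
    base = datetime(2011, 2, 26, 7, 0, 0)
    rows = []
    # "alice": 12 failures in under 6 minutes, every one from a different proxy.
    for i in range(12):
        rows.append((base + timedelta(seconds=30 * i), f"198.51.100.{i + 1}", "alice"))
    # "bob": a member mistyping his own password three times from one address.
    for i in range(3):
        rows.append((base + timedelta(seconds=20 * i), "203.0.113.7", "bob"))
    return rows

def flag_targeted_accounts(rows, window=timedelta(minutes=10),
                           min_failures=10, min_ips=5):
    """Return {username: (failures, distinct_ips)} for accounts that saw at
    least min_failures failed logins from at least min_ips addresses inside
    one sliding window. Thresholds are illustrative assumptions."""
    by_user = defaultdict(list)
    for ts, ip, user in rows:
        by_user[user.lower()].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the span never exceeds the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            ips = {ip for _, ip in span}
            if len(span) >= min_failures and len(ips) >= min_ips:
                flagged[user] = max(flagged.get(user, (0, 0)), (len(span), len(ips)))
    return flagged

def per_ip_offenders(rows, limit=5):
    """Addresses a per-IP failure limit would catch, for comparison."""
    counts = defaultdict(int)
    for _, ip, _ in rows:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= limit)

if __name__ == "__main__":
    rows = sample_failures()
    print("per-IP limit catches:", per_ip_offenders(rows))
    print("per-account view flags:", flag_targeted_accounts(rows))
```

On the constructed data the per-address count catches nothing, because each proxy is used once, while the per-account view flags the one account under attack and leaves the member who mistyped his password alone.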

Offline billy2

  • Jr. Member
  • **
  • Posts: 187
Re: Simple Machines Forums attacks
« Reply #96 on: March 01, 2011, 09:19:59 AM »
* billy2 thinks Arantor should be knighted for his efforts

Offline catfished

  • Sr. Member
  • ****
  • Posts: 877
  • Gender: Male
  • pǝsnɟuoɔ ןןıʇs puɐ ʇɹıp uɐɥʇ ɹǝpןo
    • CatfishED.com
Re: Simple Machines Forums attacks
« Reply #97 on: March 01, 2011, 02:32:02 PM »
Quote
* billy2 thinks Arantor should be knighted for his efforts

+1
You use and like this forum software? Then show your appreciation and support by becoming a Charter Member.



CatfishEd.com

Offline Clara Listensprechen

  • Jr. Member
  • **
  • Posts: 256
  • Gender: Female
  • Impossible Person
    • clara.listensprechen on Facebook
    • @ClaraListenspre on Twitter
    • Clara's Cranny blog
Re: Simple Machines Forums attacks
« Reply #98 on: March 01, 2011, 08:17:12 PM »
Quote
@Clara: That's a bug in SMFNEW's deployment; latestRealName should be set up on registration just fine.
...

I find that even I generate that error and one other--me and every Guest triggers those same two errors. Thanks.
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,222
    • StoryBB/StoryBB on GitHub
Re: Simple Machines Forums attacks
« Reply #99 on: March 01, 2011, 08:21:43 PM »
It's because the two values aren't being added to $modSettings as they should be; a fresh install should be setting those two values, and a new registration should reset them again (to the details of the new registration)
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.