Mysterious guest with no IP and critical errors

Started by bluejay51, October 25, 2013, 03:00:42 PM


bluejay51

Hi everyone

Just a quick question regarding a mysterious guest with no IP address.

First of all, the site is running SMF v2.0.6. Everything has always been kept up to date and well maintained.

Within the last 3-4 days there have been nearly 100 errors generated each day at various times in the SMF error log. These errors are all originating from a mysterious guest with no IP address and nearly all of them point to the file "security.php". Most of the actual error messages are "Undefined index: permissions" and then there are the critical ones like "Sorry, but you've reached your login attempts threshold. Please wait 30 seconds and try again later" but there are a number of other error messages being generated as well.

Looking at the dates and times these error messages are generated, it appears to be a bot because, for example, there are as many as 30-40 all generated within a matter of seconds. However, there have also been instances where they have been spread out over time.

Stop Spammer, httpBL and (more recently) Forum Firewall have been installed. Many other measures have been taken as well (captcha, various restrictions and challenges, etc). However, the mysterious guest just seems to blow right through them without leaving a single trace, and since there is nothing to ban or block (IP, hostname, user agent, headers, etc) it continues.

Because of the nature of the errors and the lack of an IP address, it would be difficult to imagine that this is simply a rogue MOD (the same MODS have been installed for a long time and there have been no issues).

I guess the questions here are: Is there anything that can be done to unmask whoever (or whatever) is doing this and block them? And is this something that others have experienced as well? Any input or recommendations on how to proceed would be really appreciated. Thanks so much!
Community operated support group for people living with anxiety disorders.
http://www.anxietyzone.com

Kindred

1- if you are using cloudflare, IPs might come across as 0.0.0.0
2- if they are using IPv6, IPs may come across as 0.0.0.0

undefined permissions is almost certainly due to a mod - since SMF by itself does not generate any errors.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

bluejay51

Thank you for your reply.

Not using Cloudflare. The IPs aren't showing up as 0.0.0.0 - they aren't showing up at all. What about the fact that the IPs are completely hidden? How does one unmask them? What about the numerous error messages each day with the message "Sorry, but you've reached your login attempts threshold" (as if someone or something was attempting to hide their identity and then make numerous attempts to login)? Obviously, it would be nice to be able to find out who or what is doing this and then, if necessary, block them. Is there anything that can be done?

I guess the last question I have is: are there any MODS that are well-known for causing these permissions errors?

Thanks again for your help and input!

Arantor

What URLs are being visited that are causing the undefined 'permissions' error messages?

bluejay51

On the undefined permissions errors (of which there are many each day by this guest with no IP), the main URL visited is...

http://www.anxietyzone.com/index.php?board=6.50

The entire thing looks like this...

http://www.anxietyzone.com/index.php?board=6.50
8: Undefined index: permissions
File: /home/********/public_html/Sources/Security.php

On the two critical errors produced so far (just today) by the mysterious guest with no IP address, the URLs visited are...

http://www.anxietyzone.com/index.php?board=6.50

...and...

http://www.anxietyzone.com/index.php?/topic,77452.0/prev_next,next.html

Below each of these, there is an error that reads...

"Sorry, but you've reached your login attempts threshold. Please wait 30 seconds and try again later".

There are other errors generated by this guest as well.

Thanks again!

Arantor

What line of Security.php?

What modifications do you have installed?

bluejay51

Sorry about that. Here are the two Security.php errors in more detail...

* Guest
* (No IP address)
* http://www.anxietyzone.com/index.php?board=6.50
* 2: in_array() expects parameter 2 to be array, null given
* File: /home/********/public_html/Sources/Security.php
* Line: 831

...and...

* Guest
* (No IP address)
* http://www.anxietyzone.com/index.php?board=6.50
* 2: in_array() expects parameter 2 to be array, null given
* File: /home/********/public_html/Sources/Security.php
* Line: 831

Practically all of them (about 100 each day) look like this and point to the same error, line number, etc. Of perhaps greater concern is the fact that the IP is always hidden and there are numerous login attempts each day.

As far as listing all of the installed MODS is concerned, I'm a little apprehensive about doing that (from a security standpoint) - just being honest. Is there another way?

Hope this helps and thanks again for your help.

Arantor

> As far as listing all of the installed MODS is concerned, I'm a little apprehensive about doing that (from a security standpoint) - just being honest. Is there another way?

Not really, no. Something's calling for a permission check before the permissions are loaded. If you really are bothered by it (and honestly, I wouldn't be myself), feel free to PM me the list of mods.

Of course, if Tapatalk is installed, all bets should be considered to be off, especially if it is out of date.
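To make the "permission check before permissions are loaded" failure concrete, here is an added illustration (not SMF's own code, and not code from anyone in this thread): a cut-down permission check that reproduces the two log entries above, beside a variant that fails closed and records which caller asked too early. The `$user_info` layout mirrors SMF's global of that name; the function names are hypothetical.

```php
<?php
// Added illustration, not SMF source. $user_info mirrors SMF's global; the
// function names below are hypothetical stand-ins for the real boot sequence.

// State as a request sees it after the user row is loaded but before the
// permissions step has run: there is no 'permissions' key at all.
$user_info = array('is_admin' => false, 'is_guest' => true);

// Unguarded pattern. With the state above this emits exactly the two entries
// from the thread: "Undefined index: permissions" (E_NOTICE, level 8) and
// "in_array() expects parameter 2 to be array, null given" (E_WARNING, level 2).
function allowed_to_unguarded($permission)
{
    global $user_info;
    return in_array($permission, $user_info['permissions']);
}

// Hardened variant: "permissions not loaded yet" means "not allowed", and the
// premature caller is logged so the responsible mod can be found by name.
function allowed_to_guarded($permission)
{
    global $user_info;
    if (!isset($user_info['permissions']) || !is_array($user_info['permissions'])) {
        $trace = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 2);
        $from = isset($trace[1]['function']) ? $trace[1]['function'] : '(top level)';
        error_log("Permission '$permission' checked before permissions were loaded; called from $from");
        return false;   // fail closed rather than notice-and-continue
    }
    return in_array($permission, $user_info['permissions'], true);
}

// Stand-in for the step that normally fills in the permission list.
function load_permissions_stub()
{
    global $user_info;
    $user_info['permissions'] = array('view_stats', 'search_posts');
}

// A mod-style helper that runs too early in the boot sequence.
function early_mod_hook()
{
    return allowed_to_guarded('view_stats');   // false, and one error_log line
}

var_dump(early_mod_hook());
load_permissions_stub();
var_dump(allowed_to_guarded('view_stats'));       // granted once loaded
var_dump(allowed_to_guarded('moderate_board'));   // not in the list
```

Running it with `display_errors` on shows that only the unguarded function produces the notice and warning; the guarded one leaves a single log line naming `early_mod_hook` as the premature caller.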

bluejay51

Thanks, I was just updating my last post and then noticed that you had replied.

Is there any way to unmask this person (or bot) with the hidden IP address and block them? When I see things like a hidden IP address hitting the site hundreds of times over a period of days and then see permission errors and Security.php as well as repeated login attempts, etc... it kind of puts the nerves on edge. Is this something that I should be concerned about?

Tapatalk is not installed. I think there are probably too many MODS to even list. For example, under browse packages, there are a total of 86 (some left over from previous installs/updates/upgrades) and under installed packages, there are 38.

Arantor

> Is there any way to unmask this person (or bot) with the hidden IP address and block them?

Doubtful.

> Is this something that I should be concerned about?

Not sure what you can do about it, honestly.

> under installed packages, there are 38.

That all? I know forums with over 150 installed packages.

bluejay51

I went ahead and sent you the list of installed MODS via a PM message. Thanks again for your help with this!

Arantor

Forcing login by email sounds like a wonderful thing except from a security perspective it actually isn't. It is actually less secure than the normal method of logging in - unless you're using SSL, which you're not.

It may even be related to the 'too many logins' error you're seeing, actually, especially if you have bad bots trying to break in.


None of the others seem immediately like typical candidates for this issue, though :/ But it's something doing a permission check too early. What I really need to add at some point in SMF is the ability to get full backtraces which would help diagnose this stuff absolutely properly.

bluejay51

I just wanted to say that you have been very quick to respond, with good answers, and extremely helpful. Thanks!

Having said that, I have been planning to uninstall the email login MOD for a long time but have just never gotten around to it. In fact, I don't even remember anymore what the reason was but I know there was some issue that caused a number of problems awhile back.

Some of the other MODS haven't been updated because they are no longer being actively developed. In some instances, prior to installing a MOD, the code had to be edited to change the SMF version just to get the MOD to install and to prevent it from being rejected by the package manager.

It would be nice to be able to install the entire forum from scratch. I've already done this on a test server and it went very well. The main issue is that there would still be all kinds of leftovers of various MODS in the database and I have no idea how to clean out all of those.

Arantor

Glad I could help to even a small degree :)

As far as clearing house goes, removing mods will help with that anyway - and there's always the Large Upgrade package which will restore all files to their default state.

Data left in the database will largely be a minor inconvenience, removing those traces is not a particularly easy or pleasant job but it shouldn't affect anything else to just leave it around there.

bluejay51

I just wanted to do a quick follow-up here...

I've very systematically and carefully replaced all code from the cb|email login MOD with original SMF 2.0.6 code and everything works flawlessly. Members can now login with their username but here's the rub - they can also login with their email address if they wish.

Is there some way of forcing members to sign in using their username only? I believe this is the way an out-of-the-box installation of SMF works. I'm wondering if there are leftover fragments in the database itself or if there is some setting that needs to be adjusted.

Thanks as always for any help with this!

Arantor

Nope. The SMF code specifically accepts both, but it much, much prefers username (because that can be protected during transit and email addresses cannot, at least not by SMF itself)

bluejay51

I guess if SMF works both ways on a vanilla install then everything is back to the way it should be then which is good  :)

Thanks again for the speedy reply!

bluejay51

Sending this as a PM instead.

Arantor

I don't like doing support by PM unless I specifically ask for PMs first (which, in this case, I only did for *sensitive* information even though it actually wasn't very sensitive in the first place)

Now I'm under an obligation to answer it as opposed to leaving the tab open and answering if an idea strikes me or it turns up in my unread list.

Kindred

also, by removing your post and sending it by PM to Arantor, you have now removed your chances of ANYONE else helping you...

bluejay51

I had not realized until sometime after the message had been sent the link in your signature. Please feel free to reply only at your convenience and thanks in advance for your help. Here then is the original post...

In spite of the removal of the cb|Email Login MOD (which I was hoping might correct a few issues), the mysterious guest with no IP address is continuing to rack up login attempts, repeatedly reaching the login threshold and then returning again and again causing critical errors in the logs and many more elsewhere.

Since this guest only seems to be affected by the login threshold, I was wondering if someone here could tell me how to change the number of seconds (currently 30) that members who pass the login threshold must wait to a different number. For example, how to change the 30 second wait time to something like 60 or 120, etc. Also, is there a way to automatically ban/block a guest after a certain number of failed login attempts?

Thank you.

butchs

Maybe my post is a tad late. I have been busy at work and have not visited as often as I used to... But if Forum Firewall has "Enable Testing", "Block Violations", "Logging" and "Enable IP Validation" all checked and the visitor has an IPv4 address, then the user will get blocked because it is using a reserved IP address. A visitor can show up on the SMF log and still be blocked. Next time you see it, check the Forum Firewall log around the date and time of the visit for the "Invalid ip" entry.

I suggest looking into the "DOS Attack" option to rid yourself of the bot.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Chas Large

I get lots of error messages with no IP address and I remember somewhere in the dim distant past, this question was asked before, the answer being (I think) that these missing addresses were most likely IPV6 addresses which is why SMF does not show them.

I could be mistaken, "ze littel grey cells are not wat zey once were mon ami" ;)
My Modifications :)  My Forum

Please DO NOT PM me with support requests. Post the problem in the appropriate Support Board so everyone can benefit from the advice given.

cortez

+1

I also started getting exactly the same thing in the last couple of days. No changes to forum software in weeks.

Guest permissions, SMF 2.0.6, no IP, Security.php (default, with no changes to it by any mod) and line 831.

But it spams my error log heavily, like 1000-2000 entries per day. Could this be a bot?
