
SMF 2.0 hacked?

Started by realvision, November 06, 2021, 04:39:43 PM


realvision

Hello,

I had no spam for a few years, but now it is back.
The intriguing thing is that the users posting the spam are legitimate users who registered a few years ago.
So I think they have found a way to steal real accounts and post messages.

When I track the IP, I can always see 3 messages sent by the forum to the user just before they post the spam:

Password incorrect - TheUser
/forum/index.php?PHPSESSID=c80b56d29791e52a1950376f267cfe85&action=login2

Password incorrect - TheUser
/forum/index.php??PHPSESSID=14c925530e3acf9d36e95a5dfb4434a5&action=login2

Password incorrect - TheUser
/forum/index.php?action=login2

So they are using the "password incorrect" page to steal the account.

Very dangerous!

shadav

Chances are the accounts' emails and passwords were leaked elsewhere, so they are using known passwords from other sites associated with that email.

Also, what version of SMF is this for?
What anti-spam methods do you use to deter spam, i.e. verification questions? It's probably time to replace your questions with new ones.

What's in your server logs?

But as for the older members, again, it's more likely their info was leaked elsewhere, and so now "hackers" are just looking for accounts with that email and trying known passwords for it.
Change the users' passwords and send them an email telling them they need to reset it due to suspicious activity.
It's also not uncommon for spammers to join places and not make a single post for a while (maybe they forgot) and then come back later to start spamming.

realvision

I am using SMF version 2.0.18.
I am using Stop Forum Spam, which blocks 99% of the spam registrations,
and 3 questions.
But it seems they know how to answer my questions now, even if I change the word to write.
Maybe I need to change the syntax.

There are tons of things in the server logs, difficult for me to understand.
In the errors, I can see they try to brute-force the WordPress login page.

Thanks for your answer anyway.

shawnb61

Shadav is correct. We've seen the same on our site: lots of logon attempts for many users, many fail, but the ones that make it through post spam. All from the same IP.

A significant problem the last few weeks, and we very rarely see spam.

I've been resetting the passwords of affected users.

Folks do tend to use the same IDs/passwords in many places.
A question worth asking is born in experience & driven by necessity. - Fripp
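The pattern shawnb61 describes (many failed logins for many different users from one IP, then spam from the accounts that succeed) is the classic credential-stuffing footprint, and it is easy to surface from logs once you group by client IP. The script below is an added example, not code from this thread or from SMF: it runs over constructed log lines whose format, usernames and IPs are assumptions, flags any IP that fails logins against several distinct accounts inside a short window, and reports which of those accounts then logged in successfully from the same IP.

```python
"""Spot credential stuffing in login logs.

Added example, not code from this thread or from SMF. The log line format
below is constructed for illustration; real SMF log tables differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client ip> <event> <username>"
# Events: LOGIN_FAIL (the "Password incorrect" page), LOGIN_OK, POST.
SAMPLE_LOG = """\
2021-11-06T15:01:10 203.0.113.7  LOGIN_FAIL alice
2021-11-06T15:01:12 203.0.113.7  LOGIN_FAIL alice
2021-11-06T15:01:15 203.0.113.7  LOGIN_FAIL bob
2021-11-06T15:01:20 203.0.113.7  LOGIN_FAIL carol
2021-11-06T15:01:25 203.0.113.7  LOGIN_OK   carol
2021-11-06T15:02:00 203.0.113.7  POST       carol
2021-11-06T15:03:00 198.51.100.9 LOGIN_FAIL dave
2021-11-06T15:03:30 198.51.100.9 LOGIN_OK   dave
2021-11-06T16:00:00 198.51.100.9 POST       dave
"""


def parse_log(text):
    """Turn the constructed log text into sorted (time, ip, event, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, user = line.split()
        events.append((datetime.fromisoformat(ts), ip, event, user))
    return sorted(events)


def find_stuffing(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {ip: {"targeted": set, "compromised": set}}.

    An IP is flagged when it produced LOGIN_FAIL events for at least
    `min_accounts` distinct usernames inside `window`. "compromised" lists
    the accounts that then logged in successfully from that IP at or after
    the first failure of the flagged window.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[2] == "LOGIN_FAIL"]
        for i, start in enumerate(fails):
            # all failures within `window` of this one (events are sorted)
            targeted = {e[3] for e in fails[i:] if e[0] - start[0] <= window}
            if len(targeted) >= min_accounts:
                compromised = {e[3] for e in evs
                               if e[2] == "LOGIN_OK" and e[0] >= start[0]}
                flagged[ip] = {"targeted": targeted,
                               "compromised": compromised}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: tried {sorted(info['targeted'])}, "
              f"got in as {sorted(info['compromised'])}")
```

With the default threshold the single user who mistyped once (dave) is not flagged, while the IP that walked through three accounts is, together with the account it got into. The accounts in "compromised" are the ones to reset and notify, as shadav suggested above; the threshold and window are the knobs to tune against your own login volume.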

Steve

Quote from: realvision on November 06, 2021, 05:10:59 PM
But it seems they know how to answer my questions now

You really need to have a dozen or so questions that you can rotate through the 3 you want answered. Periodically changing the questions helps significantly.

https://simplemachines.org/community/index.php?topic=531660.msg3776163#msg3776163
My pet rock is not feeling well. I think it's stoned.

SpacePhoenix

Quote from: Steve on November 07, 2021, 08:46:55 AM
Quote from: realvision on November 06, 2021, 05:10:59 PM
But it seems they know how to answer my questions now

You really need to have a dozen or so questions that you can rotate through the 3 you want answered. Periodically changing the questions helps significantly.

https://simplemachines.org/community/index.php?topic=531660.msg3776163#msg3776163

I don't know if there are any plugins, but what about having a couple of hundred questions and choosing 3 randomly each time?

Kindred

You only need 20-30 questions.... and I only ask 2...  and have not had an autospammer in 3 years
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

shadav

Quote from: SpacePhoenix on November 08, 2021, 05:54:44 AM
Quote from: Steve on November 07, 2021, 08:46:55 AM
Quote from: realvision on November 06, 2021, 05:10:59 PM
But it seems they know how to answer my questions now

You really need to have a dozen or so questions that you can rotate through the 3 you want answered. Periodically changing the questions helps significantly.

https://simplemachines.org/community/index.php?topic=531660.msg3776163#msg3776163

I don't know if there's any plugins but what about having a couple of hundred questions and choosing 3 randomly each time?

The problem with a plug-in is that everyone would then be using the same questions and answers, which would defeat the purpose; bots would just record the questions and answers and bypass them on any site using said plug-in.

I mean, I do use a few generic questions and answers. I was using a few posted by a member here, but as stated, if everyone's using the same questions/answers, bots jot them down, and well, I had to change mine because they learned them.
Typically I was using maybe 5 from a member posted here in the forums, 5 somewhat generic and 5 aimed at my site. I started seeing a few bots, so I changed the ones from here and the generic ones; no more bots.

a10

Write the numbers seen in qwert1234yuiop
Enter the 1st three numbers seen in qwerty1234567uiop
Write the three last letters seen in 123qwertyu456
Enter the 5th letter seen in a67dfg78hjk
The first two non-letter symbols seen in asdfg?&%+hjkl are
Write the last 3 numbers seen in zxcv1234567bnm
Enter the first 2 uppercase letters seen in asd123fGHJKLasdf123
etc etc etc

Of course, don't copy this literally :O) Roll your own, style, content, complexity.
So easy to make (and edit, change) a bunch of questions in this genre. 30 questions, 3 to 4 active, bots utterly crushed.

Over the years I'd have a million 'members' by now without the questions :O)
Some days there are many hundreds of attempts. Short example from today:
Guest (181.214.206.40)    20:16    Registering for an account on the forum.
Guest (185.191.124.143) 19:47    Registering for an account on the forum.
Guest (176.10.104.240)    19:47    Registering for an account on the forum.
Guest (51.178.216.7)    19:39    Registering for an account on the forum.
Guest (185.31.175.220)    19:28    Registering for an account on the forum.
Guest (223.91.2.68)    18:48    Registering for an account on the forum.
Guest (89.187.165.123)    18:41    Registering for an account on the forum.
Guest (173.44.165.28)    18:24    Registering for an account on the forum.
Guest (154.85.125.162)    18:07    Registering for an account on the forum.
Guest (120.219.80.218)    18:04    Registering for an account on the forum.
Guest (104.244.79.196)    17:56    Registering for an account on the forum.
Guest (104.223.105.149) 17:47    Registering for an account on the forum.
Guest (1.169.67.234)    17:42    Registering for an account on the forum.

As for the human bots, many seemingly operating from their home\mobile ISP: once the hostname is identified, they will be seriously annoyed by some 'cannot register' hostname bans, for example *.ru  *.vn  *.ua  *.kyivstar.net  etc.
And of course add some mandatory email 'cannot register' bans: *@*.ru and the like.
Particularly zealous IPs (and IP ranges): temporarily in .htaccess until they vanish.
2.0.19, php 8.0.30, MariaDB 10.6.18. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.
Stand with 🇺🇦
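The question genre a10 lists can be generated rather than hand-written, so a fresh bank of 30 costs nothing to produce once bots have learned the current one, and the expected answer is computed from the random string instead of being typed in by the admin. The script below is an added example, not code from this thread or from SMF: its templates, character alphabet, bank size and the random number of questions drawn per registration are all assumptions.

```python
"""Generate 'read the characters in this string' verification questions.

Added example, not from this thread or from SMF. Each question is built
from a random string, and its answer is computed from that string.
"""
import random
import string

# Constructed alphabet: mostly letters, some digits, a few symbols.
POOL = string.ascii_lowercase * 3 + string.ascii_uppercase + string.digits * 2 + "?&%+#"

# (question text, character class, how to pick from the matching characters)
TEMPLATES = [
    ("Write the numbers seen in {s}", str.isdigit, "all"),
    ("Enter the first {n} numbers seen in {s}", str.isdigit, "first"),
    ("Write the last {n} letters seen in {s}", str.isalpha, "last"),
    ("Enter the {nth} letter seen in {s}", str.isalpha, "nth"),
    ("Enter the first {n} uppercase letters seen in {s}", str.isupper, "first"),
    ("The first {n} non-letter symbols seen in {s} are", lambda c: not c.isalnum(), "first"),
]


def ordinal(k):
    return {1: "1st", 2: "2nd", 3: "3rd"}.get(k, f"{k}th")


def answer_for(s, cls, mode, n):
    """Compute the expected answer; None if the string cannot support it."""
    chars = [c for c in s if cls(c)]
    if mode == "all":
        return "".join(chars)
    if len(chars) < n:
        return None
    if mode == "first":
        return "".join(chars[:n])
    if mode == "last":
        return "".join(chars[-n:])
    return chars[n - 1]          # mode == "nth"


def make_question(rng, length=14):
    """Draw templates and strings until one yields a usable answer."""
    while True:
        text, cls, mode = rng.choice(TEMPLATES)
        n = rng.randint(2, 6) if mode == "nth" else rng.randint(1, 3)
        s = "".join(rng.choice(POOL) for _ in range(length))
        answer = answer_for(s, cls, mode, n)
        if answer:                      # "" or None means try again
            return text.format(s=s, n=n, nth=ordinal(n)), answer


def build_bank(seed, size=30):
    """A reproducible bank of (question, answer); change the seed for a new set."""
    rng = random.Random(seed)
    return [make_question(rng) for _ in range(size)]


def pick_questions(bank, seed, low=3, high=4):
    """Choose a random number of questions between low and high, inclusive."""
    rng = random.Random(seed)
    return rng.sample(bank, rng.randint(low, high))


def check_answer(given, expected):
    """Compare leniently on surrounding whitespace and case."""
    return given.strip().lower() == expected.lower()


if __name__ == "__main__":
    bank = build_bank(seed=2021)
    for q, a in pick_questions(bank, seed=1):
        print(f"{q}\n  -> {a}")
```

The templates are deliberately the ones a10 quotes, with the answer logic checked against those exact strings; for a live site, reword them so they are not shared with every other forum that read this thread, which is the problem shadav raised with shared plug-ins.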

realvision

Thank you for your ideas.
I have just changed my 3 questions, as I think they have now set the bot to answer my questions.
Let's check it for the next few days...

a10

Quote from: realvision on November 09, 2021, 02:53:42 PM
I have just changed my 3 questions
3?? The bots will really appreciate that :O)

Again: make it 30 (if lazy, start with at least 10, add more over time)
Set "Number of verification questions user must answer" to 3 or 4. Even more is fine ...but think about not annoying any legit visitor wanting to join.

Kindred

I only ask 2.... but I have a stock of 30 to draw from

SpacePhoenix

Quote from: a10 on November 09, 2021, 05:39:22 PM
Quote from: realvision on November 09, 2021, 02:53:42 PM
I have just changed my 3 questions
3?? The bots will really appreciate that :O)

Again: make it 30 (if lazy, start with at least 10, add more over time)
Set "Number of verification questions user must answer" to 3 or 4. Even more is fine ...but think about not annoying any legit visitor wanting to join.

What about having the list of questions and a lower and upper limit on the number of questions asked, with the exact number being chosen at random each time? It might make it harder for bots, as they wouldn't know how many questions to expect.

realvision

Still having some bots registering.
So they know how to answer basic questions, or a human is simply answering the questions and saving them to the bot configuration.
Just added a few more complicated questions.
Let's see.

In past years, 3 basic questions were enough to stop the bots.

Steve

Quote from: realvision on November 10, 2021, 03:36:14 AM
In the past years, 3 basic questions was enough to stop the bots

Things change over the years. The bad guys get smarter so we have to get smarter with them.

shadav

This is where setting "members under X post count must pass verification" helps as well:
even if a human signs up, the bots can't post since they can't pass the verification.
