Being logged out by bots trying to log in

Started by ACAMS, January 11, 2011, 11:11:02 PM

Previous topic - Next topic

Astra_200

Seems good advice to me Cal.

Just checked out the latest IP to find its way into my incorrect password log and its 50.16.127.162 (Amazon.com) :o

Now, I'm no expert here but I wouldn't have expected to see that IP trying to find its way into my forum??

Further searching reveals the IP is another culprit on the torproject.org list of  bad IP's.

Looking at Tors website, it appears to be all about protecting its users, there's nothing about abusing its proxy service.

I have emailed them about this at [email protected] They appear to be a voluntary organisation and don't promise instant response but if enough people email maybe they will have to look into the problem.

青山 素子

#181
Quote from: b4pjoe on February 15, 2011, 08:57:30 PM
Well, I don't know. It's still a hacking attempt and I think that is why they programmed it so it wouldn't trip any security features like too many attempts in a certain time period. When it first started on my forums it never tried the same user name for at least 9 minutes. I don't think that was an accident.

Did it only make one attempt every few minutes, or did it just switch among the usernames? The system I'm thinking of would still ban the IP for multiple failures, even across multiple usernames.


Quote from: Astral2000 on February 15, 2011, 09:54:39 PM
Just checked out the latest IP to find its way into my incorrect password log and its 50.16.127.162 (Amazon.com) :o

IP belongs to Amazon's Elastic Compute Cluster. It's a service where you can purchase virtual server capacity.


Quote from: Astral2000 on February 15, 2011, 09:54:39 PM
Looking at Tors website, it appears to be all about protecting its users, there's nothing about abusing its proxy service.

I have emailed them about this at [email protected] They appear to be a voluntary organisation and don't promise instant response but if enough people email maybe they will have to look into the problem.

They probably won't help too much. It's just an exit node and the whole point of the network is offering a way to stay anonymous. It can be abused, but anything can be abused.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


b4pjoe

Quote from: 青山 素子 on February 15, 2011, 11:29:10 PM
Quote from: b4pjoe on February 15, 2011, 08:57:30 PM
Well, I don't know. It's still a hacking attempt and I think that is why they programmed it so it wouldn't trip any security features like too many attempts in a certain time period. When it first started on my forums it never tried the same user name for at least 9 minutes. I don't think that was an accident.

Did it only make one attempt every few minutes, or did it just switch among the usernames? The system I'm thinking of would still ban the IP for multiple failures, even across multiple usernames.

When it first started it would try one user name every 9 minutes for 24 hours. Then it would change to another user and do the same. This went on for...I would guess at least two weeks before anyone started mentioning to me that they were getting auto logged out and then I started tracking it. Then I installed the http bl mod, bad behavior mod, and the stop forum spam mod and it stopped the problems...I thought. About 2 weeks later it started back up and the IP's it was using were not in the honeypot database or the stop forum spam database. Then it became relentless where there were multiple IP's trying multiple user names and they weren't using the same user name until quite a bit later. Then I added the list of IP addresses posted here to my .htaccess file and that slowed it greatly but I was still getting a few so I was adding those to the .htaccess file as they came in but I soon realized that could go on forever. When I upgraded my forum to RC5 over the weekend I didn't bother installing the 3 anti-spam mods I listed above. I kept the .htaccess entries and installed the cb|Emailogin mod and that has put a stop to them so far.

I do like the idea of the "ban the IP for multiple failures across multiple usernames" but not so much a "ban the IP for multiple failures over a given time frame". Many of my members log in from multiple locations and it's not unusual to see errors for wrong password from an IP that I know is theirs.

Aleksi "Lex" Kilpinen

Someone mentioned Honeypot + HttpBL as a solution, and after using those for a couple of days now - I can sadly say it is not. It will catch and stop some of them, but a large portion of the IPs used have no mentions in Honeypot DB at all, or only low risk scores if there is something, and these are mostly TOR addresses...
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

robbie93

I first noticed these hitting our site on the 2nd of Jan, but they could have been around before that,  gave up for a day or so and then returned, I see about 30+ pages of errors from them every day  >:( and with no signs of stopping, best way to stop your users being logged off is to tell them to make there display name different to there username, but that doesn't stop the attacks, hiding users names on the site would also take away apart of SMF, if you hide all of the usernames from the info center, and also if you use a portal, all of the blocks, your site would look quiet plain, best thing is to make PW something you don't use anywhere else ( which you should do anyway  :-X ) and make display different from username, get your active members to do the same, at first I thought the site was getting hacked  :o . Nasty little spam bots trying to steal our pw's  ::) 8). No point banning the ip's because every one if different, can u imaging banning 30 pages of ip's every day for seven weeks  :( . WANTED - a nice safe home for nasty spam bots lurking on SMF forums. This is sooooo last year.

b4pjoe

Quote from: LexArma on February 16, 2011, 12:22:27 AM
Someone mentioned Honeypot + HttpBL as a solution, and after using those for a couple of days now - I can sadly say it is not. It will catch and stop some of them, but a large portion of the IPs used have no mentions in Honeypot DB at all, or only low risk scores if there is something, and these are mostly TOR addresses...

Yes, that is what I found also so I didn't re-install it into RC5. Of course I may re-visit it later for other types of spammers if the need arises.

Cal O'Shaw

@robbie93,

With your portal and all, you may not wish to do so.  But then you need to make your usernames different from your display names (either by telling your users to change them or to use something like the email login MOD).

But I would like to have the OPTION as there is no benefit in our case to displaying names.

As you noted, hiding the names will not stop THIS ATTACK.  But you can be sure someone will use the script and try again.  Wouldn't you like to stop THE NEXT ATTACK.  Because it's going to come.  You've been under attack for over a month you say.  You think they're just going to take their ball and go home?  This type of attack will come again.  It's sophisticated enough that it can't be stopped by IP, it doesn't blast you so you can halt it that way.  It runs so slow that you can't be sure it's not a regular user without checking the IP against where you know the user lives.

It seems the only way to reduce (I didn't say stop) is by cloaking your site (hide membernames) and/or making sure what names are displayed are not valid for logging in. 

We take additional precautions, limiting what boards are visible, and limiting guests to seeing only the first post (which may help explain why the target list used against our site is so small; there wasn't a lot to harvest).  We blocked the Info Center as we felt there was no valid reason for guests to see that information.  We figure if they want to see more they will register (and we review them before accepting them).

Sorry if I come off as a Johnny One-Note, but it seems to be a repeated need to point out some of the features of this attack and that what works for one site will not work for another (hence my saying that maybe robbie93 doesn't see a need to hide names, but we most assuredly do want to hide them).

Cal

squad



I'd love to use the 'hide authors' but it returns a corrupt reply. I am using
1.1.13. So now will have to wait for either an update or other such mod.
I have and will be using the email log-in, hopefully that will cut back the attacks
in the future.

I am so tired of this and I am only a very small forum,  I wish these bots would
just move on and get well & truly lost :)

BPLive

yes I am having a huge problem with this on a forum with 20k plus users.  I can see in my error log ip's tryiing to loggin to users.  Users are complaining like crazy. 
www.ChineseDemocracy.com Your Guns N Roses Forum

Aleksi "Lex" Kilpinen

The actual problem of getting logged out because of these, should be fixed in the latest releases.
Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

Quote from: squad on February 16, 2011, 05:16:21 AM


I'd love to use the 'hide authors' but it returns a corrupt reply. I am using
1.1.13. So now will have to wait for either an update or other such mod.
I have and will be using the email log-in, hopefully that will cut back the attacks
in the future.

I am so tired of this and I am only a very small forum,  I wish these bots would
just move on and get well & truly lost :)


If you're referring to my mod, it won't work on 1.1.x, it was written for 2.0 only.

@Cal and anyone else asking about porting it to 1.1.x, I won't be, partly because I haven't written mods for 1.1.x since 2009, and partly because it was bad enough writing it for 2.0, 1.1.x's structure lends itself even less to doing something like that.

That said, if someone else wants the job, they're welcome to reuse any code from my mod in doing it (I won't even complain if it ends up on the mod site here if it's a 1.1.x only version)
Holder of controversial views, all of which my own.


BPLive

Quote from: LexArma on February 16, 2011, 07:16:39 AM
The actual problem of getting logged out because of these, should be fixed in the latest releases.

this is good to hear.  Today I upgraded from 2.0 rc3 to rc5

I'll have to wait for feedback. However I do see in the errorlog IP's still trying to do so with 'users' failed password etc.  however I guess you guys did something to keep this from the log outs.  but the error log will continue to build I guess.   anyway Thanks!
I'll post back if Rc5 fixed the issue via feedback.
www.ChineseDemocracy.com Your Guns N Roses Forum

Norv

Quote from: Cal O'Shaw on February 16, 2011, 01:02:43 AM
Sorry if I come off as a Johnny One-Note, but it seems to be a repeated need to point out some of the features of this attack and that what works for one site will not work for another (hence my saying that maybe robbie93 doesn't see a need to hide names, but we most assuredly do want to hide them).

Cal
I think there are common points, but yes, there are divergent points as well.

@ All,

We would very much appreciate if any of the affected forums admins agree to make us available your server access and error logs for the past days, as well as forum admin access. (for forum error logs)
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Arantor

QuoteWe would very much appreciate if any of the affected forums admins agree to make us available your server access and error logs for the past days, as well as forum admin access. (for forum error logs)

To what end, exactly? Give me a good reason and I'll provide said access since I'm affected by it too on some forums.
Holder of controversial views, all of which my own.


Norv

We need to analyze the logs, to see the commonalities and differences in what is happening. Both the pattern of the attacks as well as the IPs used does seem to have common points and different points according to what is reported in the community.
Moreover, it seems the attack itself has changed, a while ago there were a few forums it hit endlessly, including the login page, but they didn't try to login. Now they do. There are other aspects as well.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Arantor

*shrug* I don't keep access logs out of space preservation, the error log is pruned fairly regularly and won't right now tell you anything you didn't already know, so I'm not giving out admin access at any point soon.

But I might write some better logging tools to see if there are any other patterns involved that we're not seeing right now.
Holder of controversial views, all of which my own.


StarWars Fan

This is a slow-motion Brute Force attack and should be patched as such by SimpleMachines...

Cpanel's brute force attack protection is an example SimpleMachines could use as a model...

Basically, if IP x.x.x.x already has a failed login in the Error Log then IP x.x.x.x. does not get any more log in attempts... Add a time limit (ala Cpanel if you wish)... Should not be that hard...

SMF admins should not be told to apply a MOD that may or may not work...

Arantor

But they use different IP addresses, that's part of the problem. Some of the lists of IP addresses are huge.

And what happens if a genuine user fails to type their password correctly? By that logic, they're booted straight off.
Holder of controversial views, all of which my own.


Maver!ck

#198
The attack has changed in my case for sure.  It was attacking relentlessly hitting multiple users from the same ip in waves.  One big wave, and minutes later, another wave.  I had previously had some strange attacks back at the first of the year and consequently installed honeypot and stopspammer.  So when the most recent attacks of login attempts the only thing i changed was upgrading from rc3 to rc5, which didn't seem to make a difference.  But after banning several of the ip addresses(by ranges as it was not anything close to current member ips) and being now about a week after the main relentless attack, I'm seeing a completely different pattern -
Now, you see one user login attempt every few minutes, but the next attack will be from a different ip and attempting login using a different name.  It does seem to be cycling only about 5-6 usernames, but again, every time it tries(spaced out time frames) it is from a completely different ip, and the ip may be from arin one time, then from ripe network the next. After an hour or so, you might see an ip address used the last hour now attempting a different name than before, but again still pulling from what seems to be a very short list of about 5-6 or so names.

I am still receiving some attacks from the original group of ip address seen in the first wave which have been banned(up to 100 or so attempts getting the 'sorry u are banned' msg) but nothing compared to the close to the several hundred attempts per day i was receiving before)

Hope this info helps in the fight to find an answer,
Maver!ck

Norv

StarWars Fan, some mods worked for some forums, and don't for others. That's (part of) the problem, it doesn't seem the same set of IPs or attack, or it changed meanwhile. We need to gather as much information as possible.

But I think you're right, something along those lines should help.

To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

Advertisement: