Simple Machines Forums attacks

Started by Norv, February 19, 2011, 04:33:48 PM


Arantor

They find them through Google, based on 'Powered by <forum software>', and then start following forum threads trying to find usernames.

IOW, using the path of least resistance. (I know this because I have two forums that state 'Powered by a custom SMF 2.0' and similar which is not outside the licence terms at this time and neither have been hit even though they're publicly visible)
Holder of controversial views, all of which my own.


NanoSector

Quote from: Arantor on February 24, 2011, 12:59:59 PM
They find them through Google, based on 'Powered by <forum software>', and then start following forum threads trying to find usernames.

IOW, using the path of least resistance. (I know this because I have two forums that state 'Powered by a custom SMF 2.0' and similar which is not outside the licence terms at this time and neither have been hit even though they're publicly visible)

Then...that is good for you, I guess ???

Mine has no errors at all since it's down :P
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Arantor

Quote: Then...that is good for you, I guess

And I have my two line patch on the others, which negated them being an issue too ;D
Holder of controversial views, all of which my own.


demagpie

I own a very tiny forum.  I recently discovered a ton of unactivated accounts so I beefed up password requirements and lowered permissions for new members with no posts and suddenly my "guest" list overfloweth.  At the very same time (maybe coincidence) a new "runtime generated ap" was installed on my database: "load.php."  This seems to have been done under my account with my IP address (?)

Can anyone tell me if this is just an automatic patch sent through when my site did its daily smf updating?  I can't read computer-ese except that it seems to be setting up a "phantom" site for (?), with all sorts of scary searches for info and caches (which might also be phantom read) and mentions hackers and spiders repeatedly.  It's a very long package with a lot of technical data that (if I read it correctly) actually looks like it's a guardian angel for me and my users.  But then, what if it's lying? :o

I might never have noticed it, except it's generating unspecified errors in my log and seems to have wiped some of the icons in my drop down menu (simple portal).  Is this SMF's helping hand for the little folks who don't have the time to install the Big Guns?  Or something more sinister?  I can't find any references in the news, here.  Please advise.

IchBin™

Perhaps you would get better support if you posted in the support boards for your problem, instead of in the news and updates for SMF board. I'd suggest you start a topic here:

For SMF1.x
http://www.simplemachines.org/community/index.php?board=9.0

For SMF2.x
http://www.simplemachines.org/community/index.php?board=147.0
IchBin™        TinyPortal

Kindred

do note that SMF *NEVER* pushes anything automatically (except news)
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

青山 素子

Quote from: Kindred on February 24, 2011, 06:10:52 PM
do note that SMF *NEVER* pushes anything automatically (except news)

Not even news. It's requested automatically when you load the main admin page of the site in 1.1 and below, or by scheduled job in 2.0 (to speed up loading time).
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


robbie93

Arantor's patch has seemed to work; it's been over 24hrs now and no errors are showing from the bots, although they are still hitting the site, but because of the patch the error log isn't being filled up with error after error. I uninstalled the verification on log-in mod, because it filled my logs up with unnecessary errors.

eyeseven

just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt" :(

Road Rash Jr.

Quote from: eyeseven on February 25, 2011, 08:27:41 PM
just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt" :(

So it is working great then  ;D
Never argue with an Idiot like myself, they just drag you down to their level then beat you with experience.

Clara Listensprechen

He's getting more traffic than my fresh install of rc5! :P

I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Aleksi "Lex" Kilpinen

Quote from: Road Rash on February 25, 2011, 08:30:59 PM
Quote from: eyeseven on February 25, 2011, 08:27:41 PM
just installed rc5 yesterday and now, lot of bots attacking my site.. I installed login verification and still error on my site "login attempt" :(

So it is working great then  ;D

EDIT: I should be sleeping still, I could have sworn this was about the RC and not the login verification - Proceed, nevermind me :P

Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

billy2

over 1000 login attempts by brute force script kiddies- multitude of harvested proxies.

High visual verification and 3 random questions sorted them.

Well done SMF !!

Cheers
Billy

Clara Listensprechen

"Script kiddies"--good thing to call 'em because I've got the impression they don't personally visit a site to do what they're doing.

I started up 2 different RC5 boards just to test-drive the machinery and I'm the only member on these boards. The hackbots found my free board on SMFNEW first, and they still haven't found my subforum on my paid host yet, at this point.  I get this curious error on the SMFNEW board, and I suspect it's because I'm the only member there:

Quote:
8: Undefined index: latestRealName
?http://xxx.xxxxxxx.smfnew.com/

Now, on my 1.1.13 board I get bogus registrations like..

fabiaxnoxie456
IP: xxx.xxx.xxx.xxx
Hostname: yadda.yadda.com
email: [email protected]
Last active: Never.

Yup--Last active: Never. "Script kiddies" indeed. I think I'll borrow that expression, it's so apt.
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Kenniee

Can anyone tell me what this forum is all about?
I am totally blank even after reading the previous posts.. :P

Arantor

@Clara: That's a bug in SMFNEW's deployment; latestRealName should be set up on registration just fine.

@Kenniee: Recently there have been waves of automated account hacking going on - bots swiping a bunch of usernames from publicly visible threads, and trying to force themselves into those accounts by going through a list of the 50 or so most popular passwords.

In an attempt to combat it, several methods have been proposed, some very specific (like my patch) and some quite broad.
Holder of controversial views, all of which my own.
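
The pattern described in this thread (usernames harvested from public threads, a short list of popular passwords, attempts spread over many proxies) shows up when failed logins are counted by distinct source IP per targeted account rather than by failures per IP. The sketch below is an added example, not part of the original posts and not Arantor's patch or SMF code; the log format, thresholds and function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "ISO timestamp, source IP, attempted username" per failed login.
# This format is an assumption for the example, not SMF's error-log layout.
SAMPLE_LOG = """\
2011-02-25T20:00:01 198.51.100.7 admin
2011-02-25T20:00:09 203.0.113.21 admin
2011-02-25T20:00:15 192.0.2.44 admin
2011-02-25T20:00:31 198.51.100.90 admin
2011-02-25T20:00:40 203.0.113.5 moderator1
2011-02-25T20:01:02 192.0.2.17 admin
2011-02-25T20:07:45 192.0.2.200 alice
2011-02-25T21:30:00 192.0.2.200 alice
"""

def parse(log_text):
    """Yield (datetime, ip, username) tuples, skipping lines without 3 fields."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def per_ip_offenders(events, limit=3):
    """Classic per-IP threshold: misses attempts spread thinly over proxies."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= limit}

def targeted_accounts(events, window=timedelta(minutes=10), min_ips=4):
    """Accounts with failures from >= min_ips distinct IPs inside one window."""
    by_user = defaultdict(list)
    for ts, ip, user in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[user] = max(flagged.get(user, 0), len(ips))
    return flagged

EVENTS = list(parse(SAMPLE_LOG))
```

On the constructed sample the per-IP threshold flags nothing, while the per-account view singles out the one username being hit from five different addresses within a minute.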


billy2

* billy2 thinks Arantor should be knighted for his efforts

catfished

You use and like this forum software? Then show your appreciation and support by becoming a Charter Member.



CatfishEd.com

Clara Listensprechen

Quote from: Arantor on March 01, 2011, 07:45:30 AM
@Clara: That's a bug in SMFNEW's deployment; latestRealName should be set up on registration just fine.
...
I find that even I generate that error and one other--me and every Guest triggers those same two errors. Thanks.
I shall continue to be an impossible person so long as those who are now possible remain possible. {Michael Bakunin 1814-1876}

Arantor

It's because the two values aren't being added to $modSettings as they should be; a fresh install should be setting those two values, and a new registration should reset them again (to the details of the new registration)
Holder of controversial views, all of which my own.

