Archive for myfreeforum.org

       myfreeforum.org Forum Index -> What's new? Announcements!
admin (no pm's please)

phpbb2: IMPORTANT spambot issue and resolutions

For the last 24 hours we have had a sustained attack from over 400 addresses.

This attack was largely from Eastern Europe, but there were suspicious ips from the world over.

Whilst we have banned the IPs the attack did not really stop until we implemented a couple of board admin changes backed up by a code change.

The board change was to remove (very important) the visual confirm on registration and go over to admin activation.

This combined with a code change to prevent the hackers ever seeing the CAPTCHA image on an attempted registration seems to have halted the attack.

I have now added flood protection to the user registration visual confirm system that should further hamper hacking efforts.

What I surmise is that there is an attempt to train a spambot system to beat our so far uncracked CAPTCHA system in order to flood forums with spam.

You can tell if your forum is being attacked by looking at "who's online", if there are 100's of guests in "view profile" then please temporarily remove visual confirm, and switch to admin activation.

The new system will dramatically cramp the hackers' style, but best to stop them altogether.

Please also report it here. Attack logs are being kept as part of the anti-flood system.

I hope the flood system will not activate unless there is really cause.
admin (no pm's please)

I have added for phpbb2 forums the new page, for example on this forum:

http://forum.myfreeforum.org/viewflood.php

This should give information on such attacks.
admin (no pm's please)

The system should also now alert me by email of an attack on a forum.

I have to reserve the right to set such forums to Admin registration without user confirm.

We don't interfere in admin settings on forums more than we absolutely have to, but this qualifies as a case if a forum is actually under attack.
admin (no pm's please)

For the record, an attack now causes an automatic switch in the admin panel to avoid the attack.

We are also isolating clearly rogue ips, and they will in future be fed straight into the firewall.

All this is very easily testable as we are still under attack
admin (no pm's please)

Okay so now the buggers get ip banned.

Kind of makes it tempting not to stop the attack vector, but to let them come and get banned. But then that lets them do more of what they want.
admin (no pm's please)

On further checking, and rather oddly (but then a lot about this is odd) there was another place I could trap them with a flood control.

That is now in place but has only resulted in another 3 ip bans, so 42 in the firewall currently. This is down from 400 and more which shows the attack is dying anyway.
admin (no pm's please)

53....
admin (no pm's please)

57....
admin (no pm's please)

70....
admin (no pm's please)

75...

You know I am beginning to think from the latest logs that this is not some clever attempt to break CAPTCHA at all.

That was me putting a spin on it and looking for something "intelligent" going on. In more detail the pattern looks like a spambot registration flood that is so badly coded it fails to get past our basic anti-spambot measures.

I need more logging to confirm that.
admin (no pm's please)

89

but that does seem like it has topped out.

all totally bizarre. I am basically getting email notifications of the attack, and that system applies to all the forums on the system, but it is only the support forum that is being reported as being attacked. Now how dumb is that?
Zudane

Umm.. maybe someone that got a forum closed here is trying revenge by botnet attacks?  I know there are ways to do that, someone got mad before and spammed my forum like that.
admin (no pm's please)

101....
admin (no pm's please)

112...

I did some checking in the early hours of the banned list, just in case legit users were being banned.

Moscow and Kiev featured very heavily! I think I can safely assume that that is not our normal demographic!
admin (no pm's please)

110...

Going down, but then that is because some of the earlier bans were not as long, at one point over 400 bans were in place when I was doing it manually.

There are probably about 40 more that will expire soon.
admin (no pm's please)

84...

but we are still being attacked. I have massively increased the ban time again, to about 4 days. There seems little point in the ban time not being roughly in line with the duration of the attack.
admin (no pm's please)

72 ...

4 new bans, 2 Ukraine, 2 Germany.
admin (no pm's please)

70...

and a ban from the USA, San Jose California.  Could that be a mistake I wonder?

However only 1 more ban in that time is a good sign.
admin (no pm's please)

66...
admin (no pm's please)

and now back up to 73.

Two other forums on the Ford server have triggered a flood reaction as well.

Again on iffy ip locations, the Ukraine and the Philippines.
admin (no pm's please)

I have removed the flood system that was tweaking the board settings, I didn't like that happening, and now I believe that the attack is not aimed at CAPTCHA I think it is overkill.

The flood system now concentrates on registration.
admin (no pm's please)

90.....
admin (no pm's please)

101...
admin (no pm's please)

116...
*LetsTalk*

Admin thought you might like to know that MSliveFormNew is a spammer. I've seen posts under that name to do with credit cards on other forums.
admin (no pm's please)

thanks but no need for such reports.

now up to 126...
admin (no pm's please)

155....


It is quite telling that the emails generated keep piling in, two at a time! One goes to the forum admin, the other to me  

I have had buckets of emails about this forum and three emails about other forums. Plainly it is this forum that is the target and the flood system is if anything lax.
admin (no pm's please)

173...
admin (no pm's please)

220 ..
admin (no pm's please)

228...

ban time increased again, as I say no point in banning for less than the potential attack duration.
admin (no pm's please)

233

one ip removed, as I think it was a false alarm. Algorithms updated to avoid triggering on that case.
admin (no pm's please)

250...

The flood viewing link now shows the countries involved.

I may start racially profiling the bans, a dreadful thing to have to contemplate.
admin (no pm's please)

265 but a couple of what I think were false alarms, each time this happens the testing gets tweaked a bit to help it not happen again.
admin (no pm's please)

301...
admin (no pm's please)

355...

I believe it is finally slowing again.
admin (no pm's please)

359...


but there was actually a whole 5 minutes clear of any rogues.
admin (no pm's please)

Peaked at 360 down to 354. Let's hope that that does mark the start of what will be a slow decline.
admin (no pm's please)

408.... so much for optimism.
admin (no pm's please)

455

This is really getting too much.
admin (no pm's please)

489 ...
admin (no pm's please)

500...
admin (no pm's please)

520.

I now have the profile of these attacks logged exactly, this makes it possible with 99.99% accuracy to zap them instantly.
admin (no pm's please)

549...
admin (no pm's please)

602...

I think we are simply on the forums list of some newly released auto-spamming software, the software is run by spamming morons 99.5% of whom fall at the first hurdle of anti-spam measures and none of which get past the CAPTCHA system. But they probably have a 1000 or more forums on the default list and so don't care about failures.

Touch wood they can't use proxy servers as they would be flooding the proxy servers and get banned at that point, so the ip bans are reasonably safe.
admin (no pm's please)

652...

that is running at close to 1 a minute in terms of new bans, one failing registration attempt a minute is nothing load wise, but if we did not ban the ips what would that accelerate to I wonder?
admin (no pm's please)

771...

Currently we are clocking up ip bans at 40 an hour, that is simply not sustainable for network performance.

I think we may have to revert to short term bans.
admin (no pm's please)

22...

Cleared the bans, seeing what happens with shorter bans, but tougher heuristics for instant banning.
admin (no pm's please)

52....

So perhaps now 100 an hour, implying some of these spammers are on a continual loop persisting even when they were banned.

The checks are now I think pretty much 100%, they spot and ban as soon as it can be done.

All we can do is adjust ban length to a balance between firewall load and taking the hit at the server level.

At that point if we want to get back to running and improving a forums service we have to just live with it.
admin (no pm's please)

108...

give or take that's 1 a minute, on the basis of a ban time of near 3 hours, we are looking at maybe reaching a max of 150 or so bans.

Meanwhile we have 30 or so "guest" on line, and the server is not going to balk at dealing with one spam attempt a minute!
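
The trade-off discussed in the posts above (ban length against the number of addresses held in the firewall), as an added example that is not part of the original thread and is not the forum's own code: a per-IP registration flood limiter with expiring bans, run against constructed traffic. The class name, the thresholds and the `bot-…` labels are all assumptions.

```python
from collections import defaultdict, deque

class RegistrationFloodGuard:
    """Per-IP sliding-window limiter with expiring bans (hypothetical names)."""

    def __init__(self, max_attempts=3, window=60, ban_seconds=3 * 3600):
        self.max_attempts = max_attempts      # attempts tolerated per window
        self.window = window                  # seconds
        self.ban_seconds = ban_seconds
        self.attempts = defaultdict(deque)    # ip -> recent attempt times
        self.banned_until = {}                # ip -> ban expiry time

    def expire(self, now):
        for ip in [ip for ip, t in self.banned_until.items() if t <= now]:
            del self.banned_until[ip]

    def attempt(self, ip, now):
        """Record one registration attempt: 'allow', 'ban' or 'banned'."""
        self.expire(now)
        if ip in self.banned_until:
            return "banned"
        recent = self.attempts[ip]
        recent.append(now)
        while recent[0] <= now - self.window:
            recent.popleft()
        if len(recent) > self.max_attempts:
            self.banned_until[ip] = now + self.ban_seconds
            del self.attempts[ip]
            return "ban"
        return "allow"

    def active_bans(self, now):
        self.expire(now)
        return len(self.banned_until)

def simulate(offenders_per_hour, ban_seconds, hours):
    """Constructed traffic: every offender is a fresh address that bursts once.
    Returns the number of active bans at the end of each hour."""
    guard = RegistrationFloodGuard(ban_seconds=ban_seconds)
    gap = 3600 // offenders_per_hour
    counts = []
    for hour in range(hours):
        for k in range(offenders_per_hour):
            start = hour * 3600 + k * gap
            for i in range(guard.max_attempts + 1):
                guard.attempt(f"bot-{hour}-{k}", start + i)
        counts.append(guard.active_bans((hour + 1) * 3600 - 1))
    return counts
```

Under these assumptions (every offender a fresh address, bans lasting exactly the configured time), the active-ban count stops growing once the oldest bans start to expire, so the ban length sets the ceiling on firewall entries for a given arrival rate.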
admin (no pm's please)

Time to try and chill, a peak of 129 was reached, now it's 112, number of guests has varied from over 50 to 16 when I looked just now. That is not so far off what we would expect.

We are not being targeted specifically as a forums system, so this is just one more problem all forums systems and even individual forums are going to have to cope with.

We are lucky in that we are a system and that we do run on dedicated servers, and do have the skills to cope. Coping has involved not only php code, but 200 lines of 'c' code, if you were running a forum on a standard host you simply would not have the tools to do this.
Gosu71

admin (no pm's please) wrote:
We are lucky in that we are a system and that we do run on dedicated servers, and do have the skills to cope

That's good to hear
admin (no pm's please)

110...

When people toddle off to the "freedom" of running their own forums, I don't say very much as it would sound like sour grapes and probably they will be okay.

Running 1000's of forums is of course more work than running 1 forum, but not proportionally so, and I spend close to two working months a year on maintenance issues, including attacks. It will take me the rest of the week for example to upgrade phpbb3.

How many people *really* have the skills or the time to deal with it when a database gets corrupted, an automatic update goes wrong, or an army of spammers descend?
CodyT07

Aren't you running an external/hardware firewall to ban from?
admin (no pm's please)

We don't disclose security details. Give someone the model of your firewall...
CodyT07

admin (no pm's please) wrote:
We don't disclose security details. Give someone the model of your firewall...

I didn't mean go into specifics  
admin (no pm's please)

Overnight we have gone as high as 175 bans.

I rather hope this will follow a path, numpties get the spamming software and think they will make money from criminal affiliate schemes, they will run the crap with the supplied forum list and parameters and lacking the work ethic even to work on this list they will find that the software reports back rapidly diminishing results until even they cannot be bothered.
Meanwhile they are too lazy to edit out the negatives in the list and hence we continue to get pummeled.
The flaw to this is if this sort of crap just wipes out unprotected sites but they are left open giving these idiots the feeling that things are working for them.
admin (no pm's please)

140... down from a 180 peak.

But I think this will just run and run.
admin (no pm's please)

171....

I have signed on here:

http://www.stopforumspam.com/

You can see our contribution at the bottom of the list here:


http://www.stopforumspam.com/contributors

It is rising fast. I will make it a priority (yet another one) to start querying their database when people try and register, I think especially on phpbb3 this will be useful.
admin (no pm's please)

96..

We have well over 400 spammers logged now at stop forum spam.

But the numbers we are getting do seem to be dropping off at last.
admin (no pm's please)

101

With 857 spammers now reported.
admin (no pm's please)

72...

Close to 1,500 spammers reported.
admin (no pm's please)

59...

1596 reported.

This has to be the lowest rate of attack since all this crap began more than a week ago.
admin (no pm's please)

68...

1778 reported.

I guess that's a little over 30 an hour being reported, which gels with the fact that the reporting is running across servers and slarti now has 64, Ford a stonking 173, though the Ford/Slarti figures are based on longer bans that have not been cleared.
Roy

I've noticed it's always the same spam bots registering and if you free up the user name by deleting the account with that name the user name is used again at a later date. My idea of banning IP addresses doesn't seem to be the answer after what I've read.
admin (no pm's please)

We recommend against ip bans against individuals as they can be behind proxies, the big time criminal spammers though are not, or using criminal proxies anyway.

So our new system does ban ips.

I'd advise anyone not to take their own measures, we are ramping up our own systems to shield everyone.
Roy

Oh, in that case it's OK for moderators to ban the offending spam bot till an admin comes on to delete them or should we just leave them on the banned list?
admin (no pm's please)

Leave them on a banned list based on email for now.
Roy

Based on email, OK I will start banning their emails now.
admin (no pm's please)

We're down to 48 current bans with 4701 spammers reported so far.

The slow decline of the attack has basically continued. I wonder if at this point, if the new defenses were lifted, we'd even notice anything was going on.

48 bans amounts to one auto spam bot about every 4 minutes, even if they were all targeting the support forum that is a pretty small number.
admin (no pm's please)

Back to over 100 again, with close to 10,000 reported.

Certainly justifies ongoing work in this area. Already a phpbb3 tweak is in, but that is only the smallest of starts to quite a big plan.
