admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
 |
 Posted: Thu May 28, 2009 6:53 pm Post subject: phpbb2: IMPORTANT spambot issue and resolutions |
 
|
|
For the last 24 hours we have had a sustained attack from over 400 addresses.
This attack was largely from Eastern Europe, but there were suspicious ips from the world over.
Whilst we have banned the IPs the attack did not really stop until we implemented a couple of board admin changes backed up by a code change.
The board change was to remove (very important) the visual confirm on registration and go over to admin activation.
This combined with a code change to prevent the hackers ever seeing the CAPTCHA image on an attempted registration seems to have halted the attack.
I have now added flood protection to the user registration visual confirm system that should further hamper hacking efforts.
What I surmise is that there is an attempt to train a spambot system to beat our so far uncracked CAPTCHA system in order to flood forums with spam.
You can tell if your forum is being attached by looking a "whos online", if there are 100's of guests in "view profile" then please temporarily remove visual confirm, and switch to admin activation.
The new system will dramatically cramp the hackers style, but best to stop them all together.
Please also report it here. Attack logs are being kept as part of the anti-flood system.
I hope the flood system will not activate unless there is really cause.
_________________
Family Friendly Shareware | | Web Design/Services | Free Forums
|
|
| Back to top |
|
 |
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
| Posted: Thu May 28, 2009 8:02 pm Post subject: |
|
|
The system should also now alert me by email of an attack on a forum.
I have to reserve the right to set such forums to Admin registration without user confirm.
We don't interfere in admin settings on forums more than we absolutely have to, but this qualifies as a case if a forum is actually under attack.
_________________
Family Friendly Shareware | | Web Design/Services | Free Forums
|
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
| Posted: Fri May 29, 2009 4:38 pm Post subject: |
|
|
For the record, an attack now causes an automatic switch in the admin panel to avoid the attack.
We are also isolating clearly rogue ips, and they will in future be fed straight into the firewall.
All this is very easily testable as we are still under attack 
_________________
Family Friendly Shareware | | Web Design/Services | Free Forums
|
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
| Posted: Fri May 29, 2009 7:10 pm Post subject: |
|
|
Okay so now the buggers get ip banned.
Kind of makes it tempting not to stop the attack vector, but to let them come and get banned. But them that lets them do more of what they want 
_________________
Family Friendly Shareware | | Web Design/Services | Free Forums
|
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
| Posted: Fri May 29, 2009 8:46 pm Post subject: |
|
|
On further checking, and rather oddly (but then a lot about this is odd) there was another place I could trap them we a flood control.
That is now in place but has only resulted in another 3 ip bans, so 42 in the firewall currently. This is down from 400 and more which shows the attack is dieing anyway.
_________________
Family Friendly Shareware | | Web Design/Services | Free Forums
|
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
| Posted: Fri May 29, 2009 10:04 pm Post subject: |
|
|
75...
You know I am beginning to think from the latest logs that this is not some clever attempt to break CAPTCHA at all.
That was me putting a spin on it and looking for something "intelligent" going on. In more detail the pattern looks like a spambot registration flood that is so badly coded it fails to get past our basis anti-spambot measures.
I need more logging to confirm that.
_________________
Family Friendly Shareware | | Web Design/Services | Free Forums
|
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
| Posted: Sat May 30, 2009 1:38 am Post subject: |
|
|
89
but that does seem like it has topped out.
all totally bizarre. I am basically getting email notifications of the attack, and that system applies to all the forums on the system, but it is only the support forum that is being reported as being attacked  Now how dumb is that?
_________________
Family Friendly Shareware | | Web Design/Services | Free Forums
|
|
| Back to top |
|
|
Zudane
Moderator
Virtual Cash: 14250
Joined: 10 May 2008
Posts: 1366
Add Karma
rated by 18 members
Add Comment
Show Comments
 |
| Posted: Sat May 30, 2009 5:44 am Post subject: |
|
|
Umm.. maybe someone that got a forum closed here is trying revenge by botnet attacks? I know there are ways to do that, someone got mad before and spammed my forum like that.
_________________
Harsh Reality - Unleash your creativity!
Harsh Reality |
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
| Posted: Sat May 30, 2009 10:02 am Post subject: |
|
|
112...
I did some checking in the early hours of the banned list, just in case legit users were being banned.
Moscow and Kiev featured very heavily! I think I can safely assume that that is not our normal demographic!
_________________
Family Friendly Shareware | | Web Design/Services | Free Forums
|
|
| Back to top |
|
|
admin (no pm's please)
Site Admin
Virtual Cash: 22860
Joined: 22 May 2005
Posts: 25384
Add Karma
rated by 213 members
Add Comment
Show Comments
|
| Posted: Sat May 30, 2009 10:27 am Post subject: |
|
|
110...
Going down, but then that is because some of the earlier bans were not as long, at one point over 400 bans were in place when I was doing it manually.
There are probably about 40 more that will expire soon.
_________________
Family Friendly Shareware | | Web Design/Services | Free Forums
|
|
| Back to top |
|
|
FAQ 
Search 
Memberlist 
Usergroups 
Join! (free)
Profile 
Log in to check your private messages 
Log in
