Are you implementing any new spambot protections?

[Mel]

I am asking this because i am having some issues loging in the boards. Normally i don't keep my connection, so i log in every time to read new stuff and such. It tells me that the number of login attempts i have done has reached the current limit and i have to solve an aditional captcha, not very hard, but it is something i wouldn't expect.

[hybrid]

Not sure why this suddenly happens. SF has had severe problems yesterday, so I first thought it was related to that. But maybe not. There have been some problems with excessive spam bos as well over the last days, so maybe Yoran started to bounce them off harder than before. Should be come simpler again in the next days hopefully

[Mel]

Indeed, yesterday the forums didn't work during all the day for me. It seems something is trying to brute force log in into the boards using passwords lists. Guessing usernames isn't hard

[CuteAlien]

Number of failed login attempts has been reduced from 5 to 3. I think Yoran also tried some stuff (unfortunately nothing we tried so far really worked), but no idea what was going on yesterday. It was also down here for most of the time. And I suppose spammers have usernames anyway - once you have one member you can look at the memberlist, so them starting to try out passwords for everyone would make sense :-(

[Mel]

The last poster on the boards also point to some probable login target. That could be avoided somehow if for example, a person had a logon name diferent from the displayed name.

[hybrid]

I suspect a bug in the MySQL database, though. As we have had the DB crash last week, exactly breaking at the number of logins field. So probably the forum now cannot access the proper field and reads some huge number instead of the proper value.

[CuteAlien]

Hm, not sure. I had not had the problem yesterday - but today I'm having it as well.
edit: I just told Yoran, he'll take a look. And his changes shouldn't have affected login.

[CuteAlien]

Ok, Yoran reset that part in the DB and at least for now it seems to work again.

[Mel]

Yeah, i haven't had any problem login in now. Still antispambot features are welcome, at any rate, thanks!

[CuteAlien]

Problem is that we don't really know how they get around the current antispambot captcha's. I mean I could think of some ways to get around them half-automatically (for example creating a database of answers over time), but I'm not certain if that is what happens. One idea was that humans are cracking them, but it doesn't really fit with the timing (sometimes for example 2-3 new bots per hour all day long).

Maybe they just brute-force their way in with dictionary attacks on the captcha (would also explain why the forum is always slow).

And unfortunately SF doesn't allow protection using IP's (we don't have the real IP's, but get only the IP from some SF server).

[Mel]

It is more a PHPBB vulnerability than brute force. When developping a system, appear exploits that are unsuspected in the begining, careless programming, sets of operations that leave the server open for direct database accesses etc. Then, the spambot programmers know them, and use them to gain access to the boards, and leave their "signature". Most of the times, they are harmless, but it is something relative, when a spambot successfully attacks a forum, it tries to copy itself somewhere in the PHP sources, and then, it spreads to other PHPBB forums using the attacked server as the starting point for a new attack. The code is inserted into a file commonly accessed, like the viewtopic.php, so every time someone access that file, to see a topic, for instance, the code is executed, and performs a new attack. More or less, that is how it works.

A Captcha like the one here for instance, it is relatively easy to overcome just because of common answers, or because it is done only once. For instance, using a diferent captcha, using graphical captchas, using more than one question using random questions... in one word, diferenciating the system from the common practices, uses to be enough. The problem becomes contextualized to these boards, and while it is still relatively easy to crack again, it needs to be specialized, which is something not friendly for programming, and thus, makes the system more robust to attacks.

[CuteAlien]

Captcha questions here are already randomly selected and I changed them just a week ago. But even when changed the bots came back an hour later which is why I rather suspect dictionary attacks or something completely different there (maybe they just send the questions on to amazon turk...). We also tried graphical captcha's before, but changed away because they started working so bad.

Cracks could be - one reason why we just updated the board a few days ago in case there is an open vulnerability. Checking if the forum _is_ already hacked might be an idea. I guess with php it should be possible to do a code-comparison.

[CuteAlien]

Ok, problem with logins is back :-(

edit: Trying now by allowing 5 attempts again (old value), maybe there's a bug when this is reduced to 3?

[hybrid]

No, did not help.

[CuteAlien]

Ok, there was also a settings for attempts per IP which we didn't see before. Maybe new, or the value got changed on forum update - but Yoran just reset that and now it seems to work again. And that would make sense as all users have the same IP here.