
An account was just locked. - Repeated 80 times...

Posted: Thu Jan 20, 2011 2:33 pm
Author: sanji
Hi,

I got the following PM on my 1.4.1 forum:

An account was just locked. Below are the details.

Account Locked: XXXXX
IP For Who Locked It: 91.213.50.235

This is an automated response, do not reply. If you have an IP tracker installed, check the above IP against the ones you have stored in the database.


And this was repeated 80 times, for 80 different accounts, in the last 24 hours... My best guess is that someone is trying to brute-force all accounts one after the other.

Two questions:

- how can I prevent that (IPs are different every time...)
- how can I reset the security so that all those members do not need to answer their security question (preferably by myphp to do it automatically).

I also must mention that all administrator accounts, including mine, were targeted too, and I had to use the captcha procedure several times to unblock my own account...

Thanks

sanji

Re: An account was just locked. - Repeated 80 times...

Posted: Thu Jan 20, 2011 2:54 pm
Author: Prosk8er
Yeah, I think that's happening to a lot of phpBB boards. People are trying to get the passwords; I've seen it on a few different sites.

Re: An account was just locked. - Repeated 80 times...

Posted: Fri Jan 21, 2011 1:45 am
Author: sanji
Anything we can do against that?

And how to reset the count of "errors", so that normal users do not have to enter their safety question?

Re: An account was just locked. - Repeated 80 times...

Posted: Sat Jan 22, 2011 5:27 am
Author: Michaelo
I have added this to the portal tools, you can reset all user login attempts or any given user...
I will post the code later...

Re: An account was just locked. - Repeated 80 times...

Posted: Sun Jan 23, 2011 2:06 pm
Author: MWE_001
You know, I was curious about this problem. On every single phpBB2 or 3 board I normally visit, I am having to use the captcha for an excessive amount of login attempts. Even at sites I only visit once or twice a month.

Re: An account was just locked. - Repeated 80 times...

Posted: Mon Jan 24, 2011 12:30 am
Author: sanji
"Michaelo" wrote: I have added this to the portal tools, you can reset all user login attempts or any given user...
I will post the code later...


I have managed to do this through myphp... but this does not deter people from continuing to try to log on to the site by brute force...

In fact, a good idea could be to block an IP which attempts to log in - and fails - on several usernames from the same IP.

I am just afraid that some users won't have a password strong enough, even if I do not see the interest of managing to log in as a normal user on a forum...

sanji
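The rule sanji proposes in the post above (flag an IP whose failed logins touch several different usernames) can be sketched as follows. This is an added example, not IntegraMod or CrackerTracker code; the record layout, the function name `ips_failing_many_usernames`, the thresholds and the sample addresses (documentation ranges) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, source IP, username, login succeeded).
SAMPLE_EVENTS = [
    ("2011-01-20T14:00:05", "192.0.2.10", "alice", False),
    ("2011-01-20T14:00:09", "192.0.2.10", "bob", False),
    ("2011-01-20T14:00:14", "192.0.2.10", "carol", False),
    # One user mistyping a password: many failures, but a single username.
    ("2011-01-20T14:01:00", "198.51.100.7", "dave", False),
    ("2011-01-20T14:01:30", "198.51.100.7", "dave", False),
    ("2011-01-20T14:02:00", "198.51.100.7", "dave", True),
    # Two usernames from one IP, but more than an hour apart.
    ("2011-01-20T14:30:00", "203.0.113.5", "erin", False),
    ("2011-01-20T15:45:00", "203.0.113.5", "frank", False),
]

def ips_failing_many_usernames(events, min_usernames=3,
                               window=timedelta(minutes=10)):
    """Return {ip: sorted usernames} for every IP whose failed logins hit at
    least min_usernames distinct accounts inside one sliding time window."""
    recent = defaultdict(deque)  # ip -> failures still inside the window
    flagged = {}
    for stamp, ip, user, succeeded in sorted(events):
        if succeeded:
            continue  # only failures count towards the rule
        now = datetime.fromisoformat(stamp)
        failures = recent[ip]
        failures.append((now, user))
        # Drop failures that have aged out of the window.
        while now - failures[0][0] > window:
            failures.popleft()
        names = {name for _, name in failures}
        if len(names) >= min_usernames:
            flagged.setdefault(ip, set()).update(names)
    return {ip: sorted(names) for ip, names in flagged.items()}

if __name__ == "__main__":
    print(ips_failing_many_usernames(SAMPLE_EVENTS))
```

Counting distinct usernames rather than raw failures keeps a member who mistypes one password out of the result; a per-IP rule still misses attempts that arrive from a different address every time, which is the situation described in the first post.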

Re: An account was just locked. - Repeated 80 times...

Posted: Thu Jan 27, 2011 11:36 pm
Author: sudipta
"sanji" wrote: Hi,

I got the following PM on my 1.4.1 forum:

An account was just locked. Below are the details.

Account Locked: XXXXX
IP For Who Locked It: 91.213.50.235

This is an automated response, do not reply. If you have an IP tracker installed, check the above IP against the ones you have stored in the database.


And this was repeated 80 times, for 80 different accounts, in the last 24 hours... My best guess is that someone is trying to brute-force all accounts one after the other.

Two questions:

- how can I prevent that (IPs are different every time...)
- how can I reset the security so that all those members do not need to answer their security question (preferably by myphp to do it automatically).

I also must mention that all administrator accounts, including mine, were targeted too, and I had to use the captcha procedure several times to unblock my own account...

Thanks


Looks like it's a recently started problem. We have been facing the same issue since 19th January, 2011. We are receiving 200+ PMs daily. I tried blocking the IPs in the firewall but am still facing the same. It's really frustrating. Any workaround to block this?

Re: An account was just locked. - Repeated 80 times...

Posted: Fri Jan 28, 2011 1:51 am
Author: sanji
You can go to Admin / CrackerTracker / Reports, and check all IP addresses used to try to log in. You then add those addresses in the IP & Agents blockers (not sure of the exact translation, but it is in the same CrackerTracker menu), and you add all those IP addresses one by one. It takes some time, but you make sure that those hackers won't be able to use the same IP address twice...

Re: An account was just locked. - Repeated 80 times...

Posted: Fri Jan 28, 2011 5:51 pm
Author: Helter
To reset your users' accounts, unzip and upload the attached file to your forum root, then browse to reset_login.php. Be sure to delete the file when finished. It will reset both phpBB security and CrackerTracker login tries.

Re: An account was just locked. - Repeated 80 times...

Posted: Sat Jan 29, 2011 9:23 am
Author: sudiptaghosh
Hello Friends,

This is my first post in the forum.
I have received 300 PMs like the following in the last 3 hours on our 1.4.0 forum:

An account was just locked. Below are the details.

Account Locked: XXXXX
IP For Who Locked It: 78.107.237.16

This is an automated response, do not reply. If you have an IP tracker installed, check the above IP against the ones you have stored in the database.


All administrator accounts were targeted along with the user accounts. The worst part is our site admin suddenly left the organisation and none of us is aware how to upgrade IM to the latest version. I am desperately looking for help to upgrade IM to the latest version and install CrackerTracker.

I am not sure if this is the best place to ask if anyone is willing to do the above on a chargeable basis.

Looking forward to a positive response.

Thanks,
SG

Re: An account was just locked. - Repeated 80 times...

Posted: Sat Jan 29, 2011 8:54 pm
Author: Helter
I have some time tomorrow. PM me your FTP info for the 140 site.

Re: An account was just locked. - Repeated 80 times...

Posted: Sat Feb 12, 2011 5:46 pm
Author: AlaskaMat
Helter / IntegraMod team,
I have been experiencing the same brute force attacks as the others describe here. To combat this, I have been doing as sanji suggests, and identifying IPs used to attack two or more different screen names and then blocking them. Yesterday I was in the process of adding some more to the blocked list, when suddenly I became blocked myself. Since then I have been getting flooded by emails from my site's members complaining of the same thing. It seems that the hackers have succeeded in gaining access to my ACP and blocking everyone out.

Can anyone advise me on how to regain control of my site?

Thanks in advance!

Re: An account was just locked. - Repeated 80 times...

Posted: Sat Feb 12, 2011 11:00 pm
Author: Helter
It looks like you may have added a wildcard to your ban list.
If you used ctracker to ban then you'll have to edit your db via phpMyAdmin to remove the ban data. If you used phpBB's or phpBB security to ban then rename your root/ctracker folder, then log in and remove the ban data via your ACP.

Re: An account was just locked. - Repeated 80 times...

Posted: Sun Feb 13, 2011 7:31 am
Author: AlaskaMat
"HelterSkelter" wrote: It looks like you may have added a wildcard to your ban list.
If you used ctracker to ban then you'll have to edit your db via phpMyAdmin to remove the ban data.

I was using the CTracker. I do not, however, know how to edit a database. Is there any chance you'll have any free time that you could assist me with this? It is off season (for wrestling) so I'm not in any huge rush for this.

Re: An account was just locked. - Repeated 80 times...

Posted: Sun Feb 13, 2011 7:40 am
Author: Helter
Your last entry in the ctracker ban table was blank so it basically banned all IPs. I deleted it and your site is accessible again.
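
The failure Helter diagnoses above (a blank row, or an over-broad wildcard, that ends up banning every visitor including the admin) is the kind of entry a check before saving, or an audit of the existing rows, would catch. This is an added example, not CrackerTracker or IntegraMod code; the entry format (dotted IPv4 with `*` allowed per octet), the function names and the sample rows are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample of rows as they might be exported from a ban table.
SAMPLE_BAN_ROWS = ["192.0.2.10", "198.51.100.*", "*.*.*.*", "203.0.113.999", ""]

def validate_ban_entry(entry, protected_ips=(), min_fixed_octets=2):
    """Return (ok, reason) for one ban pattern.

    Assumed format: dotted IPv4 where any octet may be '*'.
    """
    pattern = entry.strip()
    if not pattern:
        return False, "blank entry"
    octets = pattern.split(".")
    if len(octets) != 4:
        return False, "not four octets"
    fixed = 0
    for octet in octets:
        if octet == "*":
            continue
        if not (octet.isascii() and octet.isdigit() and int(octet) <= 255):
            return False, "bad octet"
        fixed += 1
    if fixed < min_fixed_octets:
        return False, "too broad"
    # Refuse any pattern that would lock out an address that must stay
    # reachable, such as the administrator's own IP.
    for ip in protected_ips:
        if fnmatchcase(ip, pattern):
            return False, "matches protected address " + ip
    return True, "ok"

def audit_ban_list(rows, protected_ips=()):
    """Return [(row_index, entry, reason)] for every row that fails validation."""
    problems = []
    for index, row in enumerate(rows):
        ok, reason = validate_ban_entry(row, protected_ips)
        if not ok:
            problems.append((index, row, reason))
    return problems

if __name__ == "__main__":
    for problem in audit_ban_list(SAMPLE_BAN_ROWS, ["198.51.100.20"]):
        print(problem)
```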