Site being brute forced.

  • GenDeathRaiser
    Member
    • May 2005
    • 95
    • 4.0.0

    Site being brute forced.

    Well, many users are getting the 'This IP has locked your account by logging in more than 5 times incorrectly' message, well, more like all the users. Several are different IPs so it looks clear to me the site is being brute forced. I'm just wondering what the appropriate actions are that I should take to ensure the safety of my users and my website.
    Last edited by GenDeathRaiser; Mon 20 Feb '06, 2:48pm.
  • Marco van Herwaarden
    Senior Member
    • Nov 2004
    • 6999
    • 3.8.x

    #2
    Check your Webserver logfiles, try to find who is doing the attacks, and report to his ISP.
    Want to take your board beyond the standard vBulletin features?
    Visit the official Member to Member support site for vBulletin Modifications: www.vbulletin.org

    • Sinbad
      Member
      • Jan 2003
      • 62

      #3
      This has also happened on my site so I will be reporting the perpetrator to his ISP and also his forum host. He has tried to cover his tracks by using a proxy but it is obvious who it is.

      What I need to know is: can I check from the logs which user accounts have been affected? Here is a sample of the log:

      84.66.92.24 - - [15/Mar/2006:13:18:04 -0500] "GET /forum/clientscript/vbulletin_menu.js HTTP/1.1" 304 - "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/images/misc/vbulletin3_logo_white.gif HTTP/1.1" 304 - "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/clientscript/vbulletin_md5.js HTTP/1.1" 304 - "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/images/gradients/gradient_tcat.gif HTTP/1.1" 304 - "http://www.**co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/images/gradients/gradient_panelsurround.gif HTTP/1.1" 304 - "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/images/gradients/gradient_panel.gif HTTP/1.1" 304 - "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/clear.gif HTTP/1.1" 304 - "http://www.**co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      81.178.240.45 - - [15/Mar/2006:13:18:08 -0500] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"

      84.66.92.24 - - [15/Mar/2006:13:18:12 -0500] "POST /forum/login.php HTTP/1.1" 200 3014 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:15 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:20 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:23 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:30 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:33 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:36 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:38 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:44 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:46 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      84.66.92.24 - - [15/Mar/2006:13:18:49 -0500] "POST /forum/login.php HTTP/1.1" 200 2961 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

      • Marco van Herwaarden
        Senior Member
        • Nov 2004
        • 6999
        • 3.8.x

        #4
        Why do you think those log entries are because of a bruteforce attempt?
        They look like normal entries to me.

        • Sinbad
          Member
          • Jan 2003
          • 62

          #5
          It is not a brute force attempt, it is one idiot who keeps trying to log in to admin and mod accounts and locking them out. One of the attempts returned the IP above and that is the only activity on the server log with that IP.

          I was wondering if there was a way to see which members' accounts had been subject to these attempts.

          • Basscat
            Member
            • Jan 2005
            • 70
            • 3.8.x

            #6
            Did you do a Search IP address? If they have been successful at getting in, it will show which users have the ip.

            You can also ban the ip.
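
Added example, not part of the original thread: one way to act on the advice to check the web server logs is to count POST requests to /forum/login.php per source IP and flag any address that reaches the five-attempt lockout figure mentioned in the first post. The sample lines, the documentation-range IPs, the example.test host and the 15-minute window are assumptions made for the sketch. The combined log format does not record the POST body, so an access log like the one posted above yields the source IP and timing of login attempts, not the usernames that were targeted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Mar/2006:13:18:12 -0500] "POST /forum/login.php HTTP/1.1" 200 3014 "http://forum.example.test/forum/" "Mozilla/4.0"
192.0.2.10 - - [15/Mar/2006:13:18:15 -0500] "GET /forum/cron.php?&rand=1 HTTP/1.1" 302 38 "http://forum.example.test/forum/" "Mozilla/4.0"
192.0.2.10 - - [15/Mar/2006:13:18:20 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://forum.example.test/forum/" "Mozilla/4.0"
192.0.2.10 - - [15/Mar/2006:13:18:30 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://forum.example.test/forum/" "Mozilla/4.0"
192.0.2.10 - - [15/Mar/2006:13:18:36 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://forum.example.test/forum/" "Mozilla/4.0"
192.0.2.10 - - [15/Mar/2006:13:18:44 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://forum.example.test/forum/" "Mozilla/4.0"
192.0.2.10 - - [15/Mar/2006:13:18:49 -0500] "POST /forum/login.php HTTP/1.1" 200 2961 "http://forum.example.test/forum/" "Mozilla/4.0"
198.51.100.7 - - [15/Mar/2006:13:19:02 -0500] "POST /forum/login.php HTTP/1.1" 200 2961 "http://forum.example.test/forum/" "Mozilla/5.0"
198.51.100.7 - - [15/Mar/2006:13:19:03 -0500] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def login_posts(log_text, login_path="/forum/login.php"):
    """Yield (ip, timestamp) for every POST to the login script."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] == login_path:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def flag_bursts(log_text, threshold=5, window=timedelta(minutes=15)):
    """Return {ip: (total_posts, first_seen, last_seen)} for IPs with at
    least `threshold` login POSTs inside any sliding `window` (assumed values)."""
    by_ip = defaultdict(list)
    for ip, ts in login_posts(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # drop attempts that fell out of the window
            if end - start + 1 >= threshold:
                flagged[ip] = (len(stamps), stamps[0], stamps[-1])
                break
    return flagged

if __name__ == "__main__":
    for ip, (count, first, last) in flag_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs between {first} and {last}")
```

The flagged addresses and time ranges are what an abuse report to the ISP needs; mapping attempts to specific accounts has to come from the forum software's own records, since the username never reaches the access log.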
