Well, many users are getting the 'This IP has locked your account by logging in more than 5 times incorrectly' message, well, more like all the users. Several are different IPs so it looks clear to me the site is being brute forced. I'm just wondering what are the appropriate actions I should take to ensure the safety of my users and my website.
Site being brute forced.
-
Check your Webserver logfiles, try to find who is doing the attacks, and report to his ISP.
Want to take your board beyond the standard vBulletin features? Visit the official Member to Member support site for vBulletin Modifications: www.vbulletin.org
-
This has also happened on my site so I will be reporting the perpetrator to his ISP and also his forum host. He has tried to cover his tracks by using a proxy but it is obvious who it is.
What I need to know is: can I check from the logs which user accounts have been affected? Here is a sample of the log:
84.66.92.24 - - [15/Mar/2006:13:18:04 -0500] "GET /forum/clientscript/vbulletin_menu.js HTTP/1.1" 304 - "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/images/misc/vbulletin3_logo_white.gif HTTP/1.1" 304 - "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/clientscript/vbulletin_md5.js HTTP/1.1" 304 - "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/images/gradients/gradient_tcat.gif HTTP/1.1" 304 - "http://www.**co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/images/gradients/gradient_panelsurround.gif HTTP/1.1" 304 - "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/images/gradients/gradient_panel.gif HTTP/1.1" 304 - "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:05 -0500] "GET /forum/clear.gif HTTP/1.1" 304 - "http://www.**co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
81.178.240.45 - - [15/Mar/2006:13:18:08 -0500] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
84.66.92.24 - - [15/Mar/2006:13:18:12 -0500] "POST /forum/login.php HTTP/1.1" 200 3014 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:15 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:20 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:23 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:30 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:33 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:36 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:38 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:44 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:46 -0500] "GET /forum/cron.php?&rand=184816 HTTP/1.1" 302 38 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
84.66.92.24 - - [15/Mar/2006:13:18:49 -0500] "POST /forum/login.php HTTP/1.1" 200 2961 "http://www.**.co.uk/forum/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
-
Why do you think those log entries are because of a bruteforce attempt?
They look like normal entries to me.
-
It is not a brute force attempt, it is one idiot who keeps trying to log in to admin and mod accounts and locking them out. One of the attempts returned the IP above and that is the only activity on the server log with that IP.
I was wondering if there was a way to see which members' accounts had been subject to these attempts.
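Added example, not part of the thread: the access log lines posted above record the request line, status and size but not the POST body, so the submitted username is not in them. What they do support is counting login POSTs per source IP, as sketched here. The function names, the 15-minute window and the sample lines (documentation addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same log format as the excerpt in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Mar/2006:13:18:12 -0500] "POST /forum/login.php HTTP/1.1" 200 3014 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2006:13:18:15 -0500] "GET /forum/cron.php?&rand=1 HTTP/1.1" 302 38 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2006:13:18:20 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2006:13:18:30 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2006:13:18:36 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2006:13:18:44 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "-" "Mozilla/4.0"
203.0.113.7 - - [15/Mar/2006:13:18:49 -0500] "POST /forum/login.php HTTP/1.1" 200 2961 "-" "Mozilla/4.0"
198.51.100.20 - - [15/Mar/2006:13:20:01 -0500] "POST /forum/login.php HTTP/1.1" 200 3013 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Mar/2006:13:20:30 -0500] "GET /forum/login.php?do=lostpw HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def login_posts(log_text, login_path="/forum/login.php"):
    """Return {ip: [datetime, ...]} for every POST to the login script."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or a GET (page view, not a login attempt)
        if m["path"].split("?", 1)[0] != login_path:
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return dict(hits)

def flag_ips(hits, max_attempts=5, window_s=900):
    """IPs with more than max_attempts login POSTs inside any window_s seconds.
    The log cannot tell failed from successful logins, so this counts attempts."""
    flagged = {}
    for ip, times in hits.items():
        times = sorted(times)
        start = best = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= window_s.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best > max_attempts:
            flagged[ip] = best
    return flagged
```

Calling `flag_ips(login_posts(text))` on a full log file gives the source addresses worth reporting or blocking; which accounts were targeted has to come from the application's own records, since the web server log does not hold them.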