Page 1 of 2

Security Announcement - Login attempts exceeded - comments

PostPosted: Wed Jan 05, 2011 10:13 am
by uncle_fungus
A number of our members have reported receiving the "You exceeded the maximum number of login attempts" message while trying to log in to the forum, and are then prompted to enter the confirmation code as well as their username and password.

Unfortunately it seems that several phpBB-based forums have been attacked in the same manner, which involves a bot persistently trying to log in to members' accounts. The forum software catches this and after 3 attempts prompts with the challenge question.
There is no indication that the bot has ever got past this challenge (as it is specific to our forum) as it would require both the correct password, and the correct challenge answer.
Furthermore there is no indication that any accounts have been compromised by the bot correctly guessing a password in less than 3 attempts.

However, if you have a "weak" password, we would recommend that you change it to something that would be much more difficult for a bot to guess, using either a dictionary or brute force attack.

Recommendations for increasing the strength of your password are using a combination of letters and numbers, using upper and lower case letters, and adding non-alphanumeric characters (e.g. *&$%).

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Wed Jan 05, 2011 3:18 pm
by Qinsp
This happened to me yesterday on Attempt #1. Something is wrong with the site cookie. Sometimes it can recall the PW, other times it can't.

And the cookie retrieval is sometimes very slow. The reason it saw an incorrect password was that the cookie PW was not retrieved in time, so I had a blank field, I typed in my PW at the same time it retrieved it from the cookie, and ended up with a double entry. IE8/Win7

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Wed Jan 05, 2011 5:02 pm
by uncle_fungus
Your password is not stored anywhere in the cookie, only a unique session id is stored to maintain a persistent login.

If you saw the message described in the OP, either you entered your password incorrectly 3 times (which isn't what happened in your case), or someone else did, in this case a bot. Regardless of the session cookie, at this point the forum software will force you to authenticate with your username, password and challenge question/answer.

Your browser is auto-completing the password field for you, and this is independent of any session cookie.
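The lockout behaviour described in the announcement and in the reply above, as an added illustration that is not phpBB's own code: a per-account failed-attempt counter that flags the account after 3 failures, after which every login must also pass the confirmation challenge and a remembered session id is no longer honoured. The class name, the PBKDF2 hash and the sample user are assumptions made for this example.

```python
"""Added illustration (not phpBB's code) of the per-account login lockout the
thread describes. Usernames and passwords below are constructed sample data."""
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # threshold named in the announcement


def hash_password(password, salt):
    # PBKDF2 stands in for whatever slow password hash the real forum uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self):
        self._users = {}     # username -> (salt, hash)
        self._failed = {}    # username -> consecutive failures (per account, not per client)
        self._sessions = {}  # session id -> username; the password is never stored here

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt))

    def needs_challenge(self, username):
        # Keyed on the account: a bot's failed guesses trip it for the real owner too.
        return self._failed.get(username, 0) >= MAX_ATTEMPTS

    def login(self, username, password, challenge_ok=None):
        """Return ('ok', session_id) on success, else (reason, None)."""
        if self.needs_challenge(username):
            if challenge_ok is None:
                return "challenge_required", None  # form must now show the confirmation code
            if not challenge_ok:
                return "bad_challenge", None       # wrong code: password is not even checked
        record = self._users.get(username)
        salt, stored = record if record else (b"", b"")
        good = record is not None and hmac.compare_digest(stored, hash_password(password, salt))
        if not good:
            # Unknown accounts are counted as well, so probing names does not bypass the limit.
            self._failed[username] = self._failed.get(username, 0) + 1
            return "bad_password", None
        self._failed.pop(username, None)  # a successful full login clears the counter
        sid = secrets.token_hex(16)
        self._sessions[sid] = username
        return "ok", sid

    def resume(self, session_id):
        # A remembered session id only works while the account is not flagged;
        # once flagged, the owner must go through the full login form again.
        username = self._sessions.get(session_id)
        if username is None or self.needs_challenge(username):
            return None
        return username
```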

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Mon Jan 10, 2011 10:36 am
by COOLDUDEGAMER
I just got hit with this thing. I thank this thread for helping me out as I was confused at first!

Signed,

COOLDUDEGAMER

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Thu Jan 20, 2011 10:03 pm
by GTron
The bot must still be targeting the folding forum -- I just got hit with this.

Greg

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Fri Jan 21, 2011 12:37 am
by uncle fuzzy
I've seen it 5-6 times over the past 2 weeks. The last time was 3-4 days ago.

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Fri Jan 21, 2011 5:45 am
by Leonardo
Thanks for the announcement/warning. What you described happened to me yesterday (19 January).

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Fri Jan 21, 2011 8:26 pm
by toTOW
I didn't get the confirmation in the last few days ... maybe they've given up trying to crack my password ... :mrgreen:

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Fri Jan 21, 2011 10:48 pm
by kiore
I got hit yesterday too.. :roll:

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Fri Jan 21, 2011 11:20 pm
by Nathan_P
kiore wrote: I got hit yesterday too.. :roll:

Yeah, they are going after a fair few forums recently; HardOCP has been hit several times in the last couple of weeks.

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Sat Jan 22, 2011 4:16 am
by bruce
toTOW wrote: I didn't get the confirmation in the last few days ... maybe they've given up trying to crack my password ... :mrgreen:

They haven't given up ... but uncle_fungus is still making security changes and the types of attacks that the bots use are becoming less effective here at foldingforum.org (though on a global basis, every time security is improved, terrorists are forced to find ways to improve their attacks).

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Fri Jan 28, 2011 12:35 pm
by chrisretusn
I just got hit with it.

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Fri Jan 28, 2011 4:07 pm
by mhouston
+1

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Sat Jan 29, 2011 1:59 am
by rjbelans
I'm a member of the club now too.

Re: Security Announcement - Login attempts exceeded - comments

PostPosted: Tue Feb 01, 2011 5:47 am
by Amaruk
YAIM

(Yet Another Involuntary Member)