Security Announcement - Login attempts exceeded - comments

Moderator: Site Moderators

Postby uncle_fungus » Wed Jan 05, 2011 10:13 am

A number of our members have reported receiving the "You exceeded the maximum number of login attempts" message while trying to log in to the forum, and are then prompted to enter the confirmation code as well as their username and password.

Unfortunately, it seems that several phpBB-based forums have been attacked in the same manner, which involves a bot persistently trying to log in to members' accounts. The forum software catches this and after 3 attempts prompts with the challenge question.
There is no indication that the bot has ever got past this challenge (as it is specific to our forum), as it would require both the correct password and the correct challenge answer.
Furthermore, there is no indication that any accounts have been compromised by the bot correctly guessing a password in fewer than 3 attempts.

However, if you have a "weak" password, we would recommend that you change it to something that would be much more difficult for a bot to guess, using either a dictionary or brute force attack.

Recommendations for increasing the strength of your password are using a combination of letters and numbers, using upper and lower case letters, and adding non-alphanumeric characters (e.g. *&$% etc.).
uncle_fungus
Site Admin
 
Posts: 1702
Joined: Fri Nov 30, 2007 9:37 am
Location: Oxfordshire, UK
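
The lockout behaviour described in the announcement above, as an added Python sketch that is not part of the original post and is not phpBB's code: a per-account failure counter that demands a site-specific challenge after 3 failed attempts. The class, function names, sample passwords and challenge answer are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

MAX_ATTEMPTS = 3  # threshold stated in the announcement


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGate:
    """Per-account failure counter that escalates to a site challenge."""

    def __init__(self, challenge_answer: str):
        self._answer = challenge_answer.encode()
        self._users = {}  # username -> [salt, password hash, failed count]

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = [salt, _hash(password, salt), 0]

    def login(self, name: str, password: str, challenge: Optional[str] = None) -> str:
        rec = self._users.get(name)
        if rec is None:
            return "denied"
        salt, stored, failed = rec
        if failed >= MAX_ATTEMPTS:
            # The counter is keyed on the account, not the client, so the real
            # owner is challenged too once a bot has used up the attempts.
            if challenge is None:
                return "challenge_required"  # password is not even checked
            if not hmac.compare_digest(challenge.encode(), self._answer):
                return "denied"
        if hmac.compare_digest(_hash(password, salt), stored):
            rec[2] = 0  # a successful login clears the counter
            return "ok"
        rec[2] = failed + 1
        return "denied"


def demo() -> list:
    gate = LoginGate(challenge_answer="constructed-answer")
    gate.add_user("alice", "correct horse 9!")  # constructed sample account
    out = [gate.login("alice", guess) for guess in ("123456", "password", "qwerty")]
    out.append(gate.login("alice", "correct horse 9!"))           # owner, no challenge
    out.append(gate.login("alice", "correct horse 9!", "wrong"))  # wrong challenge answer
    out.append(gate.login("alice", "correct horse 9!", "constructed-answer"))
    return out
```

Once the threshold is reached, a request without the challenge is rejected before the password is compared, so the guessing client gets no signal about whether a guess was right.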

Re: Security Announcement - Login attempts exceeded - commen

Postby Qinsp » Wed Jan 05, 2011 3:18 pm

This happened to me yesterday on Attempt #1. Something is wrong with the site cookie. Sometimes it can recall the PW, other times it can't.

And the cookie retrieval is sometimes very slow. The reason it saw an incorrect password was that the cookie PW was not retrieved in time, so I had a blank field, I typed in my PW at the same time it retrieved it from the cookie, and ended up with a double entry. IE8/Win7
Quality Inspection - Corona, CA, USA
Dimensional Inspection Laboratory
Pat McSwain, President
Qinsp
 
Posts: 596
Joined: Sun Oct 17, 2010 2:34 pm

Re: Security Announcement - Login attempts exceeded - commen

Postby uncle_fungus » Wed Jan 05, 2011 5:02 pm

Your password is not stored anywhere in the cookie, only a unique session id is stored to maintain a persistent login.

If you saw the message described in the OP, either you entered your password incorrectly 3 times (which isn't what happened in your case), or someone else did, in this case a bot. Regardless of the session cookie, at this point the forum software will force you to authenticate with your username, password and challenge question/answer.

Your browser is auto-completing the password field for you, and this is independent of any session cookie.
uncle_fungus
Site Admin
 
Posts: 1702
Joined: Fri Nov 30, 2007 9:37 am
Location: Oxfordshire, UK

Re: Security Announcement - Login attempts exceeded - commen

Postby COOLDUDEGAMER » Mon Jan 10, 2011 10:36 am

I just got hit with this thing. I thank this thread for helping me out as I was confused at first!

Signed,

COOLDUDEGAMER
Why am I always tired?!

My avatar is Lelouch from Code Geass. Does anyone know where Suzaku is? I want to use my Geass on him for fun! :P

COOLDUDEGAMER
 
Posts: 117
Joined: Wed Jan 28, 2009 11:01 pm
Location: Dracut, MA, USA ; Kingston, NH, USA

Re: Security Announcement - Login attempts exceeded - commen

Postby GTron » Thu Jan 20, 2011 10:03 pm

The bot must still be targeting the folding forum -- I just got hit with this.

Greg
GTron
 
Posts: 66
Joined: Wed Dec 05, 2007 3:47 pm
Location: Denver area, Colorado

Re: Security Announcement - Login attempts exceeded - commen

Postby uncle fuzzy » Fri Jan 21, 2011 12:37 am

I've seen it 5-6 times over the past 2 weeks. The last time was 3-4 days ago.
Proud to crash my machines as a Beta Tester!

uncle fuzzy
 
Posts: 1192
Joined: Sun Dec 02, 2007 10:15 pm
Location: Michigan

Re: Security Announcement - Login attempts exceeded - commen

Postby Leonardo » Fri Jan 21, 2011 5:45 am

Thanks for the announcement/warning. What you described happened to me yesterday (19 January).
Leonardo
 
Posts: 654
Joined: Tue Dec 04, 2007 5:09 am
Location: Eagle River, Alaska

Re: Security Announcement - Login attempts exceeded - commen

Postby toTOW » Fri Jan 21, 2011 8:26 pm

I didn't get the confirmation in the last few days ... maybe they've given up trying to crack my password ... :mrgreen:
Folding@Home beta tester since 2002. Folding Forum moderator since July 2008.

FAH-Addict : latest news, tests and reviews about Folding@Home project.

toTOW
Site Moderator
 
Posts: 8914
Joined: Sun Dec 02, 2007 10:38 am
Location: Bordeaux, France

Re: Security Announcement - Login attempts exceeded - commen

Postby kiore » Fri Jan 21, 2011 10:48 pm

I got hit yesterday too.. :roll:

Current system failure, rebuilding soon.
kiore
 
Posts: 1303
Joined: Fri Jan 16, 2009 5:45 pm
Location: USA

Re: Security Announcement - Login attempts exceeded - commen

Postby Nathan_P » Fri Jan 21, 2011 11:20 pm

kiore wrote: I got hit yesterday too.. :roll:


Yeah, they are going after a fair few forums recently; Hardocp has been hit several times in the last couple of weeks.
Nathan_P
 
Posts: 1704
Joined: Wed Apr 01, 2009 9:22 pm
Location: Jersey, Channel islands

Re: Security Announcement - Login attempts exceeded - commen

Postby bruce » Sat Jan 22, 2011 4:16 am

toTOW wrote: I didn't get the confirmation in the last few days ... maybe they've given up trying to crack my password ... :mrgreen:


They haven't given up ... but uncle_fungus is still making security changes and the types of attacks that the bots use are becoming less effective here at foldingforum.org (though on a global basis, every time security is improved, terrorists are forced to find ways to improve their attacks).
bruce
 
Posts: 21276
Joined: Thu Nov 29, 2007 10:13 pm
Location: So. Cal.

Re: Security Announcement - Login attempts exceeded - commen

Postby chrisretusn » Fri Jan 28, 2011 12:35 pm

I just got hit with it.
Folding on Slackware Linux.
chrisretusn
 
Posts: 196
Joined: Sat Feb 02, 2008 10:12 am
Location: Philippines

Re: Security Announcement - Login attempts exceeded - commen

Postby mhouston » Fri Jan 28, 2011 4:07 pm

+1
mhouston
 
Posts: 915
Joined: Sun Dec 02, 2007 8:19 pm

Re: Security Announcement - Login attempts exceeded - commen

Postby rjbelans » Sat Jan 29, 2011 1:59 am

I'm a member of the club now too.
folding@evga - Donor Advisory Board Representative
rjbelans
 
Posts: 104
Joined: Fri Nov 27, 2009 2:48 am

Re: Security Announcement - Login attempts exceeded - commen

Postby Amaruk » Tue Feb 01, 2011 5:47 am

YAIM

(Yet Another Involuntary Member)
Amaruk
 
Posts: 512
Joined: Fri Jun 20, 2008 3:57 am
Location: Watching from the Woods
