Security Announcement - Login attempts exceeded - comments
Moderator: Site Moderators
-
- Site Admin
- Posts: 1288
- Joined: Fri Nov 30, 2007 9:37 am
- Location: Oxfordshire, UK
Security Announcement - Login attempts exceeded - comments
A number of our members have reported receiving the "You exceeded the maximum number of login attempts" message while trying to log in to the forum, and are then prompted to enter the confirmation code as well as their username and password.
Unfortunately it seems that several phpBB-based forums have been attacked in the same manner, which involves a bot persistently trying to log in to members' accounts. The forum software catches this and after 3 attempts prompts with the challenge question.
There is no indication that the bot has ever got past this challenge (as it is specific to our forum) as it would require both the correct password, and the correct challenge answer.
Furthermore there is no indication that any accounts have been compromised by the bot correctly guessing a password in less than 3 attempts.
However, if you have a "weak" password, we would recommend that you change it to something that would be much more difficult for a bot to guess, using either a dictionary or brute force attack.
Recommendations for increasing the strength of your password are using a combination of letters and numbers, using upper and lower case letters, and adding non-alphanumeric characters (i.e. *&$% etc.)
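The behaviour described in this announcement, as an added sketch that is not part of the original post and is not phpBB's own code: failures are counted per account, so a bot's wrong guesses put the challenge in front of the real owner too, and past the threshold a correct password alone is not enough. `LoginGate`, `simulate`, the credentials and the challenge answer are all hypothetical, constructed values.

```python
import hashlib, hmac, os

MAX_ATTEMPTS = 3  # failed logins before the challenge is demanded (per the announcement)

def _hash(password, salt):
    # Salted, slow hash; the plaintext password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    """Hypothetical per-account failure counter with challenge escalation."""
    def __init__(self, challenge_answer):
        self.challenge_answer = challenge_answer.encode()
        self.accounts = {}  # user -> (salt, password hash)
        self.failed = {}    # user -> consecutive failed attempts, from any client

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = (salt, _hash(password, salt))
        self.failed[user] = 0

    def login(self, user, password, challenge=None):
        if user not in self.accounts:
            return "denied"
        challenged = self.failed[user] >= MAX_ATTEMPTS
        if challenged and challenge is None:
            return "challenge_required"  # what members in this thread are seeing
        salt, stored = self.accounts[user]
        ok = hmac.compare_digest(_hash(password, salt), stored)
        if challenged:
            # Past the threshold, password AND challenge answer must both match.
            ok &= hmac.compare_digest(challenge.encode(), self.challenge_answer)
        if ok:
            self.failed[user] = 0  # a full successful login clears the counter
            return "ok"
        self.failed[user] += 1
        return "denied"

def simulate():
    gate = LoginGate(challenge_answer="constructed-answer")
    gate.register("member", "correct horse 42!")
    # Constructed bot traffic: three wrong guesses against one account.
    bot = [gate.login("member", g) for g in ("123456", "password", "qwerty")]
    owner_first = gate.login("member", "correct horse 42!")           # owner, no challenge
    right_pw_only = gate.login("member", "correct horse 42!", "wrong")  # password alone
    owner_final = gate.login("member", "correct horse 42!", "constructed-answer")
    return bot, owner_first, right_pw_only, owner_final
```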
Re: Security Announcement - Login attempts exceeded - commen
This happened to me yesterday on Attempt #1. Something is wrong with the site cookie. Sometimes it can recall the PW, other times it can't.
And the cookie retrieval is sometimes very slow. The reason it saw an incorrect password, was that the cookie PW was not retrieved in time, so I had a blank field, I typed in my PW at the same time it retrieved it from the cookie, and ended up with a double entry. IE8/Win7
Quality Inspection - Corona, CA, USA
Dimensional Inspection Laboratory
Pat McSwain, President
-
- Site Admin
- Posts: 1288
- Joined: Fri Nov 30, 2007 9:37 am
- Location: Oxfordshire, UK
Re: Security Announcement - Login attempts exceeded - commen
Your password is not stored anywhere in the cookie, only a unique session id is stored to maintain a persistent login.
If you saw the message described in the OP, either you entered your password incorrectly 3 times (which isn't what happened in your case), or someone else did, in this case a bot. Regardless of the session cookie, at this point the forum software will force you to authenticate with your username, password and challenge question/answer.
Your browser is auto-completing the password field for you, and this is independent of any session cookie.
-
- Posts: 38
- Joined: Wed Jan 28, 2009 11:01 pm
- Hardware configuration: Folding Systems -
System 1 - Intel Xeon X3360, 8 GB A-Tech DDR2 800, Intel DG33FB, NVIDIA GeForce GTX 660 1.5 GB, 650 Watt EVGA PSU, Western Digital 80 GB ATA hard drive
- Location: Dracut, MA, USA ; Kingston, NH, USA
Re: Security Announcement - Login attempts exceeded - commen
I just got hit with this thing. I thank this thread for helping me out as I was confused at first!
Signed,
COOLDUDEGAMER
Why am I always tired?!
Re: Security Announcement - Login attempts exceeded - commen
The bot must still be targeting the folding forum -- I just got hit with this.
Greg
-
- Posts: 460
- Joined: Sun Dec 02, 2007 10:15 pm
- Location: Michigan
Re: Security Announcement - Login attempts exceeded - commen
I've seen it 5-6 times over the past 2 weeks. The last time was 3-4 days ago.
Proud to crash my machines as a Beta Tester!
-
- Posts: 260
- Joined: Tue Dec 04, 2007 5:09 am
- Hardware configuration: GPU slots on home-built, purpose-built PCs.
- Location: Eagle River, Alaska
Re: Security Announcement - Login attempts exceeded - commen
Thanks for the announcement/warning. What you described happened to me yesterday (19 January).
-
- Site Moderator
- Posts: 6349
- Joined: Sun Dec 02, 2007 10:38 am
- Location: Bordeaux, France
Re: Security Announcement - Login attempts exceeded - commen
I didn't get the confirmation in the last few days ... maybe they've given up trying to crack my password ...
Re: Security Announcement - Login attempts exceeded - commen
I got hit yesterday too..
i7 7800x RTX 3070 OS= win10. AMD 3700x RTX 2080ti OS= win10 .
Team page: https://www.rationalskepticism.org/viewtopic.php?t=616
-
- Posts: 1164
- Joined: Wed Apr 01, 2009 9:22 pm
- Hardware configuration: Asus Z8NA D6C, 2 x5670@3.2 Ghz, , 12gb Ram, GTX 980ti, AX650 PSU, win 10 (daily use)
Asus Z87 WS, Xeon E3-1230L v3, 8gb ram, KFA GTX 1080, EVGA 750ti , AX760 PSU, Mint 18.2 OS
Not currently folding
Asus Z9PE- D8 WS, 2 E5-2665@2.3 Ghz, 16Gb 1.35v Ram, Ubuntu (Fold only)
Asus Z9PA, 2 Ivy 12 core, 16gb Ram, H folding appliance (fold only)
- Location: Jersey, Channel islands
Re: Security Announcement - Login attempts exceeded - commen
kiore wrote: I got hit yesterday too..
Yeah they are going after a fair few forums recently, Hardocp has been hit several times in the last couple of weeks.
Re: Security Announcement - Login attempts exceeded - commen
toTOW wrote: I didn't get the confirmation in the last few days ... maybe they given up trying to crack my password ...
They haven't given up ... but uncle_fungus is still making security changes and the types of attacks that the bots use are becoming less effective here at foldingforum.org (though on a global basis, every time security is improved, terrorists are forced to find ways to improve their attacks).
Posting FAH's log:
How to provide enough info to get helpful support.
-
- Posts: 101
- Joined: Sat Feb 02, 2008 10:12 am
- Hardware configuration: AMD Athlon(tm) 64 X2 Dual Core Processor 4000+
AMD Athlon(tm) XP 2600+
- Location: Philippines
Re: Security Announcement - Login attempts exceeded - commen
I just got hit with it.
Re: Security Announcement - Login attempts exceeded - commen
I'm a member of the club now too.
Re: Security Announcement - Login attempts exceeded - commen
YAIM
(Yet Another Involuntary Member)