Security Announcement - Login attempts exceeded - comments

Moderator: Site Moderators

uncle_fungus
Site Admin
Posts: 1288
Joined: Fri Nov 30, 2007 9:37 am
Location: Oxfordshire, UK


Post by uncle_fungus »

A number of our members have reported receiving the "You exceeded the maximum number of login attempts" message while trying to log in to the forum, and are then prompted to enter the confirmation code as well as their username and password.

Unfortunately it seems that several phpBB-based forums have been attacked in the same manner, which involves a bot persistently trying to log in to members' accounts. The forum software catches this and after 3 attempts prompts with the challenge question.
There is no indication that the bot has ever got past this challenge (as it is specific to our forum) as it would require both the correct password, and the correct challenge answer.
Furthermore there is no indication that any accounts have been compromised by the bot correctly guessing a password in less than 3 attempts.

However, if you have a "weak" password, we would recommend that you change it to something that would be much more difficult for a bot to guess, using either a dictionary or brute force attack.

Recommendations for increasing the strength of your password are using a combination of letters and numbers, using upper and lower case letters, and adding non-alphanumeric characters (e.g. *&$% etc.).
Qinsp
Posts: 216
Joined: Sun Oct 17, 2010 2:34 pm

Re: Security Announcement - Login attempts exceeded - commen

Post by Qinsp »

This happened to me yesterday on Attempt #1. Something is wrong with the site cookie. Sometimes it can recall the PW, other times it can't.

And the cookie retrieval is sometimes very slow. The reason it saw an incorrect password was that the cookie PW was not retrieved in time, so I had a blank field; I typed in my PW at the same time it retrieved it from the cookie, and ended up with a double entry. IE8/Win7
Quality Inspection - Corona, CA, USA
Dimensional Inspection Laboratory
Pat McSwain, President
uncle_fungus
Site Admin
Posts: 1288
Joined: Fri Nov 30, 2007 9:37 am
Location: Oxfordshire, UK

Re: Security Announcement - Login attempts exceeded - commen

Post by uncle_fungus »

Your password is not stored anywhere in the cookie, only a unique session id is stored to maintain a persistent login.

If you saw the message described in the OP, either you entered your password incorrectly 3 times (which isn't what happened in your case), or someone else did, in this case a bot. Regardless of the session cookie, at this point the forum software will force you to authenticate with your username, password and challenge question/answer.

Your browser is auto-completing the password field for you, and this is independent of any session cookie.
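The behaviour described in the announcement and in the reply above, as an added example that is not part of the thread and is not phpBB's code: a simplified model of a failed-login counter keyed by account rather than by browser session, which is why the account owner meets the challenge on their own first attempt after a bot has failed 3 times. The `LoginGate` class, the sample account, the guesses and the challenge answer are all constructed for illustration.

```python
import hmac

MAX_ATTEMPTS = 3  # threshold quoted in the announcement


class LoginGate:
    """Simplified per-account failed-login counter (illustrative model only)."""

    def __init__(self, users, challenge_answer):
        self.users = users                    # username -> password (plaintext only for this demo)
        self.challenge_answer = challenge_answer
        self.failed = {u: 0 for u in users}   # keyed by account, not by client or session

    def challenge_required(self, username):
        return self.failed.get(username, 0) >= MAX_ATTEMPTS

    def login(self, username, password, challenge=None):
        if username not in self.users:
            return "denied"
        # Constant-time comparisons so timing does not leak partial matches.
        password_ok = hmac.compare_digest(password.encode(), self.users[username].encode())
        if self.challenge_required(username):
            if challenge is None:
                return "challenge_required"
            challenge_ok = hmac.compare_digest(challenge.encode(), self.challenge_answer.encode())
            if not (password_ok and challenge_ok):
                self.failed[username] += 1
                return "denied"
        elif not password_ok:
            self.failed[username] += 1
            return "denied"
        self.failed[username] = 0             # a full success clears the counter
        return "ok"


def demo():
    gate = LoginGate({"alice": "C0rrect-Horse!"}, challenge_answer="blue")  # constructed data
    # Three wrong guesses from an automated client trip the threshold.
    bot = [gate.login("alice", guess) for guess in ("123456", "password", "qwerty")]
    # The real owner, on a different browser, is now challenged on the first try.
    owner_first_try = gate.login("alice", "C0rrect-Horse!")
    # Even the right password is rejected without the right challenge answer.
    wrong_challenge = gate.login("alice", "C0rrect-Horse!", "red")
    owner_ok = gate.login("alice", "C0rrect-Horse!", "blue")
    return bot, owner_first_try, wrong_challenge, owner_ok, gate.challenge_required("alice")
```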
COOLDUDEGAMER
Posts: 38
Joined: Wed Jan 28, 2009 11:01 pm
Hardware configuration: Folding Systems -
System 1 - Intel Xeon X3360, 8 GB A-Tech DDR2 800, Intel DG33FB, NVIDIA GeForce GTX 660 1.5 GB, 650 Watt EVGA PSU, Western Digital 80 GB ATA hard drive
Location: Dracut, MA, USA ; Kingston, NH, USA

Re: Security Announcement - Login attempts exceeded - commen

Post by COOLDUDEGAMER »

I just got hit with this thing. I thank this thread for helping me out as I was confused at first!

Signed,

COOLDUDEGAMER
Why am I always tired?!

GTron
Posts: 53
Joined: Wed Dec 05, 2007 3:47 pm
Location: Denver area, Colorado

Re: Security Announcement - Login attempts exceeded - commen

Post by GTron »

The bot must still be targeting the folding forum -- I just got hit with this.

Greg
uncle fuzzy
Posts: 460
Joined: Sun Dec 02, 2007 10:15 pm
Location: Michigan

Re: Security Announcement - Login attempts exceeded - commen

Post by uncle fuzzy »

I've seen it 5-6 times over the past 2 weeks. The last time was 3-4 days ago.
Proud to crash my machines as a Beta Tester!

Leonardo
Posts: 260
Joined: Tue Dec 04, 2007 5:09 am
Hardware configuration: GPU slots on home-built, purpose-built PCs.
Location: Eagle River, Alaska

Re: Security Announcement - Login attempts exceeded - commen

Post by Leonardo »

Thanks for the announcement/warning. What you described happened to me yesterday (19 January).
toTOW
Site Moderator
Posts: 6349
Joined: Sun Dec 02, 2007 10:38 am
Location: Bordeaux, France

Re: Security Announcement - Login attempts exceeded - commen

Post by toTOW »

I didn't get the confirmation in the last few days ... maybe they've given up trying to crack my password ... :mrgreen:

Folding@Home beta tester since 2002. Folding Forum moderator since July 2008.
kiore
Posts: 921
Joined: Fri Jan 16, 2009 5:45 pm
Location: USA

Re: Security Announcement - Login attempts exceeded - commen

Post by kiore »

I got hit yesterday too.. :roll:
i7 7800x RTX 3070 OS= win10. AMD 3700x RTX 2080ti OS= win10 .

Team page: https://www.rationalskepticism.org/viewtopic.php?t=616
Nathan_P
Posts: 1164
Joined: Wed Apr 01, 2009 9:22 pm
Hardware configuration: Asus Z8NA D6C, 2 x5670@3.2 Ghz, , 12gb Ram, GTX 980ti, AX650 PSU, win 10 (daily use)

Asus Z87 WS, Xeon E3-1230L v3, 8gb ram, KFA GTX 1080, EVGA 750ti , AX760 PSU, Mint 18.2 OS

Not currently folding
Asus Z9PE- D8 WS, 2 E5-2665@2.3 Ghz, 16Gb 1.35v Ram, Ubuntu (Fold only)
Asus Z9PA, 2 Ivy 12 core, 16gb Ram, H folding appliance (fold only)
Location: Jersey, Channel islands

Re: Security Announcement - Login attempts exceeded - commen

Post by Nathan_P »

kiore wrote: I got hit yesterday too.. :roll:
Yeah they are going after a fair few forums recently, Hardocp has been hit several times in the last couple of weeks.
bruce
Posts: 20824
Joined: Thu Nov 29, 2007 10:13 pm
Location: So. Cal.

Re: Security Announcement - Login attempts exceeded - commen

Post by bruce »

toTOW wrote: I didn't get the confirmation in the last few days ... maybe they've given up trying to crack my password ... :mrgreen:
They haven't given up ... but uncle_fungus is still making security changes and the types of attacks that the bots use are becoming less effective here at foldingforum.org (though on a global basis, every time security is improved, terrorists are forced to find ways to improve their attacks).
chrisretusn
Posts: 101
Joined: Sat Feb 02, 2008 10:12 am
Hardware configuration: AMD Athlon(tm) 64 X2 Dual Core Processor 4000+
AMD Athlon(tm) XP 2600+
Location: Philippines

Re: Security Announcement - Login attempts exceeded - commen

Post by chrisretusn »

I just got hit with it.
Folding on Slackware Linux.
mhouston
Scientist
Posts: 319
Joined: Sun Dec 02, 2007 8:19 pm

Re: Security Announcement - Login attempts exceeded - commen

Post by mhouston »

+1
rjbelans
Posts: 77
Joined: Fri Nov 27, 2009 2:48 am

Re: Security Announcement - Login attempts exceeded - commen

Post by rjbelans »

I'm a member of the club now too.
folding@evga - Donor Advisory Board Representative
Amaruk
Posts: 254
Joined: Fri Jun 20, 2008 3:57 am
Location: Watching from the Woods

Re: Security Announcement - Login attempts exceeded - commen

Post by Amaruk »

YAIM

(Yet Another Involuntary Member)