The Arcive of Official vBulletin Modifications Site.

Marco van Herwaarden · #21 08-24-2005, 11:57 AM

They usually use some calculation of the numer of different IP's (or subnet's) in a certain period of time. If that is higher then a set limit, it is asumed that it will be a share.

This work fine for pornsites for example where if an account is shared, immediae hundreds of people from all over the world try to use it.

Andreas · #22 08-24-2005, 12:01 PM

That's what I always tried to point out: You cannot detect if an account is being shared, you can only assume it, and this assumption might be good or bad, depending on your algortihms.

Marco van Herwaarden · #23 08-24-2005, 12:29 PM

@Kirby,

If you are so depressed all the time, what is that smile doing on your face.

sub_ubi · #24 08-24-2005, 08:53 PM

Thank you both. If I can gather the money I'll probably put this in paid requests.

FrozenCreations · #25 08-25-2005, 12:04 AM

ok, me being an admin, (well, im guessing we all are, lol) i have so many accounts on my site, it woudl drive you insane!) i log on2 all kinds of accounts, i see no need for this /;

CMX_CMGSCCC · #26 08-29-2005, 01:59 AM

What I would do is something like this: (It would not be full proof, but it would be a good start)

1) Save all of the IP's that a user logs in from. (I believe the vB does this already now.) You could add a number of times each IP has logged into that account as well to see which ISP is the most used.
2) Check if there is multiple sessions with the same username. If there is more than 3, start the extra check in number 3.
3) Check if the IP's are close together, or far apart. (i.e. make sure the xxx.xxx.*.* parts match up or are very close. (Even resolve the hostname to see if its the same ISP but a different IP address because it was dialed in.)
4) Have a check in to set the account to banned if it detects x number of sessions logged in the time period of y. (Both x and y would be settings that the owner can set.)
5) If it detects say over 20 ISP's of the account and all are different ISP's, ban the account automatically.

I think with the above stipulations, you could catch a number of accounts on www.bugmenot.com for example. You might get some legitmate users here and there, but some of the Untachy hacks I have seen would hit some legitmate users sometimes too I think.

-CMX

sub_ubi · #27 10-12-2005, 09:38 PM

Quote:

Originally Posted by CMX_CMGSCCC

What I would do is something like this: (It would not be full proof, but it would be a good start)

1) Save all of the IP's that a user logs in from. (I believe the vB does this already now.) You could add a number of times each IP has logged into that account as well to see which ISP is the most used.
2) Check if there is multiple sessions with the same username. If there is more than 3, start the extra check in number 3.
3) Check if the IP's are close together, or far apart. (i.e. make sure the xxx.xxx.*.* parts match up or are very close. (Even resolve the hostname to see if its the same ISP but a different IP address because it was dialed in.)
4) Have a check in to set the account to banned if it detects x number of sessions logged in the time period of y. (Both x and y would be settings that the owner can set.)
5) If it detects say over 20 ISP's of the account and all are different ISP's, ban the account automatically.

I think with the above stipulations, you could catch a number of accounts on www.bugmenot.com for example. You might get some legitmate users here and there, but some of the Untachy hacks I have seen would hit some legitmate users sometimes too I think.

-CMX

That would be a very nice hack.

To make it simpler, just check the domain. If more than x domains are logged into the same account over a period of y, do z.

"z" doesn't have to be automatically banning the account, changing the pass, or anything drastic. It could simply make a note in a text file for an admin to read.

Smiry Kin's · #28 12-18-2005, 09:48 PM

Quote:

Originally Posted by StarBuG

If you reset the password after a different ip accesses an account that was previously used by another IP you don?t take dial up users into account.
My DSL connection is separated after 24h.
When I am browsing the forum and get disconnected I reconnect immediatly with a new ip.

In that case nearly every day I would need to change my password so I doubt that this would be a good idea.

You could write a script that detects if a forum cookie for another account is already set and if that is the case then notify an admin about possible account sharing.

StarBuG

The guy was stating that if ppl log in at the same time... dial up, would mean disconecting.. there for loging back in. new ip etc.. only 1 user logged in..

Zxin · #29 12-19-2005, 06:55 PM

Over a 10 minute period of time you get http requests from 3 or 4 different IP addresses, I think that most people would say that is worth looking in to, so then FLAG the account.

Let me be specific that the requests contiune over the time period,
not IP1 for 10 munites then IP2 then IP3 then IP4, but a mix of requests.

A simple whois to check if the IP block belongs to the same ISP and then you KNOW its being shared (especially if you are talking saw east coast and westcoast IPs). (This can be done with a nightly cron job, or even on the fly depending on severity thesholds)

Quite possible to detect, since you are using authenticated access.
Remember its not that an account "changes" IPs its simultaneous requests.
A user with 10 requests per minute over 2 IP addresses for 10 minutes sure the heck IS sharing accounts

(unless the ISP has some real elaborate load sharing proxy, but in this case you can rely on whois lookups)

1. VBB detects more than X IP addresses per username in an X seconds, and flags the account.
2. Log parcer kicks in for flagged accounts and strips out username/IP data and does a whois and checks for IP ownership, and outputs an email address to the forums staff (keeps false positives down)
3. Automated step via theshold that says if X IPs in X hours (and whois data not matching) and starts actions placed in the plugin (admin can set anywhere from flag and email to shutdown the account (heck lauch a nuke if you have that kind of access :P)

-Zxin

Quote:

Originally Posted by Andreas

That's what I always tried to point out: You cannot detect if an account is being shared, you can only assume it, and this assumption might be good or bad, depending on your algortihms.

Borgs8472 · #30 12-19-2005, 07:10 PM

Quote:

Originally Posted by Andreas

Also, what about AOL Users?

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.08861 seconds Memory Usage 2,260KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (4)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (1)pagenav (1)pagenav_curpage (4)pagenav_pagelink (10)post_thanks_box (10)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (10)post_thanks_postbit_info (10)postbit (10)postbit_onlinestatus (10)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start pagenav_page pagenav_complete tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!