Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 06-23-2008, 10:14 AM
Eunos Eunos is offline
 
Join Date: Sep 2003
Posts: 12
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Tor project enables anonymous hack attempts - how to combat it?

In the past 5 days, I've been getting swamped with email from registered forum users who are responding to the vB note that gets sent out when someone fails after 5 login attempts. Every one of them was telling me "it wasn't me".

Investigation of the IP addresses they're coming from reveals that they're bouncing off exit nodes from the Tor network. The Tor network is a distributed cryptographic anonymizing proxy service. It is not possible at this time to identify the actual source.

So in layman's terms - the hack attempts are coming from someone who is abusing the Tor network in order to anonymously attempt to log in to this forum as a legitimate user. If they succeed, they're most likely going to use it to spam the forum with ads.

I've been firewalling out IP addresses right and left, but this is proving to be useless since there are hundreds, or maybe thousands of Tor servers out there, and the hackers simply find another one to continue their barrage. And since Tor is totally anonymous, there's no way to identify the originator, and therefore no way to halt the break in attempts.

I found an abuse FAQ, and it has some hints on how to determine whether an IP is a Tor exit server.

What I'd like to do is have a hack that can identify a server as a Tor server, and simply block all registration and login attempts from those servers.

Has anyone does this? Any different suggestions?
Reply With Quote
  #2  
Old 06-23-2008, 10:29 AM
KURTZ KURTZ is offline
 
Join Date: Nov 2006
Location: Italy
Posts: 2,257
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

have you tried PM's hack 'proxy to real ip' add-on?
Reply With Quote
  #3  
Old 06-23-2008, 10:57 AM
Eunos Eunos is offline
 
Join Date: Sep 2003
Posts: 12
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

How would that help?
Reply With Quote
  #4  
Old 06-26-2008, 08:39 AM
Angel-Wings's Avatar
Angel-Wings Angel-Wings is offline
 
Join Date: Sep 2007
Posts: 206
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

That wouldn't help - no need to install it. About the problem - there's not much you can do
Reply With Quote
  #5  
Old 06-26-2008, 09:45 AM
fedorama fedorama is offline
 
Join Date: Jun 2008
Posts: 36
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I'm pretty sure there is something you can add server-side that will block all Tor IPs .. at least I remember reading that on the Tor project.
Reply With Quote
  #6  
Old 06-26-2008, 09:51 AM
Eunos Eunos is offline
 
Join Date: Sep 2003
Posts: 12
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Its really getting annoying, mostly because of the email that vB sends telling the account holder that someone tried to hack their account. So they get all worked up and scared, and they send me email telling me to delete their account - which I don't want to do because I hate having posts from someone named "Guest".
Reply With Quote
  #7  
Old 06-26-2008, 11:45 AM
Alfa1's Avatar
Alfa1 Alfa1 is offline
 
Join Date: Dec 2005
Location: Netherlands
Posts: 3,537
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Proxy to IP is real helpful with identifying proxy users. Consider this hack:
https://vborg.vbsupport.ru/showthrea...ighlight=proxy
Note that it excludes safari users.
Reply With Quote
  #8  
Old 06-26-2008, 12:42 PM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I don't think you understand the Tor network, Alfa1. Tor makes it pretty much impossible to locate where data originally came from, as it is passed from node to node before reaching its destination.
Reply With Quote
  #9  
Old 06-26-2008, 12:57 PM
JoeBOBBillyTed JoeBOBBillyTed is offline
 
Join Date: Feb 2005
Posts: 42
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Why not disable the email. It won't fix the main problem, however it may stop the bleeding.
Reply With Quote
  #10  
Old 06-26-2008, 01:50 PM
blind-eddie's Avatar
blind-eddie blind-eddie is offline
 
Join Date: Apr 2006
Location: Michigan
Posts: 2,310
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

wild card ban thier ip within your host, not only your site.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 04:13 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.05289 seconds
  • Memory Usage 2,244KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete