1. While you are free to lurk, we welcome you to register for a (free) account so that you will be able to participate in forum discussions.

Brute Force Attack

Discussion in 'Forum Announcements' started by Converse, Feb 19, 2015.

  1. Converse Active Member


    You may have noticed that the forum was very slow earlier or, like me, you may not have been able to connect to it at all. That is because the forum was undergoing a brute force attack.

    A brute force attack is when automated methods are used to attempt to obtain the user password for the administrative account of the forum, using a trial and error algorithm that generates a large number of consecutive guesses. Since many people use words that they can remember as passwords, brute force attacks often begin by trying all of the words in the dictionary, rapidly, using multiple connections, or simply try commonly-used passwords or combinations of letters and numbers.

    In this case, they were all from Chinese IPs. They didn't get in, and I don't think they will get in, but they put quite a drain on the resources of the server, causing a slowdown that resulted in timeouts for some of us.

    In forums, brute force attacks are usually aimed at the Admin account but they do sometimes target other user accounts as well, so it's good to have complex passwords.

    Things seem to have calmed down now, however.

    Last edited: Feb 20, 2015
  2. Converse Active Member


    I don't think that this forum was specifically targeted, as the same thing was occurring with my other forum. Although hosted with the same hosting company, they are on separate accounts. I doubt anyone will be getting in, as I have taken to using passwords that are a mile long, consisting of random characters, and I change them every now and then.

  3. toradrake Member


    Wow, thanks for the tip @Converse. Now I know for my own sites to make complex passwords and to change them often. I don't understand why they would attack a forum though... what could they possibly gain from that?

  4. Ray Active Member


    Provably unrelated but, last week, I received an email from GoDaddy, telling me that my account had been put on lock-down due to multiple login attempts, I had not gone into my account for over 2 months. I assume someone was trying to break in.

    Depending on the type of hosting you use, you can block entire IP Ranges at the server level.

    I have a dedicated server from HostGator, and have lots of IP Ranges from that part of the world blocked, or as they call it "IP Address Deny". This, more than likely, will not stop all brute force attacks but, since most of these attacks tend to come from there, I think its worth the effort.

  5. Converse Active Member


    It looks like they hit us again this morning, but didn't keep it up for as long.

  6. toradrake Member


    Does this happen frequently? How can you tell you are getting hit? Is there a way I can check mine?

  7. Converse Active Member


    In some cases, I don't know until my host lets me know that I am using a lot of resources. However, depending on your hosting plan, you may be able to check your resource use in much the same way that you might check other statistics. When you see spikes in resources that don't correspond with some event that has led a bunch of real people to your site, that's a good possibility.

    During a DDOS or brute force attack, you won't be looking at a slight rise, but a dramatic increase, most often (in my experience, anyhow) from Chinese or Russian ISPs.

  8. toradrake Member


    Interesting. I really never thought to keep an eye on things like this for my forum because I never thought that they would go after one. I can't seem to even grasp the idea that they would. There is no motive or reasoning behind it that I can foresee. There is no profit or enjoyment involved in it.... I just don't get it.

  9. Converse Active Member


    Maybe it is personal. My Web Directory Digest site is under attack today too, and that's hosted with a different hosting company. These attacks are coming from Spain, though.

    On Feb 20, 2015, at 2:49 PM, WordPress <wordpress@webdirectorydigest.org> wrote:

    Your website, Web Directory Digest, is undergoing a brute force attack.

    There have been at least 80 failed attempts to log in during the past 120 minutes that used one or more of the following components:

    Component Count Value from Current Attempt
    ------------------------ ----- --------------------------------
    Network IP 18 77.224.232.*
    Username 50 *********
    Password MD5 11 ************************************************

    The most recent attempt came from the following IP address:

    The Login Security Solution plugin (0.50.0) for WordPress is repelling the attack by making their login failures take a very long time. This attacker will also be denied access in the event they stumble upon valid credentials.

    Further notifications about this attacker will only be sent if the attack stops for at least 120 minutes and then resumes.

  10. Converse Active Member


    Having never been involved in such a thing, except on the receiving end, I don't know for sure, but I think that these things are fairly random sometimes. Perhaps they are trying to break into a range of Xenforo forums. As I suggested earlier, they might have been targeting domains on that particular server, except that my Digest site is on another server.

    Or perhaps I made someone angry. A lot of nefarious people hang out in the larger SEO forums, I'm afraid, and I do participate in Digital Point quite a bit. I have no reason to think that's the case and, for that matter, I don't think I've ever mentioned, let alone linked to, my Seniors forum at DP.

    As is generally the case, I doubt that I'll ever know what it was about but once a site begins getting traffic, or starts doing well in the SERPs, it is almost certain to be targeted by someone.

  11. KenBrace New Member


    Many forum software packages also have this feature. They allow you to block a range of IP addresses.

    I had a really mallicious member join my site once and he got banned. Not long after that he tried to hack the forum. I ended up having to block the whole range of ip addresses from his ISP. The hacking attack stopped after that so I guess it worked. Anyone else who is experiencing a hack I advise doing this.


Share This Page