Author Topic: MEM China attack  (Read 3257 times)

Offline Jo

  • Administrator
  • Full Member
  • *****
  • Posts: 15305
  • Hampshire, england.
MEM China attack
« on: July 21, 2019, 06:45:19 PM »
Just to let you all know over the last week our forum has been inundated with attempted log-ons from China. To prevent this attack from bringing down the server we have had to effectively ban all Chinese IP addresses  :(

If anyone finds that they have been banned for no apparent reason it may be that we have mistakenly banned your computer's IP address. We are monitoring things and will unban you as soon as we realise our mistake :facepalm2:

Jo
Enjoyment is more important than achievement.

Offline crueby

  • Full Member
  • *****
  • Posts: 18689
  • Rochester NY
Re: MEM China attack
« Reply #1 on: July 21, 2019, 06:49:43 PM »
More internet craziness. I guess they want our cutting-edge steam technology...  :headscratch:

Offline Jasonb

  • Full Member
  • *****
  • Posts: 9491
  • Surrey, UK
Re: MEM China attack
« Reply #2 on: July 21, 2019, 06:54:46 PM »
That's what you get for allowing the Red Devil into your workshop Jo :mischief:

Offline Jo

  • Administrator
  • Full Member
  • *****
  • Posts: 15305
  • Hampshire, england.
Re: MEM China attack
« Reply #3 on: July 21, 2019, 06:55:10 PM »
That's what you get for allowing the Red Devil into your workshop Jo :mischief:

 :facepalm:
Enjoyment is more important than achievement.

Offline Art K

  • Full Member
  • ****
  • Posts: 1767
  • Madison, Wisconsin USA
Re: MEM China attack
« Reply #4 on: July 22, 2019, 01:51:16 AM »
I think it's our cutting edge IC engine tech. :DrinkPint:
Art
"The beautiful thing about learning is that no one can take it away from you" B.B. King

Offline stevehuckss396

  • Full Member
  • ****
  • Posts: 1554
  • Sterling Heights, MI USA
    • Steve's Miniature Sparkplugs
Re: MEM China attack
« Reply #5 on: July 22, 2019, 10:51:28 AM »
Hello Jo!

What exactly is the point of these attacks? What do they hope to gain? Are they fishing for free plans thinking they are stored on sites like this? I know they have started producing many of the steam and hit miss engines that have free plans available on the interweb. Do they think that a disruption to a site as important as this one will lead to a total collapse of the government? Other than just being a$$ho!es I don't see what's in it for them.

???
Do not be like the cat who wanted a fish but was afraid to get his paws wet.

Offline b.lindsey

  • Global Moderator
  • Full Member
  • *****
  • Posts: 13860
  • Dallas, NC, USA
    • Workbench-Miniatures
Re: MEM China attack
« Reply #6 on: July 22, 2019, 12:39:33 PM »
Steve, there are various ways to check individual ISP addresses as to location (China in this case) and sometimes more information if that address has had a history of nefarious activity from spamming, to being infected with one of the many botnet viruses which can pass from computer to computer. When looking at many of these, sometimes they show little if anything, but I have run across one or two that indicated they had a history of for personal information...things like credit card info, etc.  I don't think MEM has much exposure there, but we all still need to be vigilant about storing any personal data here or anywhere for that matter. I think your a$$hole assessment is the more accurate for most of these attacks. While you may still see the "number online" figure climb above normal levels, 99% of them are now banned and can NOT gain access to the forum, yet still they sit there trying to connect time after time and that shows up in the count too. We hope they will eventually get tired of the ban notices and just move on.

Bill

Offline Jo

  • Administrator
  • Full Member
  • *****
  • Posts: 15305
  • Hampshire, england.
Re: MEM China attack
« Reply #7 on: July 22, 2019, 12:40:47 PM »
Other than just being a$$ho!es I don't see what's in it for them.

I think you have hit the button on the nose. They get a buzz for being a pain. What they have also done is denied their countrymen access to our website so that they can copy our photos and claim our builds as theirs ::)


We get other spammers who seem to think we want to see other types of porn other than machine tools or model engines  :headscratch: But many are just trying to join so they can tempt you to go to their infected website so they can scam you  :Mad:

Jo
Enjoyment is more important than achievement.

Offline Jasonb

  • Full Member
  • *****
  • Posts: 9491
  • Surrey, UK
Re: MEM China attack
« Reply #8 on: July 22, 2019, 01:06:16 PM »
I've recently had a batch of spammers on ME forum selling embalming powders, was half tempted to approve them as the lack of model making there makes you think they are all one step in the grave :stir:

Offline stevehuckss396

  • Full Member
  • ****
  • Posts: 1554
  • Sterling Heights, MI USA
    • Steve's Miniature Sparkplugs
Re: MEM China attack
« Reply #9 on: July 22, 2019, 11:13:10 PM »
Well thanks for staying on top of the situation and thank you for your hard work keeping this forum safe. It's a great place with some darn right nice people and one of very few places that supports the hobby.
Do not be like the cat who wanted a fish but was afraid to get his paws wet.

Offline b.lindsey

  • Global Moderator
  • Full Member
  • *****
  • Posts: 13860
  • Dallas, NC, USA
    • Workbench-Miniatures
Re: MEM China attack
« Reply #10 on: July 23, 2019, 12:32:34 AM »
Thanks Steve. I have to say dealing with this insanity isn't much fun though, but must be done.

Bill

Offline MJM460

  • Full Member
  • ****
  • Posts: 1649
  • Melbourne, Australia
Re: MEM China attack
« Reply #11 on: July 23, 2019, 06:58:28 AM »
Another vote of thanks to the Admin and moderators.  Well done.  Your efforts are much appreciated.

MJM460
The more I learn, the more I find that I still have to learn!

Offline Craig DeShong

  • Full Member
  • ****
  • Posts: 1293
  • Raleigh, NC. USA
Re: MEM China attack
« Reply #12 on: July 23, 2019, 05:57:17 PM »
I used to (back in my working days) manage the unit that ran the web servers for NCState University.  The hacking from China was relentless.  Keeping the university web sites safe was a full time job so I know the effort y’all are taking.  Thanks for your efforts.
Craig
The destination motivates us toward excellence, the journey entertains us, and along the way we meet so many interesting people.

Offline b.lindsey

  • Global Moderator
  • Full Member
  • *****
  • Posts: 13860
  • Dallas, NC, USA
    • Workbench-Miniatures
Re: MEM China attack
« Reply #13 on: July 23, 2019, 07:46:52 PM »
Craig, it is amazing ( not in a good way) how relentless they are. Even when banned, they just keep trying, some obviously using the equivalent of robocalling. One of the more active ones I saw this morning had something like 175 pages of bans to one isp address over 24 hours, at 15 ban notices per page. They just don't quit, but at this point I think we have most of them banned and hopefully with minimal disruption to our members.

The total hits to all bans in place has been over 6000 just since 8:30 this morning. And all this for a small hobby forum :o. I can even begin to imagine it at the University level!!

Bill
« Last Edit: July 23, 2019, 07:52:46 PM by b.lindsey »

Offline crueby

  • Full Member
  • *****
  • Posts: 18689
  • Rochester NY
Re: MEM China attack
« Reply #14 on: July 23, 2019, 08:46:24 PM »
Maybe we should put up threads with titles about 'supercheap nukes' for them to target, fill the threads with blurry plans (with bad dimensions) for old toaster ovens. Would keep them busy for a while...   :LittleDevil:

Offline b.lindsey

  • Global Moderator
  • Full Member
  • *****
  • Posts: 13860
  • Dallas, NC, USA
    • Workbench-Miniatures
Re: MEM China attack
« Reply #15 on: July 23, 2019, 10:27:27 PM »
Rather keep them off ALL pages!!

Bill

Offline derekwarner

  • Full Member
  • ****
  • Posts: 834
  • Wollongong ...... Australia
Re: MEM China attack
« Reply #16 on: July 24, 2019, 02:02:22 AM »
Wednesday 10th July 2019 ....... :LittleAngel: flew 1100 km to Adelaide .....the wonderful bag handlers with Qantas  :killcomputer: destroyed my Toshiba Ultrabook.....used an alternate Desktop & logged into Paddleducks & Model Boat Mayhem & a few others OK

Attempted to log into MEM ...saw a message I was banned for life & this exclusion was not reversible......  :facepalm:

Waited 24 hours......the same......waited another 24 hours & the system asked me if I wanted to revise my password.....then all OK

Returning home in a few days on the 26th   :shrug: so I may find issues logging on when I purchase a new Laptop??

Derek
« Last Edit: July 24, 2019, 12:26:07 PM by derekwarner »
Derek L Warner - Honorary Secretary [Retired]
Illawarra Live Steamers Co-op - Australia
www.ils.org.au

Offline b.lindsey

  • Global Moderator
  • Full Member
  • *****
  • Posts: 13860
  • Dallas, NC, USA
    • Workbench-Miniatures
Re: MEM China attack
« Reply #17 on: July 24, 2019, 02:35:06 AM »
Sorry for the scare Derek. Unfortunately some isp blocks overlap between China and Australia. As soon as it was noticed that a few valid members were being caught in the high level bans, they were modified/refined to remove your isp address. You shouldn't have issues with the new laptop, not from your usual isp address anyway.

Bill
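
The refinement described in the reply above (narrowing a broad range ban so a valid member's address is no longer caught), as an added example that is not part of the thread or of the forum software. The function names, the RFC 5737 documentation ranges used as sample data and the /28 carve-out size are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges, not real ban lists.
BAN_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]
MEMBER_IPS = {"member_a": "203.0.113.77", "member_b": "192.0.2.10"}


def members_caught(ban_ranges, member_ips):
    """Map each member whose last-known address is inside a ban range to that range."""
    nets = [ipaddress.ip_network(r) for r in ban_ranges]
    caught = {}
    for name, ip in member_ips.items():
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:  # False (no error) when IPv4/IPv6 versions differ
                caught[name] = str(net)
                break
    return caught


def refine_ban(ban_range, member_ip, carve_prefix=28):
    """Split ban_range into sub-ranges that leave the member's block open.

    carve_prefix (assumed /28) is how much address space around the member
    is re-opened; everything else in the original range stays banned.
    """
    ban = ipaddress.ip_network(ban_range)
    keep = ipaddress.ip_network(f"{member_ip}/{carve_prefix}", strict=False)
    if keep.version != ban.version:
        return [str(ban)]          # different address family: ban untouched
    if ban.subnet_of(keep):
        return []                  # carve-out swallows the whole ban
    if not keep.subnet_of(ban):
        return [str(ban)]          # member is not in this range: ban untouched
    return [str(n) for n in sorted(ban.address_exclude(keep))]


def refine_all(ban_ranges, member_ips, carve_prefix=28):
    """Apply refine_ban for every known member, keeping the ban list order."""
    bans = list(ban_ranges)
    for ip in member_ips.values():
        refined = []
        for ban in bans:
            refined.extend(refine_ban(ban, ip, carve_prefix))
        bans = refined
    return bans


if __name__ == "__main__":
    print("caught before:", members_caught(BAN_RANGES, MEMBER_IPS))
    new_bans = refine_all(BAN_RANGES, MEMBER_IPS)
    print("refined bans: ", new_bans)
    print("caught after: ", members_caught(new_bans, MEMBER_IPS))
```

Running the check against the member list before a broad ban goes live shows who would be locked out, rather than waiting for a member to report it.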

Offline Alan Haisley

  • Full Member
  • ****
  • Posts: 693
  • Fuquay-Varina, North Carolina, USA
Re: MEM China attack
« Reply #18 on: July 24, 2019, 03:28:51 AM »

This is not the only server that uses this software. They may use ones like this to try to develop hacking methods that they could use on more sensitive servers.

Offline nats

  • Full Member
  • ****
  • Posts: 35
Re: MEM China attack
« Reply #19 on: July 24, 2019, 07:58:54 AM »
Usually they don't care about the content of website (let's talk about the general case, not gov server). They have automated exploit system that scan website (and in particular Forum/blog/etc... because they have well known problems) and they want to use the compromised server for botnet/spamming/ddos.

Offline Farmboy

  • Full Member
  • ****
  • Posts: 121
  • England
Re: MEM China attack
« Reply #20 on: July 24, 2019, 09:58:14 AM »
As a regular viewer but, sadly, an infrequent contributor, I would like to express my appreciation to those who volunteer their time to keep things running smoothly  :praise2:

Offline Elam Works

  • Full Member
  • ****
  • Posts: 105
  • Glen Mills, PA, USA
Re: MEM China attack
« Reply #21 on: July 26, 2019, 04:20:09 AM »
A Forum that I help out with (also using SMF 2.0.15) is also experiencing a glut of registration attempts. Started late June, but recently has ramped up to about sixty per day, nearly all from Russia. It too is a boutique forum, of limited interest except to a relatively minor portion of the population, of which I somehow suspect none reside in the former USSR. Thankfully, the anti-spam plug-in for SMF is still supported and sidelines the registrations pending Moderator approval (which never comes!) The policy is to ignore the applications that get flagged by the anti-spam plug-in ban list, unless an actual person follows up with an email asking why their membership application has not yet been approved. Then it is looked at to see if it is legit. None of them are, because they are on the ban list already for repeated offences reported across the internet. I think once in the last several years we did have a follow-up from a flagged membership application. It turned out the individual unfortunately chose a username that was frequently turning up on anti-spamming lists.

Also at some time back, the entire China IP was banned. The chance of someone from China legitimately wanting to join was weighed against the chance of someone slipping through not yet on the ban list, and the fact the Admin and Moderators still received an email notification of the pending membership application that got flagged (and so a flood of notification emails). Hence it was not worth it keeping membership open to that country IP address.

As for why they do it, you might as well ask why life evolved. Just because! Point to remember nearly all of this is not done by an actual person but rather a computer program. It does not care if it fails a million times in succession, it is working for peanuts and it only takes it a few seconds anyway! It will just keep trying until occasionally it gets lucky and finds a forum with a vulnerable membership registration process.

What can it do with a membership to an obscure forum? Well that is even harder to fathom the specifics. Rest assured- be it trying to mine for personal details, or just placing spam posts at a later date (usually there is a delay until the registration is sold to another party), there is somehow money to be made. It might seem like a potential return of a pittance, but it is a computer program doing this over and over again a thousand times a second. Eventually the pennies add up. Sometimes it is obvious like a hyperlink to a website that has been compromised (phishing scams) or will download malicious files to your computer. Most internet users have been warned about those perils and are savvy to them now. So you do not see that type of exploitation as much, just as you do not see the Nigerian prince emails as much anymore. Sometimes it is just so they can post apparently innocuous phrases in a message, or the auto-signature of a post, that do not initially seem like spam. But they somehow help the ranking score of a client's website during a Google search (or other search engine). So the spammers are selling ranking advancement services, using your forum to increase their client's internet presence. And that is just the tip of the iceberg, there are almost certainly many more ways to scam a penny and lots of folk out there more devious than you willing to bend their minds to it.

Even the (live) hackers just trying to break into a system for jollies are practicing their skills so they can sell them later on to identity theft brokers or spammers. No one does this long term for free. (Unless they are some thirty-five year old geek still living with their mother!) Somewhere at the end of it, no matter how convoluted a path, there is money to be made. It has nothing to do with what the forum is about or how strategically important your post is. What is important to remember is that these programs are reading the public posts to look for keywords, like your email address. If they manage to register, the programs (autobots) also read the member private boards (of which MEM does not have any that I know of, other than those set up for restricted membergroups like Admin, Moderator, etc.) So don't put your personal email address in the body of a post; not unless in a few months time you want your personal email inbox to become inundated with spam. Use the forum email or PM system to have folk that you do not already know contact you. They at least have to be a registered member to access those tools. And they would have to hack the admin side of the forum or the SMF database to get to your personal email addresses that are linked to your membership.

And don't forget to thank the admin(s) and moderator(s) for keeping it all up and running behind the scenes; dealing with all this spam nonsense so you don't have to. Thank You! I know exactly what you have to deal with!

-Doug
« Last Edit: July 26, 2019, 04:24:27 AM by Elam Works »

Online Kim

  • Global Moderator
  • Full Member
  • *****
  • Posts: 7929
  • Portland, Oregon, USA
Re: MEM China attack
« Reply #22 on: July 26, 2019, 05:38:01 AM »
Thanks for that post Doug!

And I'd like to thank Bill and Jo who have done all the work to stem the tide of these hacker attempts on our site.  They have spent many hours setting up bans to thwart the ne'er-do-wells!  Thank you, Bill and Jo!

Kim

Offline Jo

  • Administrator
  • Full Member
  • *****
  • Posts: 15305
  • Hampshire, england.
Re: MEM China attack
« Reply #23 on: July 26, 2019, 06:11:30 AM »
Thanks Doug for explaining the challenges of these  :censored: in the long  :)

...  So don't put your personal email address in the body of a post; not unless in a few months time you want your personal email inbox to become inundated with spam. Use the forum email or PM system to have folk that you do not already know contact you.

This is why you will find that one of the moderators will sometimes modify your posts to remove an Email address: it is to protect you ;)


Thankfully the blocks seem to be working and I am getting a little more time for the workshop  :cartwheel:

Jo
Enjoyment is more important than achievement.

Offline mike mott

  • Full Member
  • ****
  • Posts: 418
  • Alberta Canada
Re: MEM China attack
« Reply #24 on: July 26, 2019, 06:29:39 AM »
Yes and I would also like to thank you for all the work you do to make this site safe and enjoyable.

Mike
If you can imagine it you can build it

Offline Zephyrin

  • Full Member
  • ****
  • Posts: 769
  • near Paris, France
Re: MEM China attack
« Reply #25 on: July 26, 2019, 08:28:08 AM »
Quote
Yes and I would also like to thank you for all the work you do to make this site safe and enjoyable.

I fully agree with the above thanks...

Offline JC54

  • Full Member
  • ****
  • Posts: 126
  • Grantham, Lincolnshire, UK
Re: MEM China attack
« Reply #26 on: July 26, 2019, 10:42:29 PM »
Thank you moderators JC
When the Fun Stops,, Stop!

Offline AdeV

  • Administrator
  • Full Member
  • *****
  • Posts: 535
Re: MEM China attack
« Reply #27 on: July 27, 2019, 01:48:41 PM »
I would also like to thank Jo and the moderators, who have really stepped in and sorted this out at great cost to their own personal time. 99% of the time, running a forum like this is extremely easy - it virtually runs itself. The other 1%, it's like a duck on speed - still looks reasonably calm on the surface, but under the waterline all hell has broken loose!

So again, thanks to you all. Once again, what few grey hairs I have left have been saved for another crisis!  :old: :ROFL:
Cheers,
Ade
--
I'm just a poor old man. I have no time for law-breakers. My legs are grey. My ears are gnarled. My eyes are old and bent.

Offline Laurentic

  • Full Member
  • ****
  • Posts: 317
  • Nr Yeovil, Somerset, England
Re: MEM China attack
« Reply #28 on: July 27, 2019, 04:22:34 PM »
Thank you - to you moderators.  Great work.  Was one on a yachtie website years ago and know the pain! 

Chris :cheers:

Offline Ginger Nut

  • Full Member
  • ****
  • Posts: 133
    • Woolnwood
Re: MEM China attack
« Reply #29 on: July 28, 2019, 01:46:05 AM »
Thanks for your email regarding outage etc. It's been some time since I'd even opened the forum, I do read via tablet latest posts tho of subscribed threads.

Sent from my SM-T580 using Tapatalk


Offline derekwarner

  • Full Member
  • ****
  • Posts: 834
  • Wollongong ...... Australia
Re: MEM China attack
« Reply #30 on: July 30, 2019, 02:35:45 PM »
So Bill says.....

"Sorry for the scare Derek. Unfortunately some isp blocks overlap between China and Australia......you shouldn't have issues with the new laptop, not from your usual isp address anyway".

Well I am back here at my home ISP address Bill...your MEM Server will confirm I have attempted to log on some 11 times in the past days.......each time I receive the notification :Director: to open the e-mail & reset my pass word

I do this then auto log-on........etc

Close out.....& attempt a log-in....& the system :embarassed: then tells me to repeat the reset my pass word process again and again......a little disconcerting   :slap:

Derek
Derek L Warner - Honorary Secretary [Retired]
Illawarra Live Steamers Co-op - Australia
www.ils.org.au

Offline b.lindsey

  • Global Moderator
  • Full Member
  • *****
  • Posts: 13860
  • Dallas, NC, USA
    • Workbench-Miniatures
Re: MEM China attack
« Reply #31 on: July 30, 2019, 02:50:17 PM »
Derek, yes I can see the 11 attempts with the notice of password failure. I have no idea why you are getting that message. I can see also that you are logged into the forum currently so did the issue finally resolve itself? 

Jo, can you shed any light on this issue, it shouldn't be related to the overlapping ISP issue that we resolved ?

Bill

Offline Jo

  • Administrator
  • Full Member
  • *****
  • Posts: 15305
  • Hampshire, england.
Re: MEM China attack
« Reply #32 on: July 30, 2019, 04:14:42 PM »
The log implies that the software claims it was the wrong password that had been entered  :headscratch: . Now that you are able to log in Derek can you let us know if it does it again?

Jo
Enjoyment is more important than achievement.

Offline Allen Smithee

  • Full Member
  • ****
  • Posts: 1130
  • Mordor, Middle Earth
Re: MEM China attack
« Reply #33 on: July 30, 2019, 04:22:07 PM »
Suggest Derek clears cookies and purges the browser cache (<ctrl>+F5) then log in as normal - it may be that his browser has saved the old password in cookies and hasn't updated them, or it is trying to be clever by loading a cached page with the old password. Deleting cookies and purging the cache would address the problem if this is it.

AS
Quidquid latine dictum sit altum sonatur
