Account disabled due to too many failed login attempts.

ycc

Joined: 2008-08-18
Posts: 25
Posted: Fri, 2010-12-24 09:52

I am not sure this is a problem of the software; I am not sure what it is.

Lately (for some months), I often get the following message when I try to log in to my admin account:

Account disabled due to many failed login attempts.

I then make a password recovery and continue.

When I check the logs I see many hits from what I think is Googlebot:
66.249.67.251
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

A couple of hours ago it made 67 hits within ten minutes. I guess it is the real Google and it is not interested in hacking my account. It keeps coming now and then with many hits.

Would be nice to find the origin of the failed login attempts.

 
suprsidr

Joined: 2005-04-17
Posts: 8339
Posted: Fri, 2010-12-24 13:14
 
ycc

Joined: 2008-08-18
Posts: 25
Posted: Sat, 2010-12-25 04:42

Thank you. Seems very logical.

What I tried was this:
I created robots.txt and put it in the root folder of my server
(my G2 folder is called gallery2_upd)

robots.txt contains the following:

Quote:
User-agent: *
Disallow: /gallery2_upd/main.php?g2_view=core.UserAdmin&g2_subView=core.UserLogin&g2_return=/gallery2_upd/main.php?

I have not entered any url-hex-encodings (%2F for / and so on) like in the actual links, I hope it will be OK?

I will come back with the results from the logs. Thanks.

EDIT: I didn't read the instructions carefully enough, I rewrote this post.

 
ycc

Joined: 2008-08-18
Posts: 25
Posted: Sun, 2010-12-26 12:46

I introduced some more logs and this IP came up, hitting my old G2 installation about seven times, then resting for a couple of days and then coming again.
79.142.66.55
If I enter this IP in Google it comes up as a content spammer.
It seems it somehow has guessed the name of my admin account. (Not so difficult since it is my given name and the site is my personal homepage.)

However it seems it may be helped by the G2 error message: "This account has been disabled due to frequent failed logins"
If the spammer chooses a non-existing account it receives another message, "This account does not exist" or similar.

Maybe it would be better to have the same "login failed" no matter the reason for the failed login.

Does anyone know how I best block the spammer robot? I am very happy with GoDaddy hosting, but they still run Apache 1 and I can only control the Apache through .htaccess. I would preferably block the spammer out of the entire site (not only out of G2).

(I haven't really understood what happens with my current installation, though.)

 
suprsidr

Joined: 2005-04-17
Posts: 8339
Posted: Sun, 2010-12-26 13:16
 
ycc

Joined: 2008-08-18
Posts: 25
Posted: Mon, 2010-12-27 03:17

Thanks, very time-saving link. Worked perfectly to block out a proxy for a while, as a test.

I have tried the following. I put a logging routine in theme.tpl. It will log time, requesting IP and the full URL being requested. I think one will then be able to see which bots are serious and which ones are not (trying to log in). If someone logs in he will request this URL (easy to find, containing the string 'UserLogin'):

http://example.com/gallery2/main.php?g2_view=core.UserAdmin&g2_subView=core.UserLogin&g2_return=%2Fgallery2%2Fmain.php%3F

A successful login will be followed by the login cookie in the URL:

http://example.com/gallery2/main.php?&g2_GALLERYSID=12341234123412341234123412341234

A failed login will go back to main:
http://example.com/gallery2/main.php

I hope it will then be possible to see which logins are malicious.
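
The log review described in the post above, as an added example that is not part of the original post or of Gallery 2: it pairs each UserLogin request with the next request from the same IP and counts failed and successful logins per address. The "date time ip url" log layout, the function names, the threshold and the sample lines (documentation IP ranges) are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in an assumed "date time ip url" layout (documentation IPs).
BASE = "http://example.com/gallery2/main.php"
LOGIN = BASE + "?g2_view=core.UserAdmin&g2_subView=core.UserLogin&g2_return=%2Fgallery2%2Fmain.php%3F"
SESSION = BASE + "?&g2_GALLERYSID=12341234123412341234123412341234"
SAMPLE_LOG = "\n".join([
    "2010-12-27 03:01:10 192.0.2.10 " + LOGIN,
    "2010-12-27 03:01:11 192.0.2.10 " + BASE,
    "2010-12-27 03:01:15 203.0.113.5 " + LOGIN,
    "2010-12-27 03:01:20 192.0.2.10 " + LOGIN,
    "2010-12-27 03:01:21 192.0.2.10 " + BASE,
    "2010-12-27 03:01:30 203.0.113.5 " + BASE + "?g2_view=search.SearchScan",
    "2010-12-27 03:02:00 198.51.100.7 " + LOGIN,
    "2010-12-27 03:02:02 198.51.100.7 " + SESSION,
    "2010-12-27 03:02:40 192.0.2.10 " + LOGIN,
    "2010-12-27 03:02:41 192.0.2.10 " + BASE,
])

def classify(url):
    """Return 'login', 'session', 'main' or 'other' for one logged URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "core.UserLogin" in query.get("g2_subView", []):
        return "login"
    if "g2_GALLERYSID" in query:
        return "session"  # per the post: a successful login carries the session id
    return "main" if parts.path.endswith("/main.php") and not query else "other"

def login_outcomes(log_text):
    """Count failed and successful logins per IP from consecutive requests."""
    pending, stats = set(), defaultdict(lambda: {"failed": 0, "ok": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        ip, kind = fields[2], classify(fields[3])
        if ip in pending:  # previous request from this IP was the login URL
            pending.discard(ip)
            if kind in ("session", "main"):
                stats[ip]["ok" if kind == "session" else "failed"] += 1
        if kind == "login":
            pending.add(ip)
    return dict(stats)

def suspicious(stats, threshold=3):
    """IPs with repeated failed logins and no successful one."""
    return sorted(ip for ip, s in stats.items() if s["failed"] >= threshold and not s["ok"])
```

A crawler that only fetches the login link and then moves on to another page (203.0.113.5 in the sample) is counted as neither a failure nor a success, which separates it from an address that keeps bouncing back to main.php.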

 
ycc

Joined: 2008-08-18
Posts: 25
Posted: Tue, 2010-12-28 02:27

Here are a couple of the pages (apart from photos) that Googlebot is requesting.

http://example.com/gallery_2/main.php?g2_view=core.UserAdmin&g2_subView=register.UserSelfRegistration&g2_return=%2Fgallery_2%2Fmain.php%3Fg2_itemId%3D1405%26g2_imageViewsIndex%3D0&g2_returnName=photo

http://example.com/gallery_2/main.php?g2_view=search.SearchScan&g2_form%5BuseDefaultSettings%5D=1&g2_return=%2Fgallery_2%2Fmain.php%3Fg2_itemId%3D551%26g2_imageViewsIndex%3D1&g2_returnName=photo

It obviously tries to register itself. It also seems to use the search page. I guess this activity is what you expect.

However, since I removed the other, spammer bot through htaccess, I have not had any more errors "account disabled due to too many failed logins", so far.

 
ycc

Joined: 2008-08-18
Posts: 25
Posted: Sat, 2011-01-08 07:15

I do not know if this is the appropriate place to post, but so far I have found the following spammers that have been attacking my G2 installation specifically.

EDIT: I have updated this with new IP numbers.

.htaccess:

order allow,deny
allow from all
deny from 79.142.66.55
deny from 92.241.191.30
deny from 178.239.58.143