Login gives captcha on first attempt

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Scam Warning
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
solutionsetcetera
Registered User
Posts: 16
Joined: Tue Jul 08, 2008 11:24 pm

Re: Login gives captcha on first attempt

Post by solutionsetcetera »

I was referring to the changes described in:

http://www.phpbb.com/community/viewtopi ... #p12929303

According to the user log entries it generates, users accounts are not being captcha-triggered by any IP addresses other then their own, and they all swear to me that they have made no unsuccessful attempts since their last session.
Ryon
Registered User
Posts: 6
Joined: Sat Dec 10, 2005 4:43 pm

Re: Login gives captcha on first attempt

Post by Ryon »

Pit$Bull wrote:This is not a new occurrence, it may just now happening to you.
It is happening world wide and not just to phpBB, and it's not version specific.
Hackers/spammers are trying to 'brute force' passwords. The protection built into phpBB is only allowing x number of attempts then the CAPTCHA is presented.
If this is true, then a good counter move would be to put the qualifying questions or captcha BEFORE allowing logon. Anybody working on something like this?
arcticwolf
Registered User
Posts: 6
Joined: Thu Apr 15, 2010 2:59 am

Re: Login gives captcha on first attempt

Post by arcticwolf »

I have suddenly been experiencing the same exact issue, still using 3.07-PL1 on an established forum. No MODs.

I first noticed it a few days ago with my Admin account, but when I checked the Admin logs, it shows only that there was a single failed login attempt at the exact same moment of my actual login, from my own IP address. However, in reality I had no actual failed attempts before it showed the "Exceeded maximum login attempts" error message along with the reCaptcha prompt. No other failed login attempts show in the logs.

Now I have several random users reporting the same exact experience. They're entering the correct password, and it gives the error on the first attempt.

Nothing has changed on my board and 3.07-PL1 has otherwise been running stable since release. Unless spam-bots have found a way to completely circumvent the phpBB logging system, I'm not sure I buy that explanation.
Pit$Bull
Former Team Member
Posts: 23099
Joined: Sat Dec 02, 2006 4:08 pm
Name: Can't Remember

Re: Login gives captcha on first attempt

Post by Pit$Bull »

Looks like everyone is just beating a dead horse.
What is so difficult to understand about ->
Pit$Bull wrote:This is not a new occurrence, it may just now happening to you.
It is happening world wide and not just to phpBB, and it's not version specific.
Hackers/spammers are trying to 'brute force' passwords. The protection built into phpBB is only allowing x number of attempts then the CAPTCHA is presented. ACP->main page->user registration settings
Maximum number of login attempts:
After this number of failed logins the user needs to additionally solve the anti-spambot task.
A strong password will also insure the 'brute force' will not succeed.
arcticwolf
Registered User
Posts: 6
Joined: Thu Apr 15, 2010 2:59 am

Re: Login gives captcha on first attempt

Post by arcticwolf »

Pit$Bull wrote:Looks like everyone is just beating a dead horse.
What is so difficult to understand about ->
Pit$Bull wrote:This is not a new occurrence, it may just now happening to you.
It is happening world wide and not just to phpBB, and it's not version specific.
Hackers/spammers are trying to 'brute force' passwords. The protection built into phpBB is only allowing x number of attempts then the CAPTCHA is presented. ACP->main page->user registration settings
Maximum number of login attempts:
After this number of failed logins the user needs to additionally solve the anti-spambot task.
A strong password will also insure the 'brute force' will not succeed.
I believe the outstanding question is why don't these brute force attempts appear in the logs?

As I explained above, if someone was brute-forcing my Admin account, there should be some record of the failed attempts. Under "logged administrator actions". There isn't. I can post screenshots if need be, to prove it.
sentinelace
Registered User
Posts: 151
Joined: Wed Nov 19, 2008 7:17 pm

Re: Login gives captcha on first attempt

Post by sentinelace »

Pit$Bull wrote:Looks like everyone is just beating a dead horse.
What is so difficult to understand about ->
Pit$Bull wrote:This is not a new occurrence, it may just now happening to you.
It is happening world wide and not just to phpBB, and it's not version specific.
Hackers/spammers are trying to 'brute force' passwords. The protection built into phpBB is only allowing x number of attempts then the CAPTCHA is presented. ACP->main page->user registration settings
Maximum number of login attempts:
After this number of failed logins the user needs to additionally solve the anti-spambot task.
A strong password will also insure the 'brute force' will not succeed.
Correct, but in my case and many other cases, you can't login because even the CAPTCHA image is broken. I had to use a SQl SCRIPT to create a user with ADM rights. Change the CAPTCHA to a image that works so my others could actually reset their passwords. I've researched this, and it's all over the net even with broken CAPTCHA images. Mine in this case was the 3D image. It also appears spammer are back at the battle. Boards are getting flooded.
Stoepsel
Registered User
Posts: 395
Joined: Sun Oct 23, 2005 11:23 am

Re: Login gives captcha on first attempt

Post by Stoepsel »

arcticwolf wrote:I believe the outstanding question is why don't these brute force attempts appear in the logs?
Successful and failed admin login attempts are only logged for when an admin has to re-authenticate himself when accessing the ACP.

For normal logins, however, no log entries are created.

The brute force login attacks are normal logins. They do not try to access the ACP. And hence they do not create the log entries. This is by design. It is the intended behaviour. It is not a bug.
sigsauerny
Registered User
Posts: 13
Joined: Mon Feb 14, 2011 7:17 pm

Re: Login gives captcha on first attempt

Post by sigsauerny »

hi everyone

my forum has been having this issue from admin to users, I dont know if its spam related, or someone just trying to hack accounts.

is there any way to track or log who is doing this and block them?

is there a way to cut off access from countries? (ive been noticing a lot of foreign countries popping up on the map)

thanks
Pit$Bull
Former Team Member
Posts: 23099
Joined: Sat Dec 02, 2006 4:08 pm
Name: Can't Remember

Re: Login gives captcha on first attempt

Post by Pit$Bull »

sigsauerny,
What's wrong with reading the topic, it's all explained above. :roll:
sigsauerny
Registered User
Posts: 13
Joined: Mon Feb 14, 2011 7:17 pm

Re: Login gives captcha on first attempt

Post by sigsauerny »

Pit$Bull wrote:sigsauerny,
What's wrong with reading the topic, it's all explained above. :roll:

I realize that now sorry, couldnt reach my support guy and was getting flooded with messages / emails
splot-bob
Registered User
Posts: 17
Joined: Wed Jul 27, 2005 7:35 am

Re: Login gives captcha on first attempt

Post by splot-bob »

Hi Guys,
I'm having the same problem, my board is getting around 1k+ failed logins a day now.
I was wondering is it possible to add something to the login form like the question added to the registration form that would stop submission if it wasn't completed?
Maybe a "I am a real person" yes/no field, preferably a radio button or checkbox?

Thnks,
Bob
mrsyardbroom
Registered User
Posts: 36
Joined: Sat Jan 20, 2007 4:03 pm
Location: Cornwall
Contact:

Re: Login gives captcha on first attempt

Post by mrsyardbroom »

Members of my forum are also saying that they're getting the exceeded login attempts message. I'll put my thinking cap on and try to find a way round it.
Rob-Rah
Registered User
Posts: 36
Joined: Tue Sep 07, 2004 9:53 pm

Re: Login gives captcha on first attempt

Post by Rob-Rah »

I have been getting this problem for a month or two now as well, and it's starting to drive away my members, which is not good.

I checked our server log today and can see groups of attempted logins. They typically come in groups of between 1 and 4 attempts from multiple IP addresses within the same group.

I followed up with google searches on samples of the IP addresses that these attempted logins are coming from, and all of them are coming up as known sources of spam. A similar sample of logins that are just done once, and which look legitimate to me, shows these to be non-spam IP addesses.

The IP addresses are far far too numerous for me to enter them all manually in the admin control panel as banned: I can't manually scour my entire server log looking for login swarms as it is vast.

Is there any way to set things up, or provide a MOD, so that when a login attempt to a single username fails to enter the right details a specific number of times (eg. 3) then the current IP address of the logger-in is immediately banned?

I have seen the "Check IP against DNS Blackhole List" feature, but I am unclear what this will exactly do about this problem. Can someone explain if this will help? Does this prevent the submission of a login attempt, or merely prevent the result of a login attempt?

Thanks.

Rob.
http://www.ukorchidforum.com
splot-bob
Registered User
Posts: 17
Joined: Wed Jul 27, 2005 7:35 am

Re: Login gives captcha on first attempt

Post by splot-bob »

I'm lucky with my board, it's only the Mods that are having problems, our memberlist is not viewable by anyone other than Admins and I have tweaked the display of "Who has been here" so that only registered users can see it when logged in, and then only humans, registered bots can't.
My main problem now is the brute force login attempts, that's why I'm looking at adding the extra step before the login form is submitted, if I have any luck I'll pass it on or if any gurus are watching this thread any pointers will be greatly appreciated.

Bob
http://ozcruiseclub.com.au/Boards
nfs
Registered User
Posts: 49
Joined: Mon May 16, 2005 10:04 pm

Re: Login gives captcha on first attempt

Post by nfs »

We've just started to see this on a forum I administer too. I considered the MOD above but decided it doesn't solve the problem. A log entry that says someone has gone over the login limit is no use to me unless the problem is self-inflicted user error. What I need logged are the password failures that caused the overlimit condition.

Our board is not ridiculously busy. So, a quick hack to includes/functions.php ...

FIND

Code: Select all

            // Username, password, etc...
            default:
 
BEFORE, ADD:

Code: Select all

            case LOGIN_ERROR_PASSWORD:
                add_log('user', $user->data['user_id'], 'Password failure', $username);
 
The log entries will be shown in ACP > Maintenance > User logs. Critically, it gets me an IP address without trolling through apache's logs looking for patterns.

Hope it helps.

P.S. Something like this should be standard and ACP configurable in future releases IMHO.
Locked

Return to “[3.0.x] Support Forum”