Login Security Solution
[resolved] change password loop if site under attack when logging in (22 posts)

  1. Jason Lewis
    Member
    Posted 2 years ago #

    Hi,

    My site was undergoing brute force attack today and then one of my admins tried to log in and got stuck in a loop of "change password" to verify yourself.

    Each time she changed password, I got an email:

    Your website, XXX, may have been broken in to.

    Someone just logged in using the following components. Prior to that, some combination of those components were a part of 254 failed attempts to log in during the past 120 minutes.

    Maybe another reason for some kind of white list to ensure this kind of lock out does not happen?

    http://wordpress.org/extend/plugins/login-security-solution/

  2. dom2002
    Member
    Posted 2 years ago #

    I have the same thing: an email saying someone tried to log in 87 times using my username. Now I keep resetting the password, then get asked to reset it again when I try to log in.

    One of my clients is now telling me that they can't log in either. They have a completely different login (something any hacker is unlikely to guess, as it's not admin).

  3. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Jason and Dom:

    Can you please email me or provide access to your <prefix>login_security_solution_fail tables?

    danielc@analysisandsolutions.com

    Thanks,

    --Dan

  4. dom2002
    Member
    Posted 2 years ago #

    Hi Daniel,

    I went out for a few hours and now I can login, but haven't heard from my client yet.

    One suggestion on another issue (thanks for the great software, even though it's a pain every now and then :) is: why not auto-generate and email passwords the way wordpress.com does? People can be very web-illiterate, so generating and sending them a password means they don't have to figure out what a safe password is.

    Fixing this issue would be good; this would become one of the most used plugins for WordPress if it worked like a dream :)

    Thanks again

  5. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Dom (and Jason too):

    I'm still curious why y'all are running into this in the first place. Can you run the following query for me (edit the <prefix> first, of course):

    SELECT COUNT(*), ip, MAX(date_failed) FROM <prefix>login_security_solution_fail GROUP BY ip ORDER BY COUNT(*);

    Thanks,

    --Dan

  6. dom2002
    Member
    Posted 2 years ago #

    COUNT(*)  ip               MAX(date_failed)
    1         82.8.218.136     2012-09-11 02:36:59
    1         82.3.42.73       2012-09-05 06:08:58
    1         86.178.50.81     2012-08-30 07:27:05
    1         220.200.61.34    2012-09-06 07:22:21
    1         213.220.217.59   2012-08-27 01:30:07
    1         61.241.203.128   2012-09-06 08:26:51
    1         109.111.197.130  2012-09-11 01:07:17
    2         89.194.26.196    2012-08-29 08:22:40
    2         130.43.54.242    2012-09-10 17:09:04
    2         176.8.22.77      2012-09-04 02:29:19
    3         83.167.166.135   2012-09-11 02:04:58
    4         125.255.84.98    2012-08-24 10:32:50
    5         203.59.233.238   2012-08-29 09:30:20
    5         83.37.13.187     2012-08-26 20:54:47
    6         178.137.70.205   2012-09-04 16:02:06
    24        178.137.160.246  2012-08-28 06:40:32
    27        46.118.122.205   2012-09-06 16:09:28
    36        91.203.166.210   2012-09-02 00:39:47
    151       200.76.90.5      2012-09-04 08:40:08
    273       46.119.120.233   2012-09-11 08:06:11
    311       46.119.121.35    2012-09-11 08:04:45

  7. dom2002
    Member
    Posted 2 years ago #

    Someone from the Ukraine really wants to login to my website!

  8. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Dom:

    Okay, I was just checking if your server is behind a proxy or something. It's not.

    Which version of LSS was in use when you and your user got locked out?

    Yeah, email me a dump of the fail table if you can, please. And let me know your and your user's user names.

    Thanks,

    --Dan

  9. dom2002
    Member
    Posted 2 years ago #

    It's just happened again! Where is the fail table and how do I get a dump of it?

  10. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    If you have access to a shell:

    mysqldump -u <mysql_user_name> -p <db_name> <prefix>login_security_solution_fail > lss.dom.sql

    If you don't have access to a shell, you'll have to ask your ISP.

  11. Jason Lewis
    Member
    Posted 2 years ago #

    Hi Daniel,

    I just emailed the dump of the table to you.

    Hope that helps,

    Jason

  12. dom2002
    Member
    Posted 2 years ago #

    I seem to be having trouble getting a simple dump out of the database, so sorry about that. I tried the above, obviously with the real names included, and I even tried using a password after the -p, but nothing is working (1064 - You have an error in your SQL syntax).

  13. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Dom: The mysqldump command is to be run from a login shell, not an SQL command line. --Dan

  14. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Jason:

    There are a large number of login failures for most of your user names. Run this query to see what I mean:

    select count(*) as ct, user_login, min(date_failed), max(date_failed)
    from wp_login_security_solution_fail
    group by user_login;

    To examine what's happening to a specific user, execute this:

    select count(*) as ct, user_login, ip, min(date_failed), max(date_failed)
    from wp_login_security_solution_fail
    where user_login = '<USER>'
    group by user_login, ip
    order by min(date_failed);

    If you run the above query for a few users you'll see there's a pattern to the IP addresses, times and quantities. If admin isn't a legitimate account on your site, you can use that as a reference for IPs that are attackers.

  15. Jason Lewis
    Member
    Posted 2 years ago #

    Hi Daniel,

    I think the attacker grabs the user names from the posts on the blog and uses them to narrow his brute force attack.

    It's unfortunate that one of the themes we use puts a line like "posted by XYZ" after the post, where XYZ is the login name of the user.

    Jason

  16. Jason Lewis
    Member
    Posted 2 years ago #

    I also just did a count on failed attempts by IP. Very interesting: 3 IP addresses seem to be the culprits, with over 2000 failed attempts each.

    What do you think about blanket blocking abusive IP addresses?

  17. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Jason:

    When you look at the output of that second query for your and your associate's user names, do you see any IPs that are legitimately yours or theirs? Which ones?

    I see some that look like they are, and there is overlap between those of you and your associates.

    Is there a pattern? What part of the output corresponds to when you folks were in the password reset loops?

    What's the output of the following? Does anything correspond to the above?

    select user_login, meta_value
    from wp_usermeta
    join wp_users on (wp_usermeta.user_id = wp_users.ID)
    where meta_key = 'login-security-solution-verified-ips';

    Thanks,

    --Dan

  18. Jason Lewis
    Member
    Posted 2 years ago #

    Hi Dan,

    That gives both my and my associate's user names and the valid IP addresses.

    I log in from 2 IPs and they log in from 1 currently. We share 1 IP address.

    Jason

  19. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Jason:

    The goal here is to figure out the correlation between those IPs, failure times and the times of the password reset loops.

    So what are those legit IPs, what are the values in the verified IP metadata for each of you, and what are the times of the reset loops?

    --Dan

  20. Jason Lewis
    Member
    Posted 2 years ago #

    Ah, ok.

    I will email you that info.

    Jason

  21. Daniel Convissor
    Member
    Plugin Author

    Posted 2 years ago #

    Hi Jason:

    Between seeing the list of emails in your inbox and reviewing my code I figured out what was going on. There's a combination of expected (though undesirable) behaviors and a bug. Both have been fixed in the new release, 0.28.0.

    When a successful login happens during an attack (whether by a legitimate user or an attacker) an email is sent to the admin and the user. Since you are both, you got two emails for each login. And the subject line of both emails was the same.

    The subject line for the user notification email has been modified to differentiate them. Now the admin and user emails only go out if the user's IP has not been verified and the number of failed attempts from the user's IP address is over the "Breach Email Confirm" threshold. In addition, the user email message now provides the steps for verifying one's email address to avoid future annoyance.

    Thanks for all your help,

    --Dan
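The analysis Dan walks Jason through in posts 14, 17 and 19 (count failures per user name and per IP, break one user down by IP, pull each user's verified IPs, then correlate the two) and the notification rule he describes for 0.28.0 in post 21 can be reproduced offline against a copy of the fail table. The following is an added example, not code from the thread or from the Login Security Solution plugin: it loads constructed sample rows into an in-memory SQLite database shaped like the `wp_login_security_solution_fail`, `wp_users` and `wp_usermeta` tables, runs the same queries, and flags which IPs are attackers rather than verified users. The comma-separated encoding of `meta_value`, the 120-minute attack window (taken from the notification email in post 1), the threshold value and all user names and IP addresses are assumptions made for this example.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample rows (not data from the thread), shaped like the plugin's
# <prefix>login_security_solution_fail table with prefix "wp_".
FAIL_ROWS = [
    # (user_login, ip, date_failed)
    ("admin", "198.51.100.7", "2012-09-11 07:00:01"),   # guessing at a non-existent account
    ("admin", "198.51.100.7", "2012-09-11 07:00:05"),
    ("admin", "198.51.100.7", "2012-09-11 07:00:09"),
    ("jason", "198.51.100.7", "2012-09-11 08:05:00"),   # same source, real user name
    ("jason", "198.51.100.7", "2012-09-11 08:05:30"),
    ("jason", "198.51.100.7", "2012-09-11 08:06:11"),
    ("jason", "203.0.113.10", "2012-09-11 06:50:00"),   # a typo from a verified address
    ("assoc", "192.0.2.44", "2012-09-10 22:00:00"),     # old failure, outside the window
]
# Constructed users and verified IPs. The thread shows the meta_key but not how
# meta_value is encoded; a comma-separated list is an assumption for this example.
USERS = [(1, "jason"), (2, "assoc")]
VERIFIED = [(1, "203.0.113.10,203.0.113.11"), (2, "203.0.113.10")]

ATTACK_WINDOW = timedelta(minutes=120)  # "past 120 minutes" from the notification email
BREACH_EMAIL_CONFIRM = 5                # constructed threshold; the real setting is configurable
NOW = datetime(2012, 9, 11, 8, 10, 0)   # constructed "current time" for the window


def build_db():
    """Create the three tables in memory and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_login_security_solution_fail (user_login TEXT, ip TEXT, date_failed TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    con.executemany("INSERT INTO wp_login_security_solution_fail VALUES (?, ?, ?)", FAIL_ROWS)
    con.executemany("INSERT INTO wp_users VALUES (?, ?)", USERS)
    con.executemany(
        "INSERT INTO wp_usermeta VALUES (?, 'login-security-solution-verified-ips', ?)", VERIFIED)
    return con


def failures_by_user(con):
    """First query from post 14: failure count and time span per user name."""
    return con.execute("""
        SELECT COUNT(*) AS ct, user_login, MIN(date_failed), MAX(date_failed)
        FROM wp_login_security_solution_fail
        GROUP BY user_login ORDER BY user_login""").fetchall()


def failures_for_user(con, user_login):
    """Second query from post 14: per-IP breakdown for one user, by first failure."""
    return con.execute("""
        SELECT COUNT(*) AS ct, user_login, ip, MIN(date_failed), MAX(date_failed)
        FROM wp_login_security_solution_fail
        WHERE user_login = ?
        GROUP BY user_login, ip ORDER BY MIN(date_failed)""", (user_login,)).fetchall()


def verified_ips(con):
    """Query from post 17, parsed into {user_login: set of verified IPs}."""
    rows = con.execute("""
        SELECT user_login, meta_value FROM wp_usermeta
        JOIN wp_users ON (wp_usermeta.user_id = wp_users.ID)
        WHERE meta_key = 'login-security-solution-verified-ips'""").fetchall()
    return {login: set(value.split(",")) for login, value in rows}


def suspect_ips(con, min_failures=BREACH_EMAIL_CONFIRM):
    """The correlation from post 19: IPs at or above the failure threshold
    that no user has ever verified are the attackers, not the locked-out users."""
    known = set().union(*verified_ips(con).values())
    rows = con.execute("""
        SELECT ip, COUNT(*) FROM wp_login_security_solution_fail
        GROUP BY ip HAVING COUNT(*) >= ?""", (min_failures,)).fetchall()
    return sorted(ip for ip, _ in rows if ip not in known)


def should_notify(con, user_login, ip, now=NOW):
    """The 0.28.0 rule from post 21: email admin and user only if the login IP is
    unverified for that user AND failures from that IP inside the window exceed
    the Breach Email Confirm threshold."""
    if ip in verified_ips(con).get(user_login, set()):
        return False
    since = (now - ATTACK_WINDOW).strftime("%Y-%m-%d %H:%M:%S")
    (ct,) = con.execute("""
        SELECT COUNT(*) FROM wp_login_security_solution_fail
        WHERE ip = ? AND date_failed >= ?""", (ip, since)).fetchone()
    return ct > BREACH_EMAIL_CONFIRM


if __name__ == "__main__":
    db = build_db()
    for row in failures_by_user(db):
        print(row)
    for row in failures_for_user(db, "jason"):
        print(row)
    print("verified:", verified_ips(db))
    print("suspects:", suspect_ips(db))
    print("jason from verified IP notifies:", should_notify(db, "jason", "203.0.113.10"))
    print("jason from attacker IP notifies:", should_notify(db, "jason", "198.51.100.7"))
```

On a real site the same queries run unchanged against the MySQL tables (with the site's own `<prefix>`); only `build_db` and the meta_value parsing are specific to this example. The last two calls show why the pre-0.28.0 behaviour produced the reset loop: a legitimate user logging in from an already verified address never reaches the failure-count check, while a login from an address that has just produced more than the threshold of failures does.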

  22. Jason Lewis
    Member
    Posted 2 years ago #

    Hi Dan,

    That's great to hear. I've upgraded.

    Thanks for your perseverance in working through the issues.

    Jason

Topic Closed
