[Plugin: Login Security Solution] change password loop if site under attack when logging in

  • Resolved Jason Lewis

    (@jasonblewis)


    Hi,

    My site was undergoing a brute force attack today and then one of my admins tried to log in and got stuck in a loop of “change password” to verify yourself.

    Each time she changed password, I got an email:

    Your website, XXX, may have been broken in to.

    Someone just logged in using the following components. Prior to that, some combination of those components were a part of 254 failed attempts to log in during the past 120 minutes

    Maybe another reason for some kind of white list to ensure this kind of lock out does not happen?

    http://wordpress.org/extend/plugins/login-security-solution/

Viewing 15 replies - 1 through 15 (of 21 total)
  • I have the same thing: an email saying someone tried to log in 87 times using my username. Now I keep re-setting the password, then get asked to re-set again as I try to log in.

    One of my clients is now telling me that they can’t log in either; they have a completely different login (something any hacker is unlikely to guess as it’s not admin).

    Plugin Author Daniel Convissor

    (@convissor)

    Jason and Dom:

    Can you please email me or provide access to your <prefix>login_security_solution_fail tables?

    danielc@analysisandsolutions.com

    Thanks,

    –Dan

    Hi Daniel,

    I went out for a few hours and now I can login, but haven’t heard from my client yet.

    One suggestion on another issue (thanks for the great software, even though it’s a pain every now and then 🙂): why not auto-generate and email passwords in the way that wordpress.com does? People can be very web illiterate, so generating and sending them a password means they don’t have to figure out what a safe password is.

    Fixing this issue would be good, this would become one of the best used plugins for wordpress if it worked like a dream 🙂

    Thanks again

    Plugin Author Daniel Convissor

    (@convissor)

    Dom (and Jason too):

    I’m still curious why y’all are running into this in the first place. Can you run the following query for me (edit the <prefix> first, of course):

    SELECT COUNT(*), ip, MAX(date_failed) FROM <prefix>login_security_solution_fail GROUP BY ip ORDER BY COUNT(*);

    Thanks,

    –Dan

    COUNT(*)  ip               MAX(date_failed)
    1         82.8.218.136     2012-09-11 02:36:59
    1         82.3.42.73       2012-09-05 06:08:58
    1         86.178.50.81     2012-08-30 07:27:05
    1         220.200.61.34    2012-09-06 07:22:21
    1         213.220.217.59   2012-08-27 01:30:07
    1         61.241.203.128   2012-09-06 08:26:51
    1         109.111.197.130  2012-09-11 01:07:17
    2         89.194.26.196    2012-08-29 08:22:40
    2         130.43.54.242    2012-09-10 17:09:04
    2         176.8.22.77      2012-09-04 02:29:19
    3         83.167.166.135   2012-09-11 02:04:58
    4         125.255.84.98    2012-08-24 10:32:50
    5         203.59.233.238   2012-08-29 09:30:20
    5         83.37.13.187     2012-08-26 20:54:47
    6         178.137.70.205   2012-09-04 16:02:06
    24        178.137.160.246  2012-08-28 06:40:32
    27        46.118.122.205   2012-09-06 16:09:28
    36        91.203.166.210   2012-09-02 00:39:47
    151       200.76.90.5      2012-09-04 08:40:08
    273       46.119.120.233   2012-09-11 08:06:11
    311       46.119.121.35    2012-09-11 08:04:45

    Someone from the Ukraine really wants to login to my website!

    Plugin Author Daniel Convissor

    (@convissor)

    Dom:

    Okay, I was just checking if your server is behind a proxy or something. It’s not.

    Which version of LSS was in use when you and your user got locked out?

    Yeah, email me a dump of the fail table if you can, please. And let me know your and your user’s user names.

    Thanks,

    –Dan

    It’s just happened again! Where is the fail table and how do I get a dump of it?

    Plugin Author Daniel Convissor

    (@convissor)

    If you have access to a shell:

    mysqldump -u <mysql_user_name> -p <db_name> <prefix>login_security_solution_fail > lss.dom.sql

    If you don’t have access to a shell, you’ll have to ask your ISP.

    Hi Daniel,

    I just emailed the dump of the table to you.

    Hope that helps,

    Jason

    I seem to be having trouble getting a simple dump out of the database, so sorry about that – I tried the above, obviously with the real names included; I even tried using a password after the -p, but nothing is working (1064 – You have an error in your SQL syntax).

    Plugin Author Daniel Convissor

    (@convissor)

    Dom: The mysqldump command is to be run from a login shell, not an SQL command line. –Dan

    Plugin Author Daniel Convissor

    (@convissor)

    Jason:

    There are a large number of login failures for most of your user names. Run this query to see what I mean:


    select count(*) as ct, user_login, min(date_failed), max(date_failed)
    from wp_login_security_solution_fail
    group by user_login;

    To examine what’s happening to a specific user, execute this:


    select count(*) as ct, user_login, ip, min(date_failed), max(date_failed)
    from wp_login_security_solution_fail
    where user_login = '<USER>'
    group by user_login, ip
    order by min(date_failed);

    If you run the above query for a few users you’ll see there’s a pattern to the IP addresses, times and quantities. If admin isn’t a legitimate account on your site, you can use that as a reference to IPs that are attackers.
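The decoy-account idea in the reply above, as an added example that is not part of the thread or of the plugin's code: it flags every IP that failed a login for `admin` (assumed not to be a real account) and lists what else those IPs tried. It runs on an in-memory SQLite stand-in with constructed rows; only the table name and the three columns shown in the thread are used, and the function names are hypothetical.

```python
import sqlite3

# Constructed sample rows (user_login, ip, date_failed). The addresses come
# from documentation ranges; none of this data is from the thread.
SAMPLE_ROWS = [
    ("admin",  "203.0.113.10", "2012-09-11 08:00:01"),
    ("admin",  "203.0.113.10", "2012-09-11 08:00:03"),
    ("jason",  "203.0.113.10", "2012-09-11 08:00:05"),
    ("editor", "203.0.113.10", "2012-09-11 08:00:07"),
    ("admin",  "198.51.100.7", "2012-09-11 08:01:00"),
    ("jason",  "198.51.100.7", "2012-09-11 08:01:02"),
    ("editor", "192.0.2.44",   "2012-09-10 17:09:04"),  # a real user's typo
]
T = "wp_login_security_solution_fail"
# Sub-select: every IP that ever failed a login for the decoy account.
FLAGGED = f"SELECT ip FROM {T} WHERE user_login = ?"

def load_sample(rows=SAMPLE_ROWS):
    """Build an in-memory stand-in for the fail table (three columns assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {T} (user_login TEXT, ip TEXT, date_failed TEXT)")
    db.executemany(f"INSERT INTO {T} VALUES (?, ?, ?)", rows)
    return db

def decoy_ips(db, decoy="admin"):
    """Per flagged IP: total failures, distinct logins tried, first/last seen."""
    return db.execute(
        f"""SELECT ip, COUNT(*) AS ct, COUNT(DISTINCT user_login),
                   MIN(date_failed), MAX(date_failed)
            FROM {T} WHERE ip IN ({FLAGGED})
            GROUP BY ip ORDER BY ct DESC""", (decoy,)).fetchall()

def real_logins_hit(db, decoy="admin"):
    """Logins other than the decoy that the flagged IPs also attempted."""
    return db.execute(
        f"""SELECT user_login, COUNT(*) AS ct
            FROM {T} WHERE ip IN ({FLAGGED}) AND user_login <> ?
            GROUP BY user_login ORDER BY user_login""", (decoy, decoy)).fetchall()

if __name__ == "__main__":
    db = load_sample()
    for row in decoy_ips(db):
        print(row)
    print(real_logins_hit(db))
```

The address that only mistyped a real login never touched the decoy, so it is not flagged. The two SELECT statements are plain SQL and can be run against the MySQL table directly with the decoy name written in place of `?`.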

    Hi Daniel,

    I think the attacker grabs the user names from the posts on the blog and uses them to narrow his brute force attack.

    It’s unfortunate that one of the themes we use puts a line like “posted by XYZ” after the post, where XYZ is the login name of the user.

    Jason

    I just also did a count on failed attempts by IP. Very interesting. 3 IP addresses seem to be the culprits, with over 2000 failed attempts each.

    What do you think about blanket blocking abusive IP addresses?

  • The topic ‘[Plugin: Login Security Solution] change password loop if site under attack when logging in’ is closed to new replies.