What's up with the captcha at log in?

Where to report web site problems, make suggestions, and ask questions

Re: What's up with the captcha at log in?

Postby c0nsumer » January 3rd, 2011, 10:52 am

To all of you regularly experiencing this issue: Do you regularly use Tapatalk and/or do you have Tapatalk installed on a device?
Steve Vigneau
Big Ring Coffee MTB Racing
CRAMBA-IMBA Chairperson
River Bends Park Co-Trail Coordinator
MMBA Website / Forum Administrator

Unless otherwise stated the content of my posts are my opinion and should not be taken as the official stance of, nor representative of, the MMBA nor CRAMBA-IMBA.
c0nsumer
Administrator
 
Posts: 7247
Joined: May 18th, 2008, 12:35 pm
Location: Shelby Township, MI

Re: What's up with the captcha at log in?

Postby Loren » January 3rd, 2011, 11:14 am

Yes, current version of tapatalk on my iPhone.
Loren
 
Posts: 2359
Joined: April 12th, 2005, 10:11 pm
Location: Novi, MI

Re: What's up with the captcha at log in?

Postby jonw9 » January 3rd, 2011, 12:19 pm

Yes, Tapatalk (paid version) on my Droid.

I stay logged in on the site via PC, but have issues with the phone. As Loren said, logging off (PC) and then entering the captcha will allow me to log in on the phone, and work for a bit.
"Seriously though, you clearly think a lot more than I do when you are riding." -jajones
"You're going to suffer on a single speed, you might as well suffer going faster." - Indigenous
jonw9
 
Posts: 2679
Joined: July 20th, 2009, 9:38 pm
Location: Poto-ish

Re: What's up with the captcha at log in?

Postby c0nsumer » January 3rd, 2011, 12:35 pm

jonw9 wrote: Yes, Tapatalk (paid version) on my Droid.

I stay logged in on the site via PC, but have issues with the phone. As Loren said, logging off (PC) and then entering the captcha will allow me to log in on the phone, and work for a bit.


Right around the time this started happening Tapatalk had released a new version of the plugin for the server side. Upgrading was required as it fixed an SQL injection, but I'm thinking it may be contributing to the problem and thus I'm trying to correlate things.

Re: What's up with the captcha at log in?

Postby Wolverine » January 3rd, 2011, 1:30 pm

c0nsumer wrote:To all of you regularly experiencing this issue: Do you regularly use Tapatalk and/or do you have Tapatalk installed on a device?

I do not use Tapatalk and have not installed it on any device. Still having this problem on my laptop.
Angie
Wolverine
 
Posts: 628
Joined: June 20th, 2002, 9:00 pm

Re: What's up with the captcha at log in?

Postby c0nsumer » January 3rd, 2011, 1:52 pm

Wolverine wrote:
c0nsumer wrote:To all of you regularly experiencing this issue: Do you regularly use Tapatalk and/or do you have Tapatalk installed on a device?

I do not use Tapatalk and have not installed it on any device. Still having this problem on my laptop.


Hmm. So what exactly are you experiencing? A captcha at every login attempt?

Re: What's up with the captcha at log in?

Postby Loren » January 3rd, 2011, 2:26 pm

This is your server and we know this isn't real, right? It's not some kid doing a brute force attack against the member list while the parents are in bed or something?

Re: What's up with the captcha at log in?

Postby c0nsumer » January 3rd, 2011, 2:43 pm

Loren wrote:This is your server and we know this isn't real, right? It's not some kid doing a brute force attack against the member list while the parents are in bed or something?


I currently suspect that it's a brute force attack using the list of currently logged in users as the target usernames. I'm working on proving this now, then taking steps to mitigate it.

Re: What's up with the captcha at log in?

Postby jonw9 » January 3rd, 2011, 3:14 pm

c0nsumer wrote:
Loren wrote:This is your server and we know this isn't real, right? It's not some kid doing a brute force attack against the member list while the parents are in bed or something?


I currently suspect that it's a brute force attack using the list of currently logged in users as the target usernames. I'm working on proving this now, then taking steps to mitigate it.


Should I change my password from "password" just in case? ;)

Re: What's up with the captcha at log in?

Postby Loren » January 3rd, 2011, 3:25 pm

jonw9 wrote:Should I change my password from "password" just in case? ;)


It's a long way from "aardvark" to "password". You're probably safe for a few more nights. School's back in session, and the kid probably has a 10:00 bedtime.

Re: What's up with the captcha at log in?

Postby c0nsumer » January 3rd, 2011, 3:38 pm

jonw9 wrote:
c0nsumer wrote:
Loren wrote:This is your server and we know this isn't real, right? It's not some kid doing a brute force attack against the member list while the parents are in bed or something?


I currently suspect that it's a brute force attack using the list of currently logged in users as the target usernames. I'm working on proving this now, then taking steps to mitigate it.


Should I change my password from "password" just in case? ;)


Depends. Here's a few that I just generated. You could use one of them:

dI&"v1<b1O]V!ml
FN<~E)h&0nUw?15
Wlv!#F_LNr6H'HA
a;C-N>S+f&$7Z6U
D:.?W,_zAGd3s8"

Secure and completely random. :D

In all seriousness, don't worry about it for now unless your password really sucks. The captcha stuff is doing its job.

Re: What's up with the captcha at log in?

Postby c0nsumer » January 3rd, 2011, 4:54 pm

Okay, so here's what's going on. We're getting a bunch of brute force attacks where malicious users coming from a range of IPs (including Tor exit nodes) are attempting to brute force log into accounts, triggering the CAPTCHA for users. Thus the display of the CAPTCHA is functioning as both intended and designed; it's doing its job.

I suspect the list of logged in users and the memberlist are being looked at for accounts to try, so steps are being taken to restrict these from both unregistered users and recently registered accounts (those with less than a given number of posts). This will not eliminate current efforts, but it should curtail new attacks.

Additional steps are also being taken to mitigate spammers' efforts including easier (and potentially automated) banning from known-malicious networks.

So, in short, be sure you are using a good password, as described in here. That coupled with the CAPTCHA that comes into play after a few bad password attempts should keep your account secure. Unfortunately, if an account gets flagged for CAPTCHA because of bad password attempts, apparently Tapatalk then can't log in.

Re: What's up with the captcha at log in?

Postby c0nsumer » January 3rd, 2011, 5:50 pm

Additionally, to deal with this I've added a slight barrier to entry for new members where they are not allowed to view users' profiles nor the member list until they have a first post visible. Their first post requires a mod's approval before it'll appear, and all subsequent posts will fall into a moderation queue until approval of at least one post is granted. Contrary to the norm for some boards, and in order to keep our Classifieds section as popular as it is, new users can send PMs.

This will cut down on the ability for attackers to harvest usernames for brute forcing and should also handicap spammers by forcing us to give all newly registered accounts (most of which are spammers) a look.

I also bumped the setting that requires a CAPTCHA before logging in from 3 to 5 to hopefully alleviate the lockouts. Password complexity requirements have also been increased to require alphanumeric passwords.

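Added example, not part of the original posts and not phpBB or Tapatalk code: a simplified Python model of the per-account failed-login counter described in the two posts above, run over constructed login events, showing why a distributed attack flags the legitimate owner's account and what moving the threshold from 3 to 5 changes. It assumes the counter ignores source IP and resets on a successful login; the function names, IPs and usernames are placeholders.

```python
from collections import defaultdict

# Constructed events: (minute, source_ip, username, success). IPs are from
# documentation ranges and usernames are placeholders, not data from the forum.
EVENTS = [
    (0, "198.51.100.7", "alice", False),
    (1, "203.0.113.20", "alice", False),
    (2, "192.0.2.44", "alice", False),
    (3, "198.51.100.7", "bob", False),
    (4, "203.0.113.20", "bob", False),
    (5, "192.0.2.44", "bob", False),
    (6, "203.0.113.99", "alice", False),
    (7, "198.51.100.7", "carol", False),
    (8, "192.0.2.200", "dave", False),  # owner mistypes once...
    (9, "192.0.2.200", "dave", True),   # ...then logs in, resetting the count
    (10, "203.0.113.20", "carol", False),
]

def captcha_flagged(events, threshold):
    """Accounts whose failure count reaches `threshold` (assumed model:
    counted per account across all source IPs, reset on success)."""
    fails, flagged = defaultdict(int), set()
    for _, _ip, user, ok in sorted(events, key=lambda e: e[0]):
        if ok:
            fails[user] = 0
        else:
            fails[user] += 1
            if fails[user] >= threshold:
                flagged.add(user)
    return flagged

def failures_by_ip(events):
    """Failed attempts per source IP: the view a per-IP limit would see."""
    counts = defaultdict(int)
    for _, ip, _user, ok in events:
        if not ok:
            counts[ip] += 1
    return dict(counts)

def spray_sources(events, min_accounts):
    """Source IPs that failed against at least `min_accounts` usernames."""
    targets = defaultdict(set)
    for _, ip, user, ok in events:
        if not ok:
            targets[ip].add(user)
    return {ip for ip, users in targets.items() if len(users) >= min_accounts}

if __name__ == "__main__":
    print(captcha_flagged(EVENTS, 3), captcha_flagged(EVENTS, 5))
    print(failures_by_ip(EVENTS), spray_sources(EVENTS, 3))
```

No single IP exceeds three failures here, so a per-IP limit of four would never fire, while the per-account counter at 3 flags both targeted accounts; the IPs returned by `spray_sources` are the candidates for the network-level banning mentioned above.
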
Re: What's up with the captcha at log in?

Postby Sherpaboy » January 3rd, 2011, 6:21 pm

Thanks Steve
Trail's Edge Cyclery - We Are Bike Geeks!
Milford - 248.714.9355
Plymouth - 734.420.1200 (NEW LOCATION)
29er, Full suspension, Road, Cross, Family...and much more
Sherpaboy
 
Posts: 3987
Joined: June 19th, 2002, 1:16 pm
Location: The Sherpa Shop

Re: What's up with the captcha at log in?

Postby c0nsumer » January 3rd, 2011, 6:24 pm

Sherpaboy wrote:Thanks Steve


Sure thing. I hope this helps. It's always a cat and mouse game with spammers and there's no way to just block their creativity.
