I've had similar problems on my site with accounts getting hijacked, passwords being cracked, moderator accounts getting compromised and topics getting deleted, crap being spread across the board and other dirty tricks.
Here are the things I've either learned the hard way, been able to track down, or done to my board to make it harder for the no-gooders. Each of these things helped in a small way for a small while, but the net effect of all of 'em seems to have made a huge improvement.
- Key Members and Moderators who were active on a competitive site before we launched, and used the same login name and password on our site that were used over there, were the first accounts hijacked. So we changed passwords of course, but the same accounts were compromised again.
- Other Accounts were compromised (and often 3 or 4 at a time) where the publicly displayed name was the same as the login name. I set up Web Trends to track hits to the login url, and sure enough we were getting slammed with 50-60 login attempts per minute, for short stretches of time at a frequency of 20-30 times a day.
Fixes:
- I put lots of work into the wordlets used on the registration form to explain to folks the difference between login name and public name, and stress the need for a unique login name not used elsewhere.
- I got help here on ubbdev to apply the standard floodcheck to login, and I set my floodcheck value really high at times of unrest.
- Older Accounts still got hijacked, and one moderator account hit most often. They even got in the control panel under that moderator account and had a real long look around at everything then deleted other moderator accounts.
Fixes:
- I kicked all my moderators out of the control panel and made it Admin access only with a fix I found here on ubbdev. Plus turned Windows Integrated Authentication on for the cp.cgi file (Windows equivalent of the .htaccess trick on NIX). This was doubly effective - many ISPs require users to make certain proxy settings that don't allow them to even get the authentication login prompt, and we had to laugh because suspected culprits suddenly began fishing the grapevine to find out what ISPs me and the moderators were on.
- I ran Windows Baseline Security Analyzer and found an OS-level weakness (undocumented M$ hole only disclosed in this dang tool!!). They could have been abusing this to get partial info out of the members directory so I shut that backdoor down.
- I tied my Windows Authentication on cp.cgi to my subnet firewall, and a few failed network logins up in there now result in total shutout from my site for several days + my server/subnet maintenance guy gets a report sent to his cell phone via text message. FWIW this trap was sprung once early on, then they never bothered again.
- I made another little fix I got help with here on ubbdev for moderators to be able to get into the Recent Visitors Admin View for help 'patrolling'.
- It still kept happening way too often. So in desperation, I closed my board and munged all the text files one night to replace login names. And we finally got a short break from the insanity.. about 4 or 5 weeks worth. NOTE - my situation is/was extreme, so I don't recommend this unless absolutely necessary. With us - there's nasty vengeance behind our attacks from 10+ years of dirty laundry and bad attitudes between the moderator account always getting hit (who happens to be one of my sponsors/advertisers as well) and the idiot who runs the competitive site.
- It still kept happening including the prime target moderator account, albeit in smaller doses along the lines of stealth deletes. And password spinner attacks on login had died out while excessive hits to the Community Directory kicked in. And another pattern emerged - all the compromised accounts had aol email addresses.
Fixes:
- We got key members who had another email address to change their profile. And those who didn't, now change their AOL password frequently.
- I got help here on ubbdev to keep junior members out of the member directory to cut down on "trolling" for login names.
- We got the prime target moderator on a non-AOL email address and we finally had several months of peace until last weekend.
- So now we got a once-in-a-blue-moon problem with accounts other than the prime target moderator. And last time the blue moon rose yet another pattern emerged... the last few compromised accounts, along with a couple from early on, were all approved within a 4-5 day timeframe back in March and were dormant - never returned to my site and logged in after registration. Also, we always get 'hit' when my name and the other key members who help patrol are not showing on the Recent Visitors list. And lo and behold, hits to the Recent Visitors url have spiked while hits to the Community Directory are now rare.
So I'm certain now the main cause of my long term problems was that the prime target moderator's AOL account was compromised at least twice, his login name and password for my site were retrieved from the "forgot your password" link while they had access to his mailbox, AND worst of all - that moderator was also cc'd on the registration mailbox so they snooped out login names and passwords from registration confirmation emails in his AOL mailbox for a certain time period.
Fixes:
- I'm going in the backdoor and changing passwords on all other dormant accounts approved in the same time period, extended to 2-3 weeks before and after. We figure if those accounts haven't been back to my site in 3 or 4 months (not unusual in my community since we're a seasonal sport), when and if they do come back they won't remember their password anyway and will just retrieve it.
- Other active accounts from same time period will get a friendly but non-informative note in near future asking them to change their password.
- I got help here on UBB to make Recent Visitors require login.
Other mildly useful tricks we found for patrolling include IP address lookups and monitoring (the Last Login IP is way different from the registration IP and we have patterns with the last login IP on hijacked accounts pointing to wireless/cellular service in one particular region).
Plus we were keeping some of our moderators hidden from Recent Visitors so that they couldn't tell when we were lurking. And when an account first gets hijacked, we suspend posting privileges only at first (so they can't tell they've been caught until their next post is denied). Then we sit back and wait for their return in order to get more IP Addresses and/or determine if it's more than one person playing tricks.
Sorry for long post... if it's not obvious, I've been thru he!! I have no doubt I have a personal vendetta behind my trouble who has declared war on my site. The upside being when I get hit it's actually a good thing in a sick twisted way: community loyalty grows, the clans rally and more new registrations pour in, and more and more people come to their own conclusion who's behind it without the need for public accusations.
So here's hoping more good comes of it and hopefully some of this helps you (salblack) to keep that one-step-ahead thing going that's needed in situations like this :rolleyes:
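As an added example (not code from the original post, nor from UBB), here is a small Python detector for the login-burst pattern the poster spotted with Web Trends above: dozens of hits per minute to the login URL in short stretches. It runs over constructed access-log lines; the login path, the IPs and the lowered threshold are assumptions for the sample.

```python
import re
from collections import Counter, defaultdict

# Common Log Format: client IP, timestamp, request line, status code.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def login_bursts(lines, login_path="/cgi-bin/login.cgi", per_minute_threshold=50):
    """Return one record per minute in which hits to login_path reach the threshold.

    Each record is (minute, total_hits, busiest_ip, hits_from_busiest_ip), where
    minute is the CLF timestamp truncated to minute precision. The default
    threshold reflects the 50-60 attempts/minute the post describes.
    """
    per_minute = defaultdict(Counter)          # minute -> Counter of client IPs
    for line in lines:
        m = CLF_RE.match(line)
        if not m or m.group("path").split("?")[0] != login_path:
            continue                            # unparseable line or not a login hit
        minute = m.group("ts")[:17]             # "12/Jun/2003:22:14" from "12/Jun/2003:22:14:01 -0500"
        per_minute[minute][m.group("ip")] += 1
    bursts = []
    for minute in sorted(per_minute):
        ips = per_minute[minute]
        total = sum(ips.values())
        if total >= per_minute_threshold:
            ip, n = ips.most_common(1)[0]       # who contributed most to the burst
            bursts.append((minute, total, ip, n))
    return bursts

# Constructed sample log (documentation-range IPs, assumed login path, not real traffic).
# The first four lines stand in for a burst; the threshold below is lowered to match.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2003:22:14:01 -0500] "POST /cgi-bin/login.cgi HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2003:22:14:02 -0500] "POST /cgi-bin/login.cgi HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2003:22:14:03 -0500] "POST /cgi-bin/login.cgi HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Jun/2003:22:14:40 -0500] "POST /cgi-bin/login.cgi HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Jun/2003:22:15:05 -0500] "GET /cgi-bin/forum.cgi?ubb=forum HTTP/1.1" 200 9001',
    '192.0.2.44 - - [12/Jun/2003:22:15:30 -0500] "POST /cgi-bin/login.cgi HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for minute, total, ip, n in login_bursts(SAMPLE_LOG, per_minute_threshold=3):
        print(f"{minute}: {total} login hits, {n} of them from {ip}")
```

On a real server, pipe the access log in and keep the default threshold; the busiest-IP field is what feeds a firewall block like the one the post wires to cp.cgi.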