Excerpts from John Beckett's message of Wed May 01 04:29:16 +0200 2013:
> 124 user accounts, including text fields intended to probe for
> bugs that might be exploited to break in to the system.
The bot did at least 20 login attempts per second!

http://www.vim.org/account/register.php
I've added a minimal "I'm human test" - that should at least protect against
"random attacks" made by bots without human intelligence.
And if there are humans running the attack, then we have lost anyway.

So it's pretty easy:

Create a new table.
Log the IP when $_POST is not empty.

If an IP is using POST more than 15 times in 4 hours, assume it's a bot
and die.

A typical session:
- login (POST 1)
- update 5 scripts (POST 2-5)

Thus 7 POST requests. If you forget your password 5 times, then you're
still fine.

Yes, there might be false positives, e.g. many people behind
firewalls try to update their scripts within 4 hours, but honestly
scripts are not updated *that* often. Another problem could be you
typing the same password 15 times ...

If this is causing problems, please report it. The die message also says
this.

vim.org/search.php is not affected, $_GET is used the way it should.
Neither should it affect Google (which may also run some POST requests,
usually based on JS init scripts).

I hope this makes www.vim.org a lot more "bot proof" now.

The implementation can be found in the datab*.inc file.

Maybe it's not the right place, but it should work.

There have been too many issues lately.

Marc Weber

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
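The counting scheme described in the message (log the source IP of every non-empty POST in a table, refuse further POSTs once an IP exceeds 15 in a 4-hour window) is easy to get subtly wrong, so here is an added, self-contained illustration of it. This is example code written for this page, not the vim.org implementation (which lives in the site's PHP, not in Python); it uses an in-memory SQLite table in place of the site's database, the `PostRateLimiter` and `simulate_*` names are assumptions, and the IP addresses and request timings are constructed. It reproduces the two cases the message raises: a bot hammering the login form at 20 requests per second, and the false positive when several legitimate users share one IP behind a firewall.

```python
import sqlite3
import time

# Thresholds from the message: more than 15 non-empty POSTs from one IP
# within 4 hours is treated as a bot.
MAX_POSTS = 15
WINDOW_SECONDS = 4 * 60 * 60


class PostRateLimiter:
    """Sliding-window per-IP limiter for non-empty POST requests, backed by a
    table. Uses an in-memory SQLite database here (constructed for the example);
    a real site would point this at its existing database."""

    def __init__(self, conn=None):
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS post_log (ip TEXT NOT NULL, ts INTEGER NOT NULL)"
        )
        # The lookup below is always "this IP, recent timestamps".
        self.conn.execute("CREATE INDEX IF NOT EXISTS post_log_ip_ts ON post_log (ip, ts)")

    def record_and_check(self, ip, post_data, now=None):
        """Log the request if it carries POST data and report whether it is allowed.

        Returns True when the request may proceed and False when the IP has
        exceeded MAX_POSTS within WINDOW_SECONDS (the point where the site
        would call die()). Requests without POST data are never counted, so
        GET-only pages such as search.php are unaffected."""
        if not post_data:
            return True
        now = int(time.time() if now is None else now)
        cutoff = now - WINDOW_SECONDS
        # Purge entries that fell out of the window so the table stays small.
        self.conn.execute("DELETE FROM post_log WHERE ts < ?", (cutoff,))
        self.conn.execute("INSERT INTO post_log (ip, ts) VALUES (?, ?)", (ip, now))
        (count,) = self.conn.execute(
            "SELECT COUNT(*) FROM post_log WHERE ip = ? AND ts >= ?", (ip, cutoff)
        ).fetchone()
        self.conn.commit()
        return count <= MAX_POSTS


def simulate_bot(limiter, ip, attempts, start=0):
    """A bot firing login POSTs at 20 per second; returns how many got through."""
    allowed = 0
    for i in range(attempts):
        if limiter.record_and_check(ip, {"user": "x", "pass": "y"}, now=start + i / 20):
            allowed += 1
    return allowed


def typical_session(limiter, ip, start=0):
    """The 7-POST session from the message (login plus script updates), one
    request per minute. Returns the per-request allow/deny decisions."""
    return [
        limiter.record_and_check(ip, {"form": "x"}, now=start + 60 * i)
        for i in range(7)
    ]


def shared_ip_sessions(limiter, ip, users):
    """Several users behind one NAT/firewall IP, each running a typical session
    ten minutes apart. Returns how many of their POSTs were allowed in total;
    anything beyond MAX_POSTS is the false positive the message warns about."""
    return sum(sum(typical_session(limiter, ip, start=u * 600)) for u in range(users))


if __name__ == "__main__":
    bot = PostRateLimiter()
    print("bot: 100 attempts, allowed", simulate_bot(bot, "203.0.113.5", 100))
    office = PostRateLimiter()
    print("4 users on one IP: 28 POSTs, allowed", shared_ip_sessions(office, "198.51.100.9", 4))
```

The window is evaluated per request against the table, so a burst is cut off at the 16th POST regardless of how fast it arrives, and the same IP is allowed again once its entries age out of the 4-hour window. The shared-IP run shows the trade-off the message accepts: with four users behind one address only the first 15 of their 28 POSTs succeed.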
