What to do if someone is trying to distributed brute force my account?


WetWired
05-28-2011, 10:12 PM
I received three e-mails within a minute of three different IPs being locked out for trying the wrong password on this forum...

azspeedbullet
05-28-2011, 10:29 PM
I noticed the same thing on my account. I had to create this new account so I can post about it since I am unable to log in. The 3 emails I received are from IPs 78.x, 200.x, and 219.x. When I do an IP lookup, these IPs are from Indonesia, Argentina, and Czech Republic

Black Tiger
05-28-2011, 10:45 PM
I had the same 2 times. But I don't see any reason to mask the IP addresses of the abusive users:
94.228.204.2
and
178.213.33.129

But I'm not locked out which the mail says, because I'm always logged in.:)

However it's no good news when it seems people are trying to bruteforce accounts. Maybe somebody can do a good thing and put up some ip bans if they are not dynamic ip's.

popowich
05-28-2011, 10:55 PM
I received a couple of emails too.

Both 114.141.50.11 and 125.167.233.138 are trying to access my account.

azspeedbullet
05-28-2011, 10:55 PM
Here are the 3 IPs from the email:
200.117.239.246
78.41.17.230
219.83.101.234

Interesting that all of the IP addresses are different

cbiweb
05-28-2011, 10:59 PM
A few minutes ago I received this notice in my email:
Dear cbiweb,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 200.94.71.73

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
https://vborg.vbsupport.ru/login.php?do=lostpw

All the best,
vBulletin.org Forum

I'm glad the intruder didn't get in, because my password wasn't all that strong, but evidently strong enough... this time.

I have changed my password to something very strong now, and I'm only posting this as a heads up for anyone who either doesn't have a strong password, or thinks it's strong enough, or hasn't changed it in a while. It's time to check it out.

SpanishHarlem
05-28-2011, 11:01 PM
Dear SpanishHarlem,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 194.44.172.18

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
https://vborg.vbsupport.ru/login.php?do=lostpw

All the best,
vBulletin.org Forum

SpanishHarlem
05-28-2011, 11:01 PM
I got the same email just now

WetWired
05-28-2011, 11:02 PM
203.29.27.114
222.173.42.106
218.98.192.202

Here

Boofo
05-28-2011, 11:03 PM
I got one too from another IP. The IP resolves to Bangkok, Thailand. Looks like a bot might have been at work.

Dear Boofo,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 119.46.110.247

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
https://vborg.vbsupport.ru/login.php?do=lostpw

All the best,
vBulletin.org Forum

KevinL
05-28-2011, 11:03 PM
Same here

189.90.254.146

Beav`
05-28-2011, 11:03 PM
Just got one too...

Dear Beav`,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 93.114.63.249

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
https://vborg.vbsupport.ru/login.php?do=lostpw

All the best,
vBulletin.org Forum

DarknessDivine
05-28-2011, 11:05 PM
I just logged on here because I am also getting the emails. The IP's are: 222.124.29.242 & 201.22.184.4

TheEnd
05-28-2011, 11:09 PM
The person trying to log into your account had the following IP address: 201.209.69.134 4:20 PM
The person trying to log into your account had the following IP address: 222.124.217.170 4:20pm
The person trying to log into your account had the following IP address: 195.191.168.5 4:20PM

I changed my password to something super secure. Combo of all my high tech passwords. Good luck h4x0rs

DarknessDivine
05-28-2011, 11:10 PM
I changed my password to something super secure. Combo of all my high tech passwords. Good luck h4x0rs

I also changed mine.

Zidane007nl
05-28-2011, 11:15 PM
Same thing happened here.
221.1.96.22 from China is the culprit at 01:40 (GMT+2).

Limey-YMR
05-28-2011, 11:16 PM
218.28.111.46 which resolves to pc0.zz.ha.cn just locked out my account here.

A forum that I regularly visit was hacked last night and has been taken down, but strangely, my username is slightly different there, and the password is completely different.

regeneration
05-28-2011, 11:24 PM
Got the same email.. twice.

The person trying to log into your account had the following IP address: 213.197.81.50

The person trying to log into your account had the following IP address: 203.113.117.139

Xplorer4x4
05-28-2011, 11:24 PM
Not sure if I need to report this or not, but my account was locked out as someone was trying to guess/hack my password. I have updated it to something a little bit more secure just to be safe. The IP reported in the email was 122.225.100.5 which traces back to China.

I realize this isn't relevant to this forum btw, but nowhere else an unlicensed member can post that I know of.

regeneration
05-28-2011, 11:28 PM
Got the same emails.

You can't do anything. vB.org admins should disable the "Member list" feature:

https://vborg.vbsupport.ru/memberlist.php

Bots are taking usernames from that list and using brute force attack on this site.

I sent a PM to the admins about this.

underESTIMATED
05-28-2011, 11:30 PM
Not sure if I need to report this or not, but my account was locked out as someone was trying to guess/hack my password. I have updated it to something a little bit more secure just to be safe. The IP reported in the email was 122.225.100.5 which traces back to China.

I realize this isn't relevant to this forum btw, but nowhere else an unlicensed member can post that I know of.

Happened to me as well 2x earlier. I logged in and also updated the password.

Wired1
05-28-2011, 11:36 PM
Ditto, 3 tries in the same minute from Bulgaria, Italy, and Brazil based upon the IPs. Password was already pretty secure, but just to be safe I changed it to a REALLY long (randomly generated) password.

KeePass FTW :)

smacklan
05-28-2011, 11:37 PM
Same here...from 120.29.159.14 and 210.245.85.33

Xplorer4x4
05-28-2011, 11:44 PM
Glad to see it's not just me. At least I know I wasn't specifically targeted lol.

kylek
05-28-2011, 11:49 PM
Yup, same thing about an hour ago.

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 60.28.212.184

IP shows China.

syrus.xl
05-28-2011, 11:56 PM
Strange, someone tried to access my account 3 times - each time failing. About 45 minutes ago.

I.P's used were:
78.41.17.230
222.124.5.82
200.117.239.246

Well, they can carry on trying - since I use alpha-numerics with symbols.

I just checked my password on http://passwordchecker.co.uk/ and it states 100% strong! ;)

sbryan
05-28-2011, 11:57 PM
Yep same thing here, got 2 of those emails this morning. IP's were from Indonesia.

cbiweb
05-28-2011, 11:57 PM
https://vborg.vbsupport.ru/showthread.php?t=264345

NBSFlak
05-28-2011, 11:58 PM
Are any of you guys on PSN? I'm getting all kinds of password reset requests today.

shof515
05-28-2011, 11:58 PM
I got the same thing, check the other topic and you will see you are not alone:
https://vborg.vbsupport.ru/showthread.php?p=2201074#post2201074

syrus.xl
05-29-2011, 12:16 AM
Are any of you guys on PSN? I'm getting all kinds of password reset requests today.

I'm not... I do not play any game consoles at all.

I had someone try and get in to my Facebook account, but again they failed. If you're using secure hashed passwords I would very much doubt they could crack it anyway.

warnmar10
05-29-2011, 12:20 AM
203.153.31.27
200.96.37.206

Biker_GA
05-29-2011, 12:20 AM
Both myself and the owner of our site got notices as well. We're not pleased.

Hurricane
05-29-2011, 12:20 AM
91.203.178.139
109.238.238.242

This was at 7pm EST for me.

ThorstenA
05-29-2011, 12:42 AM
46.0.203.92
77.247.211.160

SCRIPT3R
05-29-2011, 12:51 AM
118.97.81.155
222.124.29.242

SCRIPT3R
05-29-2011, 12:52 AM
118.97.81.155
222.124.29.242

SCRIPT3R
05-29-2011, 12:53 AM
118.97.81.155
222.124.29.242

JonUrban
05-29-2011, 01:09 AM
I just got two. However, when I logged in here, my original password worked without issue. Very odd. What would they accomplish? I checked the login link in the email and it looked like a direct link, not a redirect.

Mine occurred at 7:24PM, IP addresses were 201.24.152.98 and 178.213.33.129


Dear JonUrban,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 178.213.33.129

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
https://vborg.vbsupport.ru/login.php?do=lostpw

All the best,
vBulletin.org Forum

--------------- Added 1306635143 at 1306635143 ---------------

Here's the header, minus my email address:


Status: U
Return-Path: <webmaster@vbulletin.org>
Received: from mx-dipper.atl.sa.earthlink.net ([207.69.195.166])
by mdl-glean.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1qqsRV1T93Nl34L0; Sat, 28 May 2011 19:24:31 -0400 (EDT)
Received: from mx5.internetbrands.com ([98.158.194.50])
by mx-dipper.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1qqsRU3hE3Nl36u0
for <removed>; Sat, 28 May 2011 19:24:30 -0400 (EDT)
Received: from jelsoft3.internetbrands.com (jelsoft3.internetbrands.com [172.16.229.76])
by mx5.internetbrands.com (Postfix) with ESMTP id 678E3213E1
for <removed>; Sat, 28 May 2011 16:24:30 -0700 (PDT)
Received: from jelsoft3.internetbrands.com (localhost.localdomain [127.0.0.1])
by jelsoft3.internetbrands.com (8.13.8/8.13.8) with ESMTP id p4SNOU7P031866
for <removed>; Sat, 28 May 2011 16:24:30 -0700
Received: (from jelsoft@localhost)
by jelsoft3.internetbrands.com (8.13.8/8.13.8/Submit) id p4SNOUVh031863;
Sat, 28 May 2011 16:24:30 -0700
Date: Sat, 28 May 2011 16:24:30 -0700
X-Authentication-Warning: jelsoft3.internetbrands.com: jelsoft set sender to webmaster@vbulletin.org using -f
To: <removed>
Subject: Account on vBulletin.org Forum locked out
From: "vBulletin.org Forum" <webmaster@vbulletin.org>
Auto-Submitted: auto-generated
Message-ID: <201105282330.c21fda88bfd0@www.vbulletin.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
X-Brightmail-Tracker: AAAAARgtX4o=
X-Brightmail-Tracker: AAAAAA==

WetWired
05-29-2011, 01:17 AM
I'm pretty sure the mails are legit. Especially since the guy with the first reply actually got his account hacked.

kh99
05-29-2011, 01:18 AM
I just got two. However, when I logged in here, my original password worked without issue. Very odd. What would they accomplish?

They didn't accomplish anything, they just tried to guess your password and failed. You say you just got those but the time says ~7:30 EDT so I guess the 15 minute lockout elapsed and you were able to log in.

Unless you mean "what do they hope to accomplish with only 5 guesses", then I don't know, seems like they'd have to get really lucky. Or they're just trying to annoy people, or clog the server with emails to send.

TundraSoul
05-29-2011, 01:21 AM
Hackers are out tonight!

94.228.204.30 x2

WetWired
05-29-2011, 01:23 AM
The lockout is actually IP specific.

shof515
05-29-2011, 01:24 AM
I got a similar email too:
Received: from mx5.internetbrands.com (mx5.internetbrands.com [98.158.194.50])
by mtain-mh02.r1000.mx.aol.com (Internet Inbound) with ESMTP id 8B0EA38000083
for <deleted>; Sat, 28 May 2011 19:21:36 -0400 (EDT)
Received: from jelsoft3.internetbrands.com (jelsoft3.internetbrands.com [172.16.229.76])
by mx5.internetbrands.com (Postfix) with ESMTP id 45D432006C
for <deleted>; Sat, 28 May 2011 16:21:36 -0700 (PDT)
Received: from jelsoft3.internetbrands.com (localhost.localdomain [127.0.0.1])
by jelsoft3.internetbrands.com (8.13.8/8.13.8) with ESMTP id p4SNLanG030536
for <deleted>; Sat, 28 May 2011 16:21:36 -0700
Received: (from jelsoft@localhost)
by jelsoft3.internetbrands.com (8.13.8/8.13.8/Submit) id p4SNLaBr030533;
Sat, 28 May 2011 16:21:36 -0700
Date: Sat, 28 May 2011 16:21:36 -0700
X-Authentication-Warning: jelsoft3.internetbrands.com: jelsoft set sender to webmaster@vbulletin.org using -f
To: deleted
Subject: Account on vBulletin.org Forum locked out
From: "vBulletin.org Forum" <webmaster@vbulletin.org>
Auto-Submitted: auto-generated
Message-ID: <201105282336.fc033e6fa850@www.vbulletin.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Content-Transfer-Encoding: quoted-printable
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:255893488:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d60d64de183801e9c
X-AOL-IP: 98.158.194.50
X-AOL-SPF: domain : vbulletin.org SPF : permerror

kh99
05-29-2011, 01:25 AM
The lockout is actually IP specific.

Oh...so I guess if they have enough ips they can actually guess many times. Seems like it may be something to change in a future version. eta: ...oh, but I guess if it wasn't ip specific it would be easy for someone to keep you from logging in to your account.
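
The trade-off raised in the two posts above (a per-IP lockout lets each new IP take its own guesses, while a hard per-account lock would let anyone keep the owner out), as an added example that is not vBulletin's code and not part of any post. The 5-attempt and 15-minute values come from the lockout e-mail; the distinct-IP limit, the counting window, the "challenge" step and the account name `alice` are assumptions.

```python
from collections import defaultdict

MAX_FAILS_PER_IP = 5      # lockout e-mail: "more than 5 times"
LOCK_SECONDS = 15 * 60    # lockout e-mail: "another 15 minutes"
WINDOW_SECONDS = 15 * 60  # assumption: window for counting distinct failing IPs


class LoginThrottle:
    def __init__(self, distinct_ip_limit=None):
        # distinct_ip_limit=None models the per-IP-only lockout discussed above.
        self.distinct_ip_limit = distinct_ip_limit
        self.fails = defaultdict(list)        # (user, ip) -> failure timestamps
        self.locked_until = {}                # (user, ip) -> unlock time
        self.failing_ips = defaultdict(dict)  # user -> {ip: last failure time}

    def check(self, user, ip, now):
        """Decide before the password is verified: deny, challenge or allow."""
        if self.locked_until.get((user, ip), 0) > now:
            return "deny"
        if self.distinct_ip_limit is not None:
            recent = [t for t in self.failing_ips[user].values()
                      if now - t <= WINDOW_SECONDS]
            if len(recent) >= self.distinct_ip_limit:
                return "challenge"  # e.g. CAPTCHA or e-mailed code, not a lock
        return "allow"

    def record_failure(self, user, ip, now):
        recent = [t for t in self.fails[(user, ip)] if now - t <= LOCK_SECONDS]
        recent.append(now)
        self.fails[(user, ip)] = recent
        self.failing_ips[user][ip] = now
        if len(recent) > MAX_FAILS_PER_IP:
            self.locked_until[(user, ip)] = now + LOCK_SECONDS
            self.fails[(user, ip)] = []


def unchallenged_guesses(throttle, user, ips, tries_per_ip):
    """Count wrong-password guesses that reach verification (constructed traffic)."""
    now, reached = 0, 0
    for ip in ips:
        for _ in range(tries_per_ip):
            now += 1  # one attempt per second, all inside one window
            if throttle.check(user, ip, now) == "allow":
                reached += 1
                throttle.record_failure(user, ip, now)
    return reached


# Constructed sample: ten source addresses from the documentation range.
SAMPLE_IPS = [f"203.0.113.{n}" for n in range(1, 11)]

if __name__ == "__main__":
    per_ip_only = LoginThrottle()
    with_account_rule = LoginThrottle(distinct_ip_limit=3)
    print(unchallenged_guesses(per_ip_only, "alice", SAMPLE_IPS, 8))
    print(unchallenged_guesses(with_account_rule, "alice", SAMPLE_IPS, 8))
    # The owner, arriving from a fresh address, is challenged rather than locked.
    print(with_account_rule.check("alice", "198.51.100.7", 100))
```

With the per-IP rule alone the guess budget grows with the number of source addresses; with the account-level rule it stops growing once the third address has failed, and the owner still gets in by passing the challenge.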

Alfa1
05-29-2011, 01:50 AM
Maybe vb.org would benefit from installing the bad behavior addon.

AdrianH
05-29-2011, 03:13 AM
More here >> https://vborg.vbsupport.ru/showthread.php?p=2201102#post2201102


I feel positively left out :p

King Kovifor
05-29-2011, 04:27 AM
I've merged both threads about the same attack into the same thread, within the feedback forum.

jaffaman
05-29-2011, 05:44 AM
Got the same the 3 times I.P's are ..............

194.85.80.107
94.228.204.30
94.228.204.2

Delphiprogrammi
05-29-2011, 06:06 AM
hi,

It happened on mine too

94.228.204.2
178.213.33.129

I guess somebody is looking for freebies :D

tekram
05-29-2011, 06:18 AM
Here the same:

The person trying to log into your account had the following IP address: 222.173.42.106
The person trying to log into your account had the following IP address: 115.127.15.44

Brandon Sheley
05-29-2011, 06:28 AM
same here...
95.154.98.152

seems like a problem is starting....

Oblivion Knight
05-29-2011, 06:40 AM
..and here - 2 different IPs, identical times;
94.228.204.2
94.228.204.30

Kesomir
05-29-2011, 07:08 AM
and here: 83.222.206.146 and 81.30.164.94

Frosty
05-29-2011, 07:43 AM
Someone might have coded a bot, best thing would be to disable the member list, otherwise they can get the list of our usernames. :(

Marv
05-29-2011, 08:33 AM
Happened to me also. Seems they attacked all accounts with 3 bruteforce attempts. That makes me worry about those who have only one or two and not three recorded events. Could mean they were successful with one of their attempts.

I guess there are a few users here, which have sent their logins from servers or admincps to others (i.e. to mod developers in times of support etc.) Something very unsecure, but I'm sure some did that. Would be wise to inform all users - and to force all vb.org members to setup a secure passphrase.

--------------- Added 1306661692 at 1306661692 ---------------

Someone might have coded a bot, best thing would be to disable the member list, otherwise they can get the list of our usernames. :(

That's senseless. The bot can even read the threads or the WGO box etc. That makes no sense to disable the ML.

Frosty
05-29-2011, 08:43 AM
True.. But memberlist contains offline members, while online box has only online members. But good point anyway.

Bigger damage can be done with the memberlist than with the online box.

Marv
05-29-2011, 08:59 AM
True.. But memberlist contains offline members, while online box has only online members. But good point anyway.

Bigger damage can be done with the memberlist than with the online box.

You're right, true. I was regarding this from a point of the bigger threat level. I suppose an inactive account has not or not really often PN's in it. So the threat level isn't that big.
All others, the active users, can be found in the threads here. And to program a bot to get those account names is done in a blink of an eye. Whatever, disabling the ML could help with an additional benefit, even when it would be a very little one. But sometimes that makes a difference.

Nukey
05-29-2011, 10:02 AM
I haven't logged on since Dec 2007 and just got the same email:
82.145.242.38
201.22.130.226

Frosty
05-29-2011, 10:15 AM
IP's resolve to online proxies, which means this is a 100% automated attack.

BirdOPrey5
05-29-2011, 10:58 AM
The only accounts really in danger of getting compromised by this are people who use the following passwords:

1) The same as their username (Sometime around 3.8 vBulletin actually added a check to prevent this)
2) password
3) 12345(6)...

Unfortunately I'd bet that counts for 10% or more of the users on any given site, including here.

I didn't get any emails but I changed my password to be extra-secure just to be sure today.

preemz10314
05-29-2011, 12:44 PM
they must want plugins bad.....

BirdOPrey5
05-29-2011, 12:49 PM
they must want plugins bad.....

I doubt that. I'd bet it was probably an attempt to harvest usernames for future spam attempts.

CtrlAltDel
05-29-2011, 11:58 PM
The person trying to log into your account had the following IP address: 58.61.154.169

Cloudrunner
05-31-2011, 08:33 PM
Just thought I'd let the powers that be know that the following IP addresses were logged trying to brute force their way onto my account on the 28th of May. I received the emails from the system stating that the account had been locked because of this. The IPs are registered in the Russian domain space.

Enjoy

178.213.33.129
94.228.204.2

FFZoneXtreme
05-31-2011, 11:02 PM
Also in mine, on 28/05/2011.

94.228.204.2
194.151.57.244