People are trying to brute force my account


!!!cyr0n_k0r
01-30-2013, 01:10 AM
I have received over 40 emails within the past 2 hours from this site saying that attempts have been made on my password. Here is a list of IPs.
You guys should look into this.

Paul M
01-30-2013, 02:32 AM
It happens every few months.
As long as you have a secure password, then you have nothing to worry about.

Max Taxable
01-30-2013, 02:36 AM
It ain't people, it's likely one person, with software designed for it.

20paws4awd
01-30-2013, 06:08 PM
Yah I got it too yesterday..

final kaoss
01-30-2013, 06:14 PM
Now would be a good time to change the directory name of your admincp/modcp. If it happens again a few months later, change it again!

Abizaga
01-30-2013, 06:54 PM
I just got like 5 emails saying my account was locked due to failed account break-in attempts. What do I do?

Digital Jedi
01-30-2013, 07:57 PM
Er, nothing I suppose. Since you seem to be logged in...

Abizaga
01-30-2013, 08:16 PM
Er, nothing I suppose. Since you seem to be logged in...

Just a bit alarmed, that's all.

BirdOPrey5
01-31-2013, 04:09 PM
As long as you do not have common/easy to guess passwords there is nothing to worry about. The vBulletin lock-out system more or less makes brute force almost impossible.

That said you'd be surprised how many accounts they can find simply by trying the 5 or 10 most common passwords (including the username as the password.)

A site like VB.org with tens of thousands of users if they try a hundred users they can probably get 2 or 3 accounts.

It's all percentages.

Abizaga
01-31-2013, 05:14 PM
Good, so a long, alphanumeric password is perfect for vBulletin

Digital Jedi
01-31-2013, 08:24 PM
It doesn't even really need to be long. It can be long and be deciphered. What it needs is a random combo of caps, lowercase and numbers. And even better if you can include special characters.

DivisionByZero
02-01-2013, 02:56 AM
https://www.atomicorp.com/products/asl.html

I installed it, tweaked it, and never looked back.

Airkat
02-02-2013, 03:00 PM
I've gotten well over 100 this morning alone. It's all good to say "don't worry", but when you're getting craploads of emails about it, it's definitely annoying. One would think the makers of the forum software would be better prepared.

Agentus
02-02-2013, 03:22 PM
Same here, about 150 emails in the past hour. I haven't been on this site in years. Does anyone know how to delete your account here? Is it possible, because I looked and couldn't find it anywhere.

thanks and good luck.

Paul M
02-02-2013, 03:55 PM
One would think the makers of the forum software would be better prepared.
Better prepared for what exactly ? The software is doing its job.

DivisionByZero
02-02-2013, 04:06 PM
Better prepared for what exactly ? The software is doing its job.
People who use OOB software and call themselves entrepreneurs want everything in one big package. Most are disappointed though when they discover that websites are not Chia Pets. You don't just add water and watch it grow. You actually have to do some work and know what you're doing.

---MAD---
02-02-2013, 04:24 PM
I've received 56 in the last 4 days as well. Is there no way to stop these e-mails other than labelling them as spam?

Digital Jedi
02-02-2013, 04:35 PM
Here's a quick question, guys. Why would you NOT want to know that someone failed hacking into your account, considering the prevailing attitudes towards websites who never tell them anything about what they do behind the scenes?

DivisionByZero
02-02-2013, 06:53 PM
99% of SPAM comes from China. I have no reason for anyone in China to view any content on my servers, so I block all Chinese IP space at the firewall level.

The current IP list by country is available from ARIN or here: http://www.nirsoft.net/countryip/cn.html

I get maybe one or two a month at this rate and ASL blocks the IP of any suspicious activity forever.

Amaury
02-02-2013, 07:01 PM
Just got 10 e-mails saying my account was locked.

Like Paul said, though, if you have a strong password, there's nothing to worry about.

EDIT: Just got more. XD

Amit86
02-02-2013, 08:57 PM
Just received 180 emails about my account being locked for wrong password

Amenadiel
02-02-2013, 08:58 PM
A few more IPs from last hours

at least they bothered to hire a botnet to perform the attack.

Alex_Grist
02-02-2013, 09:10 PM
I've also had over 150 emails regarding my account being locked due to someone attempting to brute force my password; VBulletin should be better prepared for something like this, surely having an account locked means you can't attempt at all for 15 minutes? This is annoying spam that needs to be prevented.

Edit:

Added a GMail filter to automatically delete the annoying emails.

Azunai
02-02-2013, 10:00 PM
Well how about an email WHENEVER someone SUCCESSFULLY logs into your account
this would be very interesting to know + avoid "login try" spam

BarelyHangingOn
02-02-2013, 10:11 PM
I am getting a pole load of them too. Annoying.

DAMINK
02-02-2013, 10:18 PM
I changed locations for my admin and mod areas.
Never had an issue with false logins unless it's me screwing up (happens often).

I made a fake admin/mod area that ultimately leads to a trap and .htaccess bans that ip address.
Nice simple easy solution.
I imagine these attacks are automated and looking for /admincp/ sort of thing.

I highly recommend renaming your admin and mod areas.
Not to mention hiding your version number as they often use the 2 as a means of targeting the desired board.

Bluemax712
02-02-2013, 10:50 PM
Yes - it should be redesigned to lockout for 15 minutes from any IP
I got 14 emails listing 14 different IPs within 5 minutes

or maybe it is locking out from all IPs for 15 minutes
and it's the message that should be changed when there are more attempts from different IPs during the lockout period:

Account already locked but another attempt has been made by xxx.xxx.xxx.xxx

AuroraStorm
02-02-2013, 10:57 PM
Yep...I got the same thing from an IP 180.241.113.26 that I tracked to Indonesia...

Digital Jedi
02-02-2013, 11:01 PM
I've also had over 150 emails regarding my account being locked due to someone attempting to brute force my password; VBulletin should be better prepared for something like this, surely having an account locked means you can't attempt at all for 15 minutes? This is annoying spam that needs to be prevented.

Edit:

Added a GMail filter to automatically delete the annoying emails.

Better prepared? They didn't get in. They got locked out. Your account did not get compromised. AND you were informed. Exactly what would be better than that?

Beretta1526
02-02-2013, 11:18 PM
More IPs from about 45 minutes ago, and then 36 minutes ago:

I guess it's a good thing I didn't use "monkey" for my password, huh?

Bluemax712
02-02-2013, 11:30 PM
For anyone keeping track here is the sorted list of previous 3 posts - with my own included:

mykkal
02-02-2013, 11:46 PM
Brute force will block logins via IP, not username so if you have it configured correctly, you won't have to worry about them ever trying to break your passwords again. It would take too long.

I look at my brute force reports now and then... But mostly I don't worry cause it blocks them.

--------------- Added 1359852530 at 1359852530 ---------------

I'm considering blocking China too. I do get indexed by baidu but I receive relatively little traffic from China. It's strange that it's beneficial to cut 1 billion people off.

China's government has to know about these things. They are heavily industrialized and they seem to steal everything they can. Our government is doing nothing about it.

99% of SPAM comes from China. I have no reason for anyone in China to view any content on my servers, so I block all Chinese IP space at the firewall level.

The current IP list by country is available from ARIN or here: http://www.nirsoft.net/countryip/cn.html

I get maybe one or two a month at this rate and ASL blocks the IP of any suspicious activity forever.

--------------- Added 1359852764 at 1359852764 ---------------

How did you make that trap? That's hella cool.

I made a fake admin/mod area that ultimately leads to a trap and .htaccess bans that ip address.
Nice simple easy solution.

CableSux
02-03-2013, 12:26 AM
I just started receiving these emails now. Obviously it's working to keep them from getting into my account. But how do I set up my vbulletin to do the same for my site? Someone mentioned Brute Force?

Amaury
02-03-2013, 12:36 AM
I've also had over 150 emails regarding my account being locked due to someone attempting to brute force my password; VBulletin should be better prepared for something like this, surely having an account locked means you can't attempt at all for 15 minutes? This is annoying spam that needs to be prevented.

Edit:

Added a GMail filter to automatically delete the annoying emails.

If you checked "Remember Me?" whenever you last logged in and just close your browser when you're done browsing instead of logging out, then these brute force attacks won't affect you.

They only lock you out from logging in, but if you're already logged in, then you can still use the site as you would any other day.

As for account locks, for the reference, I've got a total of 66 e-mails.

BigJohnny
02-03-2013, 12:39 AM
Same here...just now. a few times.

I reset my password.

CaseLogic
02-03-2013, 12:44 AM
Damn, this is happening to me now. I came to create a thread but apparently some botnet is having a field day on these forums.

And clearly VB staff doesn't care much about these attempts given no one has officially commented in the past few days?

Bluemax712
02-03-2013, 12:44 AM
99% of SPAM comes from China. I have no reason for anyone in China to view any content on my servers, so I block all Chinese IP space at the firewall level.

The current IP list by country is available from ARIN or here: http://www.nirsoft.net/countryip/cn.html

I get maybe one or two a month at this rate and ASL blocks the IP of any suspicious activity forever.

Amazingly this is not true according to Spamhaus
most spam comes from US
http://www.spamhaus.org/statistics/countries/

Amaury
02-03-2013, 12:52 AM
Damn, this is happening to me now. I came to create a thread but apparently some botnet is having a field day on these forums.

And clearly VB staff doesn't care much about these attempts given no one has officially commented in the past few days?

The staff has no control over it.

CableSux
02-03-2013, 12:53 AM
I like how I was notified by vB that someone attempted to login to my account. How do I set up my site to do the same thing... and track those attempts?

CaseLogic
02-03-2013, 12:57 AM
The staff has no control over it.
First off, I disagree. They can start banning IP ranges so this doesn't keep happening slowly to their entire userbase.

Secondly, even if they don't take any action to prevent it, it couldn't hurt to send users emails to inform them that apparently botnets are trying to brute force their way into people's accounts, and to take the proper measures (ensure passwords are secured, etc).

Amaury
02-03-2013, 01:02 AM
First off, I disagree. They can start banning IP ranges so this doesn't keep happening slowly to their entire userbase.

Secondly, even if they don't take any action to prevent it, it couldn't hurt to send users emails to inform them that apparently botnets are trying to brute force their way into people's accounts, and to take the proper measures (ensure passwords are secured, etc).

They do send out e-mails.

Account on vBulletin.org Forum locked out

Dear Amaury25,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 218.17.157.20

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
https://vborg.vbsupport.ru/login.php?do=lostpw

All the best,
vBulletin.org Forum

BigAl205
02-03-2013, 01:07 AM
First off, I disagree. They can start banning IP ranges so this doesn't keep happening slowly to their entire userbase.

Secondly, even if they don't take any action to prevent it, it couldn't hurt to send users emails to inform them that apparently botnets are trying to brute force their way into people's accounts, and to take the proper measures (ensure passwords are secured, etc).
You can't be too broad with your restrictions unless your board has a specific target. For companies working with a global market such as VB, it's bad business to block too many ranges. I'm sure even China has legitimate customers using VB who would be blocked if a large enough range was used.

Carpesimia
02-03-2013, 01:13 AM
Hacking is at a big-time high. Twitter just got hacked. If your site is big enough, expect someone to try and hack you.

vBulletin is working great knocking away the brute force attempts and sending emails to alert users someone is trying to log in as them. I got like 50 emails tonight, and decided to come in and update my already decent password to an even better one. That's what the emails are for, in my opinion.

And VB not caring? If they didn't care, they wouldn't have built it into the system. People try to hack, they fail, and then they go away. If VB staff made a big deal about it each time, it would only encourage the people to try harder.

My $.02, anyways.

Big Al
02-03-2013, 01:17 AM
Dear Big Al,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 41.67.2.2

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
https://vborg.vbsupport.ru/login.php?do=lostpw

All the best,
vBulletin.org Forum

IP= 41.67.2.2 Proxy from Khartoum.

There is no doubt that spamming is getting worse and newer advanced programs are being used to counteract anti-spam measures we take. The providers need to become proactive, not brush the problem aside.
VB does send out an email, thanks, but action needs to be initiated to counteract the advances the spammers are putting in place.

If you checked "Remember Me?" whenever you last logged in and just close your browser when you're done browsing instead of logging out, then these brute force attacks won't affect you.

A valid point, but I think it will only work if you allow cookies to be stored.
Many people delete cookies when they log off.

--------------- Added 1359858815 at 1359858815 ---------------

99% of SPAM comes from China. I have no reason for anyone in China to view any content on my servers, so I block all Chinese IP space at the firewall level.

Exact figures are hard to come by. But it does appear that most spam comes from the USA.

Currently there is a lot from USA, China and Ukraine etc.

China is sensitive to international pressure and their reputation.

They have made large strides recently to curb scammers and other fraud. Closing down large numbers of bad sites etc. This is to their credit and is welcome.

However most governments are reluctant to curb any income producing method and the income from Chinese businesses who use spam is very large.

Until recently, a lot of the traffic was curtailed and quite a few businesses used ISPs in Hong Kong and Switzerland to bypass restrictions in mainland China. I think this is now not so common.

chiapeterson
02-03-2013, 02:23 AM
I've received 40 messages in the last 5 minutes about my account being locked because someone has entered the password wrong 5 times. Each message has a different IP address. PLEASE close\delete this account. I've not used VBulletin in over 4 years. Thank you!

Amaury
02-03-2013, 02:36 AM
As far as I know, they don't delete accounts here.

chrisngrod
02-03-2013, 02:44 AM
Just wanted to chime in that they are trying to brute force mine as well.

Chevy II
02-03-2013, 02:53 AM
I also received 47 of these emails. The reports were from many different IP addresses too. Romania, China, Brazil and India to name a few...

What is up with this?

--------------- Added 1359863784 at 1359863784 ---------------

BTW, this was an attempt from someone trying to log into my account 5 times with the wrong PW... Not an account deletion.

Here is an example of 1 of the 47 emails I received.


Dear Chevy II,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 103.7.64.51

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
https://vborg.vbsupport.ru/login.php?do=lostpw

All the best,
vBulletin.org Forum

Amaury
02-03-2013, 03:01 AM
I also received 47 of these emails. The reports were from many different IP addresses too. Romania, China, Brazil and India to name a few...

What is up with this?

--------------- Added 1359863784 at 1359863784 ---------------

BTW, this was an attempt from someone trying to log into my account 5 times with the wrong PW... Not an account deletion.

Here is an example of 1 of the 47 emails I received.

Nothing to worry about if you have a strong password. Just spam accounts trying to get in.

Digital Jedi
02-03-2013, 03:21 AM
Damn, this is happening to me now. I came to create a thread but apparently some botnet is having a field day on these forums.

And clearly VB staff doesn't care much about these attempts given no one has officially commented in the past few days?

The staff has no control over it.

Um, Paul commented on it today. The software is working like it's supposed to. This thread is bewildering. The software is doing what it's supposed to. Locking them out, and informing you of attempts. But this is, for some reason, considered out of control? So far no one has answered my question. What more do you want it to do?

chrisngrod
02-03-2013, 03:38 AM
I don't think anyone should complain. If you are a large forum owner, you know how it goes.

I just came to note that it was happening to me.

CAG CheechDogg
02-03-2013, 05:52 AM
Yep, happened to me today too.

bingocaller
02-03-2013, 06:50 AM
I received around 50 of the same e-mails this morning as well.....

Amadeusmq
02-03-2013, 07:03 AM
This is happening to me too.

Hundreds of emails from vbulletin.org in my mailbox today. I think that's what's freaking people out.

broonzy
02-03-2013, 08:13 AM
They're doing it alphabetically apparently.
They tried mine last night, 55 emails from 1:10am to 1:55am.

What I'm thinking about, you could change the account locking time to a bigger but acceptable delay (15 mins is nothing, 1 hour would be reasonable).

Andyucs
02-03-2013, 08:28 AM
same here

Simon Lloyd
02-03-2013, 09:57 AM
AFAIK vBulletin software is sold as a community building software, I don't remember seeing on the box anything about server management, webmastering or Authoring or HTML & coding help, etc.

Part of being a forum owner is trying out ways to overcome certain unwanted aspects and we do this to try and stop bots and spammers, at server level it's up to your hosts and yourself to harden your server environment. One thing is for sure if they really want to get in they will, good thing is there aren't that many who are that determined.

Christie
02-03-2013, 10:49 AM
Happened to me today too - just going to hit the delete button on all the notifications and change my password - just wanted to know it's not only happened to me.

BigAl205
02-03-2013, 12:11 PM
I'm curious as to how they are getting the usernames

Simon Lloyd
02-03-2013, 12:16 PM
Just a wild guess but https://vborg.vbsupport.ru/memberlist.php

Bluemax712
02-03-2013, 12:33 PM
deleted

Big Al
02-03-2013, 12:34 PM
Just a wild guess but https://vborg.vbsupport.ru/memberlist.php :)

There are many hackers and scammers that sell what we call " Dumps"

Just as there are email harvesters, so it is for many other places they want to get into.

Hackers in some of the countries that are not so rigid on cybercrime, run websites that advertise such things. I am chasing a guy in India who is actively running some of these websites, that sell programs for harvesting.

Below, chosen at random is part of one of these Dumps. This particular guy is from Nigeria.

I am a working boy wey dey run shows for guys online concerning Bobming of mails
Cpanel cloning,bank transfers TRojans to hack PCS & Paypal transfer to any
of your client acount

CONTACT ME ON xxxxx

CeesT
02-03-2013, 01:19 PM
Last night I also received 38 mails of failed login attempts.

But why are there 38 mails within a period of 2 minutes ???

After the first attempt, the mail is sent and then the next 15 minutes no logins should be possible for my account. But it seems that you can immediately try to login again if you use a different IP address as the attempts came from different IPs.

Is this normal behaviour or is this a bug in this version of vbulletin (3.6.12) ??

cellarius
02-03-2013, 01:33 PM
Just a wild guess but https://vborg.vbsupport.ru/memberlist.php
Even without that it's not hard to harvest vB usernames.

Anyway, my account is under attack, too, but I wish them luck with my 20 digit random password including caps, lowercase, digits and special chars. :D

Else, I totally agree with digital jedi - the software is doing its job, it locks out the bots and sends out notifications. All nice and dandy, nothing staff could do about that, really.

Paul M
02-03-2013, 02:27 PM
Last night I also received 38 mails of failed login attempts.

But why are there 38 mails within a period of 2 minutes ???


We process e-mails in batches, plus as far as I remember, attempts from a different IP address will trigger a separate e-mail.

It's obvious it's targeting each username from a wide range of IPs. If you have no interest in the e-mails, simply delete them.

Chase
02-03-2013, 02:42 PM
I really like vb.org's email notification saying someone has been trying to log into your account.

How can I implement this on my forum? I find this very useful.

CeesT
02-03-2013, 02:47 PM
We process e-mails in batches, plus as far as I remember, attempts from a different IP address will trigger a separate e-mail.

It's obvious it's targeting each username from a wide range of IPs. If you have no interest in the e-mails, simply delete them.

I have no problems with the mails, I was just surprised that the 'locked' account is unlocked directly when the request comes from another ip. I did not know that before.
I have just tested it with one of my forums (3.8.7) and indeed the same happens. When I try to login from another ip, I have 5 more possibilities to use bruteforce hacking.

Perhaps it would be better to lock the account for 15 minutes without checking if the IP has changed. The success rate for a hacker is minimized then and a forum member normally will not change IP if he has typed the wrong password.

The only disadvantage of this is that some joker could stop a real member from logging-in if he continues to do this. So maybe that's the reason for unlocking from a new ip.
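The trade-off discussed in the post above, as an added illustration that is not part of the original thread and is not vBulletin's code: the same distributed guessing run is replayed against a per-IP strike counter and against a per-username lock. The 5-strike and 15-minute values come from the lockout e-mail quoted in this thread; the `StrikeTracker` class, the sliding-window lock and all addresses (documentation ranges) are assumptions constructed for the example.

```python
from collections import defaultdict

MAX_STRIKES = 5          # wrong passwords before a lock (value from the e-mail in this thread)
LOCK_SECONDS = 15 * 60   # lock duration (value from the e-mail in this thread)


class StrikeTracker:
    """Hypothetical failed-login throttle, not vBulletin's implementation.

    scope='ip'   counts strikes per (username, source IP)
    scope='user' counts strikes per username, whatever the source IP
    """

    def __init__(self, scope):
        if scope not in ("ip", "user"):
            raise ValueError("scope must be 'ip' or 'user'")
        self.scope = scope
        self.failures = defaultdict(list)   # key -> timestamps of recent failures

    def _key(self, username, ip):
        name = username.lower()
        return (name, ip) if self.scope == "ip" else (name,)

    def attempt(self, username, ip, password_ok, now):
        """Return 'locked', 'ok' or 'fail'. A locked attempt never tests the password."""
        key = self._key(username, ip)
        # Keep only failures that are still inside the lock window.
        recent = [t for t in self.failures[key] if now - t < LOCK_SECONDS]
        self.failures[key] = recent
        if len(recent) >= MAX_STRIKES:
            return "locked"
        if password_ok:
            del self.failures[key]          # a good login clears the strikes
            return "ok"
        recent.append(now)
        return "fail"


# Constructed sample data: 40 bot sources and one legitimate owner address.
BOT_IPS = ["198.51.100.%d" % n for n in range(1, 41)]
OWNER_IP = "203.0.113.7"


def run_attack(scope, tries_per_ip=6):
    """Replay the attack, then let the real owner log in with the right password.

    Returns (guesses that actually reached the password check, owner's result).
    """
    tracker = StrikeTracker(scope)
    now = 0
    evaluated = 0
    for ip in BOT_IPS:
        for _ in range(tries_per_ip):
            if tracker.attempt("victim", ip, False, now) == "fail":
                evaluated += 1
            now += 1                        # one attempt per second
    owner = tracker.attempt("victim", OWNER_IP, True, now)
    return evaluated, owner


if __name__ == "__main__":
    for scope in ("ip", "user"):
        evaluated, owner = run_attack(scope)
        print("scope=%-4s guesses tested=%3d owner login=%s" % (scope, evaluated, owner))
```

Per-IP counting lets every new address test another five passwords, while the per-username lock caps the whole botnet at five but also refuses the owner's correct password until the window expires.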

Lynne
02-03-2013, 04:50 PM
I really like vb.org's email notification saying someone has been trying to log into your account.

How can I implement this on my forum? I find this very useful.
AdminCP > Settings > Options > General Settings > Use Login "Strikes" System > Yes

CableSux
02-03-2013, 08:47 PM
AdminCP > Settings > Options > General Settings > Use Login "Strikes" System > Yes

Thanks, that works for the user, but I'd like the admin to get a copy of that e-mail, too. Anyone know a way to make that happen?

BigAl205
02-03-2013, 10:27 PM
Just a wild guess but https://vborg.vbsupport.ru/memberlist.php
I meant to ask how non-members are getting to the members list. I'm assuming that a member is aggregating the list. Is there any way to pull up members within the offending IP range and verify their intent or restrict their permissions?

Simon Lloyd
02-03-2013, 10:35 PM
I meant to ask how non-members are getting to the members list. I'm assuming that a member is aggregating the list. Is there any way to pull up members within the offending IP range and verify their intent or restrict their permissions?
Nope! Here memberlist.php is available to guests!

BigAl205
02-03-2013, 10:55 PM
Oh, OK...seems like hiding the member list to the public would be a nice first step.

Chickenpotpie
02-03-2013, 11:42 PM
Ok So I see I'm not the only one. I got 78 messages about being locked out. I agree its annoying as hell.

chaser.nl
02-04-2013, 11:53 AM
got the same thing yesterday, looks like it started again.. annoying but I use a safe password :)

BirdOPrey5
02-04-2013, 01:22 PM
Oh, OK...seems like hiding the member list to the public would be a nice first step.

Would be futile... The entire site is open to the public to read (posts) - You could skim usernames by simply browsing threads and capturing the usernames- it would be nothing to build the same list assuming you ever made a post.

Antonio Pereira
02-04-2013, 01:29 PM
Same Problem here:

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

If people post the IPs here, maybe you can ban them in the server firewall.

moreno
02-04-2013, 09:10 PM
Same here, brute force from following IPs:

Blocking IPs will not help, you should set locking accounts based on username attempts, not IPs.

Azucar
02-05-2013, 01:24 AM
Oh, OK...seems like hiding the member list to the public would be a nice first step.

Ditto.

Got 12 emails myself. These are the IPs:

b6gm6n
02-05-2013, 01:37 AM
I got the same, I thought I'd come here to find this thread...

It seems to me that someone/group has been sold a database of 'older' user names & password combinations for various sites/forums etc... most likely gleaned some years ago due to past hacks, key-loggers, infected email accounts and probably a raft of other exploits which all exact the same purpose... to ultimately fund organized crime through spamming which results in revenue generation sadly, they just don't want to sell you sex-aids and cheap trainers and then live a life of access themselves... there's a reason to the madness, it's prevalent and widespread and it's organized, racketeering bodies are sold on databases of such information over and over, year in year out.. the older they get the more useless they become (and cheaper to the gangs) so they take the data and do a sweep to see what falls... any monies made goes back to the source, in years past it was drug trafficking and such & such.. today the internet and such data the public pass through their keyboards is used both commercially by the sites themselves and illegally by criminals if they can get at it... you've all heard of the high-profile attacks on 'steam' accounts for example... well guess what happens to all those accounts? yup that's it... sold on and used not right away but some years later... they'll be due to pop-up soon... I think this round of attacks shows that either the vb.org database was compromised some years back and no-one told you about it... or it's just a collection for username/password combos from an older collection of data... so all of us in this thread are on some kind of older database being sold on to gullible new gangs in the hope of making some illicit funds, I bet it wasn't just vb that was hit recently...

oh and Twitter was hacked, apparently... tell you what, that's old data again... old accounts long since set up lost to a gang, ripe for spamming and making some money from... all goes back to the same people... Kim Dotcom or whatever he calls himself these days made a million or 20 out of hosting ripped off content... he didn't make that kinda money selling space to students making maps for games or for people to hold their music files online... no, it was rife piracy... he still has lots on the boil... they hack the sites, share the content among the higher echelons of their content-mules then dish it out multiple times across many forums... all going back to a pay download option...

anyhew if you have an older account... bet you had a little bit-tickle recently... silly sods.

cellarius
02-05-2013, 06:19 AM
Sorry, that's pretty much nonsense and backed up by nothing, just silly speculation. You don't need a database to do such a brute force attempt, you just harvest usernames either from the userlist or the posts and throw those usernames at the login form.

b6gm6n
02-05-2013, 03:07 PM
Sorry, that's pretty much nonsense and backed up by nothing, just silly speculation. You don't need a database to do such a brute force attempt, you just harvest usernames either from the userlist or the posts and throw those usernames at the login form.

"Sorry, that's pretty much nonsense and backed up by nothing"

be well.

cellarius
02-06-2013, 06:15 AM
You are the one claiming vb.org was hacked at some time in the past and the database stolen. You back that up by nothing, and you can't explain why the much simpler method everyone else in this thread assumes won't work. So...

Simon Lloyd
02-06-2013, 07:36 AM
The fact that they are doing it in alphabetical order proves that they are scanning the members list as the database, if it was stolen, is not automatically in alphabetical order but in order of userid.

It's as simple as that, pretty soon they'll be through the entire list and all this will be forgotten, if you want advice, change your password to something strong and they won't get anywhere with their 5 attempts per IP.

mykkal
02-06-2013, 01:50 PM
The fact that they are doing it in alphabetical order proves that they are scanning the members list as the database, if it was stolen, is not automatically in alphabetical order but in order of userid.

It's as simple as that, pretty soon they'll be through the entire list and all this will be forgotten, if you want advice, change your password to something strong and they won't get anywhere with their 5 attempts per IP.

That actually depends on 'preferences', sort options, and how the data is exported. It could be a custom script. So even if it downloads in alphabetical order by username they could still re-sort by USERID.

Just my opinion but your accusation could have a lot of simpler truths. I don't think that's evidence of stealing.

Whenever I export data I almost always have to manipulate it. It's never in the form I need it to be at export.

kh99
02-06-2013, 01:56 PM
Well, as cellarius pointed out, if someone had stolen the database the thing to do would be to use the hashed passwords and salt values to try to crack the passwords on a local computer. Using a stolen database just to get the usernames for a brute force attack over the net would be pretty stupid (but, well, I suppose there are people like that around).

Edit: but of course the point is that there's no reason to think they have access to the database, since it can easily be done with the member list.

mykkal
02-06-2013, 02:01 PM
Cosign...

Well, as cellarius pointed out, if someone had stolen the database the thing to do would be to use the hashed passwords and salt values to try to crack the passwords on a local computer. Using a stolen database just to get the usernames for a brute force attack would be pretty stupid (but, well, I suppose there are people like that around).

--------------- Added 1360163835 at 1360163835 ---------------

brute force is an attempt to login...Not the aftermath of data stolen. If someone had the data they could just clone the site, login, and do whatever without fear of being caught.

I don't think brute force should be by username but by IP because the intruder is foreign and blocking by username would lock out the legitimate user. Just create a strong password and that is enough. Mixed with symbols, numbers, and letters a strong password would take until infinity to crack. That's totally safe.

Paul M
02-06-2013, 03:24 PM
No one has stolen any data. That's enough of such nonsense, any more such ridiculous posts will be removed. Stick to the topic and facts, not wild imagination.

Simon Lloyd
02-06-2013, 04:07 PM
@Paul M, do you not think this thread has run its course now? :)

mykkal
02-06-2013, 04:10 PM
it should be closed.

ForceHSS
02-06-2013, 04:16 PM
Agree, close this, it should have been closed a long time ago

Lynne
02-06-2013, 05:35 PM
I am going to close this as the original question was actually responded to in the second post. :)