Quote:
Unless you mean "what do they hope to accomplish with only 5 guesses", then I don't know, seems like they'd have to get really lucky. Or they're just trying to annoy people, or clog the server with emails to send. |
Hackers are out tonight!
94.228.204.30 x2 |
The lockout is actually IP specific.
|
I got a similar email too:
Received: from mx5.internetbrands.com (mx5.internetbrands.com [98.158.194.50]) by mtain-mh02.r1000.mx.aol.com (Internet Inbound) with ESMTP id 8B0EA38000083 for <deleted>; Sat, 28 May 2011 19:21:36 -0400 (EDT)
Received: from jelsoft3.internetbrands.com (jelsoft3.internetbrands.com [172.16.229.76]) by mx5.internetbrands.com (Postfix) with ESMTP id 45D432006C for <deleted>; Sat, 28 May 2011 16:21:36 -0700 (PDT)
Received: from jelsoft3.internetbrands.com (localhost.localdomain [127.0.0.1]) by jelsoft3.internetbrands.com (8.13.8/8.13.8) with ESMTP id p4SNLanG030536 for <deleted>; Sat, 28 May 2011 16:21:36 -0700
Received: (from jelsoft@localhost) by jelsoft3.internetbrands.com (8.13.8/8.13.8/Submit) id p4SNLaBr030533; Sat, 28 May 2011 16:21:36 -0700
Date: Sat, 28 May 2011 16:21:36 -0700
X-Authentication-Warning: jelsoft3.internetbrands.com: jelsoft set sender to webmaster@vbulletin.org using -f
To: deleted
Subject: Account on vBulletin.org Forum locked out
From: "vBulletin.org Forum" <webmaster@vbulletin.org>
Auto-Submitted: auto-generated
Message-ID: <201105282336.fc033e6fa850@www.vbulletin.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Content-Transfer-Encoding: quoted-printable
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:255893488:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d60d64de183801e9c
X-AOL-IP: 98.158.194.50
X-AOL-SPF: domain : vbulletin.org SPF : permerror |
Quote:
|
Maybe vb.org would benefit from installing the bad behavior addon.
|
|
I've merged both threads about the same attack into the same thread, within the feedback forum.
|
Got the same 3 times, IPs are ..............
194.85.80.107 94.228.204.30 94.228.204.2 |
hi,
It happened on mine too: 94.228.204.2 178.213.33.129
I guess somebody is looking for freebies :D |
Here the same:
The person trying to log into your account had the following IP address: 222.173.42.106 The person trying to log into your account had the following IP address: 115.127.15.44 |
same here...
95.154.98.152 seems like a problem is starting.... |
..and here - 2 different IPs, identical times;
94.228.204.2 94.228.204.30 |
and here: 83.222.206.146 and 81.30.164.94
|
Someone might have coded a bot, best thing would be to disable the member list, otherwise they can get the list of our usernames. :(
|
Happened to me also. Seems they attacked all accounts with 3 bruteforce attempts. That makes me worry about those who have only one or two and not three recorded events. Could mean they were successful with one of their attempts.
I guess there are a few users here who have sent their logins from servers or admincps to others (i.e. to mod developers in times of support etc.) Something very insecure, but I'm sure some did that. Would be wise to inform all users - and to force all vb.org members to set up a secure passphrase.
--------------- Added [DATE]1306661692[/DATE] at [TIME]1306661692[/TIME] ---------------
Quote:
|
True.. But memberlist contains offline members, while online box has only online members. But good point anyway.
Bigger damage can be done with the memberlist than with the online box. |
Quote:
All others, the active users, can be found in the threads here. And to program a bot to get those account names is done in a blink of an eye. Whatever, disabling the ML could help with an additional benefit, even when it would be a very little one. But sometimes that makes a difference. |
I haven't logged on since Dec 2007 and just got the same email:
82.145.242.38 201.22.130.226 |
IPs resolve to online proxies, which means this is a 100% automated attack.
|
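The posts above note that the lockout is IP specific and that the same accounts were hit from several proxy addresses. The following is an added example, not part of any post in this thread and not vBulletin code: it aggregates failed logins across the (IP, account) pairs that a per-IP lockout counts separately. The log format, the thresholds and all sample IPs and usernames are constructed assumptions.

```python
from collections import Counter, defaultdict

LOCKOUT_AFTER = 5  # assumed per-IP strike limit; the thread mentions 5 guesses

def fails(t0, ip, user, n):
    """Build n constructed failed-login events one second apart."""
    return [(t0 + i, ip, user, False) for i in range(n)]

# Constructed sample events: (unix_time, source_ip, username, succeeded).
# IPs come from documentation ranges; usernames are invented.
A, B, HOME = "192.0.2.10", "198.51.100.20", "203.0.113.5"
EVENTS = (
    fails(0, A, "alice", 5) + fails(10, A, "bob", 5) + fails(20, A, "carol", 5)
    + fails(30, B, "alice", 5) + fails(40, B, "bob", 5) + fails(50, B, "carol", 2)
    + [(52, B, "carol", True)]                                 # a guess that worked
    + fails(60, HOME, "dave", 1) + [(61, HOME, "dave", True)]  # ordinary typo
)

def analyze(events, min_accounts=3, min_ips=2):
    """Aggregate failures across the (IP, account) pairs that a per-IP
    lockout counts separately."""
    accounts_by_ip = defaultdict(set)   # ip -> accounts it failed against
    ips_by_account = defaultdict(set)   # account -> IPs that failed against it
    total_fails = Counter()             # account -> failures from all IPs
    for _, ip, user, ok in events:
        if not ok:
            accounts_by_ip[ip].add(user)
            ips_by_account[user].add(ip)
            total_fails[user] += 1
    spraying = {ip for ip, u in accounts_by_ip.items() if len(u) >= min_accounts}
    targeted = {u for u, ips in ips_by_account.items() if len(ips) >= min_ips}
    # Accounts that took more guesses in total than one IP is allowed.
    over_limit = {u: n for u, n in total_fails.items() if n > LOCKOUT_AFTER}
    # A success from a flagged IP may be a correct guess: force a reset.
    suspect = sorted({(u, ip) for _, ip, u, ok in events if ok and ip in spraying})
    return {"spraying_ips": spraying, "targeted": targeted,
            "over_limit": over_limit, "suspect_logins": suspect}

if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(key, value)
```

On the sample data, dave's single mistyped password is not flagged, while carol's successful login from a flagged address is the case one poster worries about for accounts with fewer lockout emails than the rest.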
The only accounts really in danger of getting compromised by this are people who use the following passwords:
1) The same as their username (Sometime around 3.8 vBulletin actually added a check to prevent this)
2) password
3) 12345(6)...

Unfortunately I'd bet that counts for 10% or more of the users on any given site, including here. I didn't get any emails but I changed my password to be extra-secure just to be sure today. |
they must want plugins bad.....
|
Quote:
|
The person trying to log into your account had the following IP address: 58.61.154.169
|
Just thought I'd let the powers that be know that the following IP addresses were logged trying to brute force their way onto my account on the 28th of May. I received the emails from the system stating that the account had been locked because of this. The IPs are registered in the Russian domain space.
Enjoy 178.213.33.129 94.228.204.2 |
Also in mine, on 28/05/2011.
94.228.204.2 194.151.57.244 |