vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin.org Site Feedback (https://vborg.vbsupport.ru/forumdisplay.php?f=7)
-   -   Account locked? (https://vborg.vbsupport.ru/showthread.php?t=280796)

Digital Jedi 04-10-2014 05:30 PM

Quote:

Originally Posted by X-or (Post 2492482)
Does not mean nobody got hacked, just that nobody reported yet. I have looked in my user CP, there is a paypal email address field, maybe that's what the hackers are after. If they can get both a password and a paypal email address, it's potentially very dangerous. There is also the homepage field that can be potentially very dangerous. I recommend people to blank these fields if no measures are going to be taken.

As was mentioned multiple times, if your password is secure, you have nothing to worry about. You do realize that this happens on every account you have across the internet, right? Daily. It's just vBulletin has a built in notification process when it happens. Most places, you'd never know unless you have an awful password. Seriously, though. Knowing your PayPal email address is about as potentially dangerous as someone knowing your last name. Everyone we did business with already knows it.

We really have to stop this paranoia every time hacking bots randomly pick this site as a target. Everything that can be done on the administration end has been done. Now you have to secure your password, just like you would everywhere else on the web. I can't understand why this doesn't sink in.

BirdOPrey5 04-10-2014 05:39 PM

Quote:

Originally Posted by whitetigergrowl (Post 2492468)
No biggie until they eventually hack into your account and get your password. Anyone that says this is no biggie is seriously underestimating what is going on and potentially willing to compromise their account and information here and elsewhere.

200.112.211.80
117.164.142.150

I had 2 attempts on my account at the same time today. (8:09am)

Do not underestimate or downplay this. One IP is from Colombia and another from China in my case.

If you have a secure password it would take hundreds of thousands or millions or more chances to brute force break your password. Even someone who got 50 emails only had 250 max unique passwords checked on their account. The chances of them getting it right are almost zero. If your password is even puppy1036 they are never going to get it with this attack.

They are looking for the extremely weak passwords- such as-
password
123456
abcde
[your username]

etc...

Quote:

Originally Posted by JetLee (Post 2492469)
What got me worrying is that someone also called my cell phone carrier trying to ascertain my home address. WTF? I've since put extra security measures in place with all utilities and banks as well as changing all forum passwords to something even more complicated than I was already using.

I can assure you they are not related. This happens every few months around here- they are only looking for valid, licensed, accounts.

BirdOPrey5 04-10-2014 05:42 PM

Quote:

Originally Posted by X-or (Post 2492482)
Does not mean nobody got hacked, just that nobody reported yet. I have looked in my user CP, there is a paypal email address field, maybe that's what the hackers are after. If they can get both a password and a paypal email address, it's potentially very dangerous. There is also the homepage field that can be potentially very dangerous. I recommend people to blank these fields if no measures are going to be taken.

The paypal field is only of value to coders/designers who can receive donations from other members as thanks for their mods.

There is no risk so long as you don't have the same password for vbulletin.org and paypal.

My paypal email is: paypal@juot.net - I welcome any donations anyone wants to send - there is ZERO risk making this public.

TNCclubman 04-10-2014 06:01 PM

getting brute forced as well here getting notifications of wrong password.

whitetigergrowl 04-10-2014 06:02 PM

It may happen every few months, but it doesn't make it any less serious. Maybe there is something the site can do to help prevent or minimize further attacks? I'm sure there are a number of things that can be done.

Vbulletin.org is the only site I have had this happen at. While it's possible or likely it may have happened at others and I never knew about it, it's still not reassuring IMO.

Or is it gonna take something catastrophic to happen and the damage done before it's taken more seriously? Simply put, I don't think this should be happening as often as it is, to the point it's affecting members here. Let alone to the point it's making them jittery.

We don't know what they are after or what the true intention is. Having a good password may still not stop them. It's obvious they are looking for something. The question is if they get what they are looking for, is VB.org prepared to deal with the fallout and who will take responsibility for not trying to do more about it ahead of time when the chance was there?

This caught my attention. Downplaying it is not something I know I would be doing.

BirdOPrey5 04-10-2014 06:16 PM

The only thing we will likely do at some point is stop having so many emails sent to the users since there is really nothing you can do about it.

We will monitor when these things happen but there isn't a whole lot anyone can do.

The fact these emails are generated frankly means the system is working.

vBulletin.org has no real sensitive data beyond forum holder email addresses- and as long as you use a unique password and a secure password there is no need to worry.

HeloHi 04-10-2014 07:16 PM

I just changed my password to something freakishly long and complex. I suggest others to do the same.

owning_y0u 04-10-2014 07:19 PM

Quote:

Originally Posted by HeloHi (Post 2492515)
I just changed my password to something freakishly long and complex. I suggest others to do the same.

32 chars FTW ;-)

Alan_SP 04-10-2014 08:14 PM

Quote:

Originally Posted by zackw (Post 2492451)
The only email I might want is perhaps something that says that a successful login took place, from a different IP than my last login.

I have dynamic IP address. It's normal in my country.

Every time I login, I'm using different IP. This would mean I'd receive emails every time when I login.

On the other hand, something like this would mean a difference to people who want to be extra safe.

RaiinbowEyes 04-10-2014 08:28 PM

Good to know I'm not alone, someone has been trying to hack my account with a proxy as well. How annoying >_< Guess it's time to change the PW to something ridiculous ;)

AuroraStorm 04-10-2014 08:51 PM

*singing voice*

IT'S THE MOWWWWWWWWWWWWST WONDERFUL TYYYYYYYYYYYYME OF THE YEAR!
WHEN YOUR IP GETS HACKED AND YOUR PASSWORDS GET JACKED!
ON VB DOT OAAAAAAAAAAAAAAARRRG! IT'S THE MOST - WONDERFUL TIME OF THE YEAAAAAAAAAAAAAR!

VargTimmen 04-10-2014 09:07 PM

I am also affected. Changed my password. Maybe this is caused through the heartbleed case?

petteyg359 04-10-2014 09:12 PM

Quote:

Originally Posted by VargTimmen (Post 2492527)
I am also affected. Changed my password. Maybe this is caused through the heartbleed case?

I farted at the same time the plane they found near Australia went off its planned route. Maybe they were related?

Seriously, random failbots attempting to break into vBulletin accounts have nothing to do with OpenSSL bugs.

Lynne 04-10-2014 09:15 PM

You guys who say this only happens on vbulletin.org - do you ever check your server access logs? I'm not talking about the apache access_logs, but the ones that show when someone tries to brute force your server. This, at vbulletin.org, is nothing compared to that!

USAMustangs.com 04-10-2014 09:57 PM

Come on vb.org, this is absolutely ridiculous. What's the issue here and what have you done to address it?


Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 183.220.40.221

The person trying to log into your account had the following IP address: 195.189.30.10

The person trying to log into your account had the following IP address: 116.213.62.122

AuroraStorm 04-10-2014 10:33 PM

Seriously, I'm not trying to be an a-hole about this, but if you check this thread from the beginning, this type of attack happens around this time every year. I caught on to that fact when I got caught last year. If my account had been locked down, I wouldn't have been able to get in and I keep this thing logged on all the time.

...and for real tho, when I really sit back and think about it, if this account gets hacked, could the hacker please go in and check off that I've installed some of the modifications? I keep forgetting to do that. THANKS!

BirdOPrey5 04-10-2014 10:45 PM

You would never be locked out unless the attack was coming from your IP Address.

blind-eddie 04-10-2014 10:48 PM

Everyone in the forum software world knows the file structure of many forum software including vbulletin.

We all know bots crawl our sites every day, they know that every member account path is "member.php?u=".
It's really easy to start with 1 then 2 then 3 ....etc...at the end of "member.php?u=" and paste your name in the login box and use a random password to see if it works.

You then get the locked account email...so what, it was not you... you know that.

Change your password to a stronger password for shits and giggles just to be safe.

Many requesting to add IPs to ban list should do a little research, it's a waste of time to ban IPs... getting a new IP is easy to do.

There is nothing that can be done to stop it from happening..no one is to blame for this happening.. there is nothing wrong with vbulletin software... welcome to the internet.

Max Taxable 04-10-2014 10:53 PM

Quote:

Originally Posted by blind-eddie (Post 2492543)
Everyone in the forum software world knows the file structure of many forum software including vbulletin.

We all know bots crawl our sites every day, they know that every member account path is "member.php?u=".
It's really easy to start with 1 then 2 then 3 ....etc...at the end of "member.php?u=" and paste your name in the login box and use a random password to see if it works.

You then get the locked account email...so what, it was not you... you know that.

Change your password to a stronger password for shits and giggles just to be safe.

Many requesting to add IPs to ban list should do a little research, it's a waste of time to ban IPs... getting a new IP is easy to do.

There is nothing that can be done to stop it from happening..no one is to blame for this happening.. there is nothing wrong with vbulletin software... welcome to the internet.

Very good post.

But.... vBorg could probably re-word the email message, making it say something like:

"We locked IP 123.456.789 out of login to your account, due to multiple failed attempts to log in. The login attempts failed but please ensure you have a strong password."


Might save a lot of this hand wringing every time this occurs.

MYU 04-10-2014 11:09 PM

I'm getting the same thing, started yesterday and all different IP addresses.

6 attempts in the past hour.

pokesph 04-10-2014 11:43 PM

same stuff, different IP: 195.19.214.8

so annoying..

Max Taxable 04-11-2014 12:07 AM

Would be helpful if vBorg also captured the offender's user agent string and sent it in the email as well - for those of us who use the "ban spiders by user agent" mod.

Mr.Windows 04-11-2014 01:42 AM

Is there a way to just delete my account? I no longer participate in the VB community and would rather just remove this vector of internet from attachment to me.

SyrLinus 04-11-2014 02:03 AM

Add 117.164.9.166 as they tried again tonight. I will be glad when this OpenSSL issue is addressed.

sb225 04-11-2014 02:05 AM

I am too getting a lot of emails from the past, that someone is trying to log into my account, can you keep my account in safe place.

nochkin 04-11-2014 02:19 AM

Just found this thread after I got about 10+ emails saying my account was locked out.
All IPs are different and from all over the world, so looks like some kind of botnet.

I originally thought... No... My precious myself thought this attack is directed to me only, but after finding this thread I realized that I'm no special. Good.
So it seems like this is just a silly bruteforce to get a hold for some forum accounts to post spam, etc.
Nothing special, no mystery, no hidden kittens. Oh, well.

Max Taxable 04-11-2014 02:33 AM

Quote:

Originally Posted by SyrLinus (Post 2492556)
Add 117.164.9.166 as they tried again tonight. I will be glad when this OpenSSL issue is addressed.

That's completely unrelated to this and is also not a vbulletin issue. The heartbleed exploit is not a brute force password cracker.

If you're concerned about site vulnerability to the heartbleed SSL issue, test it here.

Max Taxable 04-11-2014 02:34 AM

Quote:

Originally Posted by Mr.Windows (Post 2492553)
Is there a way to just delete my account? I no longer participate in the VB community and would rather just remove this vector of internet from attachment to me.

Remove your email address from the account via UserCP, then log out.

30022 04-11-2014 05:29 AM

Same

Quote:

Dear 30022,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 117.165.180.90

Kyo-dono 04-11-2014 05:58 AM

Same here:

Quote:

Dear Kyo-dono,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 194.126.181.47

Quote:

The person trying to log into your account had the following IP address: 183.238.133.43

Quote:

The person trying to log into your account had the following IP address: 212.247.140.71

Brandon Sheley 04-11-2014 06:02 AM

got this message the other day, then just now as well..

The person trying to log into your account had the following IP address: 223.84.180.232

I deleted the other email, so no idea what the proxy ip was.. not that it really matters ;)

teou 04-11-2014 08:11 AM

Several more ips from today:
119.46.203.37
183.221.174.3
117.172.66.7

Quote:

Originally Posted by ANGLICO (Post 2492449)
I would like to be able to block IP addresses that appear to originate from certain countries from trying to log into my account. Is there a way to do that? Perhaps an easier option would be to PERMIT only an IP address originating in the USA to log into my account.

Ideas?

Belay the previous, I just saw this:

I have researched this matter 1-2 years ago. There are such geo-ip apache modules - you need root access to your server to install it. But it is reasonable to do only for very localized non-English language forums. Not to mention that this approach gives false positives or negatives sometimes.

Quote:

Originally Posted by zackw (Post 2492451)
I think the solution is simple, the forum should just stop sending these emails. Clearly, if the block is only IP based, then it doesn't affect your own login attempts, and since no harm is done, your account was always safe.

The only email I might want is perhaps something that says that a successful login took place, from a different IP than my last login.

All I need to know is if someone is changing my password or changing my email or even if they have logged in from an IP not normal for me. This could alert me to a compromised account.

These emails about lockouts don't seem to serve any purpose if the intention is NOT to block every single IP that comes through. I personally can't do jack with the emails, it's not like I can come here and do IP blocks myself. So this may be a case of TMI. Just stop emailing people about failed login attempts.

Is that hard?

99% of the ordinary users in the world, esp. in the "post ip v4" era when there is shortage and recycling of IP blocks, are using DYNAMIC addresses. So, unless this is made as an option in the User Control Panel that can be turned off, this is not a very clever solution.

Quote:

Originally Posted by Digital Jedi (Post 2492486)
As was mentioned multiple times, if your password is secure, you have nothing to worry about. You do realize that this happens on every account you have across the internet, right? Daily. It's just vBulletin has a built in notification process when it happens. Most places, you'd never know unless you have an awful password. Seriously, though. Knowing your PayPal email address is about as potentially dangerous as someone knowing your last name. Everyone we did business with already knows it.

We really have to stop this paranoia every time hacking bots randomly pick this site as a target. Everything that can be done on the administration end has been done. Now you have to secure your password, just like you would everywhere else on the web. I can't understand why this doesn't sink in.

I agree it is not really dangerous, but it is just very annoying. VB Staff should just turn off these emails - can't be that hard.

Quote:

Originally Posted by VargTimmen (Post 2492527)
I am also affected. Changed my password. Maybe this is caused through the heartbleed case?

This has nothing to do with it.

Quote:

Originally Posted by Lynne (Post 2492532)
You guys who say this only happens on vbulletin.org - do you ever check your server access logs? I'm not talking about the apache access_logs, but the ones that show when someone tries to brute force your server. This, at vbulletin.org, is nothing compared to that!

That is true. I am also administering a PHPBB3 forum - on a very micro forum (read less than 10 K posts) I get around 10-20 such bruteforce attempts per day on average. Initially I was annoyed at the PHPBB guys, because these were not logged, not autobanned, there is no notification and these are stored in a temporary SQL table that gets auto-cleared. But after I looked at how many times these attacks happen I saw this was the right decision, otherwise the logs on the server will get HUGE.
Here is how it looks in mysql right now:

Code:

attempt_ip        attempt_browser        attempt_forwarded_for        attempt_time        user_id        username        username_clean
89.169.5.251        Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/53...                1397188458        0        Claytonwemn        claytonwemn
199.15.233.139        Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (K...                1397172673        0        TimothyKACH        timothykach
89.169.5.251        Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/53...                1397184431        0        Claytonwemn        claytonwemn
95.26.157.169        Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (K...                1397199455        0        FishPn        fishpn
46.119.6.88        Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (K...                1397153747        0        Ormostere        ormostere
89.169.5.251        Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (K...                1397180266        0        Claytonwemn        claytonwemn
95.28.228.160        Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (K...                1397160780        0        FishPn        fishpn


The conclusion: VB Staff, please disable email spam, thank you.
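The lockout discussed in this thread (five wrong passwords, 15 minutes, applied to the source IP) can be replayed over per-attempt rows like the ones in the table above to see what it stops and what it does not. This is an added example, not part of any post and not vBulletin or phpBB code; the rows are constructed with documentation IP addresses, and the counting window, thresholds and function names are assumptions.

```python
from collections import defaultdict

MAX_FAILURES = 5          # five guesses per lock ("50 emails = 250 passwords" in the thread)
LOCK_SECONDS = 15 * 60    # "log in again in another 15 minutes"
WINDOW_SECONDS = 15 * 60  # assumption: failures are counted over the same 15 minutes


def per_ip_lockout(attempts):
    """Replay failed logins against a lock keyed on (account, source IP).

    attempts: iterable of (unix_time, ip, username), all failed logins.
    Returns {username: {"checked": n, "blocked": n, "ips": set}}, where
    "checked" counts guesses that actually reached the password check.
    """
    recent = defaultdict(list)   # (user, ip) -> timestamps of recent failures
    locked_until = {}            # (user, ip) -> unix time the lock expires
    stats = defaultdict(lambda: {"checked": 0, "blocked": 0, "ips": set()})
    for ts, ip, user in sorted(attempts):
        key = (user, ip)
        entry = stats[user]
        entry["ips"].add(ip)
        if locked_until.get(key, 0) > ts:
            entry["blocked"] += 1        # rejected before any password check
            continue
        entry["checked"] += 1
        window = [t for t in recent[key] if ts - t < WINDOW_SECONDS] + [ts]
        recent[key] = window
        if len(window) >= MAX_FAILURES:
            locked_until[key] = ts + LOCK_SECONDS
            recent[key] = []
    return stats


def distributed_targets(attempts, min_ips=3, window=3600):
    """Accounts that saw failures from >= min_ips distinct IPs within `window` seconds."""
    by_user = defaultdict(list)
    for ts, ip, user in attempts:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()
        start, best = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] >= window:
                start += 1
            best = max(best, len({ip for _, ip in rows[start:end + 1]}))
        if best >= min_ips:
            flagged[user] = best
    return flagged


# Constructed sample rows (not taken from the thread).
T0 = 1397188800
SAMPLE = (
    # one noisy source hammering a single account
    [(T0 + 10 * i, "203.0.113.9", "bob") for i in range(12)]
    # six sources, four guesses each, all staying under the per-IP threshold
    + [(T0 + 60 * n + 5 * i, f"198.51.100.{n + 1}", "alice")
       for n in range(6) for i in range(4)]
    # an ordinary mistyped password
    + [(T0 + 30, "192.0.2.44", "carol")]
)

if __name__ == "__main__":
    for user, s in sorted(per_ip_lockout(SAMPLE).items()):
        print(user, "checked:", s["checked"], "blocked:", s["blocked"],
              "source IPs:", len(s["ips"]))
    print("accounts hit from many IPs:", distributed_targets(SAMPLE))
```

In the sample, the single noisy source is cut off after five guesses, while the spread-out source set gets all 24 guesses checked without a lock ever firing; only the per-account count of distinct IPs surfaces it.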

BirdOPrey5 04-11-2014 09:16 AM

Quote:

Originally Posted by Mr.Windows (Post 2492553)
Is there a way to just delete my account? I no longer participate in the VB community and would rather just remove this vector of internet from attachment to me.

In the future I hope we can make some changes to stop sending these emails to customers and instead send them to a local email address where network admins can keep an eye out. However- with the nature of the way things work here- it won't come soon enough to stop this attack, only hope it won't happen again in the future.

Quote:

Originally Posted by SyrLinus (Post 2492556)
Add 117.164.9.166 as they tried again tonight. I will be glad when this OpenSSL issue is addressed.

Not an OpenSSL issue. Completely unrelated- vBulletin.org doesn't use SSL. Even if it did, a brute force attack isn't a symptom of the OpenSSL issue- they would already have the sensitive data, they wouldn't be trying to figure it out.

Quote:

Originally Posted by sb225 (Post 2492558)
I am too getting a lot of emails from the past, that someone is trying to log into my account, can you keep my account in safe place.

As long as you have a decently secure password you are safe. Make sure all websites, especially vBulletin.org, have a secure (complex/long) and unique password. The unique part being perhaps the most important. With a unique password the absolute worst thing a hacker could do is post as you- which isn't high on the severity meter.

Quote:

Originally Posted by teou (Post 2492609)
c
The conclusion: VB Staff, please disable email spam, thank you.

We hear you and will do something as soon as we can, but it won't be today unfortunately.

AdrianH 04-11-2014 09:40 AM

Joe, I would think long and hard about turning off the warnings.

All that will happen is on the next attack, staff and the forum will be swamped with people whining that their account was locked, that they couldn't get mods, that nobody warned them, and they should have been told that someone was attempting to access their account.

Been there, done it .......... you can't win.

As forum admins the members here should know what the emails mean, after all their own forums do exactly the same when the Bots are active.

Lightly_Toasted 04-11-2014 09:51 AM

Very irritating... 5 emails concerning this in less than a minute.

BirdOPrey5 04-11-2014 10:29 AM

Quote:

Originally Posted by AdrianH (Post 2492625)
All that will happen is on the next attack, staff and the forum will be swamped with people whining that their account was locked,

No one is locked out. Even when they get the emails, they aren't locked out. The lock only applies to the IP address causing the problem, so unless their own computer is part of the attack they can always access their account.

smacklan 04-11-2014 10:37 AM

Got an email about the account lock myself yesterday. IP was 80.80.209.186 (Uzbekistan). First time I've logged in here in a very long time...last time was to change my password from the last big security flaw in vB. ;)

JeansJoe 04-11-2014 11:00 AM

I got around 20 of these emails. 10 yesterday 10 today in my inbox.
I switched Passwords just to be safe.

It's a lot of different IPs tho.
Could this be a DDoS?

HawkeBoE 04-11-2014 11:24 AM

Same here, got lots of lockout mails with different IPs.
Because of time difference my phone made me crazy last night... & had to turn off notifications for mail receive

lgnd 04-11-2014 12:45 PM

I got 5 emails in two days, also changed my pw. Is there anything else I can do to prevent this? Thanks!


All times are GMT. The time now is 04:12 AM.
