Yesterday's brute force attempts at password hacking
 

Yesterday afternoon, it seems there was somebody (or a group of somebodies) who decided to try to brute force their way to hacking vbulletin.org user accounts. Several of you got emails about being locked out of your accounts after the five attempts were made. Unfortunately, there is no one IP, or even an IP range, that we can block to stop this as the IPs came from all over.

I would strongly suggest that users change their passwords. You should pick a password that is at least fourteen characters long and utilize both lower and upper case letters as well as numbers and other keyboard characters

There is a password generator here that you may use to create a random, strong, password - http://strongpasswordgenerator.com/

ahh i wondered why i got the message, my site had been hacked recently and we have introduced a heck of a lot of new security measures and ive made my passwords 30 chars long.

Thank god it wasnt just me

But what happened to me was different, even after entering the right password it said incorrect. After 15mins i got the account locked email . .But i manually entered my password for all the 5times.

Then you should PM an admin for help.

You can block the useragent and other aspects with vB Bad Behavior.

I got the email
Now I changed my password, vbulletin.org & vbulletin.com
Now my passwords 33 characters

Dear administrator,

1) vbulletin.org Lost Password Recovery Form generates base 10 only passwords (0-9), 8 characters long. PHP suggests the following characters for higher bases:
*base 16: (0-9, a-f)
*base 32: (0-9, a-v)
*base 64: (0-9, a-z, A-Z, "-", ",")
You should adopt the base 64 for generated passwords and make it 16 chars long.

2) Wysisyg mode on Google Chrome will prevent you from replying to this thread and your message will be lost. I had to write it again. :mad:

You should not be keeping the generated password. You should only use it to login and then you should be setting it yourself.

82.145.242.38
201.22.130.226
120.136.20.91

Those are the IPs I got for my old "Revan" account, in case you wanted to ban them or write them down or whatever :p


Fillip

The person trying to log into your account had the following IP address: 200.181.109.18

add this IP to the list...

<font color="DarkRed">201.41.166.59

This is the IPs and they are from Brazil!

I was like "What the heck is this?"

I decided to review my account. Thanks for the headsup. </font>

Mine was from a proxy...

Fortunately, vBulletin throttles login attempts so it's pretty hopeless trying to hack through the applications login functionality.

Lynne,
do you know a mod, where the minimum password length could be altered? I thought I´d seen something like that, but I can´t find it anymore..

I do not know of one, but I've never looked for one either.

Is it possible to set up login so everyone uses their email address to sign in rather than their display name? It helps on other large corporate sites that have forums.

How would that help here?

^ I'm guessing so members email addresses can't be guessed in the first place.

+1 Exactly. :)

If it can help, here are the IP who tried to access my account:
82.199.105.194
81.177.144.176

You probably don't want to advertise how long your password is. It's one less thing a hacker has to guess.

I realize brute forcing 33 character password is futile but it's orders of magnitude easier than not knowing how long it is.

Thanks for information !

Here is an example of a site that already utilizes email addresses to login, that is vBulletin software:
http://forums.electronicarts.co.uk/

In my opinion, it should be a default option for the admin to choose whether to use a regular username or email address to sign in. I would automatically choose email address login for my site.

The person trying to log into your account had the following IP address: 203.153.29.50
The person trying to log into your account had the following IP address: 190.202.184.75

This event has now passed.