vb.org Archive

!!!cyr0n_k0r 01-30-2013 01:10 AM

People are trying to brute force my account
 
I have received over 40 emails within the past 2 hours from this site saying that attempts have been made on my password. Here is a list of IPs.
You guys should look into this.

Paul M 01-30-2013 02:32 AM

It happens every few months.
As long as you have a secure password, then you have nothing to worry about.

Max Taxable 01-30-2013 02:36 AM

It ain't people, it's likely one person, with software designed for it.

20paws4awd 01-30-2013 06:08 PM

Yah, I got it too yesterday..

final kaoss 01-30-2013 06:14 PM

Now would be a good time to change the directory name of your admincp/modcp. If it happens again a few months later, change it again!

Abizaga 01-30-2013 06:54 PM

I just got like 5 emails saying my account was locked due to failed account break-in attempts. What do I do?

Digital Jedi 01-30-2013 07:57 PM

Er, nothing I suppose. Since you seem to be logged in...

Abizaga 01-30-2013 08:16 PM

Quote:

Originally Posted by Digital Jedi (Post 2400610)
Er, nothing I suppose. Since you seem to be logged in...

Just a bit alarmed, that's all.

BirdOPrey5 01-31-2013 04:09 PM

As long as you do not have common/easy to guess passwords there is nothing to worry about. The vBulletin lock-out system more or less makes brute force almost impossible.

That said you'd be surprised how many accounts they can find simply by trying the 5 or 10 most common passwords (including the username as the password.)

A site like VB.org with tens of thousands of users if they try a hundred users they can probably get 2 or 3 accounts.

It's all percentages.

Abizaga 01-31-2013 05:14 PM

Good, so a long, alphanumeric password is perfect for vBulletin

Digital Jedi 01-31-2013 08:24 PM

It doesn't even really need to be long. It can be long and be deciphered. What it needs is a random combo of caps, lowercase and numbers. And even better if you can include special characters.

DivisionByZero 02-01-2013 02:56 AM

https://www.atomicorp.com/products/asl.html

I installed it, tweaked it, and never looked back.

Airkat 02-02-2013 03:00 PM

I've gotten well over 100 this morning alone. It's all good to say "don't worry", but when you're getting craploads of emails about it, it's definitely annoying. One would think the makers of the forum software would be better prepared.

Agentus 02-02-2013 03:22 PM

Same here, about 150 emails in the past hour. I haven't been on this site in years. Does anyone know how to delete your account here? Is it possible, because I looked and couldn't find it anywhere.

thanks and good luck.

Paul M 02-02-2013 03:55 PM

Quote:

Originally Posted by Airkat (Post 2401330)
One would think the makers of the forum software would be better prepared.

Better prepared for what exactly ? The software is doing its job.

DivisionByZero 02-02-2013 04:06 PM

Quote:

Originally Posted by Paul M (Post 2401346)
Better prepared for what exactly ? The software is doing its job.

People who use OOB software and call themselves entrepreneurs want everything in one big package. Most are disappointed though when they discover that websites are not Chia Pets. You don't just add water and watch it grow. You actually have to do some work and know what you're doing.

---MAD--- 02-02-2013 04:24 PM

I've received 56 in the last 4 days as well. Is there no way to stop these e-mails other than labelling them as spam?

Digital Jedi 02-02-2013 04:35 PM

Here's a quick question, guys. Why would you NOT want to know that someone failed hacking into your account, considering the prevailing attitudes towards websites who never tell them anything about what they do behind the scenes?

DivisionByZero 02-02-2013 06:53 PM

99% of SPAM comes from China. I have no reason for anyone in China to view any content on my servers, so I block all Chinese IP space at the firewall level.

The current IP list by country is available from ARIN or here: http://www.nirsoft.net/countryip/cn.html

I get maybe one or two a month at this rate and ASL blocks the IP of any suspicious activity forever.

Amaury 02-02-2013 07:01 PM

Just got 10 e-mails saying my account was locked.

Like Paul said, though, if you have a strong password, there's nothing to worry about.

EDIT: Just got more. XD

Amit86 02-02-2013 08:57 PM

Just received 180 emails about my account being locked for wrong password

Amenadiel 02-02-2013 08:58 PM

A few more IPs from last hours

At least they bothered to hire a botnet to perform the attack.

Alex_Grist 02-02-2013 09:10 PM

I've also had over 150 emails regarding my account being locked due to someone attempting to brute force my password; VBulletin should be better prepared for something like this, surely having an account locked means you can't attempt at all for 15 minutes? This is annoying spam that needs to be prevented.

Edit:

Added a GMail filter to automatically delete the annoying emails.

Azunai 02-02-2013 10:00 PM

Well how about an email WHENEVER someone SUCCESSFULLY logs into your account
this would be very interesting to know + avoid "login try" spam

BarelyHangingOn 02-02-2013 10:11 PM

I am getting a pole load of them too. Annoying.

DAMINK 02-02-2013 10:18 PM

I changed locations for my admin and mod areas.
Never had an issue with false logins unless it's me screwing up (happens often).

I made a fake admin/mod area that ultimately leads to a trap and .htaccess bans that ip address.
Nice simple easy solution.
I imagine these attacks are automated and looking for /admincp/ sort of thing.

I highly recommend renaming your admin and mod areas.
Not to mention hiding your version number as they often use the 2 as a means of targeting the desired board.

Bluemax712 02-02-2013 10:50 PM

Yes - it should be redesigned to lockout for 15 minutes from any IP
I got 14 emails listing 14 different IPs within 5 minutes

or maybe it is locking out from all IPs for 15 minutes
and it's the message that should be changed when there are more attempts from different IPs during the lockout period:

Account already locked but another attempt has been made by xxx.xxx.xxx.xxx
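
Added example, not part of the thread and not vBulletin's code: a small simulation of the two lockout designs discussed in the posts above, counting failures per source IP versus per account, run on constructed traffic of 14 addresses guessing at one account inside five minutes. The 15-minute lock comes from the posts; the five-failure threshold, the class and function names, the account name and the 203.0.113.x addresses are assumptions.

```python
from collections import defaultdict

LOCK_SECONDS = 15 * 60   # lockout length mentioned in the thread
MAX_FAILURES = 5         # assumed threshold, not taken from the thread


class LoginThrottle:
    """Counts failed logins per account or per source IP; one email per lock."""

    def __init__(self, key_by):
        self.key_by = key_by          # "account" or "ip"
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.emails = []              # notifications sent to the account owner
        self.guesses_checked = 0      # attempts that reached password checking

    def failed_login(self, now, account, ip):
        key = account if self.key_by == "account" else ip
        if self.locked_until.get(key, 0) > now:
            return "rejected"         # locked: no password check, no new email
        if key in self.locked_until:  # earlier lock has expired: fresh window
            del self.locked_until[key]
            self.failures[key] = 0
        self.guesses_checked += 1
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCK_SECONDS
            self.emails.append((now, account, f"locked after attempt from {ip}"))
            return "locked"
        return "failed"


def simulate(key_by, n_ips=14, tries_per_ip=5, spacing=4):
    """Constructed traffic: n_ips addresses take turns guessing at one account."""
    throttle = LoginThrottle(key_by)
    now = 0
    for _ in range(tries_per_ip):
        for i in range(n_ips):
            throttle.failed_login(now, "victim", f"203.0.113.{i + 1}")
            now += spacing            # 70 attempts spread over under 5 minutes
    return throttle.guesses_checked, len(throttle.emails)


if __name__ == "__main__":
    for policy in ("ip", "account"):
        guesses, emails = simulate(policy)
        print(f"per-{policy} lockout: {guesses} guesses checked, {emails} emails")
```

With per-IP counting every new address starts a fresh count, so all 70 guesses are checked and 14 lock notices go out; per-account counting checks 5 guesses and sends one notice per lock window, at the cost that anyone can keep the account locked.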

AuroraStorm 02-02-2013 10:57 PM

Yep...I got the same thing from an IP 180.241.113.26 that I tracked to Indonesia...

Digital Jedi 02-02-2013 11:01 PM

Quote:

Originally Posted by Alex_Grist (Post 2401419)
I've also had over 150 emails regarding my account being locked due to someone attempting to brute force my password; VBulletin should be better prepared for something like this, surely having an account locked means you can't attempt at all for 15 minutes? This is annoying spam that needs to be prevented.

Edit:

Added a GMail filter to automatically delete the annoying emails.

Better prepared? They didn't get in. They got locked out. Your account did not get compromised. AND you were informed. Exactly what would be better than that?

Beretta1526 02-02-2013 11:18 PM

More IPs from about 45 minutes ago, and then 36 minutes ago:

I guess it's a good thing I didn't use "monkey" for my password, huh?

Bluemax712 02-02-2013 11:30 PM

For anyone keeping track here is the sorted list of previous 3 posts - with my own included:

mykkal 02-02-2013 11:46 PM

Brute force will block logins via IP, not username so if you have it configured correctly, you won't have to worry about them ever trying to break your passwords again. It would take too long.

I look at my brute force reports now and then... But mostly I don't worry cause it blocks them.

--------------- Added 02-03-2013 at 12:48 AM ---------------

I'm considering blocking China too. I do get indexed by baidu but I receive relatively little traffic from China. It's strange that it's beneficial to cut 1 billion people off.

China's government has to know about these things. They are heavily industrialized and they seem to steal everything they can. Our government is doing nothing about it.

Quote:

Originally Posted by DivisionByZero (Post 2401388)
99% of SPAM comes from China. I have no reason for anyone in China to view any content on my servers, so I block all Chinese IP space at the firewall level.

The current IP list by country is available from ARIN or here: http://www.nirsoft.net/countryip/cn.html

I get maybe one or two a month at this rate and ASL blocks the IP of any suspicious activity forever.

--------------- Added 02-03-2013 at 12:52 AM ---------------

How did you make that trap? That's hella cool.

Quote:

Originally Posted by DAMINK (Post 2401441)
I made a fake admin/mod area that ultimately leads to a trap and .htaccess bans that ip address.
Nice simple easy solution.


CableSux 02-03-2013 12:26 AM

I just started receiving these emails now. Obviously it's working to keep them from getting into my account. But how do I set up my vbulletin to do the same for my site? Someone mentioned Brute Force?

Amaury 02-03-2013 12:36 AM

Quote:

Originally Posted by Alex_Grist (Post 2401419)
I've also had over 150 emails regarding my account being locked due to someone attempting to brute force my password; VBulletin should be better prepared for something like this, surely having an account locked means you can't attempt at all for 15 minutes? This is annoying spam that needs to be prevented.

Edit:

Added a GMail filter to automatically delete the annoying emails.

If you checked "Remember Me?" whenever you last logged in and just close your browser when you're done browsing instead of logging out, then these brute force attacks won't affect you.

They only lock you out from logging in, but if you're already logged in, then you can still use the site as you would any other day.

As for account locks, for the reference, I've got a total of 66 e-mails.

BigJohnny 02-03-2013 12:39 AM

Same here...just now. A few times.

I reset my password.

CaseLogic 02-03-2013 12:44 AM

Damn, this is happening to me now. I came to create a thread but apparently some botnet is having a field day on these forums.

And clearly VB staff doesn't care much about these attempts given no one has officially commented in the past few days?

Bluemax712 02-03-2013 12:44 AM

Quote:

Originally Posted by DivisionByZero (Post 2401388)
99% of SPAM comes from China. I have no reason for anyone in China to view any content on my servers, so I block all Chinese IP space at the firewall level.

The current IP list by country is available from ARIN or here: http://www.nirsoft.net/countryip/cn.html

I get maybe one or two a month at this rate and ASL blocks the IP of any suspicious activity forever.

Amazingly this is not true according to Spamhaus
most spam comes from US
http://www.spamhaus.org/statistics/countries/

Amaury 02-03-2013 12:52 AM

Quote:

Originally Posted by CaseLogic (Post 2401472)
Damn, this is happening to me now. I came to create a thread but apparently some botnet is having a field day on these forums.

And clearly VB staff doesn't care much about these attempts given no one has officially commented in the past few days?

The staff has no control over it.

CableSux 02-03-2013 12:53 AM

I like how I was notified by vB that someone attempted to login to my account. How do I set up my site to do the same thing... and track those attempts?

CaseLogic 02-03-2013 12:57 AM

Quote:

Originally Posted by Amaury25 (Post 2401474)
The staff has no control over it.

First off, I disagree. They can start banning IP ranges so this doesn't keep happening slowly to their entire userbase.

Secondly, even if they don't take any action to prevent it, it couldn't hurt to send users emails to inform them that apparently botnets are trying to brute force their way into people's accounts, and to take the proper measures (ensure passwords are secured, etc).


All times are GMT.