What to do if someone is trying to distributed brute force my account?


WetWired
28 May 2011, 23:12
I received three e-mails within a minute of three different IPs being locked out for trying the wrong password on this forum...

azspeedbullet
28 May 2011, 23:29
I noticed the same thing on my account. I had to create this new account so I can post about it since I am unable to log in. The 3 emails I received are from IPs 78.x, 200.x, and 219.x. When I do an IP lookup, these IPs are from Indonesia, Argentina, and Czech Republic.

Black Tiger
28 May 2011, 23:45
I had the same 2 times. But I don't see any reason to mask the IP addresses of the abusive users:
94.228.204.2
and
178.213.33.129

But I'm not locked out which the mail says, because I'm always logged in.:)

However it's no good news when it seems people are trying to bruteforce accounts. Maybe somebody can do a good thing and put up some ip bans if they are not dynamic ip's.

popowich
28 May 2011, 23:55
I received a couple of emails too.

Both 114.141.50.11 and 125.167.233.138 are trying to access my account.

azspeedbullet
28 May 2011, 23:55
Here are the 3 IPs from the email:
200.117.239.246
78.41.17.230
219.83.101.234

Interesting that all of the IP addresses are different.

cbiweb
28 May 2011, 23:59
A few minutes ago I received this notice in my email:
Dear cbiweb,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 200.94.71.73

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
http://www.vbulletin.org/forum/login.php?do=lostpw

All the best,
vBulletin.org Forum

I'm glad the intruder didn't get in, because my password wasn't all that strong, but evidently strong enough... this time.

I have changed my password to something very strong now, and I'm only posting this as a heads up for anyone who either doesn't have a strong password, or thinks it's strong enough, or hasn't changed it in a while. It's time to check it out.

SpanishHarlem
29 May 2011, 00:01
Dear SpanishHarlem,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 194.44.172.18

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
http://www.vbulletin.org/forum/login.php?do=lostpw

All the best,
vBulletin.org Forum

SpanishHarlem
29 May 2011, 00:01
I got the same email just now

WetWired
29 May 2011, 00:02
203.29.27.114
222.173.42.106
218.98.192.202

Here

Boofo
29 May 2011, 00:03
I got one too from another IP. The IP resolves to Bangkok, Thailand. Looks like a bot might have been at work.

Dear Boofo,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 119.46.110.247

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
http://www.vbulletin.org/forum/login.php?do=lostpw

All the best,
vBulletin.org Forum

KevinL
29 May 2011, 00:03
Same here

189.90.254.146

Beav`
29 May 2011, 00:03
Just got one too...

Dear Beav`,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 93.114.63.249

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
http://www.vbulletin.org/forum/login.php?do=lostpw

All the best,
vBulletin.org Forum

DarknessDivine
29 May 2011, 00:05
I just logged on here because I am also getting the emails. The IP's are: 222.124.29.242 & 201.22.184.4

TheEnd
29 May 2011, 00:09
The person trying to log into your account had the following IP address: 201.209.69.134 4:20 PM
The person trying to log into your account had the following IP address: 222.124.217.170 4:20pm
The person trying to log into your account had the following IP address: 195.191.168.5 4:20PM

I changed my password to something super secure. Combo of all my high tech passwords. Good luck h4x0rs

DarknessDivine
29 May 2011, 00:10
I changed my password to something super secure. Combo of all my high tech passwords. Good luck h4x0rs

I also changed mine.

Zidane007nl
29 May 2011, 00:15
Same thing happened here.
221.1.96.22 from China is the culprit at 01:40 (GMT+2).

Limey-YMR
29 May 2011, 00:16
218.28.111.46 which resolves to pc0.zz.ha.cn just locked out my account here.

A forum that I regularly visit was hacked last night and has been taken down, but strangely, my username is slightly different there, and the password is completely different.

regeneration
29 May 2011, 00:24
Got the same email.. twice.

The person trying to log into your account had the following IP address: 213.197.81.50

The person trying to log into your account had the following IP address: 203.113.117.139

Xplorer4x4
29 May 2011, 00:24
Not sure if I need to report this or not, but my account was locked out as someone was trying to guess/hack my password. I have updated it to something a little bit more secure just to be safe. The IP reported in the email was 122.225.100.5 which traces back to China.

I realize this isn't relevant to this forum btw, but nowhere else an unlicensed member can post that I know of.

regeneration
29 May 2011, 00:28
Got the same emails.

You can't do anything. vB.org admins should disable the "Member list" feature:

http://www.vbulletin.org/forum/memberlist.php

Bots are taking usernames from that list and using brute force attack on this site.

I sent a PM to the admins about this.

underESTIMATED
29 May 2011, 00:30
Not sure if I need to report this or not, but my account was locked out as someone was trying to guess/hack my password. I have updated it to something a little bit more secure just to be safe. The IP reported in the email was 122.225.100.5 which traces back to China.

I realize this isn't relevant to this forum btw, but nowhere else an unlicensed member can post that I know of.

Happened to me as well 2x earlier. I logged in and also updated the password.

Wired1
29 May 2011, 00:36
Ditto, 3 tries in the same minute from Bulgaria, Italy, and Brazil based upon the IPs. Password was already pretty secure, but just to be safe I changed it to a REALLY long (randomly generated) password.

KeePass FTW :)

smacklan
29 May 2011, 00:37
Same here...from 120.29.159.14 and 210.245.85.33

Xplorer4x4
29 May 2011, 00:44
Glad to see it's not just me. At least I know I wasn't specifically targeted lol.

kylek
29 May 2011, 00:49
Yup, same thing about an hour ago.


Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 60.28.212.184

IP shows China.

syrus.xl
29 May 2011, 00:56
Strange, someone tried to access my account 3 times - each time failing. About 45 minutes ago.

I.P's used were:
78.41.17.230
222.124.5.82
200.117.239.246

Well, they can carry on trying - since I use alpha-numerics with symbols.

I just checked my password on http://passwordchecker.co.uk/ it states 100% strong! ;)

sbryan
29 May 2011, 00:57
Yep same thing here, got 2 of those emails this morning. IP's were from Indonesia.

cbiweb
29 May 2011, 00:57
http://www.vbulletin.org/forum/showthread.php?t=264345

NBSFlak
29 May 2011, 00:58
Are any of you guys on PSN? I'm getting all kinds of password reset requests today.

shof515
29 May 2011, 00:58
I got the same thing, check the other topic and you will see you are not alone:
http://www.vbulletin.org/forum/showthread.php?p=2201074#post2201074

syrus.xl
29 May 2011, 01:16
Are any of you guys on PSN? I'm getting all kinds of password reset requests today.

I'm not... I do not play any game consoles at all.

I had someone try and get in to my Facebook account, but again they failed. If you're using secure hashed passwords I would very much doubt they could crack it anyway.

warnmar10
29 May 2011, 01:20
203.153.31.27
200.96.37.206

Biker_GA
29 May 2011, 01:20
Both myself and the owner of our site got notices as well. We're not pleased.

Hurricane
29 May 2011, 01:20
91.203.178.139
109.238.238.242

This was at 7pm EST for me.

ThorstenA
29 May 2011, 01:42
46.0.203.92
77.247.211.160

SCRIPT3R
29 May 2011, 01:51
118.97.81.155
222.124.29.242

SCRIPT3R
29 May 2011, 01:52
118.97.81.155
222.124.29.242

SCRIPT3R
29 May 2011, 01:53
118.97.81.155
222.124.29.242

JonUrban
29 May 2011, 02:09
I just got two. However, when I logged in here, my original password worked without issue. Very odd. What would they accomplish? I checked the login link in the email and it looked like a direct link, not a redirect.

Mine occurred at 7:24PM, IP addresses were 201.24.152.98 and 178.213.33.129


Dear JonUrban,

Your account on vBulletin.org Forum has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 178.213.33.129

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
http://www.vbulletin.org/forum/login.php?do=lostpw

All the best,
vBulletin.org Forum

--------------- Added 1306635143 at 1306635143 ---------------

Here's the header, minus my email address:


Status: U
Return-Path: <webmaster@vbulletin.org>
Received: from mx-dipper.atl.sa.earthlink.net ([207.69.195.166])
    by mdl-glean.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1qqsRV1T93Nl34L0; Sat, 28 May 2011 19:24:31 -0400 (EDT)
Received: from mx5.internetbrands.com ([98.158.194.50])
    by mx-dipper.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1qqsRU3hE3Nl36u0
    for <removed>; Sat, 28 May 2011 19:24:30 -0400 (EDT)
Received: from jelsoft3.internetbrands.com (jelsoft3.internetbrands.com [172.16.229.76])
    by mx5.internetbrands.com (Postfix) with ESMTP id 678E3213E1
    for <removed>; Sat, 28 May 2011 16:24:30 -0700 (PDT)
Received: from jelsoft3.internetbrands.com (localhost.localdomain [127.0.0.1])
    by jelsoft3.internetbrands.com (8.13.8/8.13.8) with ESMTP id p4SNOU7P031866
    for <removed>; Sat, 28 May 2011 16:24:30 -0700
Received: (from jelsoft@localhost)
    by jelsoft3.internetbrands.com (8.13.8/8.13.8/Submit) id p4SNOUVh031863;
    Sat, 28 May 2011 16:24:30 -0700
Date: Sat, 28 May 2011 16:24:30 -0700
X-Authentication-Warning: jelsoft3.internetbrands.com: jelsoft set sender to webmaster@vbulletin.org using -f
To: <removed>
Subject: Account on vBulletin.org Forum locked out
From: "vBulletin.org Forum" <webmaster@vbulletin.org>
Auto-Submitted: auto-generated
Message-ID: <201105282330.c21fda88bfd0@www.vbulletin.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=0; sbrc=.0; sbf=00; sbw=000;
X-Brightmail-Tracker: AAAAARgtX4o=
X-Brightmail-Tracker: AAAAAA==

WetWired
29 May 2011, 02:17
I'm pretty sure the mails are legit. Especially since the guy with the first reply actually got his account hacked.

kh99
29 May 2011, 02:18
I just got two. However, when I logged in here, my original password worked without issue. Very odd. What would they accomplish?

They didn't accomplish anything, they just tried to guess your password and failed. You say you just got those but the time says ~7:30 EDT so I guess the 15 minute lockout elapsed and you were able to log in.

Unless you mean "what do they hope to accomplish with only 5 guesses", then I don't know, seems like they'd have to get really lucky. Or they're just trying to annoy people, or clog the server with emails to send.

TundraSoul
29 May 2011, 02:21
Hackers are out tonight!

94.228.204.30 x2

WetWired
29 May 2011, 02:23
The lockout is actually IP specific.

shof515
29 May 2011, 02:24
I got a similar email too:
Received: from mx5.internetbrands.com (mx5.internetbrands.com [98.158.194.50])
    by mtain-mh02.r1000.mx.aol.com (Internet Inbound) with ESMTP id 8B0EA38000083
    for <deleted>; Sat, 28 May 2011 19:21:36 -0400 (EDT)
Received: from jelsoft3.internetbrands.com (jelsoft3.internetbrands.com [172.16.229.76])
    by mx5.internetbrands.com (Postfix) with ESMTP id 45D432006C
    for <deleted>; Sat, 28 May 2011 16:21:36 -0700 (PDT)
Received: from jelsoft3.internetbrands.com (localhost.localdomain [127.0.0.1])
    by jelsoft3.internetbrands.com (8.13.8/8.13.8) with ESMTP id p4SNLanG030536
    for <deleted>; Sat, 28 May 2011 16:21:36 -0700
Received: (from jelsoft@localhost)
    by jelsoft3.internetbrands.com (8.13.8/8.13.8/Submit) id p4SNLaBr030533;
    Sat, 28 May 2011 16:21:36 -0700
Date: Sat, 28 May 2011 16:21:36 -0700
X-Authentication-Warning: jelsoft3.internetbrands.com: jelsoft set sender to webmaster@vbulletin.org using -f
To: deleted
Subject: Account on vBulletin.org Forum locked out
From: "vBulletin.org Forum" <webmaster@vbulletin.org>
Auto-Submitted: auto-generated
Message-ID: <201105282336.fc033e6fa850@www.vbulletin.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
X-Priority: 3
X-Mailer: vBulletin Mail via PHP
Content-Transfer-Encoding: quoted-printable
x-aol-global-disposition: G
X-AOL-SCOLL-SCORE: 0:2:255893488:93952408
X-AOL-SCOLL-URL_COUNT: 0
x-aol-sid: 3039ac1d60d64de183801e9c
X-AOL-IP: 98.158.194.50
X-AOL-SPF: domain : vbulletin.org SPF : permerror

kh99
29 May 2011, 02:25
The lockout is actually IP specific.

Oh...so I guess if they have enough ips they can actually guess many times. Seems like it may be something to change in a future version. eta: ...oh, but I guess if it wasn't ip specific it would be easy for someone to keep you from logging in to your account.
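
The trade-off in the two posts above, as an added example that is not part of the thread and is not vBulletin's code: a lockout keyed on (account, IP) lets every new source IP start with a fresh set of guesses, while a per-account count of distinct failing IPs exposes the pattern without locking the owner out. The class names, the account name `alice`, the 600-second window, the threshold of 3 IPs and the documentation-range addresses are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

MAX_FAILS = 5            # e-mail: "more than 5 times"; modelled as lock on the 5th failure
LOCK_SECONDS = 15 * 60   # e-mail: "another 15 minutes"

class PerIPLockout:
    """Strike counter keyed on (account, ip), the behaviour described in the thread."""
    def __init__(self):
        self.fails = defaultdict(int)
        self.locked_until = {}

    def allowed(self, account, ip, now):
        return now >= self.locked_until.get((account, ip), 0)

    def record_failure(self, account, ip, now):
        key = (account, ip)
        self.fails[key] += 1
        if self.fails[key] >= MAX_FAILS:
            self.locked_until[key] = now + LOCK_SECONDS
            self.fails[key] = 0

class DistributedGuessDetector:
    """Per-account view: flag when failures come from many distinct IPs in a window."""
    def __init__(self, window=600, ip_threshold=3):   # hypothetical tuning values
        self.window, self.ip_threshold = window, ip_threshold
        self.events = defaultdict(deque)              # account -> (timestamp, ip)

    def record_failure(self, account, ip, now):
        q = self.events[account]
        q.append((now, ip))
        while q[0][0] <= now - self.window:           # drop events older than the window
            q.popleft()
        return len({src for _, src in q}) >= self.ip_threshold

def simulate(n_ips):
    """Constructed traffic: n_ips sources each keep guessing one account's password."""
    lockout, detector = PerIPLockout(), DistributedGuessDetector()
    accepted, flagged_at, now = 0, None, 0
    for n in range(n_ips):
        ip = f"203.0.113.{n + 1}"                     # documentation range, constructed
        for _ in range(MAX_FAILS + 2):                # two tries past the limit
            now += 1
            if not lockout.allowed("alice", ip, now):
                continue                              # rejected before the password check
            accepted += 1
            lockout.record_failure("alice", ip, now)
            if detector.record_failure("alice", ip, now) and flagged_at is None:
                flagged_at = accepted
    owner_ok = lockout.allowed("alice", "198.51.100.7", now)  # owner's own IP
    return accepted, flagged_at, owner_ok

if __name__ == "__main__":
    print(simulate(10))   # (guesses evaluated, guess number at first flag, owner can log in)
```

The per-account flag can drive a CAPTCHA or an owner notification instead of an account-wide lock, which keeps the owner able to log in during the attempt.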

Alfa1
29 May 2011, 02:50
Maybe vb.org would benefit from installing the bad behavior addon.

AdrianH
29 May 2011, 04:13
More here >> http://www.vbulletin.org/forum/showthread.php?p=2201102#post2201102


I feel positively left out :p

King Kovifor
29 May 2011, 05:27
I've merged both threads about the same attack into the same thread, within the feedback forum.

jaffaman
29 May 2011, 06:44
Got the same the 3 times I.P's are ..............

194.85.80.107
94.228.204.30
94.228.204.2

Delphiprogrammi
29 May 2011, 07:06
hi,

It happened on mine too

94.228.204.2
178.213.33.129

I guess somebody is looking for freebies :D

tekram
29 May 2011, 07:18
Here the same:

The person trying to log into your account had the following IP address: 222.173.42.106
The person trying to log into your account had the following IP address: 115.127.15.44

Brandon Sheley
29 May 2011, 07:28
same here...
95.154.98.152

seems like a problem is starting....

Oblivion Knight
29 May 2011, 07:40
..and here - 2 different IPs, identical times;
94.228.204.2
94.228.204.30

Kesomir
29 May 2011, 08:08
and here: 83.222.206.146 and 81.30.164.94

Frosty
29 May 2011, 08:43
Someone might have coded a bot, best thing would be to disable the member list, otherwise they can get the list of our usernames. :(

Marv
29 May 2011, 09:33
Happened to me also. Seems they attacked all accounts with 3 bruteforce attempts. That makes me worry about those, who have only one or two and not three recorded events. Could mean they were successful with one of their attempts.

I guess there are a few users here, which have sent their logins from servers or admincps to others (i.e. to mod developers in times of support etc.) Something very unsecure, but I'm sure some did that. Would be wise to inform all users - and to force all vb.org members to setup a secure passphrase.

--------------- Added 1306661692 at 1306661692 ---------------

Someone might have coded a bot, best thing would be to disable the member list, otherwise they can get the list of our usernames. :(

That's senseless. The bot can even read the threads or the WGO box etc. That makes no sense to disable the ML.

Frosty
29 May 2011, 09:43
True.. But memberlist contains offline members, while online box has only online members. But good point anyway.

Bigger damage can be done with the memberlist than with the online box.

Marv
29 May 2011, 09:59
True.. But memberlist contains offline members, while online box has only online members. But good point anyway.

Bigger damage can be done with the memberlist than with the online box.

You're right, true. I was regarding this from a point of the bigger threatlevel. I suppose an inactive account has not or not really often PN's in it. So the threatlevel isn't that big.
All others, the active users, can be found in the threads here. And to program a bot to get those accountnames is done in a blink of an eye. Whatever, disabling the ML could help with an additional benefit, even when it would be a very little one. But sometimes that makes a difference.

Nukey
29 May 2011, 11:02
I haven't logged on since Dec 2007 and just got the same email:
82.145.242.38
201.22.130.226

Frosty
29 May 2011, 11:15
IP's resolve to online proxies, which means this is a 100% automated attack.

BirdOPrey5
29 May 2011, 11:58
The only accounts really in danger of getting compromised by this are people who use the following passwords:

1) The same as their username (Sometime around 3.8 vBulletin actually added a check to prevent this)
2) password
3) 12345(6)...

Unfortunately I'd bet that counts for 10% or more of the users on any given site, including here.

I didn't get any emails but I changed my password to be extra-secure just to be sure today.

preemz10314
29 May 2011, 13:44
they must want plugins bad.....

BirdOPrey5
29 May 2011, 13:49
they must want plugins bad.....

I doubt that. I'd bet it was probably an attempt to harvest usernames for future spam attempts.

CtrlAltDel
30 May 2011, 00:58
The person trying to log into your account had the following IP address: 58.61.154.169

Cloudrunner
31 May 2011, 21:33
Just thought I'd let the powers that be know that the following IP addresses were logged trying to brute force their way onto my account on the 28th of May. I received the emails from the system stating that the account had been locked because of this. The IPs are registered in the Russian domain space.

Enjoy

178.213.33.129
94.228.204.2

FFZoneXtreme
01 Jun 2011, 00:02
Also in mine, on 28/05/2011.

94.228.204.2
194.151.57.244