#1
Login bruteforcer at ExeTools?
I had 5 login attempts at my account here at ExeTools. It seems that someone here is trying to gain illegal access or something.
The attempts were made by the IP 218.86.217.58, which by the way is online now. Has anyone had a similar experience?

#2
Same thing for my account, same IP.

#3
This is about as close as one can get to the IP:

Search results for: 218.86.217.58
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

Seems someone "down under" may be attempting something they shouldn't. Keep me advised. We may have to ban that IP range or something.

Regards,
__________________
JMI

#4
It seems that the bruteforcer didn't know how things and member levels work in ExeTools (= isn't a member or has never been) because bruteforcing my account doesn't make any sense, since my level allows basic and limited things in the forum and only uploading in FTP (the interesting part for most).
Anyway, a forum/FTP ban to the C class (218.86.217.*) would be a good solution for now. And I don't believe that it is an open proxy because ports 8080 and 1080 are closed.

#5
You are speaking of a whole lot of IPs from 218.86.217.0 to 218.86.217.255.
Regards,
__________________
JMI

#6
Yes, I know C Class is 255 IPs. Usually, admins ban the whole IP range to ensure that the user will not use a neighbor IP to attempt more attacks.

#7
Same here, the type and extension of the attack make me think of a simple robot used by some guy connected to an ISP. VisualRoute also reports some other info:

inetnum: 218.86.128.0 - 218.86.255.255
netname: CHINANET-GZ
descr: CHINANET Guizhou province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: DL72-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-GZ
status: ASSIGNED NON-PORTABLE
changed: [email protected] 20020424
changed: [email protected] 20040927
source: APNIC

So banning a single class is meaningless, better would be to ban the whole provider. Try looking at the contact's log in the China area of the forum instead, if there's a log.
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com

#8
Quote:
1. Knowing user password.
2. Knowing user email address and thus pretty often user country.
3. Reading user private messages.
4. Trying to use ExeTools password (or slightly modified) on user email box - often it will work. Imagine what will happen.

Now you see how dangerous it can be.

Last edited by dyn!o; 05-06-2005 at 20:54.

#9
Quote:
Btw, I agree with all provider BAN.

#10
Well this is strange. Yesterday when I searched for the IP 218.86.217.58 I got the information I listed in Post #3 above. I just wrote here that this was not the same as the one posted by Shub-Nigurrath:

218.86.128.0 - 218.86.255.255

but when I checked the original IP again I got the same information Shub-Nigurrath posted. I thought I had copied and pasted the original IP into the search engine, but I apparently did something wrong, because it is clearly from China, and not Australia.

However, I do not believe it would be a good idea to attempt to ban as wide a range of IPs using the C component (rather than the D component), since it would effectively ban the entire Guizhou province. Aaron's IP might even be from that group, I haven't checked recently. Then we'd all be in trouble.

It would be a GOOD IDEA to tighten up the security of your passwords, both here and on your email.

Regards,
__________________
JMI

#11
HI!
Maybe this will sound like a stupid idea, for which I apologize. This attack comes from a program (bot)? Is it possible that the login control contains a generated image with scrambled text written in a weird way? A bunch of random text readable only by a human, which is for example on the Yahoo site when you apply for a new account. The user would have to enter this code upon login, which should prevent attacks from a bot. But it is annoying sometimes to enter this code every time you log in, but it will definitely increase security.

Also what is interesting is how this person obtains user names to attack. Does he visit this forum or have a program that searches for a name inside, for example, a public forum? It could also be something especially written for this PHP bulletin thing.

my 2 cents

#12
Quote:
-------------------------------------
ARIN
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
NetRange: 218.0.0.0 - 218.255.255.255
NetType: Allocated to APNIC
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
-------------------------------------
APNIC
inetnum: 218.86.128.0 - 218.86.255.255
netname: CHINANET-GZ
descr: CHINANET Guizhou province network
descr: Data Communication Division
descr: China Telecom
country: CN
source: APNIC

#13
I got the same.
Same IP, same day.

#14
I received a similar email with this IP too on this date ...
This IP wasn't online when I checked.

#15
bruteforce try...
It tried me too, but it was some months ago. I had to reactivate my account, I overlooked it, because I couldn't change it, so I cannot say the IP anymore...
Maybe someone behind a proxy? If we close this specific IP maybe others couldn't come in anymore...
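
The ban-scope question debated in this thread (single IP, class C, or the whole provider range), worked through as an added example that is not part of any post: it flags sources from a constructed failed-login log and sizes each candidate ban. The account names, thresholds and the 192.0.2.10 address are assumptions; 218.86.217.58 and the inetnum range are the values quoted in the posts.

```python
import ipaddress
from collections import defaultdict

# Constructed failed-login records: (source IP, account). Account names are
# placeholders; 192.0.2.10 is a documentation address standing in for a
# member who mistyped a password once.
FAILED_LOGINS = (
    [("218.86.217.58", "member_a")] * 5
    + [("218.86.217.58", "member_b")] * 5
    + [("192.0.2.10", "member_c")]
)

# inetnum range from the APNIC record quoted in the thread.
PROVIDER_RANGE = ("218.86.128.0", "218.86.255.255")

def flag_sources(records, min_accounts=2, min_failures=5):
    """Return {ip: (failures, accounts)} for sources that hit several accounts
    or reach the failure threshold (both thresholds are assumptions)."""
    per_ip = defaultdict(list)
    for ip, account in records:
        per_ip[ip].append(account)
    return {
        ip: (len(accts), sorted(set(accts)))
        for ip, accts in per_ip.items()
        if len(set(accts)) >= min_accounts or len(accts) >= min_failures
    }

def ban_scopes(ip, provider_range):
    """List (label, CIDR blocks, address count) from narrowest to widest."""
    addr = ipaddress.ip_address(ip)
    class_c = ipaddress.ip_network(f"{ip}/24", strict=False)
    first, last = (ipaddress.ip_address(a) for a in provider_range)
    provider = list(ipaddress.summarize_address_range(first, last))
    if not any(addr in net for net in provider):
        raise ValueError(f"{ip} is outside the provider range")
    return [
        ("single IP", [f"{addr}/32"], 1),
        ("class C", [str(class_c)], class_c.num_addresses),
        ("provider", [str(n) for n in provider],
         sum(n.num_addresses for n in provider)),
    ]

if __name__ == "__main__":
    for ip, (count, accounts) in flag_sources(FAILED_LOGINS).items():
        print(ip, count, accounts)
        for label, blocks, size in ban_scopes(ip, PROVIDER_RANGE):
            print(f"  {label:10} {', '.join(blocks):20} {size} addresses")
```

The address counts show the trade-off the posters argue over: each wider scope makes it harder to hop to a neighbouring address, and also locks out more unrelated users on the same network.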