#1
Login bruteforcer at ExeTools?
I had 5 login attempts on my account here at ExeTools. It seems that someone here is trying to gain illegal access or something.
The attempts were made from the IP 218.86.217.58, which by the way is online now. Has anyone had a similar experience?
#2
Same thing for my account, same IP.
#3
This is about as close as one can get to the IP:
Search results for: 218.86.217.58
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

Seems someone "down under" may be attempting something they shouldn't. Keep me advised. We may have to ban that IP range or something.
Regards,
__________________
JMI
#4
It seems that the bruteforcer didn't know how things and member levels work at ExeTools (= isn't a member, or never has been), because bruteforcing my account doesn't make any sense, since my level allows only basic and limited things in the forum and only uploading to the FTP (the interesting part for most).
Anyway, a forum/FTP ban on the C class (218.86.217.*) would be a good solution for now. And I don't believe that it is an open proxy, because ports 8080 and 1080 are closed.
#5
You are speaking of a whole lot of IPs, from 218.86.217.0 to 218.86.217.255.
Regards,
__________________
JMI
#6
Yes, I know a C class is 255 IPs. Usually, admins ban the whole IP range to ensure that the user will not use a neighbor IP to attempt more attacks.
#7
Same here; the type and extent of the attack make me think of a simple robot used by some guy connected to an ISP. VisualRoute also reports some other info:

inetnum: 218.86.128.0 - 218.86.255.255
netname: CHINANET-GZ
descr: CHINANET Guizhou province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: DL72-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINANET-GZ
status: ASSIGNED NON-PORTABLE
changed: [email protected] 20020424
changed: [email protected] 20040927
source: APNIC

So banning a single class is meaningless; better would be to ban the whole provider. Try looking at the contact's log in the China area of the forum instead, if there's a log.
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
#8
Quote:
1. Knowing the user's password.
2. Knowing the user's email address, and thus pretty often the user's country.
3. Reading the user's private messages.
4. Trying to use the ExeTools password (or a slightly modified one) on the user's email box; often it will work.

Imagine what will happen. Now you see how dangerous it can be.

Last edited by dyn!o; 05-06-2005 at 20:54.
#9
Quote:
Btw, I agree with the whole-provider BAN.
#10
Well, this is strange. Yesterday when I searched for the IP 218.86.217.58 I got the information I listed in Post #3 above. I had just written here that this was not the same as the one posted by Shub-Nigurrath:
218.86.128.0 - 218.86.255.255, but when I checked the original IP again I got the same information Shub-Nigurrath posted. I thought I had copied and pasted the original IP into the search engine, but I apparently did something wrong, because it is clearly from China, and not Australia.

However, I do not believe it would be a good idea to attempt to ban as wide a range of IPs using the C component (rather than the D component), since it would effectively ban the entire Guizhou province. Aaron's IP might even be from that group; I haven't checked recently. Then we'd all be in trouble.

It would be a GOOD IDEA to tighten up the security of your passwords, both here and on your email.
Regards,
__________________
JMI
#11
Hi!
Maybe this will sound like a stupid idea, which I apologize for. This attack comes from a program (bot)? Is it possible that the login control contains a generated image with scrambled text, written in a weird way? A bunch of random text readable only by a human, which is, for example, on the Yahoo site when you apply for a new account. The user would have to enter this code upon login, which should prevent attacks from a bot. It is annoying sometimes to enter this code every time you log in, but it will definitely increase security. Also, what is interesting is how this person obtains user names to attack. Does he visit this forum, or have a program that searches for names inside, for example, a public forum? It could also be something especially written for this PHP bulletin thing. My 2 cents
#12
Any guest can get the names of members to try. It would not be necessary to use a bot and the limited number of attempts so far reported does not suggest a bot attack.
One feature of vBulletin is the fact that you get only 5 wrong login attempts before you are locked out and sent an email which you have to use to get back in. Therefore, a bruteforcer would get only 5 guesses before no further attempts on that username would be permitted, at least until the holder of the email account logs into the email account and clicks on the link provided. Even then the attacker would only get another 5 attempts before another lockout would occur.

So the attack requires both the username and user password to access one's account, and if the email password is NOT the same as the user password here, then the security is that much more difficult to break. Using proper password protocols, such as combinations of uppercase and lowercase and alphanumeric letters and/or symbols, would also increase that security. Forewarned is forearmed. This is also one of the reasons why changing passwords from time to time is required. Without your email password, an attacker is at a disadvantage, even if they guess your Forum login password.
Regards,
__________________
JMI
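As an added illustration (not code from this thread or from vBulletin) of the two defences discussed in posts #4, #7, #10 and #12: the per-username lockout after 5 failed attempts, and the trade-off between banning the single host, the "class C" (218.86.217.0/24) and the whole CHINANET-GZ allocation from the whois output (218.86.128.0 - 218.86.255.255, i.e. a /17). The failed-login records are constructed; the threshold of 5 is the vBulletin behaviour post #12 describes.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed failed-login records (source IP, username); not real ExeTools logs.
FAILED_LOGINS = [("218.86.217.58", "alice")] * 6 + \
                [("218.86.217.58", "bob")] * 2 + \
                [("10.0.0.7", "alice")]          # a legitimate user's single typo

LOCKOUT_THRESHOLD = 5  # failures per username before the account is locked (post #12)

# The ranges the thread debates: one host, the "class C", and the whole
# CHINANET-GZ allocation 218.86.128.0 - 218.86.255.255 written as a /17.
CANDIDATE_BLOCKS = {
    "host": "218.86.217.58/32",
    "class C": "218.86.217.0/24",
    "provider": "218.86.128.0/17",
}

def failures_per_user(records):
    """Count failed attempts per username, as the lockout counter does."""
    return Counter(user for _, user in records)

def locked_users(records, threshold=LOCKOUT_THRESHOLD):
    """Usernames whose failure count reached the lockout threshold."""
    return sorted(u for u, n in failures_per_user(records).items() if n >= threshold)

def guesses_checked(records, user, threshold=LOCKOUT_THRESHOLD):
    """Attempts actually checked against the password: the lockout caps them."""
    return min(failures_per_user(records)[user], threshold)

def suspicious_sources(records, min_users=2):
    """Source IPs that failed against several usernames: a guesser walking the member list."""
    users_by_ip = defaultdict(set)
    for ip, user in records:
        users_by_ip[ip].add(user)
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)

def block_collateral(ip, blocks=CANDIDATE_BLOCKS):
    """For each candidate block: does it contain `ip`, and how many addresses would it ban?"""
    addr = ipaddress.ip_address(ip)
    result = {}
    for name, cidr in blocks.items():
        net = ipaddress.ip_network(cidr)
        result[name] = (addr in net, net.num_addresses)
    return result

if __name__ == "__main__":
    print("locked out:", locked_users(FAILED_LOGINS))
    print("sources hitting several accounts:", suspicious_sources(FAILED_LOGINS))
    for name, (hit, size) in block_collateral("218.86.217.58").items():
        print(f"{name:>8}: contains attacker={hit}, addresses banned={size}")
```

Run as written it shows that the lockout leaves the guesser 5 checked attempts per account, and that the "class C" ban covers 256 addresses while the whole-provider ban covers 32768.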
#13
I don't think it's an attack. I think some people are using Google Web Accelerator, and that's what is causing the problem. I saw behavior like this on some other forums. Then again, I might be wrong.
#14
Quote:
-------------------------------------
ARIN
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
NetRange: 218.0.0.0 - 218.255.255.255
NetType: Allocated to APNIC
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
-------------------------------------
APNIC
inetnum: 218.86.128.0 - 218.86.255.255
netname: CHINANET-GZ
descr: CHINANET Guizhou province network
descr: Data Communication Division
descr: China Telecom
country: CN
source: APNIC
#15
Thank you for clearing up the "mystery" of my original search. What I did was choose the wrong URL from my list of Whois sources and did, indeed, end up searching ARIN instead of APNIC, which was the URL above ARIN in my "favorites" subfolder.
Regards,
__________________
JMI