Russian Hackers!!

[ACR_Ted]

I got this email earlier today:

Dear ACR_Ted,

Someone has tried to log into your account on RailPictures.Net Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 188.143.232.144

All the best,
RailPictures.Net Forums


Anyone else ever get one like this? The IP is somewhere in Russia...thats as far as I went in researching it.

Ted

[jac_murphy]

Whoa - you managed to actually get an e-mail from the admins??

-Jacques

[Holloran Grade]

Automated email.

[Daniel SIMON]

I have received the same message from the admins today. Anybody knows more about these hackers?

******************************
Dear Daniel SIMON,

Someone has tried to log into your account on RailPictures.Net Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 188.143.234.6

All the best,
RailPictures.Net Forums

[ddavies]

Yesterday, I got one that IDed 188.143.235.118

[adickson]

Quote:

Originally Posted by ddavies

Yesterday, I got one that IDed 188.143.235.118

I've gotten 2 or 3 from this IP and one from the original post.

[Andrew Crosby]

I've also received 3 or 4 of these emails in the past week, supposedly from Chris Kilroy at RP Forums, citing a similar IP address.

Now, of course, it looks like some hack job, and not anything from RP. (I was wondering who'd want to impersonate me. Chase, Joe, or Janusz, yes, but me?)

So - Are these emails from a hacker, or is RP notifying us of a hacker they've caught onto??

[Appalachianrails]

I have gotten a similar email three times within the past week.

-JE

"Dear Appalachianrails,

Someone has tried to log into your account on RailPictures.Net Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 188.143.234.6

All the best,
RailPictures.Net Forums"

[troy12n]

Netblock is owned by some russian company:

reverse-ip: sexmuviki.ru
inetnum: 188.143.234.0 - 188.143.234.255
netname: ToussaintDesaulniers-net
descr: dedicated server client
country: RU
admin-c: TD2673-RIPE
tech-c: TD2673-RIPE
status: ASSIGNED PA
mnt-by: MNT-PIN
source: RIPE # Filtered

person: Toussaint Desaulniers
address: 57, cours Franklin Roosevelt 13007 MARSEILLE
phone: +49 0 9401 784 003
nic-hdl: TD2673-RIPE
mnt-by: MNT-PINSUPPORT
source: RIPE # Filtered

route: 188.143.234.0/23
descr: PINROUTE
origin: as44050
mnt-by: MNT-PIN
source: RIPE # Filtered

[JMC]

Can you break that down Barney-level for folks like me?

[Deano12056]

Me too....

[Deano12056]

Got two messages Sunday and one tonight.

[CSX1702]

Ditto.....

[troy12n]

In soviet Russia, computer hacks you!

[Andrew Crosby]

I'm still hoping for the Barney-level take on this matter, too.

And does anyone know if those emails we received came from this Russian place, or was RP notifying us about real attempts to hack in?

[Mgoldman]

I don't get it - what's the point of such a hack?

They didn't ask for anything? No password or address, nothing?

/Mitch

Quote:

Originally Posted by ACR_Ted

I got this email earlier today:

Dear ACR_Ted,

Someone has tried to log into your account on RailPictures.Net Forums with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 188.143.232.144

All the best,
RailPictures.Net Forums


Anyone else ever get one like this? The IP is somewhere in Russia...thats as far as I went in researching it.

Ted

[bigbassloyd]

Quote:

Originally Posted by troy12n

In soviet Russia, computer hacks you!

+1

Loyd Lowry

[Andrew Crosby]

Mitch - If this is hacking, the only thing I can think of is perhaps hackers will hack anything trying to obtain any identifying info (email addresses, IDs, passwords, zip codes) on anyone. That can then be used to hack into something else - like bank accounts or credit / debit card accounts.

A friend of mine had her debit card account hacked by someone who apparently obtained her email address and zip code somehow, then used that to change a password on the account. Then he accessed the account and purchased a couple thousand bucks worth of computer games and garbage online.

Of course, this could just be a simple glitch, too.

So ... does anyone have any more info on this?

[jac_murphy]

Welp, I thought I was immune, until I got one this morning. IP was 188.143.234.6

-Jacques

[James Heinrich]

Since this is apparently widespread (I also just received a similar warning, which I believe to be a legitimate feature of vBulletin), can an admin please add

Code:

deny from 188.143.

to .htaccess (or forum-level IP blacklist if server-level blacklisting isn't possible)?

[troy12n]

Quote:

Originally Posted by James Heinrich

Since this is apparently widespread (I also just received a similar warning, which I believe to be a legitimate feature of vBulletin), can an admin please add

Code:

deny from 188.143.

to .htaccess (or forum-level IP blacklist if server-level blacklisting isn't possible)?

Doing that will block potentially 65,000 IP addresses. The company who owns the entire class B netblock 188.143.0.0/16 is a company in Amsterdam called RIPE. They own the address space and have leased at least 188.143.232-235.0/24 to some Russian ISP or hosting provider.

You dont want to block an entire class B network, no one does that... even foreign netblocks.

[James Heinrich]

Quote:

Originally Posted by troy12n

You dont want to block an entire class B network, no one does that... even foreign netblocks.

Well, at least 188.143.232-235 then.
Or, at the very least, the 4 offending IPs noted in this thread:
188.143.232.144
188.143.234.6
188.143.234.14
188.143.235.118

[jay124]

I just received one to.
Oh the fun
Jason

[JMC]

At what point does someone of importance step in and say "no need to worry, we are working this issue"?

[JRMDC]

I suspect this is not within RP's control. In fact, they are doing what needs to be done, they are blocking further log-in attempts.