Quit trying to log into my account! I’m not dead!

[5555624]

I don’t log in for a couple of months — I couldn’t or wasn’t allowed to ride for a while — and I suddenly get a message:

Failed Login Notification on Washington Area Bike Forum

Someone has tried to log into your account on Washington Area Bike Forum with an incorrect password at least 5 times. This person has been prevented from attempting tologin to your account for the next 15 minutes.

The person trying to log into your account had the followingIP address: 188.143.232.144

My first thought was who wants to log in as an old, slow, fat guy? (Personally, I blame Certifried, since he probably got caught trying to blame me for something and it was right after I was forced to shave off the beard, so I didn’t look like his evil twin.)

I didn’t have a heart attack. I woke up after surgery. I wasn’t paralyzed. All that matters is I am back on the bike as if nothing happened.

Topic

[Dirt]

Welcome back, numeric one.

[rcannon100]

@5555624 52231 wrote:

The person trying to log into your account had the followingIP address: 188.143.232.144[/INDENT]

I got bad news for you…. well for Tim. That IP number is from the Russian Federation, Petersburg Internet Network ltd. That was a hack attack on the forum.

Tim, if you can do it, you might try to turn on IP address filtering – and block IP addresses from… say…. Russia. (not sure if that is a feature in this software).

[jrenaut]

On the other hand, if your hacker isn’t smart enough to spoof his IP, he’s probably not hacking the forum.

[mstone]

@jrenaut 52236 wrote:

On the other hand, if your hacker isn’t smart enough to spoof his IP, he’s probably not hacking the forum.

1) IP spoofing doesn’t really work like that
2) There’s no guarantee that IP actually belongs to an attacker
3) Why would an attacker take additional steps if they aren’t necessary for success?

[jrenaut]

My point was that blocking a range of IP addresses isn’t likely to stop anyone who was likely to be successful in the first place, and I don’t like the idea of blocking large countries or regions from the forum just because some a**hats think it’s fun to hack websites.

[Steve]

Maybe Ovechkin was trying to reconnect after heading back to Mother Russia?

[rcannon100]

Dont lock your house; they will just bust down the door.

Hackers, particularly the Russians, its an industry by now. That have large groups of people who are employed to probe for vulnerabilities. It’s piece meal work. This hacker came to this forum, identified accounts that are inactive and therefore would not rise suspicion – and then pounded on the door. Most likely this wasnt the only account that was pounded on (Tim may have logs that can confirm that).

For the hack to work, the IP address could not be spoofed. The hacker had to receive a return message to know whether the hack worked and the hacker was in. The hacker could have gone through a proxy (or a zombie), but the IP number pretty much had to be real.

Cybersecurity is much like any form of security. Perfect security is difficult. You are simply making it more expensive to come in your door than the next guys door. When the next guy is an easier target, that’s where the dark hat will go.

As for blocking Russia…. really? This is a local bike forum. What possible difference would it make. We can balance someone in Leningrad know about the Third Thursday Happy Hour against securing the forum from spam. I think the math is simple.

[83b]

FWIW: I got the same email last night.

“Dear 83(b),

Someone has tried to log into your account on Washington Area Bike Forum with an incorrect password at least 5 times. This person has been prevented from attempting to login to your account for the next 15 minutes.

The person trying to log into your account had the following IP address: 188.143.232.144

All the best,
Washington Area Bike Forum”

[Joe Chapline]

This is the third unsuccessful attempt, that we know of, to log into a forum member’s account. As far as we know, there have been no successful attempts, and no damage done. If anyone receives a message like the one 5555624 quoted to start this thread, please forward to info@bikearlington.com. We will block the specific IP that was used in the attempt. I don’t know if it will help — many of the hackers we deal with apparently have access to all the IP addresses they need. I’ll block this one now, and do some research today into why this might be happening.

[jrenaut]

I will not believe that there exists a country, city, town, or even neighborhood on this planet that would not want to share in the wisdom of this forum.

[Bilsko]

The IP lookup info for that address is all over the place – some lookups return an IP in the Russian Fed., registered through Amsterdam and others show it registered to some guy in Tomteboda, Sweden.

As much of a hassle as it always is, it’s probably time to change your passwords folks. Some good advice

[PotomacCyclist]

On a related note, there used to be a mysterious account on the forum. That person signed up a couple years ago but never posted anything. How did I learn about him? I noticed that he had visited my profile. I also saw that he visited a lot of other people’s profiles. Could have been just a curious lurker, except for the fact that his profile page was a list of spam links advertising various non-bike products.

It was strange for a spammer to use a profile page to post spam, but not on the forum itself. It was also creepy that he seemed to be monitoring active accounts of other people. I reported that profile and it was later deactivated.

I don’t know what that person’s ultimate plan was or how it would have worked, but he was clearly up to no good.

[jabberwocky]

@PotomacCyclist 52347 wrote:

It was strange for a spammer to use a profile page to post spam, but not on the forum itself. It was also creepy that he seemed to be monitoring active accounts of other people. I reported that profile and it was later deactivated.

I believe its a form of search-engine bombing; by creating a ton of accounts on forums that let user profiles be publicly viewed, and then putting spam links in the signatures of those accounts, the spammer gets their links all over the internet. And if they never post, it generally gets overlooked. Viewing other peoples profiles might have been a way to increase the links pointing back to the spam profile (since your profile is viewable publicly, and now your profile will include a link to the spam profile, that profile is seen as more important by search engines).

I dealt with this on a forum I helped admin a while back. The solution is to disallow html links in signatures until a certain post threshold is met, or simply make profiles unviewable unless logged in (in which case search engines can’t see them).

[PotomacCyclist]

The post threshold would work for that guy’s strategy, but the log-in requirement wouldn’t. When I checked on the profile, I noticed that he had logged in recently, within the past few days. This was two years after the profile was created, so he was doing some sort of maintenance on the account. He was also actively monitoring other accounts. I know this because our profiles only show the last 10 people to look at our profiles. Those lists change frequently, except for the spam profile. His name was always there.

At first, I didn’t think anything of it. I just thought it was odd because the name was unusual (even for a spammer) and I never saw that person post on the forum. Then finally I got curious and looked at the profile. That’s when I discovered that he was monitoring other people and including spam on his profile page.

[Author]

Replies