Author Topic: FYI... Getting emails: "Failed Login Attempt" for EEVblog  (Read 2507 times)

Offline boB (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 312
  • Country: us
    • my work www
FYI... Getting emails: "Failed Login Attempt" for EEVblog
« on: March 12, 2020, 09:43:02 pm »

FYI   I have had several automatic emails in the last couple of weeks with this subject and IP address.

Two came up today and several last week or the week before.

Not sure why or who Zacharymit  might be ?  Searched for  Zacharymit  but no posts came up.

Wondering if anybody else has seen something like this recently ?

boB




Hello boB,
We have detected a failed login attempt on your account.

Matched forum members with same ip address:
Zacharymit


IP address of the failed login attempt: 77.243.11.58


On 3/12/2020 3:11 AM, EEVblog Electronics Community Forum wrote:
> Hello boB,
> We have detected a failed login attempt on your account.
>
>
>
> IP address of the failed login attempt: 77.243.11.58
>

K7IQ
 

Offline Cyberdragon

  • Super Contributor
  • ***
  • Posts: 2676
  • Country: us
*BZZZZZZAAAAAP*
Voltamort strikes again!
Explodingus - someone who frequently causes accidental explosions
 
The following users thanked this post: boB

Offline Domagoj T

  • Frequent Contributor
  • **
  • Posts: 505
  • Country: hr
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #2 on: March 12, 2020, 10:28:03 pm »
You might want to check this:
https://haveibeenpwned.com
 
The following users thanked this post: boB

Offline boB (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 312
  • Country: us
    • my work www
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #3 on: March 13, 2020, 02:12:31 am »
Hmmm...

https://whatismyipaddress.com/ip/77.243.11.58

That's the first thing I did I think.  Didn't think too much of it until it happened another time.

I was just mentioning that someone was trying to login as me
K7IQ
 

Offline boB (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 312
  • Country: us
    • my work www
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #4 on: May 15, 2021, 08:24:01 pm »



This is happening again today.  Several login attempts.   Just an FYI in case others are seeing this activity on their accounts here.

failed login attempt  all from the same IP address...

FROM:

do_not_reply@eevblog.com

Hello boB,
We have detected a failed login attempt on your account.

IP address of the failed login attempt: 78.106.87.3


K7IQ
 

Offline eti

  • Super Contributor
  • ***
  • !
  • Posts: 1801
  • Country: gb
  • MOD: a.k.a Unlokia, glossywhite, iamwhoiam etc
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #5 on: May 15, 2021, 08:40:23 pm »
78.106.87.3 seems to be Germany. I can ping and traceroute it fine.
 
The following users thanked this post: boB

Offline boB (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 312
  • Country: us
    • my work www
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #6 on: May 15, 2021, 09:54:45 pm »
> 78.106.87.3 seems to be Germany. I can ping and traceroute it fine.

I wouldn't doubt it !     I'm not worried about it but still...

Nothing to get from me here except maybe to be able to spam the forum if they happen to guess my credentials ?

Just curious if I am the only one trying to be hacked ?   If you can even call it hacking ?

K7IQ
 

Offline Black Phoenix

  • Super Contributor
  • ***
  • Posts: 1129
  • Country: hk
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #7 on: May 16, 2021, 10:42:04 am »

> I wouldn't doubt it !     I'm not worried about it but still...
>
> Nothing to get from me here except maybe to be able to spam the forum if they happen to guess my credentials ?
>
> Just curious if I am the only one trying to be hacked ?   If you can even call it hacking ?

No reports from my part for example. Probably someone got hold of your username and is trying to brute force it. It would not be bad to report it to the Admins for them to block the IPs.
 

Offline fordem

  • Regular Contributor
  • *
  • Posts: 234
  • Country: gy
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #8 on: May 16, 2021, 04:11:14 pm »
Forum admins/moderators generally avoid blocking ip addresses - ip addresses, especially ipv4 addresses are the property of the ISP and are usually not assigned to a specific subscriber, this means that one ip address can be used by numerous people, blocking that one address can affect all of them.

I'm not saying don't alert the admins, just don't be too disappointed if they choose not to block the address.
 

Offline Xenon

  • Contributor
  • Posts: 19
  • Country: nl
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #9 on: December 31, 2021, 09:42:36 am »
Another one here, twice in one minute.
Hello Xenon. We have detected a failed login attempt on your account. IP address of the failed login attempt: 92.97.12.155

That ip is located in Dubai. I'm not even close to that location.
As long as the attempts keep failing I'm not worried.
« Last Edit: December 31, 2021, 09:47:44 am by Xenon »
 

Offline RJSV

  • Super Contributor
  • ***
  • Posts: 2121
  • Country: us
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #10 on: January 03, 2022, 02:41:28 am »
   Of course, cause for being alert, but ...
   That could be an attempt, for now to just get (you) to reply, or, since you can't (?),  Perhaps next they would send a more 'urgent' status, like, (perhaps):
   "We've now detected three, (3), partial logins on your account. Your data is now in jeopardy, please reply now, for download fix code ...".
Something bogus like that. The play being, that you are 'grateful', to supply your password, etc.
 

Offline boB (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 312
  • Country: us
    • my work www
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #11 on: June 08, 2022, 11:44:58 pm »
Got another email from EEVblog today...

Hello boB,
We have detected a failed login attempt on your account.

Matched forum members with same ip address:


IP address of the failed login attempt: 46.161.11.89

K7IQ
 

Offline Ian.M

  • Super Contributor
  • ***
  • Posts: 12856
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #12 on: June 09, 2022, 12:08:50 am »
*None* of the user names I've tried to search for from the above list are valid.  Try some yourself.  https://www.eevblog.com/forum/mlist/?sa=search

Maybe that just shows our moderator team are excellent at bouncing malicious users, but IMHO it would be a *VERY* good idea to verify the email you received is genuine, in case RJH is correct and someone is trying to set you up to try to scam you for your EEVblog login.  To do so you need the help of a moderator by PM to advise how to submit the email for Dave or Gnif to examine the raw email headers and body, and match it to the server logs.  *DON'T* post the headers anywhere public!
« Last Edit: June 09, 2022, 12:13:36 am by Ian.M »
 
The following users thanked this post: boB

Online T3sl4co1l

  • Super Contributor
  • ***
  • Posts: 21675
  • Country: us
  • Expert, Analog Electronics, PCB Layout, EMC
    • Seven Transistor Labs
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #13 on: June 09, 2022, 12:38:50 am »
Could also be VPNs, though maybe I'd expect a few random legit users are using random VPNs so maybe there should be a few results in that case (or maybe not, there are a lot of VPN servers out there?).

Tim
Seven Transistor Labs, LLC
Electronic design, from concept to prototype.
Bringing a project to life?  Send me a message!
 
The following users thanked this post: boB

Offline boB (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 312
  • Country: us
    • my work www
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #14 on: June 09, 2022, 01:59:37 am »
Yep, those names do look bogus, don't they ?  Not sure why.

The return address "says" it is from do_not_reply@eevblog.com

I would think that there are plenty of folks here that understand more than I do about this.

A partial part of the header says received from :

from [192.200.109.226] ([192.200.109.226:44348] helo=cpanel1.eevblog.com) by smtp14.gate.ord1d.rsapps.net (envelope-from <eevblog@eevblog.com>) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 98/18-16649-28E11A26; Wed, 08 Jun 2022 18:11:14 -0400

Doing a Trace Route I get...

C:\Users\boBWin10Fast>tracert 192.200.109.226

Tracing route to cpanel1.eevblog.com [192.200.109.226]
over a maximum of 30 hops:

  1     2 ms     2 ms     2 ms  router.asus.com [192.168.50.1]
  2    22 ms    20 ms    17 ms  10.61.243.130
  3    14 ms    24 ms    11 ms  24.153.84.237
  4     9 ms    10 ms     9 ms  69.139.162.214
  5    10 ms    10 ms    10 ms  69.139.160.245
  6    10 ms    10 ms    12 ms  24.124.128.249
  7    13 ms    12 ms    16 ms  24.124.128.122
  8    11 ms    11 ms    10 ms  be-36121-cs02.seattle.wa.ibone.comcast.net [68.86.93.5]
  9    10 ms    11 ms    23 ms  be-2201-pe01.seattle.wa.ibone.comcast.net [96.110.39.206]
 10     *        *        *     Request timed out.
 11    20 ms    14 ms     *     port-channel4.core2.pdx1.he.net [184.105.64.138]
 12    40 ms    39 ms     *     port-channel1.core2.slc1.he.net [184.105.80.114]
 13    40 ms    39 ms    42 ms  100ge1-1.core1.slc1.he.net [184.105.80.113]
 14    40 ms    40 ms    39 ms  webnx-inc.100gigabitethernet0-25.switch2.slc1.he.net [64.71.130.42]
 15    40 ms    41 ms    41 ms  104-250-156-210.static.gorillaservers.com [104.250.156.210]
 16    41 ms    39 ms    41 ms  cpanel1.eevblog.com [192.200.109.226]

Trace complete.


So, from this at least, it looks legit.  I don't know how good people can spoof these days but I have a feeling this is correct.

gorillaservers.com   was another name I saw when doing a whois on an IP in the header so that makes sense.

Comcast/xfinity  is my internet provider here north of Seattle and those are the first several hops.

boB

« Last Edit: June 09, 2022, 02:02:20 am by boB »
K7IQ
 

Offline Ian.M

  • Super Contributor
  • ***
  • Posts: 12856
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #15 on: June 09, 2022, 03:18:56 am »
> Yep, those names do look bogus, don't they ?  Not sure why.
Too many look like 'alphabet soup', as one would expect of a spambot using character level random name generation.  I checked several of the more human sounding ones.

Gorillaservers are in the dedicated server business, and as of 2021, was/is the EEVBLOG datacenter provider (Ref: https://www.eevblog.com/forum/chat/the-big-eevblog-server-fire/ ), so the IP address you tracerted is almost certainly one of the genuine EEVblog servers.  However that doesn't tell you much as email is routed via a series of 'hops' any one of which could theoretically inject fake headers and content, so without access to the server logs, or other known genuine emails from the same source (hint: turn on some notifications) you have to trace back up the chain of Received: headers checking each is valid for the organization it purports to be a mail server of, rather than being some random user-land IP pool address with a box pwned by a botnet on it.  If you've got known good headers to compare to, look closely at the differences in the Received: headers chain.

See https://alyninc.com/2018/11/10/email-headers-what-can-they-tell-the-forensic-investigator/ for a quick intro to the details.

*DON'T* post more of the headers publicly here as having genuine headers to spoof would significantly help any intelligent 'black hat' spear phishing EEVblog members in your region, and can give away far too many clues to your real identity.
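
The comparison against known-good headers described in the post above, as an added example that is not part of the original post or the forum's software. It extracts the peer IP, the HELO name and the receiving server from each Received: header and lists the differences between two messages; the reference hop is abridged from the line already quoted in this thread, and the suspect message is constructed.

```python
import re
from email import message_from_string

# Reference message: the Received line is abridged from the one quoted in this
# thread; using it as the known-good sample is an assumption of this example.
KNOWN_GOOD = (
    "Received: from [192.200.109.226] ([192.200.109.226:44348]"
    " helo=cpanel1.eevblog.com)\n"
    " by smtp14.gate.ord1d.rsapps.net (envelope-from <eevblog@eevblog.com>)\n"
    " with ESMTPS; Wed, 08 Jun 2022 18:11:14 -0400\n"
    "From: do_not_reply@eevblog.com\n"
    "Subject: Failed Login Attempt\n"
    "\n"
    "We have detected a failed login attempt on your account.\n"
)
# Constructed suspect: same HELO claim, but the receiving server recorded a
# different peer address (203.0.113.7 is a documentation-range placeholder).
SUSPECT = KNOWN_GOOD.replace("192.200.109.226", "203.0.113.7")


def received_hops(raw):
    """Return one dict per Received: header, newest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})", value)  # seen by receiver
        helo = re.search(r"helo=([^\s)]+)", value)             # claimed by sender
        by = re.search(r"\bby\s+(\S+)", value)                 # server that logged it
        hops.append({
            "ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None,
            "by": by.group(1) if by else None,
        })
    return hops


def compare_chains(known_good, suspect):
    """List every per-hop field where the suspect differs from the reference."""
    good, sus = received_hops(known_good), received_hops(suspect)
    findings = []
    if len(good) != len(sus):
        findings.append(f"hop count differs: {len(good)} vs {len(sus)}")
    for i, (g, s) in enumerate(zip(good, sus)):
        for field in ("ip", "helo", "by"):
            if g[field] != s[field]:
                findings.append(f"hop {i} {field}: {g[field]} -> {s[field]}")
    return findings
```

The HELO name is whatever the sending machine announced, so it can match the reference while the IP recorded by the receiving server does not; the IP on the hop written by your own provider is the field to weigh.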
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #16 on: June 09, 2022, 07:47:16 am »
I searched for some of those users and they appear in the banned/blocked list. Mostly because they registered an account but they got blocked by the spam trap.

When spammers can't successfully register, they might try to access the accounts of legitimate users.

My advice is:
1. Use a good password not used anywhere else (and one that hasn't previously been involved in a data leak, check here: https://haveibeenpwned.com/Passwords)
2. Enable multi-factor authentication on your forum account (Profile > Summary > Modify Profile > Two-Step Authentication).
 
The following users thanked this post: boB, Ian.M
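
How the leaked-password check recommended in the post above can be done without sending the password anywhere, as an added example that is not part of the original post. It follows the Pwned Passwords range lookup (only the first five hex characters of the SHA-1 are sent to `https://api.pwnedpasswords.com/range/<prefix>`); the response body below is constructed so the block runs offline, and the counts in it are made up.

```python
import hashlib

# Constructed stand-in for the body returned by a range lookup on prefix 5BAA6:
# one "SUFFIX:COUNT" line per known hash. A count of 0 marks a padding line.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1E4D7A3C0B5E9F2A6D8C4B1E7F3A9D5C2B0:0
"""


def split_hash(password):
    """Return (prefix, suffix): the prefix is queried, the suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, range_body):
    """Count of breaches listing this password, given the range response body."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # 0 here means the match was only a padding line
    return 0
```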

Offline boB (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 312
  • Country: us
    • my work www
Re: FYI... Getting emails: "Failed Login Attempt" for EEVblog
« Reply #17 on: June 09, 2022, 05:06:01 pm »
> I searched for some of those users and they appear in the banned/blocked list. Mostly because they registered an account but they got blocked by the spam trap.


Yes !   That makes total sense !

I see the same kind of random-ish names on my company's web forum that I have banned.

Thank you

boB  🌜
K7IQ
 

