Somebody's trying to hack ITT


cjtenny
08-08-2007, 11:59 AM
Well, I got an email 30 mins ago saying that my account was locked down because 74.53.243.34 had been trying to log into my account. After doing a WHOIS lookup on them, I found that they had tried it with somebody else's account too: http://and-novikoff.livejournal.com/90592.html .

Hmm.

cjtenny
08-08-2007, 12:07 PM
If you visit them on port 80 you get a password request. They're also running Microsoft FTP server. Anonymous isn't open. Hmm.

bsterix
08-08-2007, 12:08 PM
I got the same mail

adammelancon
08-08-2007, 12:21 PM
I got the same email too

Rebski
08-08-2007, 12:25 PM
I got an "Hello, I'm new here and just wanted to say "hi" " pm.

adammelancon
08-08-2007, 12:36 PM
I got an "Hello, I'm new here and just wanted to say "hi" " pm.

I got that one too!

HumanPenguin
08-08-2007, 01:29 PM
Yeah I got the Hi PM as well with a load of SPAM.

FirebirdFeuervogel
08-08-2007, 01:40 PM
I'm at work at the moment so I'm not going to bust out and check out the IP like I would if I was at home, but I just wanted to add my two cents. If this IP has been used to attack other accounts and other sites, and yet for some reason is running an FTP server and a server of some sort on port 80, the computer at that IP has probably been hacked itself and is being used to remotely attack sites.

maxinflixion
08-08-2007, 01:49 PM
I got an "Hello, I'm new here and just wanted to say "hi" " pm.

I got that PM as well.

brianez21
08-08-2007, 02:30 PM
I got that PM also, it must somehow be related to this email I have received TWICE! Please, delete his account and ban his IP.

Dear brianez21,

Your account on Internet Tablet Talk Forums has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 74.53.243.34

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:
http://www.internettablettalk.com/forums/login.php?do=lostpw

All the best,
Internet Tablet Talk Forums

chunjaenim
08-08-2007, 02:35 PM
me too. the PM. 2 emails. same IP.

balerno
08-08-2007, 02:35 PM
Well, I got an email 30 mins ago saying that my account was locked down because 74.53.243.34 had been trying to log into my account. After doing a WHOIS lookup on them, I found that they had tried it with somebody else's account too: http://and-novikoff.livejournal.com/90592.html .

Hmm.

Me too, what on earth do they think that they can gain from this type of attack?

curiousj
08-08-2007, 02:38 PM
yet another.

what would this guy gain from having my lame forum account?

Rocketman
08-08-2007, 03:01 PM
This site isn't exactly known for the most proactive administration. The IP needs to get banned immediately and reported to the ISP. Reverse DNS reveals it to be a static IP provided by a hosting company called "The Planet" in Texas. It is likely a compromised rented server, but equally possible it could be a rented server which some script kiddie is using for hacking purposes. I sure hope they didn't rent that server on daddy's credit card, 'cause if they did, they are in for a world of hurt.

unique311
08-08-2007, 03:28 PM
I got the same ******** email also..."Hi i am new here blah blah blah..."
I thought it was a joke, because of a thread I started that was being attacked on the basis that it was thought to be spam.
But I guess not.

brendan
08-08-2007, 03:54 PM
I happen to be a member at forums.remote-exploit.org and both sites gave me that email. Seems like there is something more than meets the eye going on here.

FirebirdFeuervogel
08-08-2007, 04:01 PM
I'm starting to think this might be a fully automated attack; this box might just be trying to brute force forums in general, not for the forum accounts but for the passwords. Logic possibly being that people have a tendency to use the same username and password across multiple websites, and the person behind this is probably hoping that your PayPal account is the same thing as your ITT account. So. Make sure it isn't.

glabifrons
08-08-2007, 04:06 PM
Sounds like 2 things going on here...

1. Brute force attack.
Likely rotating usernames with the passwords in an attempt to keep from getting locked out, but obviously running into dupes too quickly (causing the temporary lockouts).

2. Social engineering(?)
The guy I got the same lame private message from called himself "einstein2".
I'm not sure if there might be something embedded in the message (I didn't bother reading through the HTML), but it did include a link to http://stein.freehostia.com (which is blocked by our proxy). I would not recommend following the link, as it may host malware.
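
As an added example (not part of the original thread, and not the forum software's code), here is detection logic for the pattern discussed in the posts above: a single source failing logins across many accounts, which per-account lockout alone reports only one victim at a time. The "more than 5 failures" and 15-minute values come from the lockout email quoted earlier; the per-source window and threshold, the event tuple format, the addresses and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILS = 5                          # per-account threshold from the lockout email
LOCK_FOR = timedelta(minutes=15)       # lock duration from the lockout email
SPREAD_WINDOW = timedelta(minutes=10)  # assumed per-source look-back window
SPREAD_ACCOUNTS = 3                    # assumed: distinct accounts failed from one IP

def analyse(events):
    """events: (timestamp, ip, username, ok) tuples sorted by time.
    Returns ({locked username: lock expiry}, {source IPs flagged for spread})."""
    fails = defaultdict(int)     # username -> failures since last success/lock
    locked = {}                  # username -> lock expiry
    recent = defaultdict(deque)  # ip -> (timestamp, username) of recent failures
    flagged = set()
    for ts, ip, user, ok in events:
        if ok:
            fails[user] = 0
            continue
        fails[user] += 1
        if fails[user] > MAX_FAILS:          # "more than 5 times"
            locked[user] = ts + LOCK_FOR
            fails[user] = 0
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > SPREAD_WINDOW:
            q.popleft()                      # drop failures outside the window
        if len({u for _, u in q}) >= SPREAD_ACCOUNTS:
            flagged.add(ip)                  # one source, many accounts
    return locked, flagged

def sample_events():
    """Constructed data: one source cycling through three accounts,
    plus an unrelated member who mistypes twice and then logs in."""
    t0 = datetime(2007, 8, 8, 11, 0, 0)
    names = ["alice", "bob", "carol"]
    ev = [(t0 + timedelta(seconds=20 * i), "203.0.113.7", names[i % 3], False)
          for i in range(18)]
    ev += [(t0 + timedelta(seconds=5), "198.51.100.20", "dave", False),
           (t0 + timedelta(seconds=15), "198.51.100.20", "dave", False),
           (t0 + timedelta(seconds=30), "198.51.100.20", "dave", True)]
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    locked, flagged = analyse(sample_events())
    print("locked accounts:", sorted(locked))
    print("flagged sources:", sorted(flagged))
```

On the constructed data the per-source rule flags the address after its third failed attempt, several minutes before any single account reaches the lockout threshold.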

Reggie
08-08-2007, 04:35 PM
I'm investigating the problem and have just blocked the IP from the firewall.

Thanks.

luketoh
08-09-2007, 03:44 AM
same, i got an email from einstein2

Hello,
I'm new here and just wanted to say "hi"

How's it going?

"Buddhism has the characteristics of what would be expected in a cosmic religion for the future: it transcends a personal God, avoids dogmas and theology; it covers both the natural & spiritual, and it is based on a religious sense aspiring from the experience of all things as a meaningful unity" - Albert Einstein

---
einstein2
http://stein.freehostia.com

Frankowitz
08-09-2007, 05:23 AM
same, i got an email from einstein2

I got that mail too, Luke. I deleted it as I thought someone was playing a joke on me.
Looking a bit further at the link at the end of the message:

'Site stein.freehostia.com blocked; this is a known spyware/adware website.'

So don't visit.

Tragos
08-09-2007, 10:16 AM
I just got this private message from "einstein2", too. Let's see how soon my account is locked...

sondjata
08-09-2007, 10:48 AM
I got the message this morning.

boon
08-09-2007, 10:57 AM
I reported this activity to abuse@theplanet.com yesterday.

Schnoidz
08-13-2007, 02:13 PM
I got the "Hi" message once on July 7th. My account was not locked.