Important security notice about your CodeWalrus account

[brentmaas]

90.11.159.131 and 80.119.166.103 were located as Billère and Tarbes to me, both southern france/pyrenées

[Dream of Omnimaga]

Strange that WHOIS info is different for two of us

Where did you get that info Brentmaas? I used http://iptrace.in

[Keoni29]

A smart attacker would try to leave no trace back to his own ip. These suspicious ip's in the logs come from attacks carried out by infected machines, via a vpn or the attacker is not smart.

[Dream of Omnimaga]

But how would an infected machine carry out such large scale attack without human intervention?

[Keoni29]

Usually these infected machines are listening on an IRC channel waiting for the command to attack.

[brentmaas]

Strange that WHOIS info is different for two of us

Where did you get that info Brentmaas? I used http://iptrace.in

http://yougetsignal.com
It has a couple of tools which are free to use.

[alexgt]

Do you think the attacker will be able to breach CW or no?

EDIT: it may be a little off topic but it was said in the first post something about a contest?

[novenary]

I don't think so, hopefully we reacted fast enough to change all of our passwords, at least for those who used the same as on omni. We should be fine.

As for the contest, yes, there is an upcoming contest.

[alexgt]

I thought so but is kinda weird that someone would go through all that effort just to get at the calc community. They must really hate us

[Ivoah]

I'm definitively thinking that 24.144.160.11 was a legit user (Ivoah most likely). It might be a public internet hotspot from which Ivoah is unable to post, which could explain why he has no single post on record from there. Pennsylvania seems plausible, considering where Ivoah comes from (not too far from Pennsylvania, New York and New Jersey AFAIK, and I heard from New York Rangers/Islanders fans that it doesn't take long to commute between those areas). So his account is safe.

But yeah, from what I recall, the main attacker IP is from Toulouse, Midi-Pyrenées, while the second is from Paris, Ile-de-France, both located in France.

That was probably me trying to log into my account on my dad's iPad while on a car trip to a college in Pensylvania

[Dream of Omnimaga]

Thanks for checking that out Ivoah.

[Dream of Omnimaga]

WARNING: I think HP Museum was also hit, but I am not sure.

Someone has changed my forum account there and it's entirely possible that I was using the same password there as I did on Omnimaga.

It took me multiple password reset attempts before the password reset tool finally works


You might want to check your HP Museum accounts at http://www.hpmuseum.org/forum/ in case you were attacked.

[Dream of Omnimaga]

@Streetwalrus ever since we updated login security, I notice an increase in failed login attempts in the logs from legit users/IP addresses. @rwill also reported that he got incorrect password errors even when entering the right password until a few tries and while the latter might be due to Holidays, online users in the last 7 days have decreased from 70 to 50 in less than a week. Mind notifying @Sorunome so he investigates in case his mod might be the culprit?

[Sorunome]

[...]
Mind notifying @Sorunome so he investigates in case his mod might be the culprit?

In order to debug if it is related to the mod i'd need network logs of these failed login attempts, including timestamps and stuff. The password should be encrypted anyways but feel free to strip out the encrypted password on top of that.

[Dream of Omnimaga]

* DJ Omnimaga pokes @Juju and @Streetwalrus to share the logs, then.