Author Topic: Attempted hacking  (Read 1220 times)

Seenkao

  • Hero Member
  • *****
  • Posts: 718
    • New ZenGL.
Attempted hacking
« on: September 03, 2025, 08:33:26 pm »
Hello everyone!
I understand that it may be useless to write here. But maybe it will help someone.

I have repeatedly received emails saying that I am changing my password on this forum, with a link to follow. The last time was six months ago, and now it has started again.

What I would like to warn you about: do not follow the link if you have not personally tried to change your password. Some people may follow the link through carelessness, and most likely your account will be hacked this way.
Just be careful!
I strive to create applications that are minimal and reasonably fast.
Working on ZenGL

AlexTP

  • Hero Member
  • *****
  • Posts: 2624
    • UVviewsoft
Re: Attempted hacking
« Reply #1 on: September 03, 2025, 08:41:07 pm »
I never got such emails for the forum. For my personal site - yes, several times.

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 12536
  • FPC developer.
Re: Attempted hacking
« Reply #2 on: September 03, 2025, 09:04:40 pm »
I also got one. I also got one for a Microsoft account. Probably they are trying passwords obtained from data leaks.

Make sure you use complex and unique passwords for each site.

BeniBela

  • Hero Member
  • *****
  • Posts: 947
    • homepage
Re: Attempted hacking
« Reply #3 on: September 03, 2025, 11:35:16 pm »
Actually I received three spam mails to the email address I used to register here. First one in 2020. I don't think I used that address anywhere else.

Maybe the forum was hacked.


Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 11824
  • Debugger - SynEdit - and more
    • wiki
Re: Attempted hacking
« Reply #4 on: September 03, 2025, 11:57:10 pm »
Quote from: BeniBela
Actually I received three spam mails to the email address I used to register here. First one in 2020. I don't think I used that address anywhere else.
Maybe the forum was hacked.

I have 2 emails (2 accounts / one for testing) here, one of the emails is used elsewhere, the other isn't. Neither has yet received anything (and neither has an active spam filter).

However, neither of my accounts has "Allow users to email me" enabled (so when you look at contacting me, you can PM me, but not send an email).
While that feature does not show the email address, I do not know if SMF can be tricked, or if an email could be malformed to trick someone's receiving email server to send an error back that may reveal the target address. And even if not, if you or anyone did exchange emails related to the forum, those are in the other person's email/address book, and could be hacked from there too. (I do get other spam, the content of which clearly knows e.g. what I have mailed to someone 10 years ago).

But then I can only speculate. The "admin" position is only admin of the SMF functions (boards, menus, moderation), not installing, nor the server itself.

BeniBela

  • Hero Member
  • *****
  • Posts: 947
    • homepage
Re: Attempted hacking
« Reply #5 on: September 04, 2025, 01:19:14 pm »

Quote from: Martin_fr
However, neither of my accounts has "Allow users to email me" enabled (so when you look at contacting me, you can PM me, but not send an email).
While that feature does not show the email address, I do not know if SMF can be tricked, or if an email could be malformed to trick someone's receiving email server to send an error back that may reveal the target address.

Maybe they used that.

But if someone sends me an email with it, it would have to show in the emails that it was sent via the forum, right?

There was no mention of it in it and the emails were in German.

Quote from: Martin_fr
And even if not, if you or anyone did exchange emails related to the forum

I didn't do that, just private messages in the forum.

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 11824
  • Debugger - SynEdit - and more
    • wiki
Re: Attempted hacking
« Reply #6 on: September 04, 2025, 01:37:42 pm »
It seems to carry little extra info. The from header:
Code: Text
  From: "foo@bar.com" <forumadmin@lazarus-ide.org>

And a reply-to header.

Didn't get any real info, other than the name in the From field. Not sure what options SMF has... Have to forward that question.
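
A triage check for mails like the ones discussed in this thread, as an added example that is not part of any post and is not SMF's code: it looks at the From display name, the Reply-To header and the hosts of the links in the body. The host `forum.example.org`, the sample message and the finding names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample, not a real forum mail; all hosts are placeholders.
SAMPLE = (
    'From: "foo@bar.com" <forumadmin@forum.example.org>\n'
    "Reply-To: someone@mail.example.net\n"
    "Subject: Password reminder\n"
    "\n"
    "Reset here: https://forum.example.org.login-check.example.net/reset?u=1\n"
)

def body_text(msg):
    """Concatenate all text parts, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(raw.decode(charset, "replace"))
    return "\n".join(chunks)

def triage(raw_mail, expected_host):
    """Return review findings for a mail claiming to come from expected_host."""
    msg = message_from_string(raw_mail)
    findings = []
    name, sender = parseaddr(msg.get("From", ""))
    # Display name that is itself an address, different from the real sender.
    if "@" in name and name.lower() != sender.lower():
        findings.append("display-name-is-another-address")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender.lower():
        findings.append("reply-to-differs-from-sender")
    for url in URL_RE.findall(body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        # Exact host or a true subdomain only; a substring match is not enough.
        if host != expected_host and not host.endswith("." + expected_host):
            findings.append("link-to-other-host:" + host)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "forum.example.org"):
        print(finding)
```

The findings are prompts for a closer look, not a verdict: a forum's member-to-member mail feature can legitimately set a Reply-To that differs from the sender.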

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 12536
  • FPC developer.
Re: Attempted hacking
« Reply #7 on: September 04, 2025, 02:10:01 pm »
I seem to have gotten a genuine password reset reminder from the forum.

In that message is also the IP that triggered the forgotten password mail, that traces to Yekaterinburg, Russia. (where I'm not at, obviously)

Thaddy

  • Hero Member
  • *****
  • Posts: 18363
  • Here stood a man who saw the Elbe and jumped it.
Re: Attempted hacking
« Reply #8 on: September 04, 2025, 03:08:50 pm »
@marcov
I just - right now - got one of those and surprisingly, traced to the same (Well, Sverdlovsk oblast area, where Yekaterinburg is). That means it is also a bit amateurish if it is indeed from that province.
(Doesn't mean I changed my 20 year old password anyway, but through my profile, not the link.)
« Last Edit: September 04, 2025, 03:15:48 pm by Thaddy »
Due to censorship, I changed this to "Nelly the Elephant". Keeps the message clear.

BeniBela

  • Hero Member
  • *****
  • Posts: 947
    • homepage
Re: Attempted hacking
« Reply #9 on: September 05, 2025, 12:59:17 am »
Quote from: Martin_fr
It seems to carry little extra info. The from header:
Code: Text
  From: "foo@bar.com" <forumadmin@lazarus-ide.org>
And a reply-to header.

The emails did not have these headers.

duralast

  • New Member
  • *
  • Posts: 43
Re: Attempted hacking
« Reply #10 on: September 05, 2025, 06:30:30 am »
Quote from: marcov
Make sure you use complex and unique passwords

This is not necessary.

Quote
NIST guidance recommends that a password should be at least 15 characters long. At 100 billion guesses per second, it would take a computer more than five hundred years to guess all the possible combinations of 15 lowercase letters.

Quote
NIST recommends avoiding the mandatory inclusion of special characters, uppercase letters, or symbols in passwords. Instead, the focus shifts to encouraging users to create long, memorable phrases.

NIST uses an example of a sufficiently secure password as "cassette lava baby" since it is 18 characters long.
Stanford University recommends pass phrases of no less than 15 characters and no more than 25 characters.

fluffy monkeys racing walnuts
is just as secure as 7Hu&/3bwI!_Oa@q and is also more memorable. NIST and Stanford also no longer recommend changing passwords every 90 days and say only to change it if it's been compromised.

Seenkao

  • Hero Member
  • *****
  • Posts: 718
    • New ZenGL.
Re: Attempted hacking
« Reply #11 on: September 05, 2025, 01:42:02 pm »
Quote from: marcov
I seem to have gotten a genuine password reset reminder from the forum.
In that message is also the IP that triggered the forgotten password mail, that traces to Yekaterinburg, Russia. (where I'm not at, obviously)

Last IP:
94.140.136.12 (Yekaterinburg, Russia)

IPs that were in June (it turns out that not even half a year has passed):
IP: 2001:41d0:a:58d1::168f:ec53 (France)
IP: 51.79.22.176 (Canada, twice)

I'm not sure if this will help.
I strive to create applications that are minimal and reasonably fast.
Working on ZenGL

 
