Spam?

[Paolo]

Hello,

I have recieved right now this message :

This mail was sent because the 'forgot password' function has been applied to your account. To set a new password, click the following link:

Is it really sent by Lazaus admin ?

[PascalDragon]

I got the same (twice). Maybe someone tries to get access to the user accounts? 🤔

[rvk]

Same. Also twice.
https://forum.lazarus.freepascal.org/index.php/topic,73810.0.html

[Paolo]

Yes, twice

[Paolo]

Is there the risk after several failed login attempt my account is blocked ? 

[dbannon]

Yes, me too. But I don't know what their angle is. The link they want me to click looks genuine -

Code: [Select]

https://forum.lazarus.freepascal.org/index.php?action=reminder;sa=setpassword;u=60561;code=....and clearly my account has not been reset (or I could not post this).

Header looks sensible (coming from server.lazarus-ide.org [37.97.187.115]).

So, what do they gain by me clicking on that link, have they compromised the lazarus infrastructure ? A logger in the reset code ...

Edit : maybe someone is just scanning for weak passwords ?
 
Davo

[440bx]

So, what do they gain by me clicking on that link, have they compromised the lazarus infrastructure ? A logger in the reset code ...

Edit : maybe someone is just scanning for weak passwords ?
 
Davo

That's a possibility another is that there may be a hidden logger in your system just waiting for that password change screen to be used.

[dbannon]

That's a possibility another is that there may be a hidden logger in your system just waiting for that password change screen to be used.
[/quote]

Hmm, maybe. But unlikely, given a number of other users are also seeing same issue at present. OK, what if we have all tried some binary posted here in the forum recently ?  Seriously, I cannot think of one I have run ...

Fresnal ?  Has a precompiled library. (Honestly, not suggesting that seriously).

Davo

[440bx]

I just thought it would be worth mentioning that the coin has two sides and, the reason I thought considering the second side (the presence of a key logger in the system) is because not all forum members have gotten such a link (I haven't.)  IOW, maybe a hidden key logger is what the few users that have received the link have in common.  I don't know if that's the case but, I believe it's a possibility to consider.

[dbannon]

Yes, I was (partly) agreeing with you 440, some users of the forum get this message, that indicates the forum is a common factor (or fpc/lazarus is). Is that mechanism -

• A downloaded application posted to the forum ? "Please test this binary and report what you see".
• Similar but riskier, "please compile and run this code ..."
• Please test the application at this link http:....."

In each case, the trojan would start a logger, running as e.g. me. It would need to send my ID back home and then, trigger a bogus email. Fail if my local ID differs from the one on the forum.

Seems like a lot of trouble to break into my non-privileged account on the forum. But they might get lucky a hit an admin who uses same credentials to commit to, eg, FPC. Perhaps ?

More likely some one trying to guess a password, when the offer to reset was made, they thought "why not ?".

Either way, a lame sort of attempt IMHO. I have nothing unexpected in my ~/.config/autostart/ directory, think I will reboot and forget about it.

Davo



 

[rvk]

In each case, the trojan would start a logger, running as e.g. me. It would need to send my ID back home and then, trigger a bogus email. Fail if my local ID differs from the one on the forum.

I would expect the trigger for the mail then to be originated from my IP. It isn't.

Dear rvk,
This mail was sent because the 'forgot password' function has been applied to your account. To set a new password, click the following link:
https://forum.lazarus.freepascal.org/index.php?action=xxx

IP: 185.125.171.218
Username: rvk

Regards,
The Lazarus Team.

That's not my IP.

[dbannon]

Nor is it my IP (and my message mentioned the same (ipv4) address), I assumed its the fpc/lazarus server. But it is from gigahost in Norway ?  Is that right ?

Davo

[rvk]

I found a reference to this IP as being used in attacking a website once.

It should be the IP from which the password-reset request originated.

[dbannon]

I found a reference to this IP as being used in attacking a website once.

Gigahost is a significant hosting and data center mob. Be surprising if none of their customers tried something nasty at some stage.
 

It should be the IP from which the password-reset request originated.

Should it ? Still consistent with the theory someone tried to reset our passwords. IMHO.
Davo

[440bx]

But it is from gigahost in Norway ?  Is that right ?

Davo

That's also what I get from whois.