logon attempts from 62.252.64.31


bamabama
06-10-2006, 22:04
One of the boards I used regularly sent me an email.
Account suspended through 5 failed logon attempts. (It wasn't me, I was not even in the house!)
Attempted logon came from 62.252.64.31 which is
lutn-cache-10.server.ntli.net
the DHCP server I am actually using is close to the address (.21) and is
lutn-sacmdhcp-1b.server.ntli.net
My IP address is, of course, miles away from either of these (and the lease has been valid from 11 a.m today).

This is all very strange - and slightly worrying...

Any light anyone ?

(please bear in mind I am not a network bod.)

(it's my day for creating threads apparently...)

P.S. yep have run the usual checks for naughty software virii etc.

Druchii
06-10-2006, 22:43
Someone just tried accessing your account entering passwords they thought were right, just contact the board and explain. All will be well :)

bamabama
06-10-2006, 22:50
> Someone just tried accessing your account entering passwords they thought were right, just contact the board and explain. All will be well :)

Yes but from the same ISP and from a cache machine....(by the looks of it)...

never had this happen before and have not upset anyone on that board (that I know of, of course...)


colour me suspicious...

Druchii
06-10-2006, 22:53
It's not impossible though, I'd leave it this time round, but if it happens again then definitely get worried.

bamabama
06-10-2006, 22:57
I know there have been 'issues' with NTL proxies - not sure what these issues have been but maybe it's worth a poke around about this.... hmmm

As for security - I don't wait for the second hit before investigating. Big fan of Root Cause Analysis.

bamabama
07-10-2006, 13:28
Any NTL techno bods on here care to comment on this ?? please ? ? ?

Graham M
07-10-2006, 14:18
All of NTL's web connections go through proxies, someone on the Luton Proxy server got their password wrong 5 times in a row, simple as that.

Wicked_and_Crazy
07-10-2006, 18:14
> All of NTL's web connections go through proxies, someone on the Luton Proxy server got their password wrong 5 times in a row, simple as that.

sounds more like someone tried to access the OP's account 5 times

Graham M
07-10-2006, 18:17
ah yes, just re-read. Spot on Wicked

bamabama
07-10-2006, 21:54
Just to show my lack of network know how...
How on earth would that register as a logon attempt from the IP address of the proxy - and not the IP address of the person attempting the logon?
I thought that caching proxies were transparent.
If they were not then every user going through that proxy would register as on that same IP address on every website they accessed (not to mention for every ftp they attempted)...and that can't be 'working as designed'.

any Net Heads out there ? ? ? ?

Druchii
07-10-2006, 21:58
Yep, that's how it works with websites that aren't coded to find the user's IP, they rather record the proxy's IP address instead.

It has been known to cause problems with sites like rapidshare.

Graham M
07-10-2006, 22:01
Simply because vBulletin by default isn't set to register the proxy IP
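
What the two replies above describe, as an added example (not part of the thread and not vBulletin's code): a default setup logs the TCP peer, so every user behind the cache appears as 62.252.64.31, while a proxy-aware resolver reads the forwarded address only when the peer is a known proxy. It assumes the proxy adds an `X-Forwarded-For` header; `client_ip`, `naive_ip`, `TRUSTED_PROXIES` and the client addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# The two NTL cache addresses mentioned in the thread; treating them as the
# board's trusted-proxy list is an assumption of this example.
TRUSTED_PROXIES = {ipaddress.ip_address(a) for a in ("62.252.64.31", "62.252.64.32")}

def naive_ip(peer, headers):
    """What a default setup logs: the TCP peer, i.e. the proxy."""
    return peer

def client_ip(peer, headers):
    """Address to log for a request (hypothetical helper).

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy,
    because any direct client can send the header with whatever value it likes.
    """
    if ipaddress.ip_address(peer) not in TRUSTED_PROXIES:
        return peer
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    # Walk right to left: the rightmost entry was appended by the nearest proxy,
    # entries further left may have been supplied by the client itself.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and fall back to the peer
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return peer

# Constructed failed-login requests: (TCP peer, request headers).
FAILED_LOGINS = [
    ("62.252.64.31", {"x-forwarded-for": "203.0.113.7"}),
    ("62.252.64.31", {"x-forwarded-for": "198.51.100.23"}),
    ("62.252.64.31", {}),                                    # proxy added no header
    ("192.0.2.50", {"x-forwarded-for": "198.51.100.23"}),    # header from an untrusted peer
    ("62.252.64.31", {"x-forwarded-for": "10.1.1.1, 203.0.113.7"}),  # client-supplied first hop
]

def logged_sources(resolve):
    """Addresses the lockout e-mail would report under the given resolver."""
    return [resolve(peer, headers) for peer, headers in FAILED_LOGINS]

if __name__ == "__main__":
    print("default  :", logged_sources(naive_ip))
    print("xff-aware:", logged_sources(client_ip))
```

When the proxy adds no forwarded header, the proxy address is all the board can log.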

bamabama
08-10-2006, 15:06
Point !

am chasing up the recording 'ability' of the board in question with the Mods there.
Will get back when I find out.

bamabama
09-10-2006, 09:35
Mods on the board in question came back. Their board is coded correctly, it does not record the ISP proxy address, it records the 'real' user IP address.
Hence, currently, this points to 'something' happening at the NTL proxy.

any NTL clues ? ? ?

Graham M
09-10-2006, 09:43
Well obviously it's not for the login attempts, if it's default vBulletin it doesn't, it takes a fair bit of hacking to get it detecting a real IP Address over the entire board.

bamabama
09-10-2006, 09:56
Zaph,
You are quick ! many thanks.

Not vBulletin defaults. The board in question is coded correctly to record real IP addresses not the caching proxy address I am told.
5 invalid passwords and the auto e-mail gets fired off - that's what happened.

later today I will perform a simple practical test which will confirm that board in question is working like this.

will get back with results after testing.

Stuart
09-10-2006, 10:29
> One of the boards I used regularly sent me an email.
> Account suspended through 5 failed logon attempts. (It wasn't me, I was not even in the house!)
> Attempted logon came from 62.252.64.31 which is
> lutn-cache-10.server.ntli.net
> the DHCP server I am actually using is close to the address (.21) and is
> lutn-sacmdhcp-1b.server.ntli.net
> My IP address is, of course, miles away from either of these (and the lease has been valid from 11 a.m today).
>
> This is all very strange - and slightly worrying...


Actually, the proxy you posted this from is 62.252.64.32 according to our records.

To eliminate the proxy, just try another..

You can manually specify one using the instructions at : http://www.cableforum.co.uk/forum/article.php?a=21

There is a list of proxies at: http://www.cableforum.co.uk/forum/article.php?a=10

bamabama
09-10-2006, 20:06
Stuart,
You a Mod from the board in question ? ? (there is a Stuart there too).

Curiouser and curiouser...though

Paste of email contents-----
"Your account on XXXX Forums has been locked because someone has tried to log into the account with the wrong password more than 5 times. You will be able to attempt to log in again in another 15 minutes.

The person trying to log into your account had the following IP address: 62.252.64.31

Don't forget that the password is case sensitive. Forgotten your password? Use the link below:"
----------------------------
not the .32 address. But then again I doubt that NTL run just one proxy, at least I hope so.

I did a practical test on the board in question and used invalid passwords enough to suspend myself. The automated e-mail promptly arrived and it shows the NTL caching proxy as the source address, NOT my real IP address. Changing my proxy will not alter this.
Advice from the board in question was obviously off-target. It does not record the real IP address. Sorry I passed on the misleading statement - at least I checked and have corrected things now.
Kudos to the guys here who nailed it.

Stuart
10-10-2006, 00:30
> Stuart,
> You a Mod from the board in question ? ? (there is a Stuart there too).

Nope, only mod this forum... Unless Digital Spy, mybulldoghell or VForum have promoted me without telling me.