OT; IP address?

In article , Tim W writes

If you don't complain then you can't expect things to get any better. Similarly, if you don't report a crime then you can't expect it to be resolved.

Keep it short, keep it sweet, keep it factual and you'd be surprised how positively abuse departments respond.

Report the IP address and report the date and time of the attempt as the time of the notification of the change email.

Purely as a matter of interest...why the rider on the 172.16.x.x range?

Bob Eager wibbled on Monday 23 November 2009 23:54

Only because it's a /12 so it should be 172.16-31.x.x. That's one range I can never remember, other than I use 172.16.0.x as a local route between my ADSL router and the firewall box. I had to Wikipedia it just to answer you(!)

I like 10/8 - simple, short, large, easy to remember, so I tend to use that for my internal net. I don't like 192.168.x.x because that tends to be the default for all manner of widgets when they have their firmware/config reset (despite DHCP).

I'm hopeless with memorising numbers - I'm going to have brainfailure when I eventually configure my IPv6 block into everything... Due to Andrews and Arnold being very helpful with my house move WRT to DSL, I seem to have a merged collection of 3 IPv4 blocks, misc single addresses and two IPv6 blocks all routed to my line here.

Just sorting that out so I can relinquish the redundant ones...

OT: I like the new Shorewall firewall and it's ability to cross compile a script. I used to run Shorewall on my OpenWRT router but it took >10minutes to cope with a reload. The new one compiles happily on my laptop and the resultant script needs no stuff other than iptables and friends and runs in a few seconds :)

which resolves to a Virginmedia Gillingham UBR so as a guess your Windows are compromised. 

77-96-243-253.cable.ubr13.gill.blueyonder.co.uk

Not sure how helpful that is, gill.blueyonder appears to be more internal Virginmedia domains.

Owain

Assuming that is the case - I have Norton 360 installed, how would it happen & what can I do to stop it?

Any idea how 'they' got your password?

Ah, OK...I never use that range either.

I use real IPs everywhere here at home so I don't go near the

192.168.xx.xx range anyway except on small test networks.

I just have two IP blocks from them...plus the IPv6 one, which I really must get on with.

Something along those lines. TMH is posting from

94.168.74.108 which is cpc2-gill16-2-0-cust619.basl.cable.virginmedia.com and the password email is from: 77.96.243.253 which is 77-96-243-253.cable.ubr13.gill.blueyonder.co.uk

The former looks like an ex-NTL address in Gillingham, while the latter is ex-Telewest in Gillingham. Or have Virgin Media renumbered ex-BY customers into the namespace formerly occupied by NTL? Or is basl.cable.virginmedia.com Basildon? Is there a big cable under the Thames at that point?

Another thought for TMH... did you log in to your eBay account from anyone else's computer? Or perhaps take your computer to someone else's network connection?

Theo

Not a clue. Its not something you could guess either. Now changed to something so obscure its ridiculous.

No to both.

But a keylogger would already have them. And that may have been how it all happened in the first place. :-(

As someone who receives abuse complaints from the internet, I fully agree.

Short and to the point. Don't bother explaining the full story - just that ebay report that this address was invovled in fraudulantly listing items (or whatever).

Include *all* emails you have had from ebay about this - just because the

10.x.x.x addresses are meaningless on the internet doesn't mean they are not handy to the abuse dept.

Forward the email if possible - people rekeying or picking the important bits from emails like this are generally a pain (let the abuse team work out which bits are relevant).

Also, don't go on about how you have the worlds best antivirus program or how you are fantastic at running large networks and understand security as you've got 4 machines and once used linux - abuse depts don't care, trust me :-)

Darren

Errr....

gill.blueyonder?

Gillingham?

Medway handyman - in Gillingham?....

Are your PCs completely clean Dave (full scan with decent upto date virus scanner etc etc)?

Darren

Probably makes no difference if they managed to find out your first one - they could do the same with the new one.

and are you using unencrypted wireless in your house?

Thats the easiest one. Someone parks a van outside with a laptop, and watches the keystrokes..then logs in as you, and off he goes.

Any site taking a password is https these days, especially the likes of ebay, so that's not going to work.

My money's on phishing.

I have no idea how prevalent internal fraud is in banks, but in the retail sector, it is reckoned that losses through staff pilferage are on average several times higher than losses through shoplifting by "customers".

unless they're snooping on the signal between the keyboard and the computer...

Yeah, mine too. There are folk out there who are very good at crafting the emails so that they look genuine. I make sure I have my client set to show HTML emails as plain text, which weeds out nearly all of the shit - and I just ignore anything completely that looks like it's from a bank, ebay or paypal.

cheers

Jules