
Attempt to Steal Enom Password

Status
Not open for further replies.

Duke

DNF Addict
Legacy Exclusive Member
Joined
Jul 15, 2002
Messages
6,088
Reaction score
62
My registrar just notified me that someone made an attempt to steal my Enom password. They said the bogus request came from this address:

IP address: 68.101.211.229
Host name: ip68-101-211-229.sd.sd.cox.net

Do any of you techie guys know how to track down where this came from and who it might be?
 

fizz

Level 8
Legacy Platinum Member
Joined
Jun 28, 2002
Messages
1,315
Reaction score
1
What a bummer. GL tracing the person Duke.
 

tonyk2000

DNF Member
Legacy Exclusive Member
Joined
Oct 26, 2002
Messages
361
Reaction score
1
You may contact their ISP:

> whois -h whois.arin.net 68.101.211.229
Cox Communications Inc. SD-RDC-68-101-128-0 (NET-68-101-128-0-1)
68.101.128.0 - 68.101.255.255
Cox Communications Inc. COX-ATLANTA-2 (NET-68-96-0-0-1)
68.96.0.0 - 68.110.255.255

# ARIN WHOIS database, last updated 2003-03-05 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
> whois -h whois.arin.net COX-ATLANTA-2

OrgName: Cox Communications Inc.
OrgID: CXA
Address: 1400 Lake Hearn Drive
City: Atlanta
StateProv: GA
PostalCode: 30319
Country: US

NetRange: 68.96.0.0 - 68.110.255.255
CIDR: 68.96.0.0/13, 68.104.0.0/14, 68.108.0.0/15, 68.110.0.0/16
NetName: COX-ATLANTA-2
NetHandle: NET-68-96-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NS.COX.NET
NameServer: NS.EAST.COX.NET
NameServer: NS.WEST.COX.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2002-02-04
Updated: 2003-01-09

TechHandle: IC146-ARIN
TechName: Cox Communications, Inc
TechPhone: +1-404-269-7626
TechEmail: [email protected]

OrgAbuseHandle: IC146-ARIN
OrgAbuseName: Cox Communications, Inc
OrgAbusePhone: +1-404-269-7626
OrgAbuseEmail: [email protected]

OrgTechHandle: SHACK-ARIN
OrgTechName: Shackelford, Scott
OrgTechPhone: +1-404-269-7626
OrgTechEmail: [email protected]

OrgTechHandle: WILLI-ARIN
OrgTechName: Williams, Matt
OrgTechPhone: +1-404-269-7626
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2003-03-05 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
> whois -h whois.arin.net SD-RDC-68-101-128-0

OrgName: Cox Communications Inc.
OrgID: CXA
Address: 1400 Lake Hearn Drive
City: Atlanta
StateProv: GA
PostalCode: 30319
Country: US

NetRange: 68.101.128.0 - 68.101.255.255
CIDR: 68.101.128.0/17
NetName: SD-RDC-68-101-128-0
NetHandle: NET-68-101-128-0-1
Parent: NET-68-96-0-0-1
NetType: Reassigned
Comment:
RegDate: 2002-04-21
Updated: 2003-02-07

OrgAbuseHandle: IC146-ARIN
OrgAbuseName: Cox Communications, Inc
OrgAbusePhone: +1-404-269-7626
OrgAbuseEmail: [email protected]

OrgTechHandle: SHACK-ARIN
OrgTechName: Shackelford, Scott
OrgTechPhone: +1-404-269-7626
OrgTechEmail: [email protected]

OrgTechHandle: WILLI-ARIN
OrgTechName: Williams, Matt
OrgTechPhone: +1-404-269-7626
OrgTechEmail: [email protected]

# ARIN WHOIS database, last updated 2003-03-05 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
>
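
Added example, not part of tonyk2000's post: the lookup above returns two nested netblocks for the address, and the abuse report should go to the contact on the narrowest block that covers it. This sketch parses ARIN-style `Key: value` output and picks that block; the sample text is constructed from the fields quoted above, and the e-mail address is a placeholder.

```python
import ipaddress
import re

# Constructed sample in the ARIN "Key: value" layout quoted in the post above.
# The abuse address is a placeholder; the page shows the real one redacted.
SAMPLE = """\
NetRange: 68.96.0.0 - 68.110.255.255
NetName: COX-ATLANTA-2
NetType: Direct Allocation
OrgAbuseHandle: IC146-ARIN
OrgAbuseEmail: abuse@example.invalid

# ARIN WHOIS database, last updated 2003-03-05 20:00
NetRange: 68.101.128.0 - 68.101.255.255
NetName: SD-RDC-68-101-128-0
NetType: Reassigned
Comment:
OrgAbuseHandle: IC146-ARIN
OrgAbuseEmail: abuse@example.invalid
"""

KEEP = {"NetName", "NetType", "OrgAbuseHandle", "OrgAbuseEmail"}

def parse_records(text):
    """Split whois text into one dict per NetRange; skip comments and prompts."""
    records, cur = [], None
    for line in text.splitlines():
        m = re.match(r"(\w+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "NetRange":
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            cur = {"first": first, "last": last}
            records.append(cur)
        elif cur is not None and key in KEEP and value:
            cur.setdefault(key, value)
    return records

def most_specific(text, ip):
    """Return the smallest netblock covering ip, or None if none covers it."""
    addr = ipaddress.ip_address(ip)
    covering = [r for r in parse_records(text) if r["first"] <= addr <= r["last"]]
    return min(covering, key=lambda r: int(r["last"]) - int(r["first"]), default=None)

if __name__ == "__main__":
    rec = most_specific(SAMPLE, "68.101.211.229")
    print(rec["NetName"], rec["NetType"], rec["OrgAbuseEmail"])
```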
 

Lats

Level 5
Legacy Platinum Member
Joined
Jun 6, 2002
Messages
299
Reaction score
0
Coming out of San Diego.
 

RMF

Level 8
Legacy Platinum Member
Joined
Sep 9, 2002
Messages
1,437
Reaction score
0
Maybe the guy comes here? Maybe get one of the mods to see if that IP# is one of the users here. Then check the username to see if they've posted any of their domains here. Then you can check whois. :)

RMF
 

.com.net.org

Level 8
Legacy Platinum Member
Joined
Oct 20, 2002
Messages
1,951
Reaction score
0
Don't ever post enom username here. Use PM or email. Or include your username in paypal message.
 

Duke

DNF Addict
Legacy Exclusive Member
Joined
Jul 15, 2002
Messages
6,088
Reaction score
62
Thanks for all of that info guys - very helpful. I will use the info from Tony K & Lats and contact Cox.net as well as RMF's tip to have the IP checked against the member list here. I think it is likely that it would have come from a visitor here. I have never posted my user name publicly.

Another member wrote and told me a thief did successfully steal her password and took over her account. It is believed a user based in Turkey who visited here was the culprit. Enom finally fixed her problem after a long process. I am logged into my account now but am getting an error message when I try to access "My Info" to change my password and make sure no one has changed my registration information. It says my credit card number is not found in the Enom database - try later. I don't know if Enom has locked it since I told them I did not request that they mail me a lost password. I'll try to get hold of them and find out.

My domains are all still there, and it doesn't appear from checking WhoIs for a few domains that anything has been changed. It's funny in a way since one of my editors at DNJ is currently working on a story about domain theft. Hope he is not doing research on my account! :)
 

Duke

DNF Addict
Legacy Exclusive Member
Joined
Jul 15, 2002
Messages
6,088
Reaction score
62
Originally posted by gregr
I already knew your Enom password. It's "duke", right? :D

How did you find out! I didn't think anyone would guess that in a MILLION years! :D
 

QuantumBeam

Level 9
Legacy Exclusive Member
Joined
Jan 17, 2003
Messages
3,837
Reaction score
0
Duke,
After you reset your password & all make sure you go to your control panel if using Windows & delete your history files, temporary internet files, folders, & cookies, etc, just to play it safe.:cool:
DP
 

Duke

DNF Addict
Legacy Exclusive Member
Joined
Jul 15, 2002
Messages
6,088
Reaction score
62
Originally posted by DomainProfiles
Duke,
After you reset your password & all make sure you go to your control panel if using Windows & delete your history files, temporary internet files, folders, & cookies, etc, just to play it safe.:cool:
DP

Thanks DP - good tip. I am also on a cable modem which leaves you more exposed as it is an always on network (though I do have a strong firewall program in place).
 

Anthony Ng

@Nameslave
Legacy Exclusive Member
Joined
May 22, 2002
Messages
4,567
Reaction score
14
Originally posted by Duke
I am also on a cable modem which leaves you more exposed as it is an always on network ...
I often recommend logging OFF when you KNOW you'll be away from your computer for a fairly long time, say go meeting with a client for at least a couple of hours or taking a nap at night. (You do sleep, don't you?)
 

DrWho

Level 9
Legacy Gold Member
Joined
Oct 28, 2002
Messages
3,940
Reaction score
0
Here is a quick trace (see .TXT attachment)
 

Sharpy

Level 8
Legacy Exclusive Member
Joined
Dec 15, 2002
Messages
1,714
Reaction score
0
...what does it all mean Basil?
 

Duke

DNF Addict
Legacy Exclusive Member
Joined
Jul 15, 2002
Messages
6,088
Reaction score
62
Originally posted by nameslave

I often recommend logging OFF when you KNOW you'll be away from your computer for a fairly long time, say go meeting with a client for at least a couple of hours or taking a nap at night. (You do sleep, don't you?)

Another good tip. I really have been careless about things like that.

Also, thanks for the trace route Dr Who.
 

Domainaholic

Level 4
Legacy Platinum Member
Joined
Nov 7, 2002
Messages
232
Reaction score
0
I thought it was only me ;)

I do get 3 to 5 attempts a day, but just make a new enom account if I'm worried. This is the most persistent (3 to 5 each day) enom password attempt:

This request came from 66.52.151.59
 

Manic

Level 6
Legacy Platinum Member
Joined
Aug 21, 2002
Messages
715
Reaction score
0
This is exactly the kind of security issue I'm concerned about right now.

Specifically with .INFO names, which cannot be locked down.

Does anyone have any ideas to make .INFO's more secure?

What do you do personally?

PM or email me if you would prefer.

dnf AT bangbangbang DOT com

Thanks!
 

.com.net.org

Level 8
Legacy Platinum Member
Joined
Oct 20, 2002
Messages
1,951
Reaction score
0
Originally posted by Domainaholic
I thought it was only me ;)

I do get 3 to 5 attempts a day, but just make a new enom account if I'm worried. This is the most persistent (3 to 5 each day) enom password attempt:

This request came from 66.52.151.59


WOW, 3 to 5 attempts. I'd move my domains out if I were you.
 

yesonline

Level 7
Legacy Platinum Member
Joined
May 6, 2002
Messages
902
Reaction score
10
Originally posted by Domainaholic
I thought it was only me ;)

I do get 3 to 5 attempts a day, but just make a new enom account if I'm worried. This is the most persistent (3 to 5 each day) enom password attempt:

This request came from 66.52.151.59


How do you know how many attempts and where the requests were from? :confused:
 