Bitcoin Forum

Other => Beginners & Help => Topic started by: casperorchids on April 09, 2013, 04:20:05 PM



Title: break in attempt to my blockchain wallet
Post by: casperorchids on April 09, 2013, 04:20:05 PM
I had an email with my wallet confirmation code sent to me saying an attempt to login to my wallet account from I.P. address 95.211.6.197 has been made. Whoever did it took off the wallet confirmation code part, so now all they would need is the password. So I would think they have my password. Is there any way to see what this I.P. address is?


Title: Re: break in attempt to my blockchain wallet
Post by: MGUK on April 09, 2013, 04:25:47 PM
Regarding the IP address, it's a TOR exit node so you'll never find out who it is by the IP address alone.


Title: Re: break in attempt to my blockchain wallet
Post by: strikegold on April 09, 2013, 04:26:58 PM
You can look up an IP address here:
http://whatismyipaddress.com/ip-lookup

But I don't think it will help a lot.

 :)


Title: Re: break in attempt to my blockchain wallet
Post by: NothinG on April 09, 2013, 04:28:15 PM
Mind posting the full headers of the email?
http://whatismyipaddress.com/find-headers


Title: Re: break in attempt to my blockchain wallet
Post by: casperorchids on April 09, 2013, 04:31:08 PM
wallet@blockchain.info

Confirmation Required

An attempt has been made to login to your My wallet account from ip address 95.211.6.197. Enter the confirmation code below to access your account. If it was not you who made this login attempt you can ignore this email.


Title: Re: break in attempt to my blockchain wallet
Post by: casperorchids on April 09, 2013, 04:35:04 PM
Quote from: NothinG
> Mind posting the full headers of the email?
> http://whatismyipaddress.com/find-headers


https://mail.google.com/mail/?ui=2&ik=1a9d5620df&view=om&th=13def82e6c8bd100

here are the headers or is the header


Title: Re: break in attempt to my blockchain wallet
Post by: NothinG on April 09, 2013, 04:43:03 PM
Quote from: casperorchids
> Quote from: NothinG
> > Mind posting the full headers of the email?
> > http://whatismyipaddress.com/find-headers
>
> https://mail.google.com/mail/?ui=2&ik=1a9d5620df&view=om&th=13def82e6c8bd100
>
> here are the headers or is the header

You'll have to post it via the forums, I don't have access to your email account.


Title: Re: break in attempt to my blockchain wallet
Post by: kevinm on April 09, 2013, 07:30:09 PM
Quote from: NothinG
> Quote from: casperorchids
> > Quote from: NothinG
> > > Mind posting the full headers of the email?
> > > http://whatismyipaddress.com/find-headers
> >
> > https://mail.google.com/mail/?ui=2&ik=1a9d5620df&view=om&th=13def82e6c8bd100
> >
> > here are the headers or is the header
>
> You'll have to post it via the forums, I don't have access to your email account.

Quality    :D


Title: Re: break in attempt to my blockchain wallet
Post by: deepceleron on April 09, 2013, 07:46:46 PM
The first response already identified the IP address as a Tor exit node. Further attempts to identify will be fruitless. You should focus on re-securing your funds, ideally sending all funds to a new blockchain wallet account with a new email address.

Secondly, the email may be a phishing attempt; do not click on any links in the email, as they may go to a hacker's site that impersonates blockchain.info and attempts to trick you into putting in your credentials.


Title: Re: break in attempt to my blockchain wallet
Post by: NothinG on April 09, 2013, 07:57:52 PM
Quote from: deepceleron
> The first response already identified the IP address as a Tor exit node. Further attempts to identify will be fruitless.

Quote from: casperorchids
> an attempt to login to my wallet account from I.P. address 95.211.6.197

It seems like he found that IP from the website, not from the email. I was trying to see if we could figure out if the email was faked and figure out if he needs to worry about phishing.


Title: Re: break in attempt to my blockchain wallet
Post by: casperorchids on April 10, 2013, 04:12:21 AM
I found the IP from the email from blockchain

Delivered-To: casperorchids@gmail.com
Received: by 10.180.77.227 with SMTP id v3csp66822wiw;
        Tue, 9 Apr 2013 08:56:06 -0700 (PDT)
X-Received: by 10.181.11.164 with SMTP id ej4mr20901257wid.29.1365522966205;
        Tue, 09 Apr 2013 08:56:06 -0700 (PDT)
Return-Path: <wallet@blockchain.info>
Received: from mini1.blockchain.info ([91.203.74.106])
        by mx.google.com with ESMTP id u3si37726033eeg.221.2013.04.09.08.56.05;
        Tue, 09 Apr 2013 08:56:06 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning wallet@blockchain.info does not designate 91.203.74.106 as permitted sender) client-ip=91.203.74.106;
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning wallet@blockchain.info does not designate 91.203.74.106 as permitted sender) smtp.mail=wallet@blockchain.info
Received: from 185.7.149.10 ([185.7.149.10])
          by mini1.blockchain.info (JAMES SMTP Server 2.3.2) with SMTP ID 75
          for <casperorchids@gmail.com>;
          Tue, 9 Apr 2013 16:56:05 +0100 (BST)
Date: Tue, 9 Apr 2013 16:56:05 +0100 (BST)
From: wallet@blockchain.info
To: casperorchids@gmail.com
Message-ID: <507199439.6757.1365522963682.JavaMail.admin@server8>
Subject: My Wallet Confirmation Code
MIME-Version: 1.0
Content-Type: multipart/mixed;
   boundary="----=_Part_6756_665728387.1365522963680"

------=_Part_6756_665728387.1365522963680
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable




<!DOCTYPE html>
<html>
<head>
</head>
<body style=3D"color: #666 !important; font: 14px 'Helvetica Neue', Arial, =
Helvetica, sans-serif !important; line-height: 1.5 !important;">
<div class=3D"content" style=3D"background-color: #FFF; margin: 4%; padding=
: 2%; border: 1px solid #E5E5E5; float: left; width: 80%; min-width: 800px"=
>
    <img src=3D"http://blockchain.info//Resources/cube39.png" class=3D"logo=
"  style=3D"float: right; margin-top: 10px;" />
    <h1 style=3D"margin: 1.1em 0 1.75em; color: #000; font-weight: bold; fo=
nt-size: 1.4em;">Confirmation Required</h1>

    <p>An attempt has been made to login to your My wallet account from ip =
address 95.211.6.197. Enter the confirmation code below to access your acco=
unt. If it was not you who made this login attempt you can ignore this emai=
l.</p>

    <h1 align=3D"center">8EA57</h1>

    <p>
        2013-04-09 15:56:03
    </p>

    <p style=3D"float:left;clear:both;width: 100%;box-sizing: border-box; p=
adding: 20px 4.8%; border-top: 1px solid #AAD3F0; border-bottom: 1px solid =
#AAD3F0; background-color: #F6F6FD; line-height: 2">
        Your wallet identifier is: <a style=3D"color: #007DCC; font-weight:=
 bold;" href=3D"https://blockchain.info/wallet/62bd1e4e-bc2e-e571-c176-f8ee=
298478bd">62bd1e4e-bc2e-e571-c176-f8ee298478bd</a> - (<a href=3D"https://bl=
ockchain.info/wallet/unsubscribe?guid=3DBwNQIAVVdiQAVFIAIQBUBHIAACEJcwQAJAE=
jUQYBCgAHCVsm">Unsubscribe</a>)
    </p>
</div>
</body>
</html>

------=_Part_6756_665728387.1365522963680--
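
The check asked for earlier in the thread (is the email faked, and do its links stay on the sender's domain) can be run over the raw message. This is an added example, not part of any post: the headers are abridged from the message above, while the one-link body, the `WALLET-ID-PLACEHOLDER` path and the names `triage` and `domain_of` are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Headers abridged from the post above; the one-link HTML body is constructed
# for this example (placeholder wallet path, single part instead of multipart).
RAW = """\
Return-Path: <wallet@blockchain.info>
Received: from mini1.blockchain.info ([91.203.74.106])
        by mx.google.com with ESMTP id u3si37726033eeg.221.2013.04.09.08.56.05;
        Tue, 09 Apr 2013 08:56:06 -0700 (PDT)
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning wallet@blockchain.info does not designate 91.203.74.106 as permitted sender) smtp.mail=wallet@blockchain.info
Received: from 185.7.149.10 ([185.7.149.10])
          by mini1.blockchain.info (JAMES SMTP Server 2.3.2) with SMTP ID 75
          Tue, 9 Apr 2013 16:56:05 +0100 (BST)
From: wallet@blockchain.info
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p>Your wallet: <a href=3D"https://bl=
ockchain.info/wallet/WALLET-ID-PLACEHOLDER">open</a></p>
"""

def domain_of(header_value):
    # Domain part of the address in a From / Return-Path style header.
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"\bspf=(\w+)", auth)
    # Top Received line is stamped by the recipient's own MX; lower hops are
    # whatever the sending side claimed and cannot be trusted on their own.
    hops = [m.groups() for h in msg.get_all("Received", [])
            if (m := re.search(r"from\s+(\S+)\s+\(\[([\d.]+)\]\)", str(h)))]
    sender = domain_of(msg["From"])
    body = msg.get_content()  # decodes quoted-printable, joins soft breaks
    hosts = [urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', body)]
    off = [h for h in hosts if h != sender and not h.endswith("." + sender)]
    return {"spf": spf.group(1) if spf else "none", "hops": hops,
            "from_domain": sender, "link_hosts": hosts, "off_domain_links": off,
            "return_path_domain": domain_of(msg["Return-Path"])}

if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

A `softfail` SPF verdict means the sending IP is not listed by the domain's SPF record but the domain has not asked receivers to reject it, so it is inconclusive by itself and is read together with the hop chain and the link hosts.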


Title: Re: break in attempt to my blockchain wallet
Post by: casperorchids on April 10, 2013, 04:16:55 AM
If you see an IP 94 something in there, that's mine. I resecured the wallet, and fortunately I had no BTC in there when they went into it. Just wondering how they got into it in the first place; I think they got in my email to get the passcode that is generated anytime somebody attempts a login.


Title: Re: break in attempt to my blockchain wallet
Post by: 14nicholasse on April 10, 2013, 04:30:53 AM
In the future, try two-factor authentication.