How Concerned Should I Be?

ihadp Member
edited November 2016 in General


I looked up the IP address and its showing as coming back to UK Ministry of Defence...

Source: whois.ripe.net
IP Address: 25.162.130.149
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '25.0.0.0 - 25.255.255.255'

% Abuse contact for '25.0.0.0 - 25.255.255.255' is '[email protected]'

inetnum:        25.0.0.0 - 25.255.255.255
netname:        UK-MOD-19850128
country:        GB
org:            ORG-DMoD1-RIPE
admin-c:        MN1891-RIPE
tech-c:         MN1891-RIPE
status:         LEGACY
mnt-by:         UK-MOD-MNT
mnt-domains:    UK-MOD-MNT
mnt-routes:     UK-MOD-MNT
mnt-by:         RIPE-NCC-LEGACY-MNT
created:        2005-08-23T10:27:23Z
last-modified:  2016-04-14T09:56:26Z
source:         RIPE # Filtered

organisation:   ORG-DMoD1-RIPE
org-name:       UK Ministry of Defence
org-type:       LIR
address:        Not Published
address:        Not Published
address:        Not Published
address:        UNITED KINGDOM
phone:          +44(0)3067700816
admin-c:        MN1891-RIPE
abuse-c:        MH12763-RIPE
mnt-ref:        RIPE-NCC-HM-MNT
mnt-ref:        UK-MOD-MNT
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         UK-MOD-MNT
created:        2004-04-17T12:18:23Z
last-modified:  2016-10-06T11:09:40Z
source:         RIPE # Filtered

person:         Mathew Newton
address:        Network Technical Authority
address:        UK Ministry of Defence
phone:          +44 (0)00 000 00000
abuse-mailbox:  [email protected]
nic-hdl:        MN1891-RIPE
created:        2005-03-18T10:42:04Z
last-modified:  2016-09-22T10:16:55Z
source:         RIPE # Filtered
mnt-by:         UK-MOD-MNT

% Information related to '25.160.0.0/11AS203665'

route:          25.160.0.0/11
descr:          UK Ministry of Defence
origin:         AS203665
mnt-by:         UK-MOD-MNT
created:        2015-11-25T11:02:00Z
last-modified:  2015-11-25T11:02:00Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.88 (HEREFORD)

I checked the email headers; everything looks completely legitimate too.

Comments

  • It's not surprising, it's the U.K. after all...

    Yes, be very concerned.

  • @GCat said:
    It's not surprising, it's the U.K. after all...

    Yes, be very concerned.

    I am personally not from the UK nor have I ever visited.

  • raindog308 Administrator, Veteran

    Pfft, microsoft.com, who cares.

    Now if that had been your lowendtalk.com login...

    Thanked by 1: netomx
  • @raindog308 said:
    Pfft, microsoft.com, who cares.

    Now if that had been your lowendtalk.com login...

    Nice.

  • Well, it's either that or 'random Chinese university' network these days

    Thanked by 1: netomx
  • @vimalware said:
    Well, it's either that or 'random Chinese university' network these days

    My concern is according to that email they had my password, right?

    Which seems a bit of a stretch unless of course lastpass has been breached in which case...fuck me.

  • Is it Hilary's email account?

    Thanked by 2: jar, Gravely
  • I thought I was the only one having that one. What's more concerning is it does not show up in the recent activity feed under their Security. And I'm not even close to the UK.

  • AnthonySmith Member, Patron Provider

    Yep, that's the MoD range alright; however, you need to keep in mind that every workstation goes on an actual IP as well, so you have hundreds of thousands of squaddies using them. Maybe someone's email/MS account is similar to yours.

    Could be that simple.

    It's not that sinister; if it was, you would not have even got the email :) Microsoft works for the MOD as part of the Atlas consortium.

  • black Member
    edited November 2016

    That IP does belong to the UK Ministry of Defence, but it's unroutable (it does not appear in routing tables via BGP), which means it's impossible to establish a TCP connection, so I'm not sure how they would've logged into your email address. For something like this to happen, there needs to be some big players involved.

    I checked BGPlay and there hasn't been any routing information from the 19th until now. Maybe Microsoft just derp'd? Better email them and ask.

  • Harambe Member, Host Rep

    I had one of these with Google Apps tonight, and it looks legit as well. To be safe I didn't click the link, just went into my profile normally and swapped passwords/reset 2FA.

    However it appeared to be someone in India trying to hack an old account, not the ministry of defence trying to get my Brazzers login.

  • Always have 2FA enabled for your most sensitive data, until you lose or break your phone.

  • @AnthonySmith said:
    Yep, that's the MoD range alright; however, you need to keep in mind that every workstation goes on an actual IP as well, so you have hundreds of thousands of squaddies using them. Maybe someone's email/MS account is similar to yours.

    Could be that simple.

    It's not that sinister; if it was, you would not have even got the email :) Microsoft works for the MOD as part of the Atlas consortium.

    The email suggests they had both my email and password, no? It notes Microsoft performed additional verification, which to me means they logged in and hit the 2-step verification.

    The password was also a randomly generated one of over 20 characters and symbols... kinda hard to believe they didn't get my password from somewhere.

    @TheOnlyDK said:
    Always have 2FA enabled for your most sensitive data, until you lose or break your phone.

    Indeed, I do have it enabled, always have.

    @CasualCanvas said:
    I thought I was the only one having that one. What's more concerning is it does not show up in the recent activity feed under their Security. And I'm not even close to the UK.

    It doesn't show in my activity log either...

    Maybe something hiccuped on Microsoft's side, but having the IP it did in the email doesn't make that any more reassuring...

  • ManofServer Member
    edited November 2016

    Maybe next month we see you in the Ecuadorian Embassy in London with the Albino Wizard?

    Thanked by 1: Peroni
  • @IHaveADarkPassenger said:

    @GCat said:
    It's not surprising, it's the U.K. after all...

    Yes, be very concerned.

    I am personally not from the UK nor have I ever visited.

    The UK will visit you then.

    Thanked by 3: MrPsycho, netomx, Yura
  • AnthonySmith Member, Patron Provider

    black said: it's impossible to establish a TCP connection so I'm not sure how they would've logged into your email address

    It is all proxied out.

    IHaveADarkPassenger said: The email suggests they had both my email and password, no? It notes Microsoft performed additional verification which to me means they logged in and hit the 2 step verification.

    Fair one, I missed that.

  • IHaveADarkPassenger said: I checked the email headers, everything looks completely legitimate too..

    Any chance you logged in from a MoD IP?

    Thanked by 1: netomx
  • Ikoula Member, Host Rep

    What does MoD IP stand for? If it is like a mobile device IP, I thought about that too because I experienced it. One day I went into my mailbox account settings and discovered IPs outside of France logging into my mailbox; after a small research I discovered the IP block was held by my mobile operator, plus I remembered I was on my mails over the phone at those moments.

  • In this case MOD means Ministry of Defence.

    @Ikoula said:
    What does MoD IP stand for? If it is like a mobile device IP, I thought about that too because I experienced it. One day I went into my mailbox account settings and discovered IPs outside of France logging into my mailbox; after a small research I discovered the IP block was held by my mobile operator, plus I remembered I was on my mails over the phone at those moments.

    Thanked by 1: Ikoula
  • I've had a similar problem and saw IPs from that range. It was because I was running Hamachi, which uses that range for private networks. Maybe you are running Hamachi and that IP somehow got mixed up with your public one.

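Added example, not part of the thread and not anyone's tooling here: a Python triage script that parses the RPSL whois output quoted in the original post and checks whether the alert IP falls inside the returned route object and inside the 25.0.0.0/8 block that Hamachi uses for its virtual adapters, the two points black and Vita make above. The whois lines are embedded inline (copied from the post); whether the route is actually announced in BGP needs a live looking glass and is deliberately not decided offline.

```python
import ipaddress
import re

# RPSL (RIPE whois) output copied from the original post, embedded so the
# script runs offline; comment lines starting with '%' are skipped.
WHOIS_TEXT = """\
% Information related to '25.0.0.0 - 25.255.255.255'
inetnum:        25.0.0.0 - 25.255.255.255
status:         LEGACY
org-name:       UK Ministry of Defence
% Information related to '25.160.0.0/11AS203665'
route:          25.160.0.0/11
origin:         AS203665
"""

# Block LogMeIn Hamachi assigns to its virtual adapters, as Vita notes above;
# a host running Hamachi can present a 25.x address to local software.
HAMACHI_BLOCK = ipaddress.ip_network("25.0.0.0/8")

def parse_rpsl(text):
    """Collect 'key: value' lines into a dict of lists (RPSL keys repeat)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z-]+):\s*(.*)$", line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return fields

def inetnum_to_cidr(inetnum):
    """Turn an 'a.b.c.d - e.f.g.h' inetnum range into CIDR block(s)."""
    start, end = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return ",".join(str(n) for n in ipaddress.summarize_address_range(start, end))

def triage(ip_str, whois_text):
    """Facts a defender wants before reacting to a login alert for ip_str."""
    ip = ipaddress.ip_address(ip_str)
    f = parse_rpsl(whois_text)
    route = ipaddress.ip_network(f["route"][0])
    # Whether the route is really announced in BGP needs a live looking
    # glass (black checked BGPlay above); it cannot be decided offline.
    return {
        "org": f["org-name"][0],
        "status": f["status"][0],
        "inetnum": inetnum_to_cidr(f["inetnum"][0]),
        "route": str(route),
        "origin": f["origin"][0],
        "ip_in_route": ip in route,
        "in_hamachi_block": ip in HAMACHI_BLOCK,
    }
```

An IP that is both in a LEGACY, unannounced block and in the Hamachi range points at a local virtual adapter leaking into the login record rather than a remote party, which is the first thing to rule out before assuming the password was stolen.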
  • AnthonySmith Member, Patron Provider

    Vita said: Hamachi which uses that range for private networks

    wow, that's ridiculous :)

  • @IHaveADarkPassenger said:

    @AnthonySmith said:
    Yep, that's the MoD range alright; however, you need to keep in mind that every workstation goes on an actual IP as well, so you have hundreds of thousands of squaddies using them. Maybe someone's email/MS account is similar to yours.

    Could be that simple.

    It's not that sinister; if it was, you would not have even got the email :) Microsoft works for the MOD as part of the Atlas consortium.

    The email suggests they had both my email and password, no? It notes Microsoft performed additional verification, which to me means they logged in and hit the 2-step verification.

    The password was also a randomly generated one of over 20 characters and symbols... kinda hard to believe they didn't get my password from somewhere.

    @TheOnlyDK said:
    Always have 2FA enabled for your most sensitive data, until you lose or break your phone.

    Indeed, I do have it enabled, always have.

    @CasualCanvas said:
    I thought I was the only one having that one. What's more concerning is it does not show up in the recent activity feed under their Security. And I'm not even close to the UK.

    It doesn't show in my activity log either...

    Maybe something hiccuped on Microsoft's side, but having the IP it did in the email doesn't make that any more reassuring...

    Not sure how long Microsoft will have that hiccup though, since I've had that notification at least 3-4 times from what I can remember, on that same IP, but it never showed on my activity log.

  • Perhaps a sophisticated phishing attempt?

  • The MoD would not log in like that anyway; they would use backdoors or go to the ISP themselves.
