LinuxQuestions.org
Old 10-01-2012, 09:08 PM   #1
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 8.04.1 desk; Red Hat 9.0 server
Posts: 298

Rep: Reputation: 30
hacked email?


Friends--

This is not strictly linux, but I don't know where to post this question, and I know several of you are knowledgeable about such matters.

Every once in a while I have been getting emails that have a recognizable name in the from line. Usually they are not my friend's email address. (For instance, their usual address is comcast.net and this one comes from noname.tv.)

Today I got one that is from the person's real email address and there is to: (not sure how I even got a copy, unless as a bcc) naming someone else who is someone I know, with their correct email address. I am pretty sure these two people do not know each other.

The entire text of the email reads: "wow this is pretty crazy you should look into it http://www.local9newsia.net/work/?alert=25026"

Googling this local9 etc seems to be a current hacker out there, but nobody is reporting on it.

So I am wondering if I have been hacked? I do not store my address book anyplace online. I use Thunderbird 15.0.1, CompuServe imap for incoming mail, Comcast smtp for outgoing.

How can I check this out?

Thanks!
 
Old 10-02-2012, 02:20 PM   #2
etech3
Senior Member
 
Registered: Jul 2009
Location: Virginia
Distribution: Debian Stable Testing Sid Slackware CentOS
Posts: 1,055
Blog Entries: 2

Rep: Reputation: 44
Do a control s to save this email.

Open it up with a text editor and read through the headers.

That will give you some ideas.
 
Old 10-02-2012, 03:26 PM   #3
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,569
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by dgermann View Post
...
Every once in a while I have been getting emails that have a recognizable name in the from line. ...
This person use Windows by any chance?

Why would you think you are hacked?
 
Old 10-02-2012, 09:44 PM   #4
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 8.04.1 desk; Red Hat 9.0 server
Posts: 298

Original Poster
Rep: Reputation: 30

etech3--

When I view the message source, I see nothing that appears to be a clue to me as to where they got my email, nor those of my correspondents. Any suggestions of where to look in the source?

Habitual--

Why do I suspect I might have been hacked? Because I am the common factor between these two people who are from different "worlds."

Windows? Why would you ask? In any case, the X-Mailer closest to the bottom of the source is YahooMailWebService/0.8.121.434, so it is not clear.

Thanks!
 
Old 10-03-2012, 12:07 AM   #5
JaseP
Senior Member
 
Registered: Jun 2002
Location: Eastern PA, USA
Distribution: K/Ubuntu 10.04/12.04, Scientific Linux 6.3, Android-x86, Maemo
Posts: 1,658

Rep: Reputation: 138
The mail server could have been hacked. That's just as, if not more, likely than you getting hacked. Do you run any services that allow you to connect remotely, like remote desktop or a web server??? Do you ssh into the machine, and if yes have you restricted root logins and/or changed the port from 22???
 
Old 10-03-2012, 12:22 AM   #6
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,569
Blog Entries: 1

Rep: Reputation: Disabled
I did NOT say you were/are hacked. I asked you how come YOU think you are hacked?
Where did you get that I said "you are hacked"?
Quote:
Originally Posted by dgermann View Post
So I am wondering if I have been hacked?
So I can conclude from your statements that you are using Windows, correct?
Quote:
Originally Posted by dgermann View Post
This is not strictly linux
I did Hosting support for years. This is a very common scenario for Windows users who visit spurious site(s), or click an email link and then some JavaScript code grabs all their stored passwords. NOTE: I am NOT saying you clicked a link in a "wow" email, but someone you know might have.

Quote:
Originally Posted by dgermann View Post
"Because I am the common factor between these two people who are from different "worlds."".
So? You know every contact of every person you know? I doubt it. Ever heard of the Six Degrees of Kevin Bacon?

Quote:
Originally Posted by dgermann View Post
Googling this local9 etc seems to be a current hacker out there, but nobody is reporting on it.
Incorrect. About 2,650,000 results for "wow this is pretty crazy you should look into it virus" dating back months.

The domain link in these emails will be different depending on the "campaign" of the hacker-made script that generates the spam email. A "campaign" is hack terminology for driving traffic to a site. This one happens to be "work from home" garbage.

If you use Windows and are a YahooMail service subscriber, CHANGE YOUR YAHOO EMAIL PASSWORD NOW. Hey, even if you aren't "hacked" it is still a good idea to change passwords every 60 to 90 days.

Open the "wow" email in Tbird and press Ctrl+U and paste the email headers into this link and report back the result.

Good Luck.
 
Old 10-03-2012, 12:25 AM   #7
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,569
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by JaseP View Post
The mail server could have been hacked. That's just as, if not more, likely than you getting hacked. Do you run any services that allow you to connect remotely, like remote desktop or a web server??? Do you ssh into the machine, and if yes have you restricted root logins and/or changed the port from 22???
He hasn't said he uses Linux.
 
Old 10-03-2012, 09:26 AM   #8
JaseP
Senior Member
 
Registered: Jun 2002
Location: Eastern PA, USA
Distribution: K/Ubuntu 10.04/12.04, Scientific Linux 6.3, Android-x86, Maemo
Posts: 1,658

Rep: Reputation: 138
Quote:
Originally Posted by Habitual View Post
He hasn't said he uses Linux.
His public profile, below his user name, says Ubuntu & RedHat...

Oh,... and if I may expand on your previous post (which I agree with)... When he chooses a new password for online email services, he should make sure to use as many characters as the service permits and he can reasonably remember,...

I refer to the excellent XKCD cartoon on the subject;
http://xkcd.com/936/
 
Old 10-03-2012, 09:56 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,543
Blog Entries: 54

Rep: Reputation: 2924
As an aside IMHO it is always good in this kind of situation to not take what someone's vBB OS icon or CP OS details says for granted and explicitly ask if Microsoft products (and possibly web-based email) are involved.
 
Old 10-03-2012, 04:27 PM   #10
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,569
Blog Entries: 1

Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
...not take what someone's vBB OS icon or CP OS details says for granted...
I never even looked at his details. I used his replies as clues and "This is not strictly linux" is pretty vague, or at the very least not very explicit.

Windows users come here too!
 
Old 10-03-2012, 08:59 PM   #11
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 8.04.1 desk; Red Hat 9.0 server
Posts: 298

Original Poster
Rep: Reputation: 30

JaseP--

No, I do not run those services (ssh, etc) for checking email. Run Thunderbird from desktop through a router. Plain vanilla stuff.

Habitual--

Sorry, I did not mean to imply you said I had been hacked.

No, my system is strictly Linux (Ubuntu). Tbird has Windoze flavors is what I meant.

JaseP & unSpawn--

I do not use webmail services. CIS has a Webmail portal, which I do not use for my email. If any of that makes a difference.

Thanks for your help, folks. I will check out that link.
 
Old 10-03-2012, 10:32 PM   #12
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Undecided
Posts: 3,569
Blog Entries: 1

Rep: Reputation: Disabled
Doug:

No worries. Now with this new information, I can say with a fair amount of confidence that you are probably "good to go".

Someone on your contact list is in trouble however. Their email credentials are "out there" and are being used to send forged-header email with the "wow..." message, sending it through some email system with stolen email credentials.

Edit: and I say "fair amount of confidence" because trojans/worms/other nasties almost always never send email to the owner of the system, they prefer stealth.

I hope this helps.

JJ of c9

Last edited by Habitual; 10-03-2012 at 10:33 PM.
 
Old 10-04-2012, 10:29 AM   #13
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 8.04.1 desk; Red Hat 9.0 server
Posts: 298

Original Poster
Rep: Reputation: 30

Habitual--

Thanks!

Did run the headers through the recommended site with these results:

Quote:
Source:

The source IP address is 91.192.159.186.

Geo-Location Information
Country Ukraine
State/Region 05
City Mariupol
Latitude 47.1057
Longitude 37.5331
Area Code
Any further clues there?

Thanks!
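
The header check suggested in this thread (save the message, read its headers, find the source IP), sketched as an added example that is not part of any post. The message is a constructed sample that reuses the source IP, X-Mailer string and body text quoted above; the `example.*` hosts and addresses, the `known_contacts` map and the `triage` helper are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, NOT the real message from the thread. It reuses the
# source IP and X-Mailer quoted in the posts; hosts and addresses are made up.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [10.0.0.5])
\tby imap.example.org with ESMTP; Mon, 1 Oct 2012 20:01:07 -0500
Received: from [91.192.159.186] by web.example.com via HTTP;
\tMon, 1 Oct 2012 18:01:02 -0700
X-Mailer: YahooMailWebService/0.8.121.434
From: "A Friend" <friend@example.net>
To: someone.else@example.org
Subject: (no subject)

wow this is pretty crazy you should look into it
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(msg):
    """IPv4 literals from Received headers, oldest hop first."""
    # Each relay prepends its own Received line, so the bottom one is oldest.
    hops = msg.get_all("Received", [])
    return [ip for hop in reversed(hops) for ip in IPV4_IN_BRACKETS.findall(hop)]

def origin_ip(ips):
    """First globally routable address, walking from the oldest hop."""
    # Lines below your own provider's hop can be forged: a lead, not proof.
    for ip in ips:
        try:
            if ipaddress.ip_address(ip).is_global:
                return ip
        except ValueError:  # e.g. "999.1.1.1" matched the loose regex
            continue
    return None

def triage(raw, known_contacts):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    usual = known_contacts.get(name)  # hypothetical name -> usual address map
    hops = received_ips(msg)
    return {"from_name": name, "from_addr": addr,
            "address_mismatch": usual is not None and usual.lower() != addr.lower(),
            "x_mailer": msg.get("X-Mailer"),
            "hops": hops, "origin_ip": origin_ip(hops)}
```

Calling `triage(SAMPLE, {"A Friend": "friend@example.com"})` flags the display-name/address mismatch and skips the private relay hop when picking the origin address.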
 
  

