LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-23-2011, 02:53 PM   #1
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,604

Rep: Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583
Hacked, I suppose - but who? How?


It started Sunday afternoon. One of my gmail boxes was randomly sending out mail to everybody, and one of my kids kindly returned it.

No windows in sight, I wasn't using gmail when the mails went out, I certainly wasn't logged in. I will confess to a careless attitude about internet security. The other mailbox seems fine. I'll stick a mail up on

http://pastebin.com/kb1u4MQU

It looks more like script output than spam, but there are my mail contacts being used. Fortunately, that one has more bots and daemons than people as contacts, so humiliation is limited. I don't download dodgy codecs or packages, porn, or crap. I'm not on facebook, twitter, bebo or any social networking site. I'm running slackware-13.1 and firefox-3.6.x. I've killed the offending box just in case. My other one is on slackware64-13.1 and firefox-3.6x :-/. I do mail at home - not out.

Can anyone make sense of this?

Last edited by business_kid; 01-24-2011 at 04:12 AM.
 
Old 01-23-2011, 09:09 PM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,758

Rep: Reputation: 644Reputation: 644Reputation: 644Reputation: 644Reputation: 644Reputation: 644
Sorry, can't read the link, can you post the content of an email including headers ?
 
Old 01-23-2011, 09:27 PM   #3
LVsFINEST
Member
 
Registered: Aug 2006
Posts: 95

Rep: Reputation: 21
I can't get to the link either.

Does your Gmail account use the same password as any other login you have?

Also, Gmail kinda-sorta keeps a "log" of IP addresses used to login. It's at the bottom of Gmail, you should see something like "Last account activity: 4 hours ago", with a "Details" link following.
 
Old 01-23-2011, 10:03 PM   #4
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 8,214

Rep: Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552Reputation: 1552
I couldn't get to the link either. It showed me a Microsoft Live login page.

First thing you do, change your Gmail password to something new, unique, and complex. Do not use that password for anything other than your Goggle account. Then troubleshoot.
 
Old 01-24-2011, 03:58 AM   #5
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,604

Original Poster
Rep: Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583
Sorry about the links. I know a little about headers, but I didn't see any
I have this in my other gmail account. I did a 'view source', copied & pasted that into OO andedited out my name befiore saving it off as spam.html

http://cid-9936144096ff2c07.office.l...se.aspx/Public
Also
http://pastebin.com/kb1u4MQU


There's no 'received from' stuff. It looks like script output. I 'always use https' on gmail. I did a check with rkhunter and that seems fine.

Last edited by business_kid; 01-24-2011 at 04:11 AM.
 
Old 01-24-2011, 05:48 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
It looks like an HTML and Javascript page, or an HTML based email. It is really hard to read in the current non-code-format, but scanning through it I see comments about alerting the user that they need to enable javascript, then lots of links of things like youtube, and other "if you can't access it, click this link", etc. I suspect that it an attempt to get them to go to a URL to obtain some garden variety malware.

If this was coming from your gmail account, there is a good chance that they compromised your gmail password and relayed using your account. Be sure to double check your local logs if you relay through your gmail from home.

Also, is there anyway you can get the "full" header from a message that was sent out? This would help confirm how the compromise happened.
 
Old 01-24-2011, 10:58 AM   #7
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,604

Original Poster
Rep: Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583
That's what I thought - html-javascript. In fact all that crap is thrown up by gmail. Using the simple view, I still get no meaningful headers:-((. No relaying of mail going on here. I cut my teeth on spamassassin,dcc,Vipul's Razor, and mail servers, and have no wish to suffer that again.
There were 3 different types of spam sent in turn, and these had the same url, so I ran that down and complained there. What's upsetting me is that I used to snicker loudly at my windows users suffering email problems, spam, hacking, & malware. Now I'm the one apologising and it's their turn to laugh :-/. Needless to say, I want to end it. Changing the gmail password was a first step - I also notice the 'always use https' was no longer checked, so I fixed that. Still no clearer what happened.
 
Old 01-24-2011, 11:06 AM   #8
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
I don't see anything unusual about that html you posted.

I agree with others in that probably your password was cracked. Was it strong ? If not, it's very likely that it was cracked.
 
Old 01-24-2011, 11:14 AM   #9
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331Reputation: 331Reputation: 331Reputation: 331
There is no reason to think that Linux is involved. Public email providers are an easy target for bad guys. Once they get a valid email address they can use a program to continuously try to guess the password. Eventually they succeed on some email accounts. Email account break ins are more widely known about at Yahoo! Mail but any email provider, including your ISP, is susceptible to email account break ins.

Given that it is still wise to judiciously control Java in your web browser by means of NoScript or some other add on. Java is easiest way to get viruses to run on Linux. Web pages and email are the easiest method of delivering them. If you get a Java keylogger running in Firefox and then you log on to your email account then you are compromised.
 
1 members found this post helpful.
Old 01-25-2011, 04:07 AM   #10
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,604

Original Poster
Rep: Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583
Quote:
Originally Posted by stress_junkie View Post
Given that it is still wise to judiciously control Java in your web browser by means of NoScript or some other add on. Java is easiest way to get viruses to run on Linux. Web pages and email are the easiest method of delivering them. If you get a Java keylogger running in Firefox and then you log on to your email account then you are compromised.
The password was reasonable, but not perfect in terms of security. one letter and a random number string.
I'll chase down that NoScript addon
 
Old 01-25-2011, 04:46 AM   #11
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,245

Rep: Reputation: 309Reputation: 309Reputation: 309Reputation: 309
Quote:
One of my gmail boxes was randomly sending out mail to everybody
Sorry for simple question, maybe do I not read you correctly, but how do you known this? Is that some people get mails with your email as sender or these posts are in your outbox folder? You known that when sending email everybody can enter any email as sender, even not belonging to him or nonexistent.
 
1 members found this post helpful.
Old 01-25-2011, 05:51 AM   #12
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
eSelix, thank you for reminding us of this fact. One of the missing piece of key information in this thread has been the full email headers. Take for example the snippet from the email header below from one of those pharmacy spam messages that happened to make it past my spam filter. You can see that it claims to be from a yahoo mail, but in fact was not. Given that it was even relayed through a localhost address on the originating server is also noteworthy in that it suggests that this is the machine that is responsible.

Code:
Received: from 186-105-65-5.baf.movistar.cl (unknown [186.105.65.5])
     by noway2.net (Postfix) with SMTP id C80616048D
     for <invalid@noway2.thruhere.net>; Mon, 24 Jan 2011 08:36:11 -0500 (EST)
Received: from 186-105-65-5.baf.movistar.cl (localhost [127.0.0.1])
     by 186-105-65-5.baf.movistar.cl (8.13.4/8.13.4) with SMTP id h4PR4347
     for <invalid@noway2.thruhere.net>; Mon, 24 Jan 2011 10:35:54 -0400
     (envelope-from GoViagra.CialisOnline9@yahoo.com)
Message-Id: <201101241335.UNWWKY7179@186-105-65-5.baf.movistar.cl>
Subject: Good Day Good Sale !!
To: invalid@noway2.thruhere.net
Mime-Version: 1.0
From: "GoViagra CialisOnline" <GoViagra.CialisOnline9@yahoo.com>
 
1 members found this post helpful.
Old 01-25-2011, 08:25 AM   #13
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,604

Original Poster
Rep: Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583
@eSelix: I concluded that my mailbox was sending out randomly when I found 9 spam messages in the sent mail.

@NoWay2: Agreed the headers are a vital piece of spam detection. Unfortunately gmail don't provide any option to give you headers. In this case, as the sent mails were lying in the sent mail of the offending mailbox, I think we can presume gmail sent the mail. After googling gmail help, I came up with the method for viewing headers, i.e.
1. Open the message
2. click on the down arrow beside the "Reply". 'Show Original' is an option - click on that. This gives:

Quote:
Delivered-To: business.kid@gmail.com
Received: by 10.101.6.26 with SMTP id j26cs17653ani;
Sun, 23 Jan 2011 07:34:06 -0800 (PST)
Received: by 10.100.164.2 with SMTP id m2mr2174245ane.146.1295796846747;
Sun, 23 Jan 2011 07:34:06 -0800 (PST)
MIME-Version: 1.0
Return-Path: <>
Received: by 10.100.164.2 with SMTP id m2mr3406716ane.146; Sun, 23 Jan 2011
07:34:06 -0800 (PST)
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
To: business.kid@gmail.com
X-Failed-Recipients: paul@about.ie
Subject: Delivery Status Notification (Failure)
Message-ID: <0016e645ab2cc05da8049a85368c@google.com>
Date: Sun, 23 Jan 2011 15:34:06 +0000
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Delivery to the following recipient failed permanently:
[SNIP!]

Whether I unknowingly had a gmail tab open, or gmail was compromised I don't know. I think the chance of my password being available elsewhere are remote. The java exploit route seems the most likely to me atm. It's the one explanation that makes sense. Added to this, there is a paypal account with that handle which (lazily) had the same password, but that was untouched.

Unfortunately using the NoScript addon causes a lot of pages to decide Java is not enabled, e.g. youtube. ou learn as you go.

Last edited by business_kid; 01-25-2011 at 08:27 AM.
 
Old 01-25-2011, 10:04 AM   #14
business_kid
Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware & Android
Posts: 6,604

Original Poster
Rep: Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583Reputation: 583
I'm marking this solved and thank you all for your kind help.
I've learned how to prevent a repeat, and a most probable scenario for what happened

I sent apologies to about 25% of the addresses spammed. I'm sure the spam fooled nobody. It was the mailbox I keep for 'online stuff' so the contacts were 75% subscribe & unsubscribe, something-users lists, bugzillas, lq, and the occasional real person. The Christmas shopping line, or any iphone ad would jar with those who know me. I don't do xmas/saturnalia at all, haven't done for years, and am an android user. That leaves the odd developer spammed on whatever mailbox he had years back :-/. It did prompt a cleanout of dud & ancient contacts, which I would recommend to anyone.
 
Old 01-25-2011, 10:46 AM   #15
zer0signal
Member
 
Registered: Oct 2010
Location: Cleveland
Distribution: Slackware, Fedora, RHEL (4,5), LFS 6.7, CentOS
Posts: 258

Rep: Reputation: 29
yeah went through the same thing in December... And I am most of the time a privacy paranoid... Someone from Brazil brute forced my pw.. Which was a strong pw.. 9 chars random numbers and letters.. Needless to say, I did the same thing you did, cleaned out ancient contacts, changed all passwords to Stronger num letters upper and lower with special char. Then turned that account into a junk account... Sucks but it happens to the best of us at times. =/

I def applaud Google for it though, because of the info they dumped on me, and did block the sent mail, cause of unusual activity.. So Thumbs up to them..

But a headache worth of work on my end...

Oh well Live and Learn.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
A bug.(i suppose).. harsha101087 Linux - Laptop and Netbook 1 12-16-2007 07:00 PM
what all these are suppose to mean ... alred Puppy 2 10-20-2006 08:34 AM
Are you suppose to be able to run X remotely? abefroman Suse/Novell 15 05-09-2005 04:34 PM
I suppose you Americans have seen this floppywhopper General 9 11-18-2004 02:37 AM
Is a symlink suppose to blink? angmaya Linux - Newbie 5 10-18-2003 01:12 AM


All times are GMT -5. The time now is 03:10 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration