Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am going to be brave and post this as it is bugging me a bit. I am about to do a clean install of my OS due to the 2 incidents I had this month. Before I do this I just wonder if someone could give me some advice or explain what could have happened to me (or my computer).
This month, someone has used my bank card to pay a loan company (Wonga.com) a large lump sum over 4 successful transactions (3 failures). These transactions took place shortly after my online payment to another company called zooplus.co.uk who I shopped with. I have Windows XP on my notebook and Ubuntu 10.04 on my desktop, which I mainly use. However, I think I might have used Windows to make that payment to zooplus.co.uk due to a wireless connectivity problem I had at that time with my Ubuntu network manager. Anyway, my Windows Avast! free anti-virus did not find anything after a complete scan of the entire computer.
I understand that it is possible for someone to use the long number of my bank card and the 3 digit code at the back to make payments, so I got myself a new card and changed my password, and hopefully it won't happen again.
Yesterday, someone hacked into my Yahoo email account and sent spam. I can only see one email in my sent items that was not sent by me, and the trash was empty. I think the hacker (apparently from Thailand according to the Yahoo activity log) has picked up all the email addresses I have had in my mailbox for the last 12 years and sent the spam (maybe spoofing my email address?), hence I've got a lot of failure notices from the Yahoo MAIL-DAEMON.
Again, I understand someone could have got hold of my password, which I have never given to anyone or used for anything else. My password contained 5 letters and 2 numbers; I didn't think it was that easy to guess, but I suppose not. I have changed it to something more complex now.
I know it could be just 2 separate issues but I can't help being paranoid!
I must admit that I never installed any anti-virus software on my linux machines until yesterday. So far, on my Ubuntu I have
1. Uninstalled Firefox via Synaptic Package Manager.
2. Installed ClamAv and ran scan on the home directory and no threats found.
3. Installed and ran rkhunter but nothing found.
4. Installed and ran chkrootkit and found the following, but I think it's just false positives.
Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
Searching for anomalies in shell history files... Warning: `//home/sthm/.kino-history' is linked to another file
Before I do a clean install of the OS, I wonder if anyone knows what could have happened? Sorry if I sound stupid.
Is there a reason you suspect that these problems started because of a problem on your computer(s)? If so, are you specifically suspecting the Ubuntu machine (which seems to be the machine you want to reload)?
Regarding your bank card details, I would not like to speculate about what happened here, other than to mention that the information might have been intercepted somewhere other than on your machine, i.e. somewhere on the network connection to the website. To avoid this, it is particularly important to ensure you use https connections, and pay attention to the warnings from your browser about the site's certificates.
Regarding your yahoo account, two likely scenarios include:
* If you use this email address and the same password on any other sites, one of those sites might have been hacked to obtain the password. I'd strongly suggest using different passwords for all sites, but particularly for your email account, as I think that is often targeted first.
* In my opinion a 7 character password is way too short these days, as these can be cracked relatively easily, either by guessing or with the help of rainbow tables. I think length is more important than anything else when it comes to password strength. One interesting article on this topic is at http://www.baekdal.com/insights/pass...rity-usability.
Yahoo has had some problems since June with email accounts being taken over by spam bots. My old email address was one such victim; I immediately changed the password and then stopped using that account altogether. My father received an "email" from my account and opened it; his email account then sent emails to everyone on his list. We changed his password and then stopped using the account. I suspect this may be similar to what has happened to you. If you are still using that account, a simple check of who is in your contacts list will confirm if it is similar, because there will be a strange contact that you do not know. The contact name that turned up in mine was just a jumble of letters.
With regard to your bank account, that could be any number of things. Change your password to something really strong. If you haven't already, contact your bank and see if they can trace it. Also, did you get your money back?
There are some pretty smart crooks out there. Some guys carry around a "scanner" and can get details off bank cards merely by swiping the scanner (often disguised as an iPad or other tablet device) past your wallet (in your back pocket is it?). Others have been caught adding extremely small "scanners" to ATMs and they catch every detail of every card that goes through the ATM.
I wouldn't automatically think your PCs are at fault, it could quite literally be any one of a hundred different things. By all means check your PCs but also think about other possibilities (with regards to your bank issue that is).
Thanks for all your replies, they are very helpful.
I must admit that I hadn't bothered to change my email password for so long that it is considered weak these days! I don't actually have any "contacts" saved in my Yahoo account either; I thought it was a good idea not to, but it didn't make a difference I guess. Whatever it was just picked up all the email addresses from the mailboxes.
With my bank, you can actually pay for something over the phone or online without a password as long as you have the card number and the code at the back! My bank "refunded" the lost amount and issued me a new card. I changed my PIN too, just in case.
Just now I found a spoofed spam email in my Spam box, sent to myself from myself. I am just hoping it doesn't get bad enough for me to shut my account down!
P.S. The bank sent me a letter to say that they have investigated this incident and it has been resolved. It doesn't say what, though.
Man-in-the-middle attacks, phishing, or a waitress skimming it are other possibilities, as well as your actual computer having been compromised. We don't know for sure which. This isn't a Windows forum, but the guys at forums like MalwareBytes, which help people remove Windows malware, pretty much rely on AV scans and HijackThis. There is way more to finding malware than that, but they can be effective, so you might want to try a place like that if you're still worried.
When faced with a security compromise, it is good that you evaluate your position and take measures to enhance your security posture. Keep in mind that security is an ongoing, perpetual process, not an individual act. This applies to all forms of security, not just computer security. With respect to your two incidents, it is entirely possible, I would say likely, that they are unrelated. Both Yahoo mail and credit card numbers are under constant threat. With the CC numbers, out of the main 16 numbers, I think it is 8 of them that are used to identify the financial institution, which doesn't leave a lot of randomness or combinations, even when you factor in four digits for a date and the three for the security code. Having said that, you may find this post I made last week of interest.
With regards to your Ubuntu system, it is pretty unlikely, though not impossible, that you have obtained some form of malware that could have captured your information. Generally speaking as long as you are not running server processes (ports exposed to the Internet), don't download software from untrusted sites, and use moderate browser security (e.g. flash block, ad block, no script), perform regular system updates, etc, your chances of this being your compromise vector are rather small.
It is also good that in response to this incident you engaged in an investigative process to gather potential information. This should always be done prior to taking any sort of recovery action. I would like to mention that this includes doing things that could disrupt the state of the system, like uninstalling Firefox.
Your actions also speak of a Windows security mindset, focusing on viruses, rootkits, plugins, etc. While these are things to check, forensic investigation in Linux requires a different mindset. You need to focus on log file analysis and examine the state of the system by looking at the processes, network connections, verification of system binary files, etc. The admittedly dated CERT Intruder Detection Checklist covers these items and, while not a beginner's document, will give you a better understanding of the types of things to look for. If you desire help in this regard, please let us know.
In your particular case, all things considered, I doubt your Linux system has been compromised. Most likely it was happenstance. I would also be more suspicious of the Windows system than Linux in terms of root kit key logging type malware. Ultimately, if it makes you feel better, the decision to wipe and reinstall your system is an option, but I would suggest attempting to perform a more detailed investigation into the state of the system first, both to determine if your system has been compromised as well as for the experience gain. In any case, if you do format and reinstall, please don't neglect the Windows aspect too.
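As an added illustration of the log- and process-oriented checks the post above recommends (and of the "no ports exposed to the Internet" point two posts earlier), here is a small POSIX shell script. It is not code from this thread: the auth.log lines it parses are constructed sample data in Ubuntu's sshd/sudo log format, and the hostname "desktop", the user "sthm" and all IP addresses in them are made up. The functions pull out the pattern a first-pass triage cares about most, a source address that failed repeatedly and then logged in successfully, plus any accepted login from outside a home LAN prefix. The live-system helpers at the end only wrap tools the checklist assumes (ss or netstat for listening sockets, debsums for package file verification) and explain themselves if those tools are not installed.

```shell
#!/bin/sh
# Added example: first-pass Linux post-incident triage from a shell.
# The log written by write_sample_log is CONSTRUCTED sample data in
# Ubuntu /var/log/auth.log format; host, user and IPs are made up.

write_sample_log() {
    cat > "$1" <<'EOF'
Oct 12 03:14:07 desktop sshd[2145]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Oct 12 03:14:09 desktop sshd[2145]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Oct 12 03:14:12 desktop sshd[2147]: Failed password for root from 203.0.113.45 port 51830 ssh2
Oct 12 03:15:01 desktop sshd[2150]: Accepted password for sthm from 203.0.113.45 port 51844 ssh2
Oct 12 05:40:33 desktop sshd[2201]: Failed password for sthm from 198.51.100.7 port 60012 ssh2
Oct 12 08:02:11 desktop sshd[2390]: Accepted publickey for sthm from 192.168.1.20 port 40122 ssh2
Oct 12 08:30:00 desktop sudo:     sthm : TTY=pts/0 ; PWD=/home/sthm ; USER=root ; COMMAND=/usr/bin/apt-get update
EOF
}

# Failed SSH password attempts per source IP, busiest address first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") count[$(i+1)]++
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Accepted SSH logins whose source does not start with the LAN prefix
# given as $2 (default 192.168.). Prints "ip user" per line.
accepted_from_outside() {
    lan=${2:-192.168.}
    awk -v lan="$lan" '/sshd\[[0-9]+\]: Accepted/ {
             user = ""; ip = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "for")  user = $(i+1)
                 if ($i == "from") ip = $(i+1)
             }
             if (index(ip, lan) != 1) print ip, user
         }' "$1"
}

# Classic brute-force indicator: an IP that produced failures and later
# an Accepted line. Reported once per IP, in log order.
brute_force_then_success() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)] = 1
         }
         /sshd\[[0-9]+\]: Accepted/ {
             user = ""; ip = ""
             for (i = 1; i <= NF; i++) {
                 if ($i == "for")  user = $(i+1)
                 if ($i == "from") ip = $(i+1)
             }
             if ((ip in failed) && !(ip in reported)) { reported[ip] = 1; print ip, user }
         }' "$1"
}

# Live-system checks from the same checklist; skipped when the tool is missing.
list_listeners() {
    # Listening TCP/UDP sockets with owning process: anything here is exposed
    # to whatever network the box is attached to.
    if command -v ss >/dev/null 2>&1; then ss -tulpn
    elif command -v netstat >/dev/null 2>&1; then netstat -tulpn
    else echo "list_listeners: neither ss nor netstat found" >&2; return 1
    fi
}

verify_debian_packages() {
    # debsums -c lists installed files whose checksum no longer matches the
    # package that installed them (modified system binaries show up here).
    if command -v debsums >/dev/null 2>&1; then debsums -c
    else echo "verify_debian_packages: install debsums first" >&2; return 1
    fi
}

# Demo run over the constructed log.
tmp=$(mktemp)
write_sample_log "$tmp"
echo "== failed password attempts per source IP =="; failed_logins_by_ip "$tmp"
echo "== accepted logins from outside 192.168. =="; accepted_from_outside "$tmp" 192.168.
echo "== failures followed by success from the same IP =="; brute_force_then_success "$tmp"
rm -f "$tmp"
```

On a real machine point the three log functions at /var/log/auth.log (and its rotated auth.log.1, auth.log.2.gz via zcat) and compare the listener list against what you know you run; a login that is preceded by a burst of failures from the same address is worth far more attention than a chkrootkit warning about a symlinked history file.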
Two issues at or near the same time suggest an odd coincidence.
First is the age of the OS. Don't use 10.04.
Second is rotating and hard/long passwords. Did you keep the same easy password for years? Sadly banks don't enforce enough strength.
Free antivirus is not good enough. You need a complete security suite. If you read the fine print of all the major suppliers they actually don't sell their home type products to be secure for online banking.
The entire computer world seems to be a free for all for crooks. I don't believe any system is secure.
Originally Posted by jefro
First is the age of the OS. Don't use 10.04.
10.04 is fine to use; it is still actively supported and receives security updates, and will continue to until April next year because it is an LTS. If it wasn't supported I wouldn't have posted to rebut your post, but it is, so I did in order to let the OP know there is no need whatsoever to change from 10.04 IF he doesn't want to.