LinuxQuestions.org
Linux - Security
09-27-2012, 05:07 AM   #1
sahm
LQ Newbie
Registered: Sep 2012
Location: West Berkshire, UK
Posts: 2

Possibly hacked Ubuntu 10.04?


Hi everyone,

I am going to be brave and post this as it is bugging me a bit. I am about to do a clean install of my OS due to the 2 incidents I had this month. Before I do this, I just wonder if someone could give me some advice or explain what could have happened to me (or my computer).

This month, someone has used my bank card to pay a loan company (Wonga.com) a large lump sum over 4 successful transactions (3 failures). These transactions took place shortly after my online payment to another company called zooplus.co.uk, who I shopped with. I have Windows XP on my notebook and Ubuntu 10.04 on my desktop, which I mainly use. However, I think I might have used Windows to make that payment to zooplus.co.uk due to a wireless connectivity problem I had at that time with my Ubuntu network manager. Anyway, my Windows Avast! free anti-virus did not find anything after a complete scan of the entire computer.

I understand that it is possible for someone to use the long number of my bank card and the 3-digit code on the back to make payments, so I got myself a card, changed my password, and hopefully it won't happen again.

Yesterday, someone hacked into my Yahoo email account and sent spam. I can only see one email in my sent items that was not sent by me, and the trash was empty. I think the hacker (apparently from Thailand, according to the Yahoo activity log) has picked up all the email addresses I have had in my mailbox for the last 12 years and sent the spam (maybe spoofing my email address?), hence I've got a lot of failure notices from the Yahoo MAILER-DAEMON.

Again, I understand someone could have got hold of my password, which I have never given to anyone or used for anything else. My password contained 5 letters and 2 numbers; I didn't think it was that easy to guess, but I suppose not. I have changed it to something more complex now.

I know it could be just 2 separate issues, but I can't help being paranoid!

I must admit that I never installed any anti-virus software on my Linux machines until yesterday. So far, on my Ubuntu I have:

1. Uninstalled Firefox via Synaptic Package Manager.

2. Installed ClamAV and ran a scan on the home directory; no threats found.

3. Installed and ran rkhunter, but nothing found.

4. Installed and ran chkrootkit and found the following, but I think it's just false positives.

Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/pymodules/python2.6/.path /usr/lib/pymodules/python2.6/PyQt4/uic/widget-plugins/.noinit

Searching for anomalies in shell history files... Warning: `//home/sthm/.kino-history' is linked to another file

Before I do a clean install of the OS, I wonder if anyone knows what could have happened? Sorry if I sound stupid.

Thanks in advance.
 
09-27-2012, 05:47 AM   #2
cliffordw
Member
Registered: Jan 2012
Location: South Africa
Posts: 275

Hi there,

Is there a reason you suspect that these problems started because of a problem on your computer(s)? If so, are you specifically suspecting the Ubuntu machine (which seems to be the machine you want to reload)?

Regarding your bank card details, I would not like to speculate about what happened here, other than to mention that the information might have been intercepted somewhere other than on your machine, i.e. somewhere on the network connection to the website. To avoid this, it is particularly important to ensure you use https connections, and pay attention to the warnings from your browser about the site's certificates.

Regarding your yahoo account, two likely scenarios include:
* If you use this email address and the same password on any other sites, one of those sites might have been hacked to obtain the password. I'd strongly suggest using different passwords for all sites, but particularly for your email account, as I think that is often targeted first.
* In my opinion a 7 character password is way too short these days, as these can be cracked relatively easily, either by guessing or with the help of rainbow tables. I think length is more important than anything else when it comes to password strength. One interesting article on this topic is at http://www.baekdal.com/insights/pass...rity-usability.

Good luck - hope you figure it out!
09-27-2012, 06:16 AM   #3
k3lt01
Senior Member
Registered: Feb 2011
Location: Australia
Distribution: Debian Wheezy, Jessie, Sid/Experimental, playing with LFS.
Posts: 2,697

Yahoo has had some problems since June with emails being taken over by spam bots. My old email address was one such victim; I immediately changed the password and then stopped using that account altogether. My father received an "email" from my account and opened it; his email account then sent emails to everyone on his list. We changed his password and then stopped using the account. I suspect this may be similar to what has happened to you. If you are still using that account, a simple check of who is in your contacts list will confirm if it is similar, because there will be a strange contact that you do not know. The contact name that turned up in mine was just a jumble of letters.

With regard to your bank account, that could be any number of things. Change your password to something really strong. If you haven't already, contact your bank and see if they can trace it. Also, did you get your money back?

There are some pretty smart crooks out there. Some guys carry around a "scanner" and can get details off bank cards merely by swiping the scanner (often disguised as an iPad or other tablet device) past your wallet (in your back pocket, is it?). Others have been caught adding extremely small "scanners" to ATMs, and they catch every detail of every card that goes through the ATM.

I wouldn't automatically think your PCs are at fault; it could quite literally be any one of a hundred different things. By all means check your PCs, but also think about other possibilities (with regard to your bank issue, that is).
09-27-2012, 07:18 AM   #4
sahm
LQ Newbie
Registered: Sep 2012
Location: West Berkshire, UK
Posts: 2
Original Poster

Thank you

Thanks for all your replies, they are very helpful.

I must admit that I haven't bothered to change my email password for so long that it is considered to be weak these days! I don't actually have any "contacts" saved in my Yahoo account either; I thought it was a good idea not to, but it didn't make a difference, I guess. Whatever it was just picked up all the email addresses from the mailboxes.

With my bank, you can actually pay for something over the phone or online without a password as long as you have the card number and the code on the back! My bank "refunded" the lost amount and issued me a new card. I changed my PIN too, just in case.

Just now I found a spoofed spam email in my Spam box, sent to myself from myself. I am just hoping it doesn't get bad enough for me to shut my account down!

P.S. The bank sent me a letter to say that they have investigated this incident and it has been resolved. It doesn't say what it was, though.

Last edited by sahm; 09-27-2012 at 07:20 AM.
 
09-27-2012, 08:20 AM   #5
OlRoy
Member
Registered: Dec 2002
Posts: 304

As was already mentioned, there are skimmers that criminals can attach to ATM machines, gas pumps, and such that will steal the information off your card.

http://i.imgur.com/GDuHz.png

It's also pretty common for Point Of Sale (POS) systems at any store you use your card at to get compromised. There is malware specifically made to steal credit card numbers from POS systems.

Cybercriminals targeting point-of-sale device

Man-in-the-Middle attacks, phishing, or a waitress skimming it are other possibilities, as is your actual computer having been compromised. We don't know for sure which. This isn't a Windows forum, but the guys at forums like MalwareBytes, which help people remove Windows malware, pretty much rely on AV scans and HijackThis. There is way more to finding malware than that, but they can be effective, so you might want to try a place like that if you're still worried.

Last edited by OlRoy; 09-27-2012 at 08:23 AM.
09-27-2012, 09:48 AM   #6
Noway2
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

When faced with a security compromise, it is good that you evaluate your position and take measures to enhance your security posture. Keep in mind that security is an ongoing, perpetual process, not an individual act. This applies to all forms of security, not just computer security. With respect to your two incidents, it is entirely possible, I would say likely, that they are unrelated. Both Yahoo mail and credit card numbers are under constant threat. With the CC numbers, out of the main 16 numbers, I think it is 8 of them that are used to identify the financial institution, which doesn't leave a lot of randomness or combinations, even when you factor in four digits for a date and the three for the security code. Having said that, you may find this post I made last week of interest.

With regards to your Ubuntu system, it is pretty unlikely, though not impossible, that you have obtained some form of malware that could have captured your information. Generally speaking, as long as you are not running server processes (ports exposed to the Internet), don't download software from untrusted sites, use moderate browser security (e.g. flash block, ad block, no script), perform regular system updates, etc., your chances of this being your compromise vector are rather small.

It is also good that in response to this incident you engaged in an investigative process to gather potential information. This should always be done prior to taking any sort of recovery action. I would like to mention that this includes doing things that could disrupt the state of the system, like uninstalling Firefox.

Your actions also speak of a Windows security mindset, focusing on viruses, rootkits, plugins, etc. While these are things to check, forensic investigation in Linux requires a different mindset. You need to focus on log file analysis, and examine the state of the system by looking at the processes, network connections, verification of system binary files, etc. The admittedly dated CERT Intruder Detection Checklist covers these items and, while not a beginner's document, will give you a better understanding of the types of things to look for. If you desire help in this regard, please let us know.

In your particular case, all things considered, I doubt your Linux system has been compromised. Most likely it was happenstance. I would also be more suspicious of the Windows system than Linux in terms of rootkit/keylogging type malware. Ultimately, if it makes you feel better, the decision to wipe and reinstall your system is an option, but I would suggest attempting to perform a more detailed investigation into the state of the system first, both to determine if your system has been compromised as well as for the experience gained. In any case, if you do format and reinstall, please don't neglect the Windows aspect too.
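The investigative steps the post above lists (log file analysis, checking process and network state, verifying system binaries) can be made concrete with a small triage script. What follows is an added example written for this thread, not code from the original post, from the CERT checklist, or from any Ubuntu tool. It parses a constructed sample of sshd entries in the style of /var/log/auth.log and flags any accepted login from a source address that had just been failing authentication, then shows the idea behind binary verification by recording SHA-256 hashes of a directory tree and reporting files that were later modified, removed, or added. The sample log, the user name alice, and the fake bin directory are all constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# Constructed sample of sshd entries in the style of /var/log/auth.log
# (not taken from the thread or from any real system).
SAMPLE_AUTH_LOG = """\
Sep 26 01:12:03 desktop sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 26 01:12:05 desktop sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 26 01:12:09 desktop sshd[2312]: Failed password for root from 203.0.113.7 port 51030 ssh2
Sep 26 01:13:41 desktop sshd[2315]: Accepted password for alice from 203.0.113.7 port 51044 ssh2
Sep 26 09:02:11 desktop sshd[2500]: Accepted publickey for alice from 192.168.1.20 port 40012 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def triage_auth_log(text):
    """Count failed logins per source address and flag any accepted login
    from an address that had already failed authentication in this log."""
    failures = Counter()
    accepted = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            # Counter returns 0 for an address never seen failing
            accepted.append((user, ip, method, failures[ip]))
    suspicious = [entry for entry in accepted if entry[3] > 0]
    return {"failures": dict(failures), "accepted": accepted, "suspicious": suspicious}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record the SHA-256 of every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def verify_baseline(root, baseline):
    """Compare the tree under root with a baseline taken earlier and report
    files that are missing, modified, or not in the baseline at all."""
    findings = {}
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings[rel] = "missing"
        elif sha256_of(full) != expected:
            findings[rel] = "modified"
    for rel in build_baseline(root):
        if rel not in baseline:
            findings[rel] = "unexpected"
    return findings


def demo_baseline_check():
    """Build a tiny fake bin/ in a temp dir, take a baseline, then make the
    kinds of change an investigator looks for and check each is reported."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "bin")
    os.makedirs(bin_dir)
    for name in ("ls", "ps", "netstat"):
        with open(os.path.join(bin_dir, name), "wb") as f:
            f.write(b"original contents of " + name.encode())
    baseline = build_baseline(root)
    with open(os.path.join(bin_dir, "ps"), "wb") as f:      # one file altered
        f.write(b"replaced contents")
    os.remove(os.path.join(bin_dir, "netstat"))              # one file removed
    with open(os.path.join(bin_dir, ".hidden"), "wb") as f:  # one dotfile added
        f.write(b"x")
    return verify_baseline(root, baseline)


if __name__ == "__main__":
    report = triage_auth_log(SAMPLE_AUTH_LOG)
    for user, ip, method, prior in report["suspicious"]:
        print(f"review: {user} accepted via {method} from {ip} after {prior} failures")
    for rel, status in sorted(demo_baseline_check().items()):
        print(f"{status:>10}: {rel}")
```

On a real Ubuntu system the equivalent of the baseline check is `debsums -c`, which compares installed package files against the checksums shipped in the package; the caveat is that those checksums live on the machine being examined, so a baseline copied from a known-good system or taken from the original .deb files is more trustworthy. The login history is in /var/log/auth.log, and the process and network state the post mentions come from `ps aux` and `netstat -tulpn`, ideally compared against what the same commands reported before the incident.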
09-27-2012, 09:44 PM   #7
jefro
Guru
Registered: Mar 2008
Posts: 11,590

Two issues at or near the same time suggest an odd coincidence.

First is the age of the OS. Don't use 10.04.

Second is rotating and hard/long passwords. Did you keep the same easy password for years? Sadly banks don't enforce enough strength.

Free antivirus is not good enough. You need a complete security suite. If you read the fine print of all the major suppliers they actually don't sell their home type products to be secure for online banking.

The entire computer world seems to be a free for all for crooks. I don't believe any system is secure.
09-28-2012, 05:49 AM   #8
k3lt01
Senior Member
Registered: Feb 2011
Location: Australia
Distribution: Debian Wheezy, Jessie, Sid/Experimental, playing with LFS.
Posts: 2,697

Quote (Originally Posted by jefro):
First is the age of the OS. Don't use 10.04.
10.04 is fine to use; it is still actively supported and receives security updates, and will continue to until April next year because it is an LTS. If it wasn't supported I wouldn't have posted to rebuff your post, but it is, so I did, in order to let the OP know there is no need whatsoever to change from 10.04 IF he doesn't want to.
All times are GMT -5.