Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
It started Sunday afternoon. One of my gmail boxes was randomly sending out mail to everybody, and one of my kids kindly returned it.
No Windows in sight; I wasn't using gmail when the mails went out, and I certainly wasn't logged in. I will confess to a careless attitude about internet security. The other mailbox seems fine. I'll stick a mail up on
It looks more like script output than spam, but there are my mail contacts being used. Fortunately, that one has more bots and daemons than people as contacts, so humiliation is limited. I don't download dodgy codecs or packages, porn, or crap. I'm not on facebook, twitter, bebo or any social networking site. I'm running slackware-13.1 and firefox-3.6.x. I've killed the offending box just in case. My other one is on slackware64-13.1 and firefox-3.6x :-/. I do mail at home - not out.
Can anyone make sense of this?
Last edited by business_kid; 01-24-2011 at 03:12 AM.
Does your Gmail account use the same password as any other login you have?
Also, Gmail kinda-sorta keeps a "log" of IP addresses used to login. It's at the bottom of Gmail, you should see something like "Last account activity: 4 hours ago", with a "Details" link following.
I couldn't get to the link either. It showed me a Microsoft Live login page.
First thing you do, change your Gmail password to something new, unique, and complex. Do not use that password for anything other than your Google account. Then troubleshoot.
Sorry about the links. I know a little about headers, but I didn't see any
I have this in my other gmail account. I did a 'view source', copied & pasted that into OO and edited out my name before saving it off as spam.html
It looks like an HTML and Javascript page, or an HTML based email. It is really hard to read in the current non-code format, but scanning through it I see comments about alerting the user that they need to enable javascript, then lots of links to things like youtube, and other "if you can't access it, click this link", etc. I suspect that it is an attempt to get them to go to a URL to obtain some garden variety malware.
If this was coming from your gmail account, there is a good chance that they compromised your gmail password and relayed using your account. Be sure to double check your local logs if you relay through your gmail from home.
Also, is there any way you can get the "full" header from a message that was sent out? This would help confirm how the compromise happened.
That's what I thought - html-javascript. In fact all that crap is thrown up by gmail. Using the simple view, I still get no meaningful headers :-(( . No relaying of mail going on here. I cut my teeth on spamassassin, dcc, Vipul's Razor, and mail servers, and have no wish to suffer that again.
There were 3 different types of spam sent in turn, and these had the same url, so I ran that down and complained there. What's upsetting me is that I used to snicker loudly at my windows users suffering email problems, spam, hacking, & malware. Now I'm the one apologising and it's their turn to laugh :-/. Needless to say, I want to end it. Changing the gmail password was a first step - I also notice the 'always use https' was no longer checked, so I fixed that. Still no clearer what happened.
There is no reason to think that Linux is involved. Public email providers are an easy target for bad guys. Once they get a valid email address they can use a program to continuously try to guess the password. Eventually they succeed on some email accounts. Email account break-ins are more widely known about at Yahoo! Mail, but any email provider, including your ISP, is susceptible to email account break-ins.
Given that, it is still wise to judiciously control Java in your web browser by means of NoScript or some other add-on. Java is the easiest way to get viruses to run on Linux. Web pages and email are the easiest method of delivering them. If you get a Java keylogger running in Firefox and then you log on to your email account, then you are compromised.
The password was reasonable, but not perfect in terms of security. One letter and a random number string.
I'll chase down that NoScript add-on.
One of my gmail boxes was randomly sending out mail to everybody
Sorry for the simple question, maybe I am not reading you correctly, but how do you know this? Is it that some people get mails with your email as sender, or are these posts in your outbox folder? You know that when sending email, anybody can enter any email as sender, even one not belonging to him or nonexistent.
eSelix, thank you for reminding us of this fact. One of the missing pieces of key information in this thread has been the full email headers. Take for example the snippet from the email header below, from one of those pharmacy spam messages that happened to make it past my spam filter. You can see that it claims to be from a yahoo mail, but in fact was not. That it was even relayed through a localhost address on the originating server is also noteworthy, since it suggests that this is the machine responsible.
Code:
Received: from 186-105-65-5.baf.movistar.cl (unknown [186.105.65.5])
by noway2.net (Postfix) with SMTP id C80616048D
for <invalid@noway2.thruhere.net>; Mon, 24 Jan 2011 08:36:11 -0500 (EST)
Received: from 186-105-65-5.baf.movistar.cl (localhost [127.0.0.1])
by 186-105-65-5.baf.movistar.cl (8.13.4/8.13.4) with SMTP id h4PR4347
for <invalid@noway2.thruhere.net>; Mon, 24 Jan 2011 10:35:54 -0400
(envelope-from GoViagra.CialisOnline9@yahoo.com)
Message-Id: <201101241335.UNWWKY7179@186-105-65-5.baf.movistar.cl>
Subject: Good Day Good Sale !!
To: invalid@noway2.thruhere.net
Mime-Version: 1.0
From: "GoViagra CialisOnline" <GoViagra.CialisOnline9@yahoo.com>
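The header reading Noway2 walks through above, as an added example that is not from the thread: a small Python script that unfolds the Received: chain, treats only the hop stamped by the receiving MTA as trustworthy, and checks it against the claimed From: domain and the loopback relay. The sample headers are the ones quoted in the post; the function names are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers reproduced from the spam sample quoted in the post above.
SAMPLE_HEADERS = """\
Received: from 186-105-65-5.baf.movistar.cl (unknown [186.105.65.5])
\tby noway2.net (Postfix) with SMTP id C80616048D
\tfor <invalid@noway2.thruhere.net>; Mon, 24 Jan 2011 08:36:11 -0500 (EST)
Received: from 186-105-65-5.baf.movistar.cl (localhost [127.0.0.1])
\tby 186-105-65-5.baf.movistar.cl (8.13.4/8.13.4) with SMTP id h4PR4347
\tfor <invalid@noway2.thruhere.net>; Mon, 24 Jan 2011 10:35:54 -0400
\t(envelope-from GoViagra.CialisOnline9@yahoo.com)
Message-Id: <201101241335.UNWWKY7179@186-105-65-5.baf.movistar.cl>
Subject: Good Day Good Sale !!
To: invalid@noway2.thruhere.net
From: "GoViagra CialisOnline" <GoViagra.CialisOnline9@yahoo.com>

"""
# One "Received: from HELO (rDNS [IP]) by HOST" hop; \s+ spans folded lines.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)"
)

def parse_hops(raw):
    """Return the Received hops, top (our own MTA) first, earliest last."""
    msg = message_from_string(raw)  # unfolds the tab-continued header lines
    hops = []
    for rec in msg.get_all("Received", []):
        m = HOP_RE.search(rec)
        if m:  # hops without "from ... [ip]" (e.g. Gmail's internal ones) are skipped
            hops.append(m.groupdict())
    return hops

def analyze(raw):
    """Compare the trustworthy first hop against the claimed From: domain."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    # Only the hop stamped by the receiving MTA can be trusted; lines below it
    # were written by the sender's side and may be forged.
    trusted = hops[0] if hops else None
    findings = []
    if trusted and trusted["rdns"] == "unknown":
        findings.append("no reverse DNS for connecting IP " + trusted["ip"])
    if trusted and from_domain not in trusted["helo"].lower():
        findings.append("From: claims %s but mail came from %s" % (from_domain, trusted["helo"]))
    if any(h["ip"] == "127.0.0.1" and h["by"] == h["helo"] for h in hops[1:]):
        findings.append("origin host relayed through its own loopback first")
    return {"origin_ip": trusted["ip"] if trusted else None, "from_domain": from_domain, "findings": findings}
```

Run against the bounce headers shown later in the thread, parse_hops() returns nothing, because Gmail's internal "Received: by 10.x.x.x" lines carry no connecting host; that absence is itself the point business_kid makes about Gmail headers.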
@eSelix: I concluded that my mailbox was sending out randomly when I found 9 spam messages in the sent mail.
@NoWay2: Agreed, the headers are a vital piece of spam detection. Unfortunately gmail doesn't provide any obvious option to give you headers. In this case, as the sent mails were lying in the sent mail of the offending mailbox, I think we can presume gmail sent the mail. After googling gmail help, I came up with the method for viewing headers, i.e.
1. Open the message
2. click on the down arrow beside the "Reply". 'Show Original' is an option - click on that. This gives:
Quote:
Delivered-To: business.kid@gmail.com
Received: by 10.101.6.26 with SMTP id j26cs17653ani;
Sun, 23 Jan 2011 07:34:06 -0800 (PST)
Received: by 10.100.164.2 with SMTP id m2mr2174245ane.146.1295796846747;
Sun, 23 Jan 2011 07:34:06 -0800 (PST)
MIME-Version: 1.0
Return-Path: <>
Received: by 10.100.164.2 with SMTP id m2mr3406716ane.146; Sun, 23 Jan 2011
07:34:06 -0800 (PST)
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
To: business.kid@gmail.com
X-Failed-Recipients: paul@about.ie
Subject: Delivery Status Notification (Failure)
Message-ID: <0016e645ab2cc05da8049a85368c@google.com>
Date: Sun, 23 Jan 2011 15:34:06 +0000
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Delivery to the following recipient failed permanently:
[SNIP!]
Whether I unknowingly had a gmail tab open, or gmail was compromised, I don't know. I think the chances of my password being available elsewhere are remote. The java exploit route seems the most likely to me atm. It's the one explanation that makes sense. Added to this, there is a paypal account with that handle which (lazily) had the same password, but that was untouched.
Unfortunately using the NoScript add-on causes a lot of pages to decide Java is not enabled, e.g. youtube. You learn as you go.
Last edited by business_kid; 01-25-2011 at 07:27 AM.
I'm marking this solved and thank you all for your kind help.
I've learned how to prevent a repeat, and a most probable scenario for what happened.
I sent apologies to about 25% of the addresses spammed. I'm sure the spam fooled nobody. It was the mailbox I keep for 'online stuff' so the contacts were 75% subscribe & unsubscribe, something-users lists, bugzillas, lq, and the occasional real person. The Christmas shopping line, or any iphone ad would jar with those who know me. I don't do xmas/saturnalia at all, haven't done for years, and am an android user. That leaves the odd developer spammed on whatever mailbox he had years back :-/. It did prompt a cleanout of dud & ancient contacts, which I would recommend to anyone.
yeah went through the same thing in December... And I am most of the time a privacy paranoid... Someone from Brazil brute forced my pw.. Which was a strong pw.. 9 chars random numbers and letters.. Needless to say, I did the same thing you did, cleaned out ancient contacts, changed all passwords to Stronger num letters upper and lower with special char. Then turned that account into a junk account... Sucks but it happens to the best of us at times. =/
I def applaud Google for it though, because of the info they dumped on me, and did block the sent mail, cause of unusual activity.. So Thumbs up to them..