
Thread: denial of service = gmail compromise?

  1. #1
    Just burned their ISO (Join Date: Mar 2009, Posts: 18)

    denial of service = gmail compromise?

    If this is in the wrong forum, I apologize.
    Over the last few weeks, I noticed a drop in my connection, which I didn't think anything of until recently. So I decided to run EtherApe during the last few dropouts, and it lit up like a Christmas tree. I was being connected to by IPs from all over the world within a few seconds.

    Well, this evening, my Gmail was hacked. From what I can tell, it was only for 8 minutes, but it was enough time for some kind of spambot to hit my address book. I'm thinking that my Firefox profile was compromised, but to tell the truth, I'm a little out of my depth. I'm running Linux, if that helps you experts out any.

    My question is: wtf? Does this sound like anything anyone here is familiar with? Is there any way to gauge how badly I'm screwed? I must have a billion logins, and I'd really hate to track down and change everything.... Not to mention, how do I seal this up?

    Any help or guidance is appreciated.

  2. #2
    Member CKing (Join Date: Mar 2010, Location: downtown, riverfront, Posts: 83)

    Re: denial of service = gmail compromise?

    This is definitely not the right forum because (a) it has nothing to do with BackTrack and (b) it's not even close to an expert topic... but I'm in a helpful mood, and bored, so I'll offer my thoughts. First off, prevent future attacks by changing all your passwords, and make sure your system is secure. Info on your operating system (Ubuntu? version?), connection type (wireless?), and services running (file sharing, remote desktop?) would help me suggest security measures to implement. I can't think of any connection between a DDoS (which it seems you're suggesting, but connections from all over the world are more likely due to file sharing in my opinion) and a system compromise. The fact that spam was sent from your account (I'm assuming) to all your contacts sounds like some sort of malware to me, since an individual attacking your system would have little to gain by spamming your buddies. Send me a private message containing your IP address if you would like me to do a quick scan to see if you have any obvious vulnerabilities. Or better yet, download BackTrack and attempt the scan yourself if you have confidence in your Linux skills.

  3. #3
    Super Moderator lupin (Join Date: Jan 2010, Posts: 2,943)

    Re: denial of service = gmail compromise?

    First of all, I'd ask if you have experience in interpreting the results of EtherApe. Are you sure all those IPs were connecting to you and not the other way around? Do you have a listening service on your system for them to connect to? Because if you don't, then there is no way for this to happen. And if you do... why are you offering up listening services to the Internet? Get your firewall rules sorted, and check to make sure someone else hasn't started a listening service on your system on your behalf... for guidance, SANS have some good intruder checklists you should check out.

    Regarding the Gmail thing - have you accessed your Gmail account from an untrusted computer, or clicked a link in a strange email and then been prompted for your Gmail username and password? Do you follow safe browsing practices? If you use Linux and only Linux and don't do things like leaving ssh open to the world, it's unlikely you have been caught by a password-stealing trojan or other direct compromise of your PC, and more likely that you have fallen victim to some web-based attack like XSS, XSRF, phishing, etc. If you've ever accessed your Gmail account from a Windows box that isn't managed in an incredibly secure fashion, I'd say that it was probably "trojaned up" and that is the most likely cause of your compromised account. And when I say "incredibly secure" I mean NOT like how about 80% of the world, including most businesses, run their Windows PCs.

    As mentioned above, some sort of mass pwnage scenario is most likely given the nature of the attack (spamming). Spamming is pretty unlikely to be the result of a manual break in, and much more likely to be a symptom of automated malware of some sort.

    However it happened, though, your best response is to just change your passwords and start computing securely. There's no reasonable way for someone to properly determine what's gone on in your case without direct access and a fair amount of skill, so all you can do is just clean up and concentrate on making your system defensible against future attacks.
    Last edited by lupin; 06-16-2010 at 12:31 PM. Reason: Writing like a spaz today...
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  4. #4
    Just burned their ISO (Join Date: Mar 2009, Posts: 18)

    Re: denial of service = gmail compromise?

    I do have some open ports for certain applications, and yes, ssh is one of them. My bad. But here's the thing: I don't open any email that isn't from someone I know, and I only run Linux at home. At work, let's just say it's probably as secure as a Windows box can be. What I didn't realize is that apparently trojans work in Wine. I had no idea, and never really bothered to be careful with Windows stuff. After the initial break-in, I wiped out all of my hidden home directories and reformatted, and so far that seems to have done the trick. Since I had no idea how bad it was, I just deleted everything suspicious, so I guess I'll never know what the source was. I don't even know if what I was seeing with my internet drops was related to the Gmail compromise.

    I've scanned my ports a few times, but do I really have to seal everything up? I actually use ssh. Now when I say that they're open, I mean forwarded. I don't know if that actually translates to real open ports on my box.

  5. #5
    Super Moderator lupin (Join Date: Jan 2010, Posts: 2,943)

    Re: denial of service = gmail compromise?

    Quote (originally posted by ndrwgn):
        I've scanned my ports a few times, but do I really have to seal everything up? I actually use ssh. Now when I say that they're open, I mean forwarded. I don't know if that actually translates to real open ports on my box.

    Forwarded/open - same difference. It still allows remote access to the service running on that port.

    ssh isn't too bad, as long as you are not running a vulnerable version and you can deal with automated password-guessing attempts (account lockouts, detection and blocking of bad IP addresses, etc.). You may want to forward it from a different port (not 22), use a good password, and allow ssh access only to non-obvious account names to fool the dumber scanners.
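The "detection and blocking of bad IP addresses" that lupin mentions for an Internet-facing ssh service comes down to counting failed logins per source address in a short window. The following is an added example (not code from the thread or from any tool named in it) that applies that rule to a few constructed sshd lines in /var/log/auth.log format; the hostname, usernames, addresses and the 5-failures-in-10-minutes threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log
# (hypothetical host "homebox" and documentation-range addresses, not real data).
SAMPLE_AUTH_LOG = """\
Jun 16 12:00:01 homebox sshd[2311]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jun 16 12:00:03 homebox sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jun 16 12:00:05 homebox sshd[2315]: Failed password for invalid user oracle from 203.0.113.7 port 40141 ssh2
Jun 16 12:00:09 homebox sshd[2320]: Failed password for root from 203.0.113.7 port 40150 ssh2
Jun 16 12:00:12 homebox sshd[2322]: Failed password for invalid user test from 203.0.113.7 port 40161 ssh2
Jun 16 12:01:40 homebox sshd[2330]: Failed password for ndrwgn from 192.0.2.44 port 51000 ssh2
Jun 16 12:01:45 homebox sshd[2332]: Accepted password for ndrwgn from 192.0.2.44 port 51002 ssh2
Jun 16 12:30:00 homebox sshd[2400]: Failed password for root from 198.51.100.9 port 60001 ssh2
Jun 16 12:45:00 homebox sshd[2410]: Failed password for root from 198.51.100.9 port 60002 ssh2
Jun 16 13:00:00 homebox sshd[2420]: Failed password for root from 198.51.100.9 port 60003 ssh2
"""

# Matches both "Failed password for root ..." and "Failed password for invalid user admin ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_failures(log_text, year=2010):
    """Yield (timestamp, user, ip) for each failed sshd password attempt.
    Syslog lines carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def find_bruteforcers(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: failure_count} for sources reaching max_failures failed
    logins inside a sliding window. A single user typo and slow, widely
    spaced probes stay below the threshold and are not flagged."""
    attempts = defaultdict(list)
    flagged = {}
    for ts, _user, ip in parse_failures(log_text):
        recent = [t for t in attempts[ip] if ts - t <= window] + [ts]
        attempts[ip] = recent
        if len(recent) >= max_failures:
            flagged[ip] = len(recent)
    return flagged

if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_AUTH_LOG).items():
        print(f"block candidate: {ip} ({n} failures in window)")
```

Feeding the flagged addresses into a firewall deny rule is what tools such as fail2ban automate; the point here is that the decision rests on rate per source, not on any single failed login.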
