Martin wrote:
I use suse 9.3 pro on home network. Boxed retail DVD set. Suse firewall. Security updates are current. KDE Konqueror and / or Firefox. Comcast cable internet service provider. No alias.
Every day I am seeing spam email which is a reflection of complex sensitive key word phrases I had typed into google just a few days previously.
That is *very* spooky. Of course I don't know what is happening, but here are some possibilities:

* Coincidence: Are you sure that the spams are resulting from your google queries? Or just that you are getting spam on topics that you are interested in?
* Malicious web sites: If you typed the queries into google, you presumably then went to click on the links google produced. The sites you visited can read your e-mail address from your web browser (if you told your web browser your e-mail address) and thus the destination sites may be producing the spam.
* You've been hacked: Such spyware is common on Windows, but I have never heard of it on Linux.
What are the security implications of this? How do I configure what I have to stop this? What additional measures might be appropriate? Is this spying for commercial purposes or could it be US Government spying? The Linux network worm?
It is very unlikely to be government spying. Securely cleaning spyware is very difficult, because the places spyware can hide are near infinite. Here are a range of options for verifying and cleaning your system:

* Verify your RPMs: do an "rpm -V" on all of your packages. This is a lot of work, as you likely have thousands of packages. Read the RPM man page to interpret the verbose output.
* Verify your RPMs from clean media: do the above, but do it with respect to the .rpm files on your DVD, in case the spyware has changed the RPM meta-data on your system.
* Verify your RPMs from rescue media: the spyware may have installed a kernel rootkit that makes all verification invalid, so to be really sure you have to boot from rescue media instead of the installed kernel, and then do these RPM verification steps.

All of which is a lot of work. You may find it easier to do a clean re-install of your OS. Upgrade to SUSE 10 while you are at it :)

So all of your remediation steps are a lot of work. Therefore, it would be worthwhile to test the "malicious web site" theory first.

1. Make up 2 obscure search terms that you *never* would use.
2. Enter one of them into google.
3. Go visit the resulting web sites.
4. See if you get spam.
5. Enter the other search term into google.
6. Do *not* visit any of the resulting web sites.
7. See if you get spam.

If you get spam from both obscure search terms, then perhaps you have spyware, and you should re-install. If you get spam only from the first obscure search term, then it is likely the web sites doing it to you. But that is quite surprising, as it doesn't happen to me. If you get no spam for the obscure search terms, then I suspect coincidence, and someone is just spamming you on topics you commonly search for.
Aliasing? Firewall configuration? Stop always-connected cable internet and go back to using on-demand dialup?
Going to dialup is unlikely to help, as all suspected cases here have to do with client interaction, not hosted services. Firewall configuration will not help, as you will configure your firewall to allow out HTTP and DNS, and spyware can send its stuff out those ports. I don't know what you mean by "Aliasing".
My first reactions are to look into aliasing. Or go back to on demand dialup.
But if keystrokes are being detected then there is no security. Very alarming.
To be secure against this stuff, I would recommend a clean install of SUSE 10.0 or 10.1, and add AppArmor profiles to all of the client applications that you use (Firefox, Konqueror, Evolution, KMail, Thunderbird, Gaim, etc.). That should prevent re-installation of the suspected spyware. Crispin -- Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/ Director of Software Engineering, Novell http://novell.com Olympic Games: The Bi-Annual Festival of Corruption
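The "rpm -V" verification steps above produce thousands of lines on a typical install, most of them harmless mtime or config-file changes. The script below is an added example (not part of the mailing-list exchange) that triages that output: it keeps files that are missing, and non-config files whose contents, link target, mode or ownership changed, and drops edited config files and mtime-only noise. The DVD mount point (/media/dvd/suse/i586), the /mnt mount point used from rescue media, and the sample rpm -V lines are all assumptions constructed for the example; the rpm invocations in the comments (-Va, -Vp, --root) are standard rpm options.

```shell
#!/bin/sh
# Triage helper for "rpm -V" output. Added example, not from the original
# post. Mount points and package paths below are assumptions.
#
# Real use (as root):
#   rpm -Va 2>/dev/null | triage_rpm_verify
#   # against the .rpm files on the retail DVD (mount point assumed):
#   rpm -Vp /media/dvd/suse/i586/*.rpm 2>/dev/null | triage_rpm_verify
#   # booted from rescue media, installed system mounted at /mnt:
#   rpm --root /mnt -Va 2>/dev/null | triage_rpm_verify

# Read rpm -V lines on stdin; print one line per file worth a closer look.
# Column 1 is the flag string (S size, M mode, 5 MD5 digest, D device,
# L symlink, U user, G group, T mtime, P capabilities on newer rpm);
# an optional "c" (config) or "d" (doc) marker follows, then the path.
triage_rpm_verify() {
    awk '
    /^missing/ { print "MISSING  " $NF; next }
    {
        flags = $1
        attr  = (NF >= 3) ? $2 : ""
        path  = $NF
        if (attr == "c") next            # edited config files are expected
        if (flags ~ /[S5LMUG]/)          # content, link or ownership changed
            print "CHANGED  " flags " " path
        # an mtime-only change (T) on a non-config file is noise; skipped
    }'
}

# Constructed sample of rpm -V output so the script runs offline.
sample_verify_output() {
    printf '%s\n' \
        'S.5....T.  c /etc/ssh/sshd_config' \
        '.......T.    /usr/share/doc/packages/foo/README' \
        'S.5....T.    /usr/bin/ls' \
        '.M.......    /bin/ps' \
        'missing     /usr/lib/libfoo.so.1' \
        '..5......  d /usr/share/man/man1/foo.1.gz' \
        '.....U...  c /etc/passwd'
}

# Number of suspicious entries in the sample: ls, ps, libfoo.so.1, foo.1.gz.
count_suspicious_in_sample() {
    sample_verify_output | triage_rpm_verify | wc -l | tr -d ' '
}

sample_verify_output | triage_rpm_verify
```

A replaced /usr/bin/ls or /bin/ps shows up as CHANGED with a 5 in its flags; that is exactly the pattern a user-space rootkit leaves, and it is also why the rescue-media run matters: if the running kernel is lying about file contents, rpm -Va from the installed system will report nothing.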