[opensuse] Have I been hacked?
I'm running 13.2 x64 on this particular box. I use thunderbird email. I got a couple of email delivery errors this morning, yet I had sent no emails for some time from this box. I know it's not uncommon for an email address to be spoofed by spammers. I've not had this happen before, at least not like this. I'm sending this email from my box at work BTW. The details of the delivery error are below.

------ This is a copy of the headers of the original message. ------

Return-Path: <mhounschell@cfl.rr.com>
Authentication-Results: cdptpa-oedge01 smtp.user=mhounschell@cfl.rr.com; auth=pass (LOGIN)
Received: from [107.14.174.248] ([107.14.174.248:54575] helo=cdptpa-web08) by cdptpa-oedge01 (envelope-from <mhounschell@cfl.rr.com>) (ecelerity 3.5.0.35861 r(Momo-dev:tip)) with ESMTPA id 8F/AC-28519-02975355; Mon, 20 Apr 2015 22:09:37 +0000
Message-ID: <20150420220937.WA9D0.77936.root@cdptpa-web08>
Date: Mon, 20 Apr 2015 18:09:36 -0400
From: <mhounschell@cfl.rr.com>
To: david@dieselmanor.com, drussellelectric@bellsouth.net, utterpower@gmail.com, rhounschell@cfl.rr.com, jim@pantherconcealment.com, rick.scott@eog.myflorida.com, matt.kucala@gmail.com, shane.cook@southpointe.us, user2user@gunbroker.com, morrowaudio.larry@gmail.com
Subject: hey there
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
Sensitivity: Normal
X-Originating-IP: from 93.168.159.108 by webmail.roadrunner.com; Mon, 20 Apr 2015 22:09:36 +0000
X-RR-Connecting-IP: 107.14.168.118:2525
X-Cloudmark-Score: 0

OK, whois says that "X-Originating-IP: from 93.168.159.108" is from Saudi Telecom Company JSC. OK, no big surprise there. And it didn't appear to actually come from my box.

But the "To:" list is what scares me. These are addresses from my thunderbird address book. How can this be? Some of them I haven't sent an email to in years. Others, recently. But never an email to more than one of them at a time.
Dazed and confused
Mark

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Hello,

The email is sent from an authenticated user, so he knows your username and password for webmail.roadrunner.com. Are you sure that these addresses are not in your web mail account?

Regards,
I. Petrov

On 04/21/2015 08:36 PM, Mark Hounschell wrote:
[snip]
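The distinction I. Petrov draws from the bounced headers (an authenticated submission through the provider's own service versus a merely spoofed From:) can be checked mechanically. This added example is not code from the thread; both header samples are constructed, the first from the authentication-related headers quoted above with the recipient list replaced by placeholders, the second an invented unauthenticated relay carrying the same From: address.

```python
"""Triage a bounced message's headers: were the account's credentials
used (SMTP AUTH passed for the From: address), or is the envelope spoofed?

Added example; not code from the thread. The header samples are constructed.
"""
import email
import email.utils
import re
from email import policy

# Constructed from the headers quoted in the thread; To: replaced by placeholders.
AUTHENTICATED_BOUNCE = """\
Return-Path: <mhounschell@cfl.rr.com>
Authentication-Results: cdptpa-oedge01 smtp.user=mhounschell@cfl.rr.com; auth=pass (LOGIN)
Received: from [107.14.174.248] ([107.14.174.248:54575] helo=cdptpa-web08)
 by cdptpa-oedge01 (envelope-from <mhounschell@cfl.rr.com>)
 (ecelerity 3.5.0.35861 r(Momo-dev:tip)) with ESMTPA id 8F/AC-28519-02975355;
 Mon, 20 Apr 2015 22:09:37 +0000
Message-ID: <20150420220937.WA9D0.77936.root@cdptpa-web08>
Date: Mon, 20 Apr 2015 18:09:36 -0400
From: <mhounschell@cfl.rr.com>
To: recipient-one@example.invalid, recipient-two@example.invalid
Subject: hey there
X-Originating-IP: from 93.168.159.108 by webmail.roadrunner.com; Mon, 20 Apr 2015 22:09:36 +0000
X-RR-Connecting-IP: 107.14.168.118:2525

"""

# Constructed: a plain spoof injected by an unrelated host, no SMTP AUTH anywhere.
SPOOFED_RELAY = """\
Return-Path: <bounce@spam-relay.example.invalid>
Received: from spam-relay.example.invalid (spam-relay.example.invalid [203.0.113.7])
 by mx.example.invalid with ESMTP id 0000-constructed;
 Mon, 20 Apr 2015 22:09:37 +0000
From: <mhounschell@cfl.rr.com>
To: recipient-one@example.invalid
Subject: hey there

"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse(raw):
    """Parse a header block (headers, blank line, optional body)."""
    return email.message_from_string(raw, policy=policy.default)


def authenticated_user(msg):
    """SMTP AUTH identity from Authentication-Results, only when auth=pass."""
    ar = str(msg.get("Authentication-Results", ""))
    m = re.search(r"smtp\.user=([^;\s]+);\s*auth=pass", ar)
    return m.group(1) if m else None


def submission_was_authenticated(msg):
    """ESMTPA / ESMTPSA in a Received: hop marks an authenticated submission."""
    return any(re.search(r"\bwith ESMTPS?A\b", str(h))
               for h in msg.get_all("Received", []))


def originating_ip(msg):
    """Client IP the webmail front end recorded, if the provider adds one."""
    m = IPV4.search(str(msg.get("X-Originating-IP", "")))
    return m.group(1) if m else None


def triage(raw):
    msg = parse(raw)
    user = authenticated_user(msg)
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if submission_was_authenticated(msg) and user and user.lower() == from_addr:
        # The provider accepted a login for the very account in From:, so the
        # credentials were used. That is an account problem, not a spoof.
        verdict = "credential-misuse"
    else:
        verdict = "spoofed-envelope"
    return {
        "verdict": verdict,
        "auth_user": user,
        "client_ip": originating_ip(msg),
        "recipients": [a for _, a in email.utils.getaddresses([str(msg.get("To", ""))])],
    }


if __name__ == "__main__":
    for name, raw in (("bounce", AUTHENTICATED_BOUNCE), ("spoof", SPOOFED_RELAY)):
        print(name, triage(raw))
```

For the bounce quoted in the thread the verdict is credential-misuse with client IP 93.168.159.108; the invented relay, which never authenticated, comes out as spoofed-envelope.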
On 04/21/2015 12:06 PM, I.Petrov wrote:
Hello,
The email is sent from an authenticated user, so he knows your username and password for webmail.roadrunner.com. Are you sure that these addresses are not in your web mail account?
Regards, I. Petrov
Agreed. If as you surmise, someone has compromised his roadrunner account, the addresses might have been harvested from any old mails on roadrunner. Roadrunner appears to support imap, which means a great deal of mail could have been harvested from there.

Obviously a password change at roadrunner is both important and too late.

-- 
After all is said and done, more is said than done.
On 04/21/2015 03:15 PM, John Andersen wrote:
[snip]
I have never actually sent any email using the web interface and use POP3/SMTP for this account at home. There are no emails left on the roadrunner server once I "get mail". Those email addresses are NOT "held" anywhere but on my box. I do frequently use the web interface while at work to browse any messages that I will be getting in the morning and there I do enter a password. Or rather I have Firefox remember it. But that does not explain those email addresses. A couple of them in the list have not been used for 2-3 years.

It's almost as if my machine has been compromised somehow. Is it possible that running Firefox on the box at home could somehow be allowing someone access to my machine? I do use the pipelight plugin for Netflix and Amazon videos occasionally. Pipelight uses wine to run Windows plugins? I suspect this occurred on my box at home somehow because of those email addresses only being held in the address book on my box. The passwords for webmail.roadrunner.com and the POP/SMTP servers are the same.

Do Linux users now have to worry about browsing the web like Windows users do?

????

Mark
On 04/21/2015 12:49 PM, Mark Hounschell wrote:
web interface and use POP3/SMTP
So you believe that using pop leaves no emails on the server? This is not always the case. Especially when the mail is set up to allow access from more than one client. (Such as the web client AND your box).

You might want to double check this. But if you COULD use the web interface if you chose to, it's entirely possible that mail is retained on the server.

Being POP does not automatically assure you that mail is deleted.

-- 
After all is said and done, more is said than done.
On 04/21/2015 04:09 PM, John Andersen wrote:
[snip]
Well, before I "get mail" I can log into the web interface and see the emails. Then after "getting mail" they are no longer there via the web interface. I suppose that's not to say they are not being held "somewhere"? As we all know, the US gov is sucking in everything on the wire these days.

But it is those email addresses that really concern me. I can see no way for them to have been gathered via the web interface without several years of constant monitoring/collecting. As I said, a couple of them have not been used for 2-3 years.

Mark
On Tue, Apr 21, 2015 at 4:18 PM, Mark Hounschell <markh@compro.net> wrote:
[snip]
And the sent folder at RR?
On 04/21/2015 04:20 PM, Greg Freemyer wrote:
On Tue, Apr 21, 2015 at 4:18 PM, Mark Hounschell <markh@compro.net> wrote:
[snip]
And the sent folder at RR?
Ah, the sent folder. That was it. Every email on that list was found in an email in the sent folder. It only contained about 15 emails. Thank you so much for that suggestion. I was wondering if I was going to have to rebuild my Linux box there for a bit.

Now to figure out how they got my password. I can't even remember it. That's why I let Firefox remember it for me.

Thanks again ALL

Regards
Mark
On 04/21/2015 01:46 PM, Mark Hounschell wrote:
Ah, the sent folder. That was it. Every email on that list was found in an email in the sent folder. It only contained about 15 emails. Thank you so much for that suggestion. I was wondering if I was going to have to rebuild my Linux box there for a bit.
Now to figure out how they got my password. I can't even remember it. That's why I let Firefox remember it for me.
Thanks again ALL
Regards Mark
Roadrunner has a log-in tracker facility that might help you figure out where / when it was hacked into. You might report it as well to their security people.

Might I recommend a password vault. You aren't getting any younger and the mind is the second thing to go.

-- 
After all is said and done, more is said than done.
On Tue, 21 Apr 2015 22:46, Mark Hounschell wrote:
On 04/21/2015 04:20 PM, Greg Freemyer wrote:
On Tue, Apr 21, 2015 at 4:18 PM, Mark Hounschell wrote:
On 04/21/2015 04:09 PM, John Andersen wrote:
On 04/21/2015 12:49 PM, Mark Hounschell wrote: [snip] And the sent folder at RR?
Ah, the sent folder. That was it. Every email on that list was found in an email in the sent folder. It only contained about 15 emails. Thank you so much for that suggestion. I was wondering if I was going to have to rebuild my Linux box there for a bit.
Now to figure out how they got my password. I can't even remember it. That's why I let Firefox remember it for me.
There is an Add-on for that >-} : https://addons.mozilla.org/firefox/addon/saved-password-editor/

- Yamaban.
On 2015-04-21 22:46, Mark Hounschell wrote:
Ah, the sent folder. That was it. Every email on that list was found in an email in the sent folder. It only contained about 15 emails. Thank you so much for that suggestion. I was wondering if I was going to have to rebuild my Linux box there for a bit.
Now to figure out how they got my password. I can't even remember it. That's why I let Firefox remember it for me.
Maybe you used http instead of https. Also, many mail providers do not encrypt pop/imap/smtp connections, so they can be sniffed. Or you connected using a free wifi sometime...

-- 
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
* Mark Hounschell <markh@compro.net> [2015-04-21 15:46]:
On 04/21/2015 04:20 PM, Greg Freemyer wrote:
And the sent folder at RR?
Ah, the sent folder. That was it. Every email on that list was found in an email in the sent folder. It only contained about 15 emails. Thank you so much for that suggestion. I was wondering if I was going to have to rebuild my Linux box there for a bit.
Now to figure out how they got my password. I can't even remember it. That's why I let Firefox remember it for me.
There are password guessers running literally all the time essentially everywhere by my personal experience, generally from other, compromised "drone" systems. I manage a few small email servers and have encountered successful password guessing attacks a number of times (as per the evidence in the log files). It's always a chore to keep on top of the users to choose and use strong passwords.

--Phil

-- 
Philip Amadeo Saeli
psaeli@zorodyne.com
On Tue, 21 Apr 2015 22:18, Mark Hounschell wrote:
[snip]
In the web interface, check the "addressbook" / "contacts"; some ISPs do an automatic collection of addresses from the incoming mail, and check your "settings" / "preferences" in the web interface for such a collection.

And, even if it is "too late", change your password for the mail-service.

- Yamaban
On Tue, Apr 21, 2015 at 4:09 PM, John Andersen <jsamyth@gmail.com> wrote:
[snip]
More importantly, pop does NOTHING to remove emails from the sent folder of the server.

Make sure you don't have years of emails sitting in there.

Greg
On 04/21/2015 01:19 PM, Greg Freemyer wrote:
On Tue, Apr 21, 2015 at 4:09 PM, John Andersen <jsamyth@gmail.com> wrote:
[snip]
More importantly, pop does NOTHING to remove emails from the sent folder of the server.
Make sure you don't have years of emails sitting in there.
Greg
And: Google search coughs up some hits: http://www.techsupportforum.com/forums/f138/road-runner-internet-storing-old...

Lastly I have to ask the OP: are you sure this email address you were concerned with existed ONLY on this Linux machine? Are you sure your address book hasn't been stored on another computer, an iPhone or Android phone? Or on an Apple account? Have you ever used Facebook and allowed it access to your address book on any computer or phone? Do you have any friends that might have that address in their phone books?

True story: There are idiots in the world who choose to use Facebook as their email address book, without realizing that Facebook will mine all of their address book entries and send those people "Facebook Invites".

-- 
After all is said and done, more is said than done.
On 04/21/2015 12:49 PM, Mark Hounschell wrote:
Do Linux users now have to worry about browsing the web like Windows users do?
I forgot to answer this bit....

The chances of your Linux box being hacked are dramatically smaller than is the chance that roadrunner is hacked. Infinitesimally smaller in my opinion.

-- 
After all is said and done, more is said than done.
On 04/21/2015 01:12 PM, John Andersen wrote:
On 04/21/2015 12:49 PM, Mark Hounschell wrote:
Do Linux users now have to worry about browsing the web like Windows users do?

I forgot to answer this bit.... The chances of your Linux box being hacked are dramatically smaller than is the chance that roadrunner is hacked. Infinitesimally smaller in my opinion.
This might be a good topic: Has your Linux install ever been hacked?

In my case, yes. Here are the particulars.

SuSE 5.3, installed at home on a cable modem. The documentation at that time was partially in German, including the instructions for the host-based firewall. I figured I'd work on the firewall at some later date. Alas, someone hacked in using a mountd vuln (yes, I was running NFS). I noticed it when they renamed /etc/hosts.allow to /etc/host.allow.

Another hack leveraged a vuln in ssh-1.2. This was in a corporate environment that lacked a firewall (it was a different time). This was in the late 1990's I think.

A third time was only two years ago on a dedicated host at a remote noc. I'm not sure how they got in, ssh was the only open port. But I did just enable username/password logins so that the noc techs could do some maintenance, and I think that possibly someone guessed the root password or that one of the noc techs was hacked and had the password in a file on their own host. Yes, I was running sshguard too. I normally allow only ssh public-key authentication.

Over the decades I've received LOTS of email (T-bird) and visited LOTS of web sites without any known issues. I wouldn't worry about it if one keeps their box up-to-date and runs behind a firewall.

But has anyone ever been hacked through Flash, acroread, or Java? Any others?

Regards,
Lew
On 04/21/2015 01:41 PM, Lew Wolfgang wrote:
But has anyone ever been hacked through Flash, acroread, or Java? Any others?
Odd that you mention those, because for all the hype about their vulnerabilities I've never seen any evidence of getting hacked by Acroread or Java or flash. Although a windows machine did get a virus from a PDF once.

The only time I've been hacked was when I was running an old Red Hat, which (at that time) installed with a boat load of open ports. This was just around the end of the Pleistocene as I recall.

-- 
After all is said and done, more is said than done.
On April 21, 2015 4:41:51 PM EDT, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
[snip]
This might be a good topic: Has your Linux install ever been hacked?
[snip]
But has anyone ever been hacked through Flash, acroread, or Java? Any others?
I'm aware of at least 2 Macs being hacked the last few months. This is also common on Windows PCs. I gather it is a combination of a drive-by and social engineering. The user happens across a corrupted site from what I can tell and their machine starts to have issues. After a period of time (minutes to weeks) they get a pop-up that advises they have a problem, please call xxx-xxx-xxxx for support and get the problem resolved. The "support" company has been Apple Support, McAfee, and once just a lesser known IT support company. Only "McAfee" employed a foreign helpdesk team when called. The others had typical American accents.

The support people quickly say they can fix the issue but need remote access. Once granted who knows what they do. In all the cases I have helped with, after the remote access is granted the user is also asked for their credit card info to pay for the support.

I don't know how the first part of the attack works, but at a minimum any decent web coder can pop up a dialog window saying you should call xxx-xxx-xxxx immediately to resolve issues with your computer.

If this isn't happening with opensuse users, it is a testament to the awareness of our users, not the inherent security of Linux.

Greg

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
On 2015-04-22 14:51, greg.freemyer@gmail.com wrote:
If this isn't happening with opensuse users, it is a testament to the awareness of our users, not the inherent security of Linux.
Oh yes, it happened to me. At least they tried. :-)

But you see, they said that I had a problem in my Windows. I did not phone, they did. And I got no popup.

There were several strange things. One, they were speaking to me in English (bad English), and I live in Spain. They knew my name. And they did not know how to cope when I said that I had no Windows, but Linux. They insisted, so I hung up the phone.

(ie, their "staff" were not trained to cope with Linux systems)

Apparently, they had a list of Spanish phone subscribers with English names, and they phoned them. Many of those (I think) are folk that come to Spain for retirement, so they are old, supposedly easy prey.

They were phoning from India or thereabouts. I asked in the forum and they told me that it was a quite common occurrence, only that they were now going round Spain.

They tried me several times, then the calls stopped.

-- 
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On 04/22/2015 10:09 AM, Carlos E. R. wrote:
[snip]
We mess with those stupid people. Tracie had one ready to get a technician to "fix" our tornadoes. It was a stormy day and there were tornadoes about, so she said we didn't have any windows but we had some bad tornadoes, could they fix them.

-- 
A cat is a puzzle with no solution.
Cats are tiny little women in fur coats.
When you get all full of yourself try giving orders to a cat.
_ _... ..._ _ _._ ._ ..... ._.. ... .._
On 2015-04-22 17:27, Billie Walsh wrote:
We mess with those stupid people. Tracie had one ready to get a technician to "fix" our tornadoes. It was a stormy day and there were tornadoes about, so she said we didn't have any windows but we had some bad tornadoes, could they fix them.
ROTFL! X'-)

-- 
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On 22.04.2015 at 17:09, Carlos E. R. wrote:
[snip]
This happened just a few weeks ago to a friend of my mama, in Switzerland. She was called from "Microsoft" and told that she has more than 1000 viruses on her computer (which, b.t.w., seems average to me for a Win PC that has run for more than 30 minutes...). They asked her for access data and ... she gave it! Next day her PC was unusable, everything deleted. Only then she realized that she had to change all her online passwords for banks etc.; to her luck her accounts stayed untouched...

My mother received an e-mail with an .exe file (within a zip) and opened it, because the message said: we just charged your bank account for 2000 Swiss Francs. Because exe files don't execute on her Linux box, she called me, desperate: "But I had to click it, when they take so much money from my account!". ...

I guess there are two generations that are easy to cheat: the elder ones who only use a PC that their children or grandchildren have installed for them, and the very young ones who do not have any idea what happens inside a box. They just touch their screens and think they are computer geniuses.

--
Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
On 04/22/2015 09:23 AM, Daniel Bauer wrote:
I guess there are two generations that are easy to cheat: the elder ones who only use a PC that their children or grand children have installed for them, and the very young ones who do not have any idea what happens inside a box. They just touch their screens and think they are computer geniuses.
And neither one of those two groups should be running Windows. I'm blaming you Daniel ;-)

Seriously, friends don't let naive friends run Windows. And, the best thing you can do for these people is get them a Gmail account, because, whatever you think about Google in general, Gmail's spam filtering is close to perfect.

--
After all is said and done, more is said than done.
On 22.04.2015 at 21:48, John Andersen wrote:
On 04/22/2015 09:23 AM, Daniel Bauer wrote:
I guess there are two generations that are easy to cheat: the elder ones who only use a PC that their children or grand children have installed for them, and the very young ones who do not have any idea what happens inside a box. They just touch their screens and think they are computer geniuses.
And neither one of those two groups should be running Windows. I'm blaming you Daniel ;-)
Seriously, friends don't let naive friends run Windows. And, the best thing you can do for these people is get them a Gmail account, because, whatever you think about Google in general, Gmail's spam filtering is close to perfect.
I take the blame on me... I tried, but I was not able to convince the friends of my mother to use Linux. You know, I'm the crazy artist, and so my computer must be crazy, too :-)

--
Daniel Bauer photographer Basel Barcelona http://www.daniel-bauer.com room in Barcelona: https://www.airbnb.es/rooms/2416137
On 22/04/15 16:09, Carlos E. R. wrote:
They were phoning from India or thereabouts. I asked in the forum and they told me that it was a quite common occurrence, only that they were now going round Spain.
They tried me several times, then the calls stopped.
Happens all the time here (UK). Like Billie, I just string them along, pretend to be worried, obey their instructions, then when my computer doesn't behave as they expect it to, I finally mention 'Linux'. This kind of attack depends on human gullibility, rather than technical know-how.

A few years ago I found that ssh port 22 was under sustained attack from various countries - US, China, Brazil etc. They always failed as I use private key-public key matching and not passwords, but it prompted me to move my ssh port to an unused high number port. Thanks to David Rankin for his help at the time.

Bob

--
Bob Williams System: Linux 3.16.7-7-desktop Distro: openSUSE 13.2 (x86_64) with KDE Development Platform: 4.14.3 Uptime: 06:00am up 7:55, 3 users, load average: 0.16, 0.05, 0.06
On Tue, Apr 21, 2015 at 10:36 AM, Mark Hounschell <m...@example.com> wrote:
I'm running 13.2 x64 on this particular box. I use thunderbird email. I got a couple of email delivery errors this morning, yet I had sent no emails for some time from this box. I know it's not uncommon for an email address to be spoofed by spammers. I've not had this happen before, at least not like this. I'm sending this email from my box at work BTW. The details of the delivery error are below.
------ This is a copy of the headers of the original message. ------
Return-Path: <m...@example.com>
Authentication-Results: example.com smtp.user=m...@example.com; auth=pass (LOGIN)
Received: from [127.0.0.1] ([127.0.0.1:00000] helo=@example.com) by example.com (envelope-from <m...@example.com>) (ecelerity 3.5.0.35861 r(Momo-dev:tip)) with ESMTPA id 8F/AC-28519-02975355; Mon, 20 Apr 2015 22:09:37 +0000
Message-ID: <20150420220937.WA9D0.77936.root@example.com>
Date: Mon, 20 Apr 2015 18:09:36 -0400
From: <m...@example.com>
To: d...@example.com, d...@example.com, u...@example.com, r...@example.com, jim@example.com, r...@example.com, m...@example.com, s...@example.com, u...@example.com, m...@example.com
Subject: hey there
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
Sensitivity: Normal
X-Originating-IP: from 127.0.0.1 by example.com; Mon, 20 Apr 2015 22:09:36 +0000
X-RR-Connecting-IP: 127.0.0.1
X-Cloudmark-Score: 0
OK, whois says that "X-Originating-IP: from 93.168.159.108" is from Saudi Telecom Company JSC. OK, no big surprise there. And it didn't appear to actually come from my box.
But the "To:" list is what scares me. These are addresses from my thunderbird address book. How can this be? Some of them I haven't sent an email to in years. Others, recently. But never an email to more than one of them at a time.
Dazed and confused Mark --
I'm sorry I'm replying to this posting so long after it was made, but I was occupied elsewhere at the time. Besides, the mistake made by the Original Poster is something that can't be undone once made. This is merely for the enlightenment of all us humans here.

Mark Hounschell, by neglecting to obfuscate the email addresses in the copied headers in the posting, you have provided another source for email harvesters[1].

When I noticed this, I checked the archived copy of the posting[2]. I was glad to see the mailing list software has its obfuscation option turned on. That is not always the case.

Please, before posting a request for help, PAUSE, take a deep breath, and consider how the posted data can be used by those interested in other uses. Obfuscation is our only defense. It's not easy to do well without destroying its utility in solving the problem, but the consequences are less than desirable.

I'm glad you were able to receive some help from this community. Here's to better skills in obtaining that assistance. (I usually only know about such errors because they have embarrassed me in the past.)

1. http://en.wikipedia.org/wiki/Email_address_harvesting
2. http://lists.opensuse.org/opensuse/2015-04/msg00617.html
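As an added example (not code from the thread or from any of its posters), a small Python script that does the two things this discussion turns on: it pulls from a bounced message's headers the signals that tell a forged From: apart from a logged-in account (the auth=pass result and X-Originating-IP, as in Mark's bounce), and it masks addresses and IPs before the headers are pasted into a public post. The sample header block is constructed; every address, host and IP in it is a placeholder.

```python
import email
import re
from email import policy

# Constructed sample modelled on the bounced-message headers in the thread;
# every address, host and IP here is a placeholder, not a value from the post.
SAMPLE = """\
Return-Path: <alice@example.net>
Authentication-Results: mx.example.net smtp.user=alice@example.net; auth=pass (LOGIN)
Received: from [192.0.2.10] ([192.0.2.10:54575] helo=webmail01)
  by mx.example.net (envelope-from <alice@example.net>) with ESMTPA id 00/AA-00000-00000000;
  Mon, 20 Apr 2015 22:09:37 +0000
From: <alice@example.net>
To: bob@example.org, carol@example.org, dave@example.org
Subject: hey there
X-Originating-IP: from 198.51.100.7 by webmail.example.net; Mon, 20 Apr 2015 22:09:36 +0000

"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage(raw_headers):
    """Extract the signals that separate a forged From: from a logged-in account."""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    auth = str(msg.get("Authentication-Results", ""))
    # auth=pass means the provider accepted the sender's own credentials:
    # the account was used, not merely its address forged by a spammer.
    auth_pass = re.search(r"\bauth=pass\b", auth) is not None
    ip = IPV4_RE.search(str(msg.get("X-Originating-IP", "")))
    recipients = EMAIL_RE.findall(str(msg.get("To", "")))
    return {
        "authenticated": auth_pass,
        "originating_ip": ip.group(0) if ip else None,
        "recipient_count": len(recipients),
        "verdict": "credential compromise likely" if auth_pass else "likely spoofed",
    }


def redact(raw_headers):
    """Mask addresses and IPs so the headers can be pasted into a public post."""
    masked = EMAIL_RE.sub(lambda m: m.group(0)[0] + "...@example.com", raw_headers)
    return IPV4_RE.sub("127.0.0.1", masked)


if __name__ == "__main__":
    print(triage(SAMPLE))
    print(redact(SAMPLE))
```

The redacted form keeps the Authentication-Results and header layout intact, so the triage still works on it while the third-party addresses are gone.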
* PatrickD Garvey <patrickdgarveyt@gmail.com> [04-26-15 20:50]: [...]
Mark Hounschell, by neglecting to obfuscate the email addresses in the copied headers in the posting, you have provided another source for email harvesters[1].
When I noticed this, I checked the archived copy of the posting[2], I was glad to see the mailing list software has its obfuscation option turned on. That is not always the case.
Please, before posting a request for help, PAUSE, take a deep breath, and consider how the posted data can be used by those interested in other uses. Obfuscation is our only defense. It's not easy to do well without destroying its utility in solving the problem, but the consequences are less than desirable.
And you are not able to access email headers and "harvest" the same information? Are you one that believes that attributions should also be obfuscated? Do you believe that one cannot obtain the same information merely by "looking" at email headers which somehow seem to accompany every post?

Obfuscation only helps for information that is not readily available.

--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net
On 2015-04-27 03:26, Patrick Shanahan wrote:
And you are not able to access email headers and "harvest" the same information?
No, they are addresses of people that do not post in this list. Private addresses of third parties.

--
Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Sun, Apr 26, 2015 at 6:26 PM, Patrick Shanahan <paka@opensuse.org> wrote:
* PatrickD Garvey <patrickdgarveyt@gmail.com> [04-26-15 20:50]: [...]
Mark Hounschell, by neglecting to obfuscate the email addresses in the copied headers in the posting, you have provided another source for email harvesters[1].
When I noticed this, I checked the archived copy of the posting[2], I was glad to see the mailing list software has its obfuscation option turned on. That is not always the case.
Please, before posting a request for help, PAUSE, take a deep breath, and consider how the posted data can be used by those interested in other uses. Obfuscation is our only defense. It's not easy to do well without destroying its utility in solving the problem, but the consequences are less than desirable.
And you are not able to access email headers and "harvest" the same information? Are you one that believes that attributions should also be obfuscated? Do you believe that one cannot obtain the same information merely by "looking" at email headers which somehow seem to accompany every post?
Obfuscation only helps for information that is not readily available.
I was describing the data that Mark extracted from a bounced email and included in his post as the subject of our discussion, not the headers of the posting itself. I'm sorry that was not clear from my wording.