Hi! I am facing a security issue since this morning, and could use some advice. At about 2pm local time, someone logged into my GMail account, and sent 6 spam emails to my contacts.
The header from one such mail is (single Received header):

> Received: from localhost (mcf4036d0.tmodns.net. [208.54.64.207])
> by mx.google.com with ESMTPS id if8sm12773728lab.1.2013.02.06.04.01.28
> (version=TLSv1 cipher=RC4-SHA bits=128/128);
> Wed, 06 Feb 2013 04:01:30 -0800 (PST)
> Message-ID: <5112461a.286f980a.732b.ffffa...@mx.google.com>

I have of course changed my password. But my situation is rather complicated:

a) My password was weak: 8 characters consisting of 3 lowercase letters. As much as I would like to believe it was brute-forced and this is over, 8-character-long passwords cannot be brute-forced without running into Google's captchas, correct?

b) I have stored my password in root-and-exim-readable files on two computers. Furthermore I had enabled SSH by password on the LAN side (this has been rectified), and given my WiFi password (all passwords different) to a neighbour, running Windows and generally ignorant of computers (read: spambot). However /var/log/auth* shows no login attempts from the LAN side other than my own computers. It could have been tampered with, since I am a sudoer, but how determined was a hacker who only sent advertisements?

c) /var/log/auth shows tons of login attempts from the internet side (incorrect usernames), but these could not have succeeded as only certificate authentication was enabled.

d) There was also an SMTP server (exim) listening on the LAN side (also rectified) and connected to my GMail, but the complete mail path shown above does not include my computers.

e) There is one more device storing my password, an Android phone.

f) The software installed on my computers comes from Debian, Debian-multimedia, Tor-project, and only Skype from Microsoft. Firefox and Icedove extensions from Mozilla.

g) I have been using hotspots and a 3G connection outside my home, but with my own computer.

h) I have used only one non-owned computer, running Windows, to access my GMail account. The owner insists it is not infected.

I have notified Google and T-Mobile USA, which this IP seems to belong to. Any advice appreciated. I would also like to hear some advice about how to secure my local network, now that an untrusted party has access to it. Without excluding him of course.

Thanks,
Panayiotis

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5112dbbf.2050...@gmail.com
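The two checks the post reasons about by hand, reading the relay IP out of the quoted Received header to see whether the mail passed through the home LAN, and scanning sshd lines in /var/log/auth.log for successful logins from LAN addresses that are not the poster's own machines, can be scripted. The following is an added example written for this thread, not code from the post or from any Debian package; the Received header is the one quoted above, while the auth.log lines and the set of "known" hosts are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# The single Received header quoted in the post.
RECEIVED_HEADER = (
    "Received: from localhost (mcf4036d0.tmodns.net. [208.54.64.207]) "
    "by mx.google.com with ESMTPS id if8sm12773728lab.1.2013.02.06.04.01.28 "
    "(version=TLSv1 cipher=RC4-SHA bits=128/128); "
    "Wed, 06 Feb 2013 04:01:30 -0800 (PST)"
)

# Constructed sample auth.log lines (documentation IP ranges, not real hosts).
AUTH_LOG_SAMPLE = """\
Feb  6 03:58:01 host sshd[4120]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Feb  6 03:58:07 host sshd[4122]: Failed password for invalid user oracle from 203.0.113.45 port 51240 ssh2
Feb  6 04:00:12 host sshd[4130]: Accepted publickey for panayiotis from 192.168.1.20 port 40212 ssh2
Feb  6 04:00:40 host sshd[4135]: Accepted password for panayiotis from 192.168.1.77 port 40300 ssh2
Feb  6 04:01:03 host sshd[4140]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""

# Grammar of a Received: header as produced by most MTAs:
# "from <helo> (<rdns> [<ip>]) by <host> with <proto> ... ; <date>"
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
    r"(?:\s+with\s+(?P<proto>\S+))?"
    r".*?;\s*(?P<date>.+)$",
    re.DOTALL,
)

# sshd result lines: "Accepted publickey for user from ip port N ssh2"
# or "Failed password for [invalid user ]user from ip port N ssh2".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# RFC 1918 ranges plus loopback: anything here is "LAN side" for our purposes.
LAN_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def is_lan(ip):
    """True if ip is a private or loopback address, i.e. could be a LAN host."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETWORKS)


def parse_received(header):
    """Extract relay IP, reverse DNS, receiving host and protocol from a Received header."""
    m = RECEIVED_RE.search(header)
    if not m:
        return None
    info = m.groupdict()
    info["rdns"] = (info["rdns"] or "").rstrip(".")  # strip trailing dot of the FQDN
    info["lan"] = is_lan(info["ip"])  # did the mail enter Google from a private address?
    return info


def summarize_auth_log(text, known_hosts):
    """Classify sshd log lines; known_hosts are the addresses of my own machines."""
    summary = {
        "unknown_lan_accepted": [],   # successful logins from LAN addresses I do not own
        "password_accepted": [],      # successful password (not key) logins from anywhere
        "internet_failed": Counter(),  # failed attempts per non-LAN source address
    }
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        ip, user, method, result = m["ip"], m["user"], m["method"], m["result"]
        if result == "Accepted":
            if method == "password":
                summary["password_accepted"].append((ip, user))
            if is_lan(ip) and ip not in known_hosts:
                summary["unknown_lan_accepted"].append((ip, user, method))
        elif not is_lan(ip):
            summary["internet_failed"][ip] += 1
    return summary


if __name__ == "__main__":
    hop = parse_received(RECEIVED_HEADER)
    print("relay:", hop["ip"], hop["rdns"], "via", hop["by"], hop["proto"], "LAN:", hop["lan"])
    report = summarize_auth_log(AUTH_LOG_SAMPLE, known_hosts={"192.168.1.20"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

For the quoted header the relay is 208.54.64.207 (mcf4036d0.tmodns.net), a public address, so the mail did not traverse the home LAN or the exim instance, which matches point d). On the constructed log the script flags the one password login from 192.168.1.77 as a LAN login from a host not in the known set, which is exactly the kind of entry worth looking for once SSH-by-password was enabled on the LAN side, and counts the internet-side failures per source so they can be ignored as long as only key authentication was accepted.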