
[OT] Compromised Gmail account



Hi!

I am facing a security issue since this morning, and could use some
advice. At about 2pm local time, someone logged into my GMail account,
and sent 6 spam emails to my contacts.

The header from one such mail is (single Received header):

> Received: from localhost (mcf4036d0.tmodns.net. [208.54.64.207])
>         by mx.google.com with ESMTPS id if8sm12773728lab.1.2013.02.06.04.01.28
>         (version=TLSv1 cipher=RC4-SHA bits=128/128);
>         Wed, 06 Feb 2013 04:01:30 -0800 (PST)
> Message-ID: <5112461a.286f980a.732b.ffffa6e1@mx.google.com>

I have of course changed my password. But my situation is rather
complicated:
a) My password was weak. 8 characters consisting of 3 lowercase letters.
As much as I would like to believe it was brute-forced and this is over,
8-character-long passwords cannot be brute-forced without running into
Google's captchas, correct?
b) I have stored my password on root-and-exim-readable files on two
computers. Furthermore I had enabled SSH by password on the LAN side
(this has been rectified), and given my WiFi password (all passwords
different) to a neighbour, running Windows and generally ignorant of
computers (read: spambot). However /var/log/auth* shows no login
attempts from the LAN side other than my own computers. It could have
been tampered with, since I am a sudoer, but how determined was a hacker
who only sent advertisements?
c) /var/log/auth shows tons of login attempts from the internet side
(incorrect usernames), but these could not have succeeded as only
certificate authentication was enabled.
d) There was also an SMTP server (exim) listening on the LAN side (also
rectified) and connected to my GMail, but the complete mail path shown
above does not include my computers.
e) There is one more device storing my password, an Android phone.
f) The software installed on my computers comes from Debian,
Debian-multimedia, Tor-project, and only Skype from Microsoft. Firefox
and Icedove extensions from Mozilla.
g) I have been using hotspots and a 3G connection outside my home, but
with my own computer.
h) I have used only one non-owned computer, running Windows, to access
my GMail account. The owner insists it is not infected.

I have notified Google and T-Mobile USA, to which this IP seems to
belong. Any advice appreciated. I would also like to hear some advice about
how to secure my local network, now that an untrusted party has access
to it. Without excluding him, of course.

Thanks,
Panayiotis
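One way to pull the connecting client out of a Received header like the one quoted above and check it against one's own hosts, as an added example that is not part of the original post; the header copy is reconstructed from the post and the trusted-address set is an assumption:

```python
import re
from datetime import datetime

# Constructed copy of the Received header quoted in the post (folded lines kept).
RECEIVED = (
    "Received: from localhost (mcf4036d0.tmodns.net. [208.54.64.207])\n"
    "        by mx.google.com with ESMTPS id if8sm12773728lab.1.2013.02.06.04.01.28\n"
    "        (version=TLSv1 cipher=RC4-SHA bits=128/128);\n"
    "        Wed, 06 Feb 2013 04:01:30 -0800 (PST)"
)

# helo = name the client announced; rdns/ip = what the receiving MX actually saw.
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+?)\.?\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)\s+id\s+(?P<id>\S+)"
    r"(?:\s+\(version=(?P<tls>\S+)\s+cipher=(?P<cipher>\S+)[^)]*\))?"
    r"\s*;\s*(?P<date>.+)$",
    re.DOTALL,
)


def unfold(header: str) -> str:
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", header).strip()


def parse_received(header: str) -> dict:
    """Return the hop's fields; the 'ip' is the address that connected to the MX."""
    m = RECEIVED_RE.match(unfold(header))
    if not m:
        raise ValueError("not a Received header this parser understands")
    hop = m.groupdict()
    # Drop the trailing "(PST)" comment, then parse the RFC 5322 date.
    date_str = re.sub(r"\s*\([^)]*\)\s*$", "", hop["date"])
    hop["date"] = datetime.strptime(date_str, "%a, %d %b %Y %H:%M:%S %z")
    return hop


def hop_is_trusted(hop: dict, trusted_ips: set) -> bool:
    """True only if the connecting client is one of our own known addresses."""
    return hop["ip"] in trusted_ips


if __name__ == "__main__":
    hop = parse_received(RECEIVED)
    own_hosts = {"192.0.2.10", "192.0.2.11"}  # assumed placeholder addresses
    print(hop["ip"], hop["rdns"], hop["date"].isoformat(),
          "trusted" if hop_is_trusted(hop, own_hosts) else "NOT one of our hosts")
```

Only the client IP and reverse DNS are recorded by the receiving MX; the "from localhost" part is whatever the client chose to announce in HELO and proves nothing.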