I think I was sniffed?
Matthew J. Brodeur
mbrodeur at nexttime.com
Mon Jul 10 14:46:06 EDT 2000
First of all, without the specifics of the spam messages and knowledge
of Harvard.Net's mail server setup it's possible that this was just a case
of mail forging. Someone could have seen your address and decided to use
it to get around the sender check on the mail server. On many servers you
wouldn't need a password to do that, just some knowledge of SMTP commands.
If this was sniffing the most likely case is the POP3 access across the
internet. Anyone with access to a machine on an intermediate segment can
watch traffic going by. There's really no way to prevent that except for
hoping the administrators of those networks are diligent and
ethical. Normal POP3 uses cleartext passwords (read: BAD), and unless the
ISP supports POP-SSL or the SSH workaround hack (see the "Secure POP/SSH
HOWTO") that's just the way it is. I'm not experienced with POP-SSL (or
SSL-POP, I'm not sure) but it sounds like a good idea.
You should use a different password for the laptop, and change it
soon. If you're logging in over the internet you are using some sort of
session encryption (SSH), right?
At this point you should check every available log on the laptop for
anything unusual. Large chunks of missing entries, strange error
messages from daemons, or corrupted files are all bad signs. The
"last" command is especially valuable, since it not only indicates if
someone logged on at a time that you wouldn't be around, but it's also
relatively difficult to edit the wtmp file without making a really obvious
mess.
If you find anything, then use whatever evidence is there to try and
fix any existing holes or added backdoors, and change ALL of the
passwords. A good idea would be to double check for unneeded services and
reinstall known good copies of anything you stil need.
I hope that covers enough.
Matthew J. Brodeur, mbrodeur at NextTime.com
Hostmaster for NextTime.com
http://www.NextTime.com
On Mon, 10 Jul 2000, Ron Peterson wrote:
> My ISP (HarvardNet) just had me change my dial-up password. It seems
> they had been getting SPAM complaints which implicated me. The SPAM
<snip>
> How did they get my password? I use the same password for my user
<snip>
> I'm guessing someone got me on number (2). Which means I'll probably
> stop getting my email except when I have a dial-in connection.
>
> Any other suggestions about what I should do at this point to make sure
> I haven't been further compromised? Let's just say, for the sake of
> argument, that I haven't compiled lists of the suid and guid programs on
> my laptop in a known secured state.
-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).
More information about the Discuss
mailing list