Silk Road forums
Discussion => Security => Topic started by: ejoyc on January 12, 2013, 04:08 pm
-
Hi all,
I have checked my Yahoo activity log and 2 weeks ago someone hacked into my account. That day I received this mail from MAILER-DAEMON@yahoo.com titled Failure Notification.
It contains the IP (110.138.227.177) of the malicious user that logged in to my account and the email address of one of the contacts I found on my Yahoo chat without having added them... since I use a (I think) clean Linux and never clicked on suspect links, how did they do it?
Sorry, we were unable to deliver your message to the following address.
<playfulmo0nstar0@yahoo.com>:
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (playfulmo0nstar0@yahoo.com) [0] - mta1372.mail.gq1.yahoo.com [BODY]
--- Below this line is a copy of the message.
Received: from [212.82.105.245] by nm6.bullet.mail.ird.yahoo.com with NNFMP; 27 Dec 2012 01:19:14 -0000
Received: from [212.82.108.135] by tm17.bullet.mail.ird.yahoo.com with NNFMP; 27 Dec 2012 01:19:14 -0000
Received: from [127.0.0.1] by omp1040.mail.ird.yahoo.com with NNFMP; 27 Dec 2012 01:19:14 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 188342.42706.bm@omp1040.mail.ird.yahoo.com
Received: (qmail 93270 invoked by uid 60001); 27 Dec 2012 01:19:14 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.it; s=s1024; t=1356571154; bh=peHmDdENfdohc50yjgnrbEt/hwL/Rvd69sF6PuwaLJA=; h=X-YMail-OSG:Received:X-Rocket-MIMEInfo:X-Mailer:Message-ID:Date:From:Reply-To:To:MIME-Version:Content-Type; b=xylycVOK+azEiK0UOVp/vgpQhx4xXWsvpYcYaveDdRw+3PuoI1uo5Ah/T6SpluirRsx3kb5dcO6K6A6PXPBah4gokhdH/wUVN3e4Jj/hX0W9MW/btnhLF7nH2XsSL1yHXRrF0bzeYjB0ROpEIgrscS/tydErZrJQs0fxuhCDymE=
Received: from [110.138.227.177] by web132102.mail.ird.yahoo.com via HTTP; Thu, 27 Dec 2012 01:19:13 GMT
X-Rocket-MIMEInfo: 001.001,aHR0cDovL3NoYXp1ci5jb20vd3AtY29udGVudC9wbHVnaW5zLzZzY2FuLXByb3RlY3Rpb24vbGliLnBocAEwAQEBAQ--
X-Mailer: YahooMailWebService/0.8.129.483
Message-ID: <1356571153.71736.YahooMailNeo@web132102.mail.ird.yahoo.com>
Date: Thu, 27 Dec 2012 01:19:13 +0000 (GMT)
From: Ddd Dfdd <myaddress@yahoo.de>
Reply-To: Ddd Dfdd <myaddress@yahoo.de>
To: playfulmo0nstar0@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="1972604429-521387806-1356571153=:71736"
--1972604429-521387806-1356571153=:71736
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
http://shazur.com/wp-content/plugins/6scan-protection/lib.php
--1972604429-521387806-1356571153=:71736
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable
<html><body><div style=3D"color:#000; background-color:#fff; font-family:ti=
mes new roman, new york, times, serif;font-size:12pt"><div><a name=3D"zgglv=
geloj" title=3D"jvzwktwt" href=3D"http://shazur.com/wp-content/plugins/6sca=
n-protection/lib.php">http://shazur.com/wp-content/plugins/6scan-protection=
/lib.php</a></div></div></body></html>
--1972604429-521387806-1356571153=:71736--
-
In order to have your email hacked, your computer need not be hacked. All an attacker has to do is exploit some vulnerability server-side.
Now, that said, getting a bounce message does not necessarily mean that your email account was hacked. I've occasionally gotten bounce messages to my clearnet account, listing emails that I never sent. All it takes to have this happen is for someone to spoof an email as coming form your address, with your return address appearing in the email somewhere. That way, when the email bounces, it goes back to the only address it has: yours.
If you must, change your password(s) to longer, more secure ones. Keep an eye on the account, but don't panic.
Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
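A way to settle the spoof-versus-login question raised above from the bounce itself, as an added example that is not part of any post in this thread: it parses the Received chain and the DKIM d= tag of the bounced copy (a sample constructed from the headers quoted in the first post, signature values omitted) and contrasts it with a constructed forgery handed to an outside MTA. The host-name pattern for a webmail hop and the verdict labels are assumptions of the example.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: the bounced copy's headers as quoted in the first post,
# trimmed to the lines the analysis needs (DKIM hash and signature values omitted).
WEBMAIL_SAMPLE = """\
Received: from [212.82.105.245] by nm6.bullet.mail.ird.yahoo.com with NNFMP; 27 Dec 2012 01:19:14 -0000
Received: from [127.0.0.1] by omp1040.mail.ird.yahoo.com with NNFMP; 27 Dec 2012 01:19:14 -0000
Received: (qmail 93270 invoked by uid 60001); 27 Dec 2012 01:19:14 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.it; s=s1024; bh=...; h=From:To; b=...
Received: from [110.138.227.177] by web132102.mail.ird.yahoo.com via HTTP; Thu, 27 Dec 2012 01:19:13 GMT
X-Mailer: YahooMailWebService/0.8.129.483
From: Ddd Dfdd <myaddress@yahoo.de>
To: playfulmo0nstar0@yahoo.com

"""

# Constructed contrast case: a forged From: handed by an outside host straight to a
# third-party MTA, with no provider webmail hop and no provider DKIM signature.
SPOOF_SAMPLE = """\
Received: from [198.51.100.7] by mx.example.net with ESMTP; 27 Dec 2012 01:19:14 -0000
From: Ddd Dfdd <myaddress@yahoo.de>
To: someone@example.net

"""

HOP_RE = re.compile(r"from \[(?P<ip>[0-9.]+)\] by (?P<host>\S+) (?:via|with) (?P<how>\w+)")

def received_hops(msg):
    """Received hops in transit order (oldest first) as dicts: ip, host, how."""
    hops = [m.groupdict() for h in msg.get_all("Received", []) if (m := HOP_RE.search(str(h)))]
    hops.reverse()  # every relay prepends its own header, so the last one is the origin
    return hops

def classify_bounce(raw):
    """Tell a webmail-session submission apart from an externally injected forgery."""
    msg = message_from_string(raw, policy=default)
    hops = received_hops(msg)
    origin = hops[0] if hops else {"ip": None, "host": "", "how": ""}
    dkim = re.search(r"\bd=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    dkim_domain = dkim.group(1) if dkim else None
    # "via HTTP" at a provider web host means a logged-in webmail session sent the
    # message; a provider-domain DKIM signature corroborates that it left the provider.
    via_webmail = origin["how"].upper() == "HTTP" and ".mail." in origin["host"]
    signed_by_provider = dkim_domain is not None and dkim_domain.startswith("yahoo.")
    verdict = "webmail-session" if via_webmail and signed_by_provider else "external-injection"
    return {"origin_ip": origin["ip"], "submit_host": origin["host"],
            "dkim_domain": dkim_domain, "verdict": verdict}
```

For the bounced copy the origin hop is the 110.138.227.177 session on the provider's web host, which is the pattern of a message sent from inside a logged-in account rather than one merely spoofed to it.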
-
I know my account was hacked because Yahoo alerted me of an unrecognized device that accessed my mail from the IP address written in my first post... what I don't know is how they did it and whether I'm fine now
-
If you access your account while on Tor it will show a funky IP address, but I notice the bounceback included the message text "http://shazur.com/wp-content/plugins/6scan-protection/lib.php" (I would NOT click that if I were you). A Google search of that shows someone else recently complaining of the exact same problem on a hacker forum. He was advised:
I'm sure he Remote Administrator Trojaned you, To get his IP Address open Command Prompt and type in Netstat -n
And look at the section where there are open IPs and ports, for example 231.231.435.232:1604.
(no idea if the advice is any good)
-
Probably just someone that spoofed your address to send spam. Doesn't mean you got hacked.
-
I know my account was hacked because Yahoo alerted me of an unrecognized device that accessed my mail from the IP address written in my first post... what I don't know is how they did it and whether I'm fine now
Yahoo accounts are literally notorious for being hacked. Personally, I wouldn't touch a Yahoo account with a barge-pole.
I am given to understand that there is a link that you can click to inform the admins that your account has been compromised, to allow them to change your password, if you answer the secret questions correctly. Aside from that, I'm not sure what else you can do to ensure that your account isn't compromised again.
Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
-
Personally, I wouldn't touch a Yahoo account with a barge-pole.
Follow this gentleman's advice.
-
Probably just someone that spoofed your address to send spam. Doesn't mean you got hacked.
Read reply #2....
I am given to understand that there is a link that you can click to inform the admins that your account has been compromised, to allow them to change your password, if you answer the secret questions correctly. Aside from that, I'm not sure what else you can do to ensure that your account isn't compromised again.
I have already changed my password myself. I just would like to understand what the link is between that failure mail from the Yahoo daemon and the actual account violation, since it contains the same IP that hacked my mail and I received it at the same time they accessed my mail...
-
Maintaining multiple passwords securely is a pain but important unless you don't much care.
Seconded. Use KeePass or LastPass and a fresh password for every login.
-
Lots of people reuse the same password in multiple places. Even the US LE takes advantage of this, getting your email password from your email provider and trying that password for your account elsewhere. I think that google at least only stores a hash of your password which is the only acceptable thing to do in my opinion. On some shit websites I've created accounts and they've actually emailed me my own password that I set after creating the account which is unacceptable.
Maintaining multiple passwords securely is a pain but important unless you don't much care.
Right, but how can bot contacts be added to my Yahoo messenger and get confirmed if I gave that address to nobody?