Not sure where to post this - Possible machine hack

I’m running OpenSuse 12.2 KDE 4.10.5 with KDE PIM 3. Too long I know but was waiting for 13.3 and didn’t realise that it wasn’t going to happen. Oddly I was preparing to update when this happened.

Essentially my machine may have been hacked. Someone pretended to be me on a live chat with Amazon claiming that they had problems with a rather expensive camera lens I had bought and arranged a replacement. They gave my correct name and phone number and a totally different address in Milton Keynes. I contacted Amazon and they cancelled the replacement lens immediately. Handled very quickly too. It seems what would have happened is that they would have sent a replacement and would have expected the faulty one to be returned. I suppose someone might have a faulty one but it’s more likely that one wouldn’t be returned and Amazon would initially pester me for a return and eventually charge me for the item again.

My name and phone number have been sent to numerous people over the years and are in the phone book anyway. I don’t click on links in emails etc. I also don’t leave any applications running over night but do leave the machine connected to the internet. I have also mentioned buying the lens and the software I run on the internet, even what browser I prefer. Currently a mix of Opera and Chromium.

Anyway enough on the long-winded explanation for this question. I have never ever had anything like this happen during 16 years plus using Linux and KDE. I only run fairly well known open source software so this leaves me wondering how this happened but more importantly **how I find out what has been done or how it has been done.** I see that as more preferable to just saying oh well and reinstalling.

Amazon’s view is that I must have left some device logged in. At 9pm when it happened I would have been logged in to Amazon and Ebay on my Linux machine. Unusual for Amazon, normal for Ebay. I did order one item via an iPad, even receiving an email telling me that I had not used my usual platform. This was a while ago and having checked it’s not logged in so that just leaves my Linux machine.

While I have been using Linux for a long time I am not proficient in the console. When I need to do anything there I google and promptly forget.

John

This should have been posted in the security forum.

Oops! There isn’t a security forum. Actually, most “security” questions are related to specific application, and having a separate “security” forum would probably just confuse things. So how you posted seems okay.

I’m not sure what you are looking for. Nobody has the information which would explain the issue.

Amazon, like many sites, requires that you answer some “security” question, such as “where were you born” or “what is your favorite color”. These “security” questions should really be called “insecurity questions”. If you answer them with publicly accessible information, then hackers can possibly use them to break into your Amazon account.

I don’t know if that happened. But, given what little information you have provided, that’s one possibility.

I can’t see why you would blame the machine or OS?
Sounds like a weak point in the Amazon process to me

Do you use WiFi? Is it secure?

People on windows in particular have been known to get things like keyboard sniffers installed - usually via installing free software that isn’t OS. Something taken care of by being certain about where I am downloading applications from. In my case the repo or the build service and maybe some compiling from source from the originating site. So I can’t see this being the problem but how could I tell if it was?

Just about all platforms have remote management / desktop use one way or the other. Not something I personally would enable but say someone did that for me somehow. Looking, this doesn’t seem to be enabled.

The main aspect is that Amazon do check who they are connected to and this person used a chat window from what to them seems to be my browser. Or used my password for Amazon and actually for Ebay as well by the look of it. Neither would be easy to guess so I have extreme doubts about my passwords being used from another machine.

John

I connect directly to the router via wire. Others use wifi and it is set correctly, password only and I would wish someone luck in guessing what that is. The power levels are very low too. :wink: I do get complaints about that. Wifi only works in one room if the door is open.

The only wifi I use is a cherry keyboard and mouse. Milton Keynes is a long way from Birmingham.

John

On Thu, 14 Jan 2016 14:56:01 +0000, John 82 wrote:

> Essentially my machine may have been hacked. Some one pretended to be me
> on a live chat with Amazon claiming that they had problems with a rather
> expensive camera lens I had bought and arranged a replacement. They gave
> my correct name and phone number and a totally different address in
> Milton Keynes. I contacted Amazon and they cancelled the replacement
> lens immediately. Handled very quickly too. It seem what would have
> happened is that they would have sent a replacement and would have
> expected the faulty one to be returned. I suppose some one might have a
> faulty one but it’s more likely that one wouldn’t be returned and Amazon
> would initially pester me for a return and eventually charge me for the
> item again.

If they were having it shipped to an address that isn’t yours, then
presumably you have the perp’s address - I’d turn it over to local law
enforcement.

From the machine standpoint, chances are low that it was your machine
that was compromised (on your router, you probably haven’t configured
port forwarding for anything, have you? Or set up a DMZ that forwards
everything to your machine?)

Assuming that you haven’t forwarded, for example, the ssh port to your
system, what I would be inclined to do, as a precaution, is run something
like rkhunter to see if the machine was rooted.

But as nrickert and others said, it’s more likely that they either hacked
your account using password reset questions, or obtained your login
credentials through some other means (maybe a brute force attack or using
credentials for another site that were compromised - one of the dangers
of using the same password on multiple sites, if you do that).

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Looking further the firewall was off. Something I wouldn’t do and would assume that the install activated it from day one. Too long ago to remember if I checked that. Not that these help really if people know what port number to probe and it is active. All they need is an IP. I reboot the router now and again to make sure that changes. Once a week usually.

I decided to change the root password and noticed nobody of the nobody group is there and it seems that this name could log in as there is a password - no way to see what it is though. This is something I wouldn’t have touched. I set the passwords when I install.

Could this or anything similar be a weakness?

I don’t use sudo. I just su, password, do whatever and then su me. I would usually have a root desktop account but looks like I haven’t on this install and haven’t needed it. I just set up to run a file browser and editor as root.

Under sudo YaST shows users-root hosts-all, run as-(all), nopasswd-no, commands-all. Also ALL,ALL,(ALL),No,ALL for others. Seems odd that root needs sudo as if logged in then it’s root anyway. The only person that should use sudo is me. As I don’t use it I’d rather disable it anyway but if I click edit I get messages stating that these settings are needed for the system to work.

:wink: I tried Kubuntu for a couple of days once, set up a root account and found it didn’t work as they insist on sudo. It did waste my time allowing me to set up the account.

John

Even with the software firewall off (which BTW is default in Ubuntu’s), you should still be behind the hardware firewall of your router, which is why Jim mentioned about if you had opened up ports for remote access via such as ssh?

Personally I’m sure you are suspect of the wrong things

I tend to agree with this assessment. I seriously doubt your machine was hacked, at least remotely.

Now, if you let someone physically muck around with it, that might be another matter.

Look into log files in /var/log/. Their names change from time to time, so I cannot tell the exact names.

Also look into log of the home router. I have seen once an attacker going through a firewall of a router, or at least that was the impression I got. Most likely, he exploited bugs in router’s firmware, and/or had router reconfigured. The logs of the router maintained traces of hacking activity.

If you think you were hacked at home, then likely it was malware installed by you or activated during web browsing. Adobe Flash is a prime suspect. But in practice one does not encounter viruses in Linux, although they certainly exist. I have never seen clamav finding traces of viruses in Linux-only files.

But avenues of attack are multiple. I can easily list twenty of them.

Amazon think I have suffered from some sort of phishing attack. I’m pretty careful about that and either type or use bookmarks that should be ok as I will have typed the address myself. Not totally impossible though but when I used the net for a short period without worrying about that was many months ago and I didn’t buy anything.

There are some signs of a router problem. Unbeknown to me I have been using net names that identify my ISP and some sort of remote firmware update was enabled. This was password protected. The only way I could get into the router was by using the reset button on it. They do fall over now and again though.

This may have been the problem - hacked firmware.

I had been using a PPPoE 10baseT router via a bridge modem but any time I have problems the ISP can’t check it so have been using one of theirs for around 12 months. It set itself up.

I do use the flash player but generally only on YouTube and it is out of date. I have been looking at what to do to update that but I suspect it will have to wait for a system upgrade. I use Chromium but wonder about using Google’s Chrome which I understand would take care of this.

John