Did I just get hacked? What do I need to do?

Eruditass
I just received 5 emails with the title "Delivery Status Notification (Failure)", sent to some random (and some dictionary-word) addresses at one domain. The body was some advertisement from "LRWatches", which seems to be some Chinese watch maker, with a link to a base website address.

I was logged in, and did not notice until 40 minutes later. I then promptly changed my password and signed out all other accounts. Gmail said there were no other accounts logged in, and did not report any activity from the IP address that sent the mail.

I have the whole header from the delivery failure message. Nothing is in the sent mail. The header:

Received: by 10.236.125.130 with SMTP id z2mr26303175yhh.94.1329951863039;
Wed, 22 Feb 2012 15:04:23 -0800 (PST)
Received: by 10.236.125.130 with SMTP id z2mr26303172yhh.94.1329951862986;
Wed, 22 Feb 2012 15:04:22 -0800 (PST)
Return-Path: <[email protected]>
Received: from 236.137.167.190.d.dyn.codetel.net.do ([190.167.137.236])
by mx.google.com with SMTP id c9si26748951qao.50.2012.02.22.15.04.02;
Wed, 22 Feb 2012 15:04:22 -0800 (PST)
Received-SPF: neutral (google.com: 190.167.137.236 is neither permitted nor denied by domain of [email protected]) client-ip=190.167.137.236;
Authentication-Results: mx.google.com; spf=neutral (google.com: 190.167.137.236 is neither permitted nor denied by domain of [email protected]) [email protected]
Received: from c3-ssha-a2529.accounts.china-fpa.org ([190.167.137.236])
(authenticated bits=0)
by smtpa02.isq.pt (smtpa02) with ESMTP id q1MGB7Sd002856
(version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO)
for <[email protected]>; Wed, 22 Feb 2012 18:04:02 -0500
Received: from C3-SSHA-A1090.accounts.china-fpa.org ([190.167.137.236]) by c3-ssha-a2529.accounts.china-fpa.org with Microsoft SMTPSVC(6.0.3790.1830);
Wed, 22 Feb 2012 18:04:02 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----_=_NextPart_001_01CCF17C.B30ACE29"
Subject: Show me the difference
Date: Wed, 22 Feb 2012 18:04:02 -0500
X-ASG-Orig-Subj: Show me the difference
Message-ID: <F6E2B9DD52B5CE4AA37737CAEDED9C60030B9D0A@C3-SSHA-A1090.accounts.china-fpa.org>
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic: Show me the difference
thread-index: AczxfLI6kKUDtue6RbSbdpUuALwAgA==
From: "LRWatches" <[email protected]>
To: <[email protected]>
Authed in Mexico? Received from China, IP in the Dominican Republic?

Is there anything else I should do? How can I figure out how this happened? I always use Google with HTTPS, and my passwords are salted.
 
This could have happened in many different ways. You were right to change your password and check the access records. People who fall victim to this don't always have spyware on their computer, but it wouldn't hurt to scan your computer with Malwarebytes and/or a similar program.
 
This was with your Gmail account? Then yep, change your password. Also, while on the Gmail webpage, click the gear icon to go into settings, go to the "Forwarding and POP/IMAP" tab and make sure the IMAP and POP stuff is disabled (unless you were already using it). Also find a button somewhere to sign out of all your current sessions (I can't seem to find this page, but I was linked to it when Google noticed my account could've been compromised).

Follow this guide too: https://support.google.com/mail/bin/static.py?hl=en&page=checklist.cs&tab=29488
 
Same thing happened to my wife and me. You should be fine as long as you change your password. Also, enable the two-step verification system they have.
 
What are the last few IPs from the gmail access log? (Censor out yours, ofc)
 
You can change every password you want but you won't stop anything. I'm guessing nobody else that posted knows much about how email works or didn't look at the headers, or both.

Authentication-Results: mx.google.com; spf=neutral (google.com: 190.167.137.236 is neither permitted nor denied by domain of [email protected]) [email protected]
Received: from c3-ssha-a2529.accounts.china-fpa.org ([190.167.137.236])

The emails did not come through Gmail; they came from somebody in China. They just used your email address to send out spam. When you send through a mail server, as long as you are authenticated to send from that server you can send as whoever you want. If you own a mail server then that means you have free rein to send out as whoever you want. I could send you an email right now and have it show up as being from you without a problem. Doesn't mean that I have your password or hacked your account; that just means that is who I used to send as.

You are fine, you weren't hacked. Somehow your email address got picked up by somebody and was being used to send out spam; you can't stop that. We had that issue at work a few years back where about 10 of our employees got onto some list and received about 5000 of these a day for a few weeks. Closest thing to prevent that from happening is for an owner of a domain to set up SPF to say which servers have your permission to send on your behalf. Then you have to hope that the people receiving have their server set up to check SPF to see if the sending SMTP server has permission to be sending on behalf of a domain for all mail. As you can see from what I quoted, it stated there that the China server was neither allowed nor denied, so it was allowed through. Which just means that Google doesn't set up SPF for Gmail and allows everyone to send on their behalf instead of forcing you to send through their servers. However, if the domain you use is set up like that and doesn't care who sends out on their behalf, you can't stop it. If the receiving server isn't set up to check SPF then it wouldn't matter even if you did say that a server couldn't send on your domain's behalf, as the receiving server wouldn't know not to accept it.
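As an added illustration of the SPF point in the post above (example code written for this edit, not from anyone in the thread), here is a minimal SPF evaluator that runs the relay IP from the posted header against three constructed records, showing how the same hop ends up neutral, softfail or fail depending only on the record's final qualifier. The ip4 ranges in the records are placeholders, and DNS-dependent mechanisms (include, a, mx) are skipped so it runs offline.

```python
import ipaddress

# SPF qualifier prefixes mapped to the result names seen in Received-SPF headers.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Evaluate a simplified SPF record for the IP that connected to the MX.

    Handles the ip4/ip6 mechanisms (optional CIDR) and the "all" mechanism.
    Mechanisms that need DNS (include, a, mx, ...) are skipped here so the
    example runs offline. Returns pass/fail/softfail/neutral/none.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # domain publishes no usable SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if mech in ("ip4", "ip6") and arg:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208 section 4.7: nothing matched and no "all"


# Client IP taken from the Received-SPF line in the thread's header; the SPF
# records below are constructed for illustration, not any real domain's.
SPAM_RELAY_IP = "190.167.137.236"
RECORDS = {
    "neutral (?all), what the OP's header shows": "v=spf1 ip4:203.0.113.0/24 ?all",
    "softfail (~all), receivers usually spam-score it": "v=spf1 ip4:203.0.113.0/24 ~all",
    "hard fail (-all), receivers can reject it": "v=spf1 ip4:203.0.113.0/24 -all",
}


def compare_policies(client_ip: str = SPAM_RELAY_IP) -> dict:
    """Return the SPF result the same relay IP would get under each policy."""
    return {label: evaluate_spf(rec, client_ip) for label, rec in RECORDS.items()}


if __name__ == "__main__":
    for label, result in compare_policies().items():
        print(f"{result:8s} <- {label}")
```

Note that a "pass" only says the relay was authorised for the envelope domain; the From: header still needs DMARC alignment to be trusted, which is why SPF alone does not settle "was I hacked".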
 
I agree with the above; looking at the header, you have not been hacked.

Received: from c3-ssha-a2529.accounts.china-fpa.org ([190.167.137.236])
 
I had no idea about the last activity option on the account. So I clicked on it and I see two entries for Texas, and I'm in NC. The IPs for the NC listings all start with 174 as well, but are different after that.

Do you think there is cause for concern, or could the IP range be listed incorrectly? I did set up the two-step authentication and actually had Google create one of their odd passwords for the mobile device.

Mobile United States (TX) (174.253.70.172) Feb 22 (19 hours ago)
Mobile United States (TX) (174.253.68.197) 12:41 pm (12 minutes ago)
 
Someone impersonating their e-mail address was my first thought, but didn't know whether anything in the header confirmed or refuted that.
 
You log in from your phone? If so, you can't go based on that location. I am in Indiana, but the blocks that AT&T uses for my iPhone make me appear to be in Pennsylvania. That is just where their block came from.

That 174.253.x.x block belongs to Verizon; is that the wireless carrier you would have used?
 
I have a Droid and set up my Gmail account on it with the Gmail app, and I am with Verizon. Most of the entries in the log show the location NC by the IP address, but there were two that said TX.
 
I know when I access the net via my phone it appears as though I'm in TX, but I'm in NorCal. You changed your password, but as someone said above, they were basically just spoofing your email, you weren't hacked. Go ahead and run scans, never hurts to check, but I wouldn't freak out too much.
 
Probably just the range you got dropped into that day.
 
Yeah, it is good that you noticed this. I would also look up how Mobile IP works, as it may explain a little more about these IP addresses. My guess is that is where your "home agent" resides (TX)? Someone more knowledgeable than I can correct me.
 
That is what a few of us are thinking is most likely the case. As I said above, I'm in Indiana but show up with IPs that would show me being in other states. Had me concerned here a few weeks ago. Had somebody from another country attacking our SBC for our softswitch; while looking through to see how often the same range gets blacklisted for attacks, I kept noticing that there was a range from another state that kept showing up as getting a few errors with us every now and then. Which is odd, as our VoIP service is only for our customers in our WISP. At the same time that weekend my VPN server got beat on by somebody trying for about an hour to brute force their way in. I locked down our firewall a little better on that machine and started noticing that the same range that was getting errors with our SBC was showing up connecting to our VPN server. Was going through with some other guys about this other ISP having a lot of people that are trying to get into our stuff. Then somebody mentioned how they had looked at their phone once and its IP was showing up as coming from that area, so I loaded up http://www.whatismyip.com and sure enough my phone was getting an IP from that range. So what I thought were attacks were just employees trying to use soft phones that were getting errors every now and then, and employees being blocked from logging into VPN since I blocked PPTP ports and some of them were still trying to use them.

When you are dealing with larger ISPs (either cell phones or DSL) you can't always go based on what you see as the location of your IP. Think it was Verizon, when they were in the area (before selling off to Frontier in our area), your IP would always make you show up as being in Virginia or something like that.

For the OP, it is good to pay attention to that list and to anything that seems odd, but you can't go solely on the change of a state like that. First off you need to check your phone's IP to see if it is ever in that range. You also need to look at the times that the people log in. Does that line up with times that you probably / could have been logging in? Those emails being sent that you posted about at the start did NOT come from your account; they didn't go through Google's server, they went through an Exchange server in China. So nobody accessed your account to send out anything. IF somebody accessed your account from Texas, they did so twice with a cell phone on the same network that you are on.
 