Hotmail hacked.....help!!!!!!!!!
c_seegran
September 17th, 2001, 12:04 PM
:confused: Recently there is this guy who said he can hack any e-mail address ending with ".com" within 5-10 minutes.
This happened during IRC-chat. So to prove that he can do it, I gave him my non-important e-mail address. The password is alphanumeric. And the worst part is that within 7 minutes he messaged me privately and revealed my password.
How does he do it and how can I prevent it?
Your opinions and help are really needed. TQ.
itsme
September 17th, 2001, 01:14 PM
did u download any of the pictures or open any page that the guy referred or sent u?
this work can be done easily with a keylogger which installs itself on ur sys once u open/download the malicious page/picture/software.
a keylogger captures all the keystrokes from ur sys and logs them in a file. In this case the guy must have configured the keylogger to send the log to him via mail.
so in this case the SSL is of no use.
u must see all the tasks running in the task manager and if there's any task u don't recognize, end it.
Also remove all the registry entry by that name after that.:)
dropkick323
September 17th, 2001, 03:13 PM
It's easy, a KEYLOGGER!!!!!!
c_seegran
September 17th, 2001, 07:58 PM
But I did not receive/download any mail/file/pic from him.
And i'm using packet filtering firewalls.
Terr
September 17th, 2001, 08:59 PM
Did he boast this to YOU, or to a bunch of people? I would do a heavy-duty virus scan.
Also, this was for a 'real' email server, right? Not Hotmail or something?
itsme
September 18th, 2001, 07:12 AM
why don't u try scanning on ur sys!
maybe u find out an open port that is not supposed to be open.
maybe ur firewalls aren't running properly. or if possible try running an IDS on ur sys.
this way whatever data is going out of ur sys,u can see that.
i don't think there's any other way for the guy to get ur passwd but from ur own sys.
tearsofnight
September 19th, 2001, 06:36 AM
did you use this email address at any time after his boast?
also, download a list of known trojan ports, open a command line prompt, type netstat -a > filename.txt then edit filename.txt and compare the open ports there to the ports on the trojan list
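The port comparison suggested in the post above, as an added example that is not part of the original thread. The port table is a small sample of historically documented trojan default ports (an assumption standing in for the downloaded list), and the netstat text is constructed sample output.

```python
import re

# Small sample of historically documented trojan default ports; stands in
# for the full downloaded list the post refers to (assumption).
TROJAN_PORTS = {
    12345: "NetBus",
    12346: "NetBus",
    27374: "SubSeven",
    31337: "Back Orifice",
}

# Constructed sample of netstat output with numeric ports (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1042       203.0.113.7:6667       ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

# Proto, local address, foreign address, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def local_port(address):
    """Return the numeric port of 'host:port', or None for a service name."""
    port = address.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def suspicious_ports(netstat_text, known_ports=TROJAN_PORTS):
    """Return (proto, port, state, name) for local ports found on the list."""
    hits = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or unrecognised row
        proto, local, _foreign, state = m.groups()
        port = local_port(local)
        if port in known_ports:
            hits.append((proto, port, state or "-", known_ports[port]))
    return hits


if __name__ == "__main__":
    for proto, port, state, name in suspicious_ports(SAMPLE_NETSTAT):
        print(f"{proto} local port {port} ({state}): default port of {name}")
```

Plain `netstat -a` may print service names instead of numbers, which this parser skips; `netstat -an` prints numeric ports. A match only says the port is in use, and a trojan configured for a non-default port will not appear.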
Terr
September 19th, 2001, 08:11 AM
This was a hotmail account, right? Did you check it between when you told him your username and when he gave you the pword? And if you DID check it, was there a mail from him? There was a Jscript hotmail bug in the news a while ago, he might have just taken advantage of it before it was patched. (Has it been patched?)
limp1058
September 19th, 2001, 09:33 PM
Dude, Maybe he just has a good crack program. Did you happen to stumble upon this issue during the big hotmail bug..............?
pwaring
September 20th, 2001, 03:24 PM
A tip: Don't use hotmail!
Try Postmaster (http://www.postmaster.co.uk/) instead. It's never (fingers crossed!) been hacked, mainly because few people know about it. Hotmail is an obvious target because it's big and it's Micro$oft.
pwaring
tearsofnight
September 21st, 2001, 01:19 AM
it wasn't microsoft when I got my accounts.... :/ 'course that was a long time ago too.
jansson_markus
September 26th, 2001, 04:27 PM
Why? Tell me that!
Take a look at the https://www.hushmail.com for instance: secure, reliable and free. Or https://www.ziplip.com which gives you 5.5MB of space!
Why do people even bother using non-secured connections with non-secure email servers? And where is PGP? Aaaarrrgghhhh!!!! :rolleyes: :D
deenx
September 26th, 2001, 07:48 PM
Or he could have just used this proggy--->
http://www.astalavista.com/hacking/password/hotmail1.shtml
8trak
September 26th, 2001, 10:47 PM
Perhaps,
But that exploit doesn't reveal the user's password. (Does it?)
And I didn't think that that bug worked anymore? (Does it?)
What I'd be interested in is whether or not you had talked to the guy before,
He might have already had your password, and just thought that he was all-that.
Another possibility is if this dude's your friend,
A few years ago I set up a key-logger on my own machine and got everyone's passwords.
That way they can't find out how you did it.
If you want him to shut-up/ find out if he's shittin ya, just give him a pop3 address to hack,
granted he's just some script kiddie then he'll never get it.
- 8trak
Ennis
October 1st, 2001, 06:04 PM
There are, despite popular beliefs, excellent crackers. There is one guy I know who used neither a brute forcer [now useless], any trojan/keylogger/virus or any other method other than social engineering. He could be anybody you talked to online, in the past or on IRC. He convinced victims of good intentions and then got enough information off them to get their passwords. He then, bored, would taunt these people by talking to them as complete strangers and say he could hack them; they would give their e-mail accounts and he would look super-elite to the unaware average joe.
This is common practice, men, like it or not.
agentlinux
October 1st, 2001, 06:33 PM
**to:c_seegran**
i suggest you not use IRC
IRC is just like using ICQ too many ****ing security flaws in the shit
also about Hushmail *it's too easy to hack*
go with hotmail
microsoft has a whole new security system
i am not saying it's unhackable but it's more secure than yahoo
agentlinux@hotmail.com
http://www.hackers4life.com
c_seegran
October 2nd, 2001, 12:46 PM
Thanks for the advice dude.:)
Ivan Kozhedub
October 5th, 2001, 04:13 PM
Originally posted by itsme
did u downloaded any of the picture or opened any page that the guy referred or sent u?
this work can be done easily with a keylogger which installs itself on ur sys once u open/download the malicious page/picture/software
are you saying that someone can send me to look at a certain page on the net and then log all my keypresses? how would i know if that happened? what would i have to do once i got on the page to enable him to do this?:confused:
Simon Templer
October 5th, 2001, 05:32 PM
** for Ivan Kozhedub **
I think what he was trying to say was, pointing you to a place to download a file "disguised" as an image/software, etc, that is actually a keylogger.
like: CoolImage.Jpg.Exe which "might" trick you into thinking that you are downloading an Image, but is actually an Executable
This can be deceptive in Windows if you have "hide known file extensions" in "folder options"... Then the above file would just be displayed as "CoolImage.Jpg". However, if someone is using that trick the icon is different.
Some virii used that trick to "disguise" VBS files as JPG's
! Hope That Helped !
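A check for the double-extension disguise described in the post above, as an added example that is not part of the original thread. The two extension sets are assumed common subsets, the file names in the demo are constructed, and the Explorer behaviour is modelled only as "hide the last extension".

```python
import os

# Extensions Windows runs as a program or script (assumed common subset).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a user expects to be harmless media or documents (assumed subset).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".mp3", ".avi"}


def shown_name(filename):
    """Name as displayed when 'hide known file extensions' is enabled."""
    return os.path.splitext(filename.strip())[0]


def is_disguised(filename):
    """True if the real extension is executable and the shown name ends in a decoy."""
    stem, real_ext = os.path.splitext(filename.strip())
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    # rstrip() also catches padding spaces placed before the real extension.
    _, decoy_ext = os.path.splitext(stem.rstrip())
    return decoy_ext.lower() in DECOY_EXTS


def flag_disguised(filenames):
    """Return (real name, displayed name) for every disguised file in the list."""
    return [(name, shown_name(name).rstrip())
            for name in filenames if is_disguised(name)]


if __name__ == "__main__":
    # Constructed attachment/download names for illustration.
    names = ["CoolImage.Jpg.Exe", "holiday.jpg", "setup.exe",
             "picture.JPG.vbs", "report.v2.doc", "photo.gif      .scr"]
    for real, shown in flag_disguised(names):
        print(f"shown as {shown!r} but really {real!r}")
```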
Ivan Kozhedub
October 5th, 2001, 06:02 PM
yeah i am aware there are a few tricks around to hide or disguise a file extension, if im in any doubt about a file i would probably just check its properties and scan it...
but is it possible to have any sort of secret keylogger installed onto my machine just by going to a web page? or did i misunderstand..
Simon Templer
October 5th, 2001, 06:45 PM
I dont want to say "no" , because anything is possible...
Under normal circumstances I would probably say "no", but I guess someone could, I remember reading several articles a long time ago about Micro$oft Office problems, where a website operator could post a certain kind of file (Don't remember what kind though :confused: ), and a visitor with Office & IE installed would unknowingly automatically download the file and execute it. The option to Auto-Download these files could be turned off and I think the vulnerability was patched.. So I guess the only way someone could do that is by exploiting some unknown vulnerability.
I wouldn't be worried about it though! (But if you are, use Netscape (IE is too buggy) with everything turned off (javascript, autoinstall, java, etc))
Ivan Kozhedub
October 5th, 2001, 07:38 PM
ok,thanks simon :)
obi
October 5th, 2001, 08:36 PM
The Nimda worm/virus/trojan used website corruption as a vector for infecting end users.....
see http://www.cert.org/advisories/CA-2001-26.html
excerpts:
"Browser Propagation
As part of the infection process, the Nimda worm modifies all web content files it finds (including, but not limited to, files with .htm, .html, and .asp extensions). As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby infecting the browsing system. "
Suggested Workaround (as Simon indicated above)
"Disable JavaScript
End-user systems can become infected with the Nimda worm by browsing web sites hosted by infected servers. This method of infection requires the use of JavaScript to be successful. Therefore, the CERT/CC recommends that end user systems disable JavaScript until all appropriate patches have been applied and anti-virus software has been updated. "
cheers
confirmedkill
October 6th, 2001, 02:02 AM
Brute force is a real bitch to set up but once it's running it's one of the best crack progs around, same as CrAcKwHoRe..Although I've used both successfully, I've never cracked a password that quickly. Sometimes it can take days.......even weeks! Especially when the password is alphanumeric as you stated. If you're positive he didn't use a keylogger then I take my hat off to this cracker and bow before him for he is a far greater man than I!
:thumbsup:
KaKoKoOl
October 6th, 2001, 06:36 AM
The person who broke in may be using a good cracker (working on the technique BRUTE FORCE), since a few of my friends are doing this they can also crack any email password within 10-15 minutes. I have tested their skills on hotmail, yahoo, lycos. They were too quick to break it (7-8 min), I used an alphanumeric password.
A single person can crack a password with the tool that my friends have developed in at least 45-50 minutes, depending on the type of password. But if the three of them work on the password at a time they can do that in 10 minutes, so the person who broke into ur email account may not be single, otherwise if he was standalone then he is damn cool
:cool:
Ennis
October 6th, 2001, 02:14 PM
Last time I checked Hotmail had fixed itself against brute forcer attacks. Check out Munga Bunga's Brute Forcer page.
Hackology (http://www.hackology.com)
They claim that after the success of their brute forcer Microsoft upgraded their security. Check it out.
stflook
October 10th, 2001, 05:23 AM
I'll tell you how to prevent it. Don't give him your e-mail address.:D