
Thread: Account hijacked 2x in 1 week

  1. #1
    Junior Member
    Join Date
    Apr 2004
    Posts
    3

    Account hijacked 2x in 1 week

    What happened:
    My hotmail account was hijacked ( this is not a please help me get the password to " blank " account ) - password and secret question changed - after I recently opened it... So, I opened a new account, this one with the answer to the secret question and the personal access data inaccurate so to keep out anyone that knows me personally.... And that account was hijacked also... But this is only in Hotmail.. my other web based email accounts I've had for years are un-molested..
    What I have done:
    Now I run a stand alone desktop, I live alone, and no-one can have access to my pc without me knowing it, and no-one has for months. There is no way someone can see my keystrokes through the window, and I do not, and have never kept passwords on a post-it note anywhere, and I always use passwords that have #s,_, etc w/ no personal relevancy... If anyone were splicing into my phone line I'd know it.
    Now, mentioning keystrokes, I use AV and a firewall updated almost every day and run every day. I put the computer down, and in safe-mode ran my just that minute updated AV (AVG) on the system... nothing, no loggers, no trojans, back doors, worms, viruses, etc.. No alerts from the firewall for known or unknown progs trying to access the internet in any way ( ZA configured so nothing has permission to connect w/o request )
    One potential weakness I'm aware of is that I use MSN to chat with friends in different countries... However, my AV checks all files DLed this way as soon as they arrive. I only use MSN with my contacts, I never waste time in chat rooms...
    I know there used to be progs for brute-force/dictionary attacks on Hotmail, but to my knowledge none of these types of attack is effective since Hotmail, Yahoo and other web-based email carriers implemented the policy of temporary account access disabling after x# of failed password attempts... The only other thing I can think is there is some form of a page redirect tool being used, but wouldn't that still entail access to my IP session(s) while I connected to my account, and thus my other web-based email accounts, etc?
    So finally, does anyone have an idea how someone could be doing this to me? Have I missed some obvious "Doh!" type of detail here, or is there some new Hotmail (/Yahoo/Aim/ etc) hacker program out there? What haven't I done, what could I do to prevent this?
    TIA, Websword
    Oderint dum metuant.

  2. #2
    Senior Member
    Join Date
    Feb 2004
    Posts
    270

    You got us.

    Well, if I read your post right, your computer is nice and safe, so I came up with this very far-fetched theory.

    DUMB LUCK :P

    I mean it.

    Or (but this is guessing since it's been some time and I don't use Hotmail) is it possible that someone saved a page of yours in Hotmail. I don't know if it works but I tested this with Yahoo just now.

    If you open a page that you saved maybe you could bypass the login. I know it worked about a year ago because someone at my school had saved a page on a local disk of one of the public computers. (but this is mostly guesswork though.)
    Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?

  3. #3
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    Have you specifically tried a Spyware detecting application, such as Spybot or AdAware, as opposed to just anti-virus? Sometimes the internet tracking programs are just as bad as a trojan for gathering keystrokes, but are not detected as a virus, i.e. gator, comet cursor. I would also run a "netstat -a" command from your command prompt and inspect what ports are listening and/or have established external connections. If you have any unexpected connections start digging deeper.
    The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!
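
Added example (not part of any post in this thread): one way to triage the netstat check suggested above is to parse numeric `netstat -an` output and list open ports outside an allowlist plus established connections to non-local addresses. The sample output, the `expected_ports` allowlist and all function names are constructed for illustration.

```python
import ipaddress

# Loopback, link-local and RFC 1918 ranges treated as "local" (IPv4 only).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5110           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         127.0.0.1:1032         ESTABLISHED
  TCP    192.168.1.10:1045      192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.10:1052      203.0.113.45:1863      ESTABLISHED
  TCP    192.168.1.10:1060      198.51.100.7:6667      TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

def parse_netstat(text):
    """Return (proto, local, foreign, state) for each TCP/UDP row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skips the banner and column header
        state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state
        rows.append((parts[0], parts[1], parts[2], state))
    return rows

def is_external(host):
    """True if host is a numeric address outside the local ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # "*" or a resolved name; run netstat with -n to avoid
    return not any(ip in net for net in LOCAL_NETS)

def review(text, expected_ports=frozenset()):
    """Return (unexpected open ports, established external connections)."""
    unexpected, external = [], []
    for proto, local, foreign, state in parse_netstat(text):
        if state == "LISTENING" or proto == "UDP":
            port = int(local.rpartition(":")[2])
            if port not in expected_ports:
                unexpected.append((proto, port))
        elif state == "ESTABLISHED" and is_external(foreign.rpartition(":")[0]):
            external.append(foreign)
    return unexpected, external
```

Each flagged entry is a starting point for the "digging deeper" step, not a verdict; adding `-o` to the netstat command on Windows XP and later shows the owning process ID for each row.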

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Your AV won't be very good at detecting trojans and some other malware. The quick way to determine whether you have some kind of malware/keylogger that would be very difficult to find is to take your firewall and disable the outbound access of ALL programs that you have set on permanently allow. Then as you use the different programs allow access that time only, not permanently. That way, if anything you usually use, (browser, email, messenger etc.), is sneaking out messages behind your back you will get a popup telling you that something is trying to access the internet. Well.... If you aren't initiating the program at that moment it should be the clue you need to track it down. If you can't track it down or mitigate at that point then the old reformat/reinstall would be the next logical step.

    Good luck.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    yeah my first thought was keylogger too.. as Tiger said, your firewall should tell you that.

    However, I'd really like to see a hijackthis log..
    Even though its primary purpose is to fix hijacked browsers, it also shows entries in the registry of things that start up.. which might be hidden to even your task manager.
    I've found a few trojans and weird things on a few people's boxes with it..
    So if you wouldn't mind, please post a log (or attach it)

    http://mjc1.com/mirror/hjt/

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Sumdum: The reason I suggested my course of action is because some of the more sophisticated keyloggers are devilishly good at hiding themselves within legitimate processes as a new and hidden thread.

    I'm not saying you aren't right with your suggestion, just that the Hijack This could be "beaten" but a process attempting to talk to the "world" is more likely to be intercepted intact..... That's my story and I'm sticking to it...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    I hear ya buddy.. it very well might not show up.. then again, it might.
    I'm a curious sort of guy.. so I'll throw a few tools at whatever problem I face.
    some trojan scanners do an ok job with keyloggers as well.. TDS-3 might catch it.

  8. #8
    Just because you have a trojan doesn't mean your AV or firewall will pick it up, it could be using a common port and maybe a special or unknown trojan. Trojans these days can be very undetectable, could bind themselves to another Windows process, or if you use the NTFS file system it could be hiding in an ADS

    you should try scanning with TDS-3 http://tds.diamondcs.com.au/ got it a few weeks ago, already love it

  9. #9
    Junior Member
    Join Date
    Apr 2004
    Posts
    3
    Hello and thanks all!!!
    To respond in order to you all:
    Zetaphor and MoonWolf... I'm not sure of an IE exploit/spoof that would get under my radar, and I'm guessing that a saved page would not be enough, I mean does that not also need a cookie/GUID of some sort?
    OverdueSpy and Tiger Shark: Well, yes, I have X-Cleaner, SpyBot and AdAware which all get run once a week >< ( I HATE spy/adware ) and they have shown nothing to this date... And I do keep an eye out with netstat, nothing out of sort there. I have always kept *all* progs insystem disabled. Everybody's gotta ask permission to go weewee....

    Sumdumguy: Ok, here's the log attached, I'm sure I know just about everything on it.. Although why it says I'm using default options in IE when I'm not... You'll see I've recently visited, count 'em.., 3 online AV scanners.. The Zinio reader is for online magazines I get. The one suspicious entry is the http://httpsinfogateway.com the URL is a blank page, this appears to be a dialer planter.... I'm thinking to delete this unit with extreme prejudice!

    OK, ScripterX, I have a trojan finder/remover or 2, but I'll give TDS-3 a spin..

    On a final interesting note, last night, ZA asked permission for IE to connect out of the blue.. a close look determined that this was coming out of a port in the low 14000s I didn't catch exactly which one as I was focused on the fact that the process was claiming itself to be MS TV/Video connection, which while sounds semi-plausible, I've never seen it nor had it ask for access to the internet prior to that moment, and it wanted to go to IP 3.0.0.2/255.255.255.255...!! WTF is that, some "special" microsoft domain?
    Anyway, thanks everyone for all the input!!
    Oderint dum metuant.

  10. #10
    Junior Member
    Join Date
    Jan 2004
    Posts
    20
    While reading your post I couldn't help but wonder what kind of ISP you are using and what kind of network you're sitting on. I know this might be far-fetched but could somebody be sniffing your packets. I had a friend working at a BIG ISP and they sometimes during lonely and boring nights started sniffing packets and checking what people were doing and you could get a lot of passwords that way.
