
Hacked by Bader2010

I was away from home for a week and returned yesterday evening. As I had a week's emails pending, the first thing I did after reaching home was to access gmail. To my horror, google was telling me that I was providing a wrong password. Then I tried to log in to my blog and found that it had been defaced. I was getting the following screens, and some Arabic hymn was played in the background.

[screenshot: bad1]

[screenshot: bader2010]

This page will give you some more information on what a hacked page looks like. I contacted my web hosting provider, got the password for the site reset, and the site was back under my control.

However, my gmail id was my lifeline and I had to recover it at any cost. I tried to recover my password from the gmail login page as below.

[screenshot: google1]

The next page had these options.

[screenshot: google2]

I selected "my account has been compromised", which gave me the following link.

[screenshot: google4]

The account recovery page is here. Have a look at it. Your success in retrieving the account depends on giving accurate answers on this page. I filled out the following sections.

[screenshot: google51]

[screenshot: google6]

Fortunately, I remembered who invited me to gmail (I got my gmail account at a time when gmail invites were being sold on ebay). Also, I use filters and labels heavily for handling mail. There was some fuzziness about the dates, but I could still approximate them. I have a couple of blogs linked to the account and an orkut profile; I knew only the URL of my blog on blogspot. I was very skeptical about whether I would get it back. I submitted the form and waited for a response from google. About an hour later I received the following mail from google.

[screenshot: google7]

I reset the password and retrieved my account. The attacker had tried to capture some of my other online assets through the gmail id. Some of the automated responses had his IP address logged (or it might have been a proxy). I traced the attacking IP to Saudi Arabia.

Why did I lose my account?

There may be several reasons. Here are some of my assumptions.

a) I had a weak password (6 letters, and based on a dictionary word at that).

b) I had enabled POP3 access for my gmail account, even though I was not using it. There are plenty of scripts like this available on the Internet for brute force attacks on gmail accounts via POP3.

c) I had used my account from a friend's place last week on a Windows XP machine. Maybe that machine had a key logger installed and the attacker obtained the password via IRC from there. I checked my home machines for any possible rootkits, but I could not find any. My Windows machines do not have internet access.

d) Someone might have stolen the password from one of the machines that I use at college. (As we are on vacation now, I can safely rule out this possibility.)

What information one must keep about google accounts

1) If someone invited you to gmail, keep the email. It can save you a lot of trouble, as it gives you some idea of the creation date of your account.

2) If you use labels and filters, remember the labels. You can give your mail easy to remember, context relevant label names.

3) Even if you are not blogging, create a blog on blogspot. The URL of the blog can be an important piece of information.

4) Email addresses are not learnt by heart the way phone numbers are. So export your gmail contact list to a file and keep it. The account recovery page asks for up to five frequently contacted email ids. (Click on Contacts on the left side of any gmail page and select Export to save the contacts.)

5) Set up a secondary email id and give it a different password. (You can use Settings -> Accounts -> Google Account settings -> Change security question for this.)

6) Set up a security question. It can save you a lot of trouble.

7) If you use orkut, keep the URL of your orkut profile.

You can obtain it from your orkut home page as shown in the figure below.

[screenshot: orkut]

9) Disable POP3 and IMAP if you are not using them.

10) Use a strong password. This is the most important step. In the change password page, make sure that your password is strong, as shown in the picture below.

[screenshot: gmialpass]