Israeli Hackers? You decide

posted on Apr, 17 2012 @ 02:22 PM
Hello all. I run Linux, have a proxy server, and my computer is very secure. That being said, someone hacked into my son's email last night. I am not aware if it sent out any malware, but I was able to trace the email to here:
Email Header Analysis
IP Address: 87.68.49.36 (87.68.49.36.cable.012.net.il)
IP Address Country: Israel
IP Continent: Asia
IP Address City Location: Jerusalem
IP Address Region: Yerushalayim
IP Address Latitude: 31.78,
IP Address Longtitude: 35.23
Organization: Golden Lines Cable

The email (private server, not yahoo, or hotmail) header had a return to my son's email. I fixed this by disabling his old email, and creating a new one, as it is a sub account.

Just a head's up, folks.



posted on Apr, 17 2012 @ 02:27 PM
This sounds interesting.

Couple questions ..

1) With "Hacked into my son's email" .. do you mean you're running your own SMTP service, or an Exchange server?

2) You say you traced them back; what precisely did you do to obtain this IP address? Did they send a backdoor by email to your son and then access the mails stored on his PC?



posted on Apr, 17 2012 @ 02:32 PM
Given it's a generic IP address assigned to an ISP, it's more than likely someone just used it as a proxy to commit the act rather than it being an Israeli government sanctioned hack, so it's basically part of a botnet that's probably been sold off to make some money.



posted on Apr, 17 2012 @ 02:43 PM
reply to post by autowrench
 


Curious... did your son make any critical remarks of Israel or Zionism recently?
edit on 17-4-2012 by seenavv because: (no reason given)



posted on Apr, 17 2012 @ 02:46 PM
Add an entry to the address book for a false email address.

If a worm ever tries to spread via your account... you will receive an email for the false address saying that the email has bounced.



posted on Apr, 17 2012 @ 02:53 PM
Well, it's certainly looking like a private DSL line to me, but I wouldn't expect the Mossad to use static IPs of the government either.


Let's do a bit of foo ..

Let's check the whois output for further details:


foxx@ech3lon:/$ whois 87.68.49.36

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See www.ripe.net...

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '87.68.48.0 - 87.68.59.255'

inetnum: 87.68.48.0 - 87.68.59.255
netname: GOLDENLINES-CABLE
descr: Please Send Abuse/SPAM complaints To [email protected]
country: IL
admin-c: DR5299-RIPE
tech-c: DR5299-RIPE
status: ASSIGNED PA
mnt-by: AS9116-MNT
mnt-lower: AS9116-MNT
source: RIPE # Filtered

role: DNS REG
remarks: Hostmaster and LIR
remarks: 012 Smile Communications Ltd.
address: Hasivim 25 Petach-Tikva,Israel
nic-hdl: DR5299-RIPE
admin-c: KI373-RIPE
tech-c: KI373-RIPE
admin-c: IZ443-RIPE
tech-c: IZ443-RIPE
admin-c: PT5956-RIPE
tech-c: PT5956-RIPE
mnt-by: AS9116-MNT
source: RIPE # Filtered
abuse-mailbox: [email protected]

% Information related to '87.68.48.0/20AS9116'

route: 87.68.48.0/20
descr: PROVIDER Local Registry
descr: Golden Lines International Communication Services Ltd.
origin: AS9116
mnt-by: AS9116-MNT
mnt-routes: AS9116-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.6.12 (WHOIS1)



Okay, there's an abuse address; you should give that a try. Probably not much will come of it, but that's the first thing I'd do.

Looks like a normal DSL line to me; impossible to tell whether it's a dynamic IP.

Let's see if it's responding to ICMP ... knock knock !

foxx@ech3lon:/$ ping 87.68.49.36
PING 87.68.49.36 (87.68.49.36) 56(84) bytes of data.
.........
.........
--- 87.68.49.36 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms


Aww, no-one there ... or they're hiding behind a firewall and blocking ping requests .. well, I'd do that too!

Let's try some more advanced toys ..



foxx@ech3lon:/$ nmap -A -T3 -PN -v 87.68.49.36

Starting Nmap 5.00 ( nmap.org... ) at 2012-04-17 21:44 CEST
NSE: Loaded 30 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 21:44
Completed Parallel DNS resolution of 1 host. at 21:44, 0.00s elapsed
Initiating Connect Scan at 21:44
Scanning 87.68.49.36.cable.012.net.il (87.68.49.36) [1000 ports]
Discovered open port 4662/tcp on 87.68.49.36
Completed Connect Scan at 21:45, 22.53s elapsed (1000 total ports)
Initiating Service scan at 21:45
Scanning 1 service on 87.68.49.36.cable.012.net.il (87.68.49.36)
Completed Service scan at 21:45, 0.19s elapsed (1 service on 1 host)
NSE: Script scanning 87.68.49.36.
NSE: Script Scanning completed.
Host 87.68.49.36.cable.012.net.il (87.68.49.36) is up (0.11s latency).
Interesting ports on 87.68.49.36.cable.012.net.il (87.68.49.36):
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
4662/tcp open tcpwrapped


Service detection performed. Please report any incorrect results at nmap.org... .
Nmap done: 1 IP address (1 host up) scanned in 22.83 seconds





Yup, they're up and running and hiding. And it looks like they're running an eMule or other file-sharing server.

I'll leave it at that for now; it could after all be just some innocent Israeli conspiracy nut, reading this thread as we speak.

edit on 17-4-2012 by H1ght3chHippie because: (no reason given)



posted on Apr, 17 2012 @ 03:14 PM
reply to post by H1ght3chHippie
 


nvm
edit on 17-4-2012 by Cdaddy1034 because: (no reason given)



posted on Apr, 17 2012 @ 09:11 PM
reply to post by H1ght3chHippie
 


I use Time Warner; they use a switching proxy server and a wide array of IP addresses that update every few hours, plus a proxy on my computer, Squid, which is a caching server using Apache and iptables chains, and AutoProxy on my Firefox. Safe to say, I am pretty secure.

Just go HERE and paste in the email header. I use Mozilla Thunderbird; just click on "Other Actions" and "View Source."



posted on Apr, 17 2012 @ 09:14 PM
reply to post by Maxatoria
 

The range of the IP address includes the following IP addresses:
en.ntunhs.net...



posted on Apr, 17 2012 @ 09:17 PM

Originally posted by seenavv
reply to post by autowrench
 


Curious... did your son make any critical remarks of Israel or Zionism recently?
edit on 17-4-2012 by seenavv because: (no reason given)

I can neither confirm nor deny. I do know that I myself have spoken out against the Zionists, Mossad, and Rich Elite, such as the Rothschild Dynasty. I also am against monetary or military help by the United States to Israel. So if it's anybody they would be after, it would be me. My email is secure, so far.



posted on Apr, 17 2012 @ 09:57 PM

Originally posted by seenavv
reply to post by autowrench
 


Curious... did your son make any critical remarks of Israel or Zionism recently?
edit on 17-4-2012 by seenavv because: (no reason given)


I don't know who is crazier... him or you... WOW!
edit on 17-4-2012 by FraternitasSaturni because: (no reason given)



posted on Apr, 18 2012 @ 09:13 AM

Originally posted by autowrench

Originally posted by seenavv
reply to post by autowrench
 


Curious... did your son make any critical remarks of Israel or Zionism recently?
edit on 17-4-2012 by seenavv because: (no reason given)

I can neither confirm nor deny. I do know that I myself have spoken out against the Zionists, Mossad, and Rich Elite, such as the Rothschild Dynasty. I also am against monetary or military help by the United States to Israel. So if it's anybody they would be after, it would be me. My email is secure, so far.


I have no doubt that the email may have been compromised, but to suggest a higher conspiracy is ambitious at best. What possible motive could TPTB have by tapping into the daily news of joe 6 pack? Nothing is secure regardless of what measures you have in place, just the perception, that's all.

There just doesn't appear to be a valid reason for why, I guess is what I'm saying.

brill



posted on Apr, 18 2012 @ 01:58 PM
reply to post by autowrench
 


Thank you for the reply.

I guess I've seen an email header before, and there's no need for an online tool in order to extract the sender IP.


But again the question is how they "hacked the emails" and what the email you extracted the IP from has got to do with the hackers. I mean, they didn't send an email "We h4ck3d j00", or did they?

So again, did they send an email with a backdoor? I'm still not getting the picture of the whole thing. Where's this ominous email coming from, and what precisely do you mean by "hacked the email"? Did they read it, and if so, how would you even know? Please elaborate.



posted on Apr, 18 2012 @ 06:14 PM
I am not sure how they did it. I received an email from him yesterday morning. From HIS email address. So, I had him log in to it and check the "Sent" folder. Nothing there, and I know he did not send it, because he was in bed asleep. So, I checked the header, traced it down, and posted here.



posted on Apr, 19 2012 @ 12:30 AM

Originally posted by autowrench
I am not sure how they did it. I received an email from him yesterday morning. From HIS email address. So, I had him log in to it and check the "Sent" folder. Nothing there, and I know he did not send it, because he was in bed asleep. So, I checked the header, traced it down, and posted here.

Then that most likely means they did not hack his e-mail; they just forged his header, which they could have gotten from anywhere he uses his e-mail address to sign in, so I wouldn't worry about them being in his computer.



posted on Apr, 19 2012 @ 11:47 AM
Actually, it is my computer we are talking about here. And, as a matter of fact, after he clicked on the link to open Firefox, I checked my Download folder and found an EXE file that looked like a game installer, and a text file with what looked like source code. I deleted both. Then I ran CheckRootKit and it found a positive. I took some drastic steps after that. Erased the hard drive completely using a reverse algorithm pattern, changed out my network card, reversed my Memory Sticks, and cleared the computer BIOS. Then I installed the new Fedora 17 BETA, and secured it up last night. Fedora has a masked MAC address, and I can run Squid, and TOR on it no problem.

I don't care, this does not change my views on the Israelis, and the Mossad, and the Zionists, and the Rothschild Banking Cartel, and nothing else I think about them. Or anyone else either. Attack my computer all you like, you can only shut me up in one way, and you know what that is, and what it would cost you to do it.



posted on Apr, 19 2012 @ 12:23 PM
The EXE cannot run on Linux, and chkrootkit needs to be run from a live CD to work correctly;
rkhunter may have been the better option.

These only need to be run if you are installing stuff from unknown sources and everyone has root access.

I think you have gone a bit overboard with the install.



posted on Apr, 19 2012 @ 10:06 PM

Originally posted by autowrench
Actually, it is my computer we are talking about here. And, as a matter of fact, after he clicked on the link to open Firefox, I checked my Download folder and found an EXE file that looked like a game installer, and a text file with what looked like source code. I deleted both. Then I ran CheckRootKit and it found a positive. I took some drastic steps after that. Erased the hard drive completely using a reverse algorithm pattern, changed out my network card, reversed my Memory Sticks, and cleared the computer BIOS. Then I installed the new Fedora 17 BETA, and secured it up last night. Fedora has a masked MAC address, and I can run Squid, and TOR on it no problem.

I don't care, this does not change my views on the Israelis, and the Mossad, and the Zionists, and the Rothschild Banking Cartel, and nothing else I think about them. Or anyone else either. Attack my computer all you like, you can only shut me up in one way, and you know what that is, and what it would cost you to do it.


Again, they are not on his computer; the EXE probably came from the e-mail sent to you, which means it came from Israel, not your son's computer. As for rootkit detection on Linux, no go unless your account is root. And as the one above stated, using the one you did probably gave you a false positive if it wasn't run from a boot CD. I may be a Windows guy, but I know enough about Linux to agree with the above poster: what you did was overkill for a file that could not have run/hurt your system at all; all you really needed to do is erase it.



posted on Apr, 20 2012 @ 04:54 PM
Maybe I did go the overkill path, but I have been hacked before, and badly, and so has everyone on my contact list at the time. I was sweating it anyway; I feel vulnerable running with an encrypted hard drive anyway. Fedora 17 is so fast I can hardly keep up with it, so I think I will keep running an OS that is safe. I would not run Windows if Microsoft gave me the entire company. Why support a billionaire company?



posted on Apr, 21 2012 @ 08:05 PM
reply to post by autowrench
 


Apparently there's nothing wrong with your security setup; you can lower your defcon. Scan your servers with Nessus on a regular basis to find vulnerabilities.

Anyone can send you an email saying it comes from [email protected] within the next 2 minutes.

That doesn't mean they hacked into his emails.

Google SMTP server / Third Party Relay, and learn how to configure your mail server to reject mails with spoofed headers, and dangerous files like executables as well.


edit on 21-4-2012 by H1ght3chHippie because: (no reason given)
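The point made in this thread, that a From: header proves nothing and that the sender's real origin is the first hop where a relay you control accepted the message from outside, as an added Python example that is not from the thread or any poster; the message, hostnames and addresses are constructed placeholders:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread). From: claims the son's address, the
# bottom Received: line was written by the sender, the middle one is the real origin.
SAMPLE = """Received: from mail.example-family.test (mail.example-family.test [192.0.2.10])
\tby mx.example-family.test with ESMTP id abc123; Tue, 17 Apr 2012 08:02:11 -0400
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby mail.example-family.test with SMTP; Tue, 17 Apr 2012 08:02:10 -0400
Received: from innocent-host.test (innocent-host.test [198.51.100.5])
\tby [203.0.113.77] with SMTP; Tue, 17 Apr 2012 08:02:09 -0400
From: son@example-family.test
To: dad@example-family.test
Subject: check this out

http://game-installer.example.test/setup.exe
"""

OUR_DOMAIN = "example-family.test"                                        # assumed local domain
TRUSTED_RELAYS = {"mx.example-family.test", "mail.example-family.test"}  # hosts we operate
OUR_IPS = {"192.0.2.10"}                                                  # their addresses

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from (.+?) by (\S+)")

def received_hops(raw):
    """Return (from_part, by_host, ip) per Received: header, newest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))  # unfold the header first
        if m:
            ip = IP_RE.search(m.group(1))
            hops.append((m.group(1), m.group(2), ip.group(1) if ip else None))
    return hops

def originating_ip(raw):
    """First hop (newest first) where a relay we trust accepted the message from an
    outside host; every Received: line below it came from the sender and is untrusted."""
    for from_part, by_host, ip in received_hops(raw):
        if by_host in TRUSTED_RELAYS and from_part.split()[0] not in TRUSTED_RELAYS:
            return ip
    return None

def looks_spoofed(raw):
    """True when From: claims our domain but the message entered from an outside IP."""
    domain = parseaddr(message_from_string(raw)["From"])[1].rpartition("@")[2]
    ip = originating_ip(raw)
    return domain == OUR_DOMAIN and ip is not None and ip not in OUR_IPS
```

The forged bottom hop pointing at 198.51.100.5 is ignored because nothing we run vouches for it; the only hop that matters is the one our own relay recorded.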


