Around 5pm-7pm EDT tonight, a bunch of mail was sent from my yahoo mail account that I did not authorize.
At first, I thought my primary Windows PC had been compromised. After updating to the latest virus
software and scanning my system, I do not believe that to be the case.
I examined the headers of one of the unauthorized emails and found the following:
Received: from 127.0.0.1 (HELO outbound-ss-18.bluehost.com) (22.214.171.124) by
mta1031.mail.ac4.yahoo.com with SMTP; Fri, 18 Jun 2010 14:33:19 -0700
Received: (qmail 30150 invoked by uid 0); 18 Jun 2010 21:33:19 -0000
Received: from unknown (HELO box479.bluehost.com) (126.96.36.199) by
sfproxy1.bluehost.com with SMTP; 18 Jun 2010 21:33:19 -0000
Received: from n13.bullet.mail.ac4.yahoo.com ([188.8.131.52]) by box479.bluehost.com
with smtp (Exim 4.69) (envelope-from <firstname.lastname@example.org>)
id 1OPjBe-0004oE-NB for email@example.com; Fri, 18 Jun 2010 15:33:18 -0600
Received: from [184.108.40.206] by n13.bullet.mail.ac4.yahoo.com with NNFMP; 18 Jun 2010 21:33:18 -0000
Received: from [220.127.116.11] by t8.bullet.mail.ac4.yahoo.com with NNFMP; 18 Jun 2010 21:33:18 -0000
Received: from [127.0.0.1] by omp112.mail.ac4.yahoo.com with NNFMP; 18 Jun 2010 21:33:18 -0000
Received: (qmail 65615 invoked by uid 60001); 18 Jun 2010 21:33:16 -0000
Received: from [18.104.22.168] by web65602.mail.ac4.yahoo.com via HTTP; Fri, 18 Jun 2010 14:33:16 PDT
Date: Fri, 18 Jun 2010 14:33:16 -0700 (PDT)
X-Apparently-To: firstname.lastname@example.org via 22.214.171.124; Fri, 18 Jun 2010 14:33:20 -0700
I have an account with bluehost.com, which hosts taskboy.com. It looks like the mail service there was compromized from there. The spam mail was sent from that box, but not from my account there.
What I can't figure out is how this happened. The hosting box does not have mail credentials for yahoo, but it does forward @taskboy.com to it. I don't send mail from this box so that the yahoo credentials could be caught be a packet sniffer.
It does look like the mail was sent through the forwarder program using my account, but I cannot understand how that happened. The attacker would need to get into my bluehost account and then know my yahoo credentials.
And that's pretty scary if all of those bits were compromised.
However, if you look at the Received header, that IP does not match anything on bluehost. It's a wireless router and I do believe that may have been compromised.
But how that figures into the rest of the attack doesn't make sense to me.
All the other Received lines make it look like a command line program run from my bluehost account using my yahoo account to spam all my contacts in yahoo.
I do not see a login on that bluehost box that would account for this nor do I see a line in .bash_history that looks out of place. If the root account on that box was compromised, one could impersonate my account, but one would still need my yahoo credentials. It is clear, at least, that those were exposed somehow.
If you can help me determine the vector of attack, I'd be much obliged.