ParanoidWannaBdeCoder Posted June 13, 2014 (edited)

Ok, here goes... for the past three years I have been tormented personally and professionally. I've suffered significant legal, financial, and social losses due to this torment. It's clear to me that an individual or individuals have been intercepting my electronic communications and tracking my whereabouts. Before I found this forum I thought the leaking of my private conversations, my whereabouts, and others' knowledge of my business's inside information was a mere coincidence. Since I found Hak5 several months back, I've been sniffing my internet traffic on my phone and PC. The problem I have is that I have no clue how to analyze all of the information that I've captured. I've tried, through internet searches, to find a piece of data that might give me a clue as to whether these happenings are real or just some paranoid delusions. Till a few days ago, sadly, I had NOTHING! Then came a strange email from my ex, who coincidentally has benefited greatly from my recent demise. After I researched bits of the header I was led directly to Hak5. I'm a little concerned about posting this header, but here are some portions/excerpts that lead me to believe that something might be awry. Whether there is or not, I know one thing for certain: there is nothing I want more than to be like you guys! Seriously, even though I am totally clueless in this field, I am HOOKED.

    Delivered-To: mxxxxx@gmail.com
    Received: by 10.70.27.1 with SMTP id p1csp198900pdg; Tue, 10 Jun 2014 22:13:07 -0700 (PDT)
    X-Received: by 10.140.51.172 with SMTP id u41mr45291631qga.69.1402463586430; Tue, 10 Jun 2014 22:13:06 -0700 (PDT)
    Return-Path: <mmscadm@pixmbl.com>
    Received: from mx.messaging.sprintpcs.com (smtp1a.mo.sprintpcs.com. [66.1.208.6]) by mx.google.com with ESMTP id 19si29220183qgm.95.2014.06.10.22.13.05 for <mxxxxx@gmail.com>; Tue, 10 Jun 2014 22:13:06 -0700 (PDT)
    Received-SPF: none (google.com: mmscadm@pixmbl.com does not designate permitted sender hosts) client-ip=66.1.208.6;
    Authentication-Results: mx.google.com; spf=neutral (google.com: mmscadm@pixmbl.com does not designate permitted sender hosts) smtp.mail=mmscadm@pixmbl.com
    Received: from musreb17.nmcc.sprintspectrum.com (lxnsmssf5-vip.nmcc.sprintspectrum.com [10.25.157.71]) by mx.messaging.sprintpcs.com (Postfix) with ESMTP id 16CB26073 for <mxxxxx@gmail.com>; Wed, 11 Jun 2014 00:11:07 -0500 (CDT)
    Resent-Date: Wed, 11 Jun 2014 05:13:05 GMT
    Resent-From: mxxxxx@gmail.com
    Resent-To: mxxxxx@gmail.com
    Received: by pixmbl.com ; Wed, 11 Jun 2014 05:13:05 GMT
    Content-Type: multipart/related;boundary=1_5397E55F_D4B138;type="text/html"
    Date: Wed, 11 Jun 2014 05:13:03 GMT
    To: mxxxxx@gmail.com
    From: 602xxxxxxx@pm.sprint.com
    Message-ID: <AHNtnLhj4yZuEUm84@musreb17.nmcc.sprintspectrum.com>
    Mime-Version: 1.0

    --1_5397E55F_D4B138
    Content-Type: text/html;charset="UTF-8"
    Content-Transfer-Encoding: base64

    PEhUTUw+CiAgICAgICAgPEhFQUQ+CiAgICAgICAgICAgICAgICA8VElUTEU+PC9USVRMRT4KICAgICAgICA8L0hFQUQ+CiAgICAgICAgPEJPRFk+CiAgICAgICAgICAgICAgICA8UCBhbGlnbj0ibGVmdCI+PEZPTlQgZmFjZT0iVmVyZGFuYSIgY29sb3I9IiNjYzAwMDAiIHNpemU9IjIiPlNlbnQgZnJvbSBteSBtb2JpbGUuCiAgICAgICAgICAgICAgICA8QlI+X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fXzwvRk9OVD48L1A+CgogICAgICAgICAgICAgICAgPFBSRT4KCgpHbiBMZXdpCgo8L1BSRT4KICAgICAgICA8L0JPRFk+CjwvSFRNTD4K

    --1_5397E55F_D4B138--

Can someone tell me how I can educate myself on analyzing these email headers?
digininja Posted June 13, 2014

This should tell you everything you need to understand the headers: http://kb.mediatemple.net/questions/892/Understanding+an+email+header

From looking at the sender, pixmbl.com is a service which allows you to send photos to your phone. This article says it is Virgin Mobile, but the whois says Sprint:
http://whois.domaintools.com/pixmbl.com
https://answers.yahoo.com/question/index?qid=20110329031423AAsLLmF

And the message just says "Sent from my mobile" and "Gn Lewi".
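As an added example (my own code, not digininja's or the original poster's), here is the header quoted above parsed with Python's standard email module: the Received lines reversed into the order the message actually travelled, the name each relay claimed separated from what the next relay observed, the SPF verdict Gmail recorded for the connecting IP, the three different sender identities in the header, and the base64 body decoded. All function names (parse_message, received_chain, spf_summary, sender_identities, decoded_parts, visible_text) are mine; the input is the posted header re-wrapped one field per line, with the addresses masked exactly as they were posted.

```python
"""Parse an e-mail header and decode its MIME body with the standard library.

Added example for this thread (not any poster's code). RAW_MESSAGE is the header
the original poster quoted, re-wrapped one field per line; masked addresses kept.
"""
import email
import re
from email.utils import parseaddr

# The base64 body exactly as posted, split onto lines for readability.
B64_BODY = (
    "PEhUTUw+CiAgICAgICAgPEhFQUQ+CiAgICAgICAgICAgICAgICA8VElUTEU+PC9USVRMRT4K\n"
    "ICAgICAgICA8L0hFQUQ+CiAgICAgICAgPEJPRFk+CiAgICAgICAgICAgICAgICA8UCBhbGlnbj0ibGVmdCI+\n"
    "PEZPTlQgZmFjZT0iVmVyZGFuYSIgY29sb3I9IiNjYzAwMDAiIHNpemU9IjIiPlNlbnQgZnJvbSBteSBtb2JpbGUu\n"
    "CiAgICAgICAgICAgICAgICA8QlI+X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f\n"
    "X19fX19fX19fX19fX19fX19fX19fX19fXzwvRk9OVD48L1A+\n"
    "CgogICAgICAgICAgICAgICAgPFBSRT4KCgpHbiBMZXdpCgo8L1BSRT4KICAgICAgICA8L0JPRFk+CjwvSFRNTD4K\n"
)

RAW_MESSAGE = """\
Delivered-To: mxxxxx@gmail.com
Received: by 10.70.27.1 with SMTP id p1csp198900pdg; Tue, 10 Jun 2014 22:13:07 -0700 (PDT)
X-Received: by 10.140.51.172 with SMTP id u41mr45291631qga.69.1402463586430; Tue, 10 Jun 2014 22:13:06 -0700 (PDT)
Return-Path: <mmscadm@pixmbl.com>
Received: from mx.messaging.sprintpcs.com (smtp1a.mo.sprintpcs.com. [66.1.208.6]) by mx.google.com with ESMTP id 19si29220183qgm.95.2014.06.10.22.13.05 for <mxxxxx@gmail.com>; Tue, 10 Jun 2014 22:13:06 -0700 (PDT)
Received-SPF: none (google.com: mmscadm@pixmbl.com does not designate permitted sender hosts) client-ip=66.1.208.6;
Authentication-Results: mx.google.com; spf=neutral (google.com: mmscadm@pixmbl.com does not designate permitted sender hosts) smtp.mail=mmscadm@pixmbl.com
Received: from musreb17.nmcc.sprintspectrum.com (lxnsmssf5-vip.nmcc.sprintspectrum.com [10.25.157.71]) by mx.messaging.sprintpcs.com (Postfix) with ESMTP id 16CB26073 for <mxxxxx@gmail.com>; Wed, 11 Jun 2014 00:11:07 -0500 (CDT)
Resent-Date: Wed, 11 Jun 2014 05:13:05 GMT
Resent-From: mxxxxx@gmail.com
Resent-To: mxxxxx@gmail.com
Received: by pixmbl.com ; Wed, 11 Jun 2014 05:13:05 GMT
Content-Type: multipart/related;boundary=1_5397E55F_D4B138;type="text/html"
Date: Wed, 11 Jun 2014 05:13:03 GMT
To: mxxxxx@gmail.com
From: 602xxxxxxx@pm.sprint.com
Message-ID: <AHNtnLhj4yZuEUm84@musreb17.nmcc.sprintspectrum.com>
Mime-Version: 1.0

--1_5397E55F_D4B138
Content-Type: text/html;charset="UTF-8"
Content-Transfer-Encoding: base64

""" + B64_BODY + """
--1_5397E55F_D4B138--
"""

# "from <claimed name> (<what the relay observed>) by <relay>"; the from-part is absent
# on the hop a mail server adds for its own internal handoff (e.g. "by 10.70.27.1").
HOP_RE = re.compile(
    r"(?:from\s+(?P<helo>\S+)(?:\s+\((?P<observed>[^)]*)\))?\s+)?by\s+(?P<by>\S+)"
)


def parse_message(raw):
    return email.message_from_string(raw)


def received_chain(msg):
    """Received hops in transit order (oldest first).

    Every relay prepends its own Received line, so header order is newest first.
    'helo' is what the sending host claimed; 'observed' is the reverse DNS and
    connecting IP the receiving relay saw, which is the part worth trusting."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())
        m = HOP_RE.match(value)
        hops.append({
            "helo": m.group("helo") if m else None,
            "observed": m.group("observed") if m else None,
            "by": m.group("by") if m else None,
            "date": value.rsplit(";", 1)[-1].strip(),
        })
    return hops


def spf_summary(msg):
    """The SPF verdict the receiving MX recorded for the connecting IP."""
    spf = msg.get("Received-SPF", "")
    auth = msg.get("Authentication-Results", "")
    ip = re.search(r"client-ip=([\d.]+)", spf)
    ar = re.search(r"\bspf=(\w+)", auth)
    return {
        "received_spf": spf.split(None, 1)[0] if spf else None,
        "client_ip": ip.group(1) if ip else None,
        "auth_results_spf": ar.group(1) if ar else None,
    }


def sender_identities(msg):
    """Envelope sender, header From, and Resent-From are three separate things."""
    return {
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "from": parseaddr(msg.get("From", ""))[1],
        "resent_from": parseaddr(msg.get("Resent-From", ""))[1],
    }


def decoded_parts(msg):
    """Every leaf MIME part with its Content-Transfer-Encoding (base64 here) undone."""
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        parts.append((part.get_content_type(), body.decode(charset, "replace")))
    return parts


def visible_text(html):
    """Crude tag strip, enough to read a 'Sent from my mobile' body."""
    return " ".join(re.sub(r"<[^>]+>", " ", html).split())


if __name__ == "__main__":
    msg = parse_message(RAW_MESSAGE)
    for hop in received_chain(msg):
        print(f"{hop['helo'] or '-':36} -> {hop['by']:28} {hop['date']}")
    print(spf_summary(msg))
    print(sender_identities(msg))
    for ctype, body in decoded_parts(msg):
        print(ctype, "::", visible_text(body))
```

Run it and the hop list reads pixmbl.com, then mx.messaging.sprintpcs.com, then mx.google.com, then Gmail's internal 10.70.27.1: the message was handed from the Sprint picture-mail gateway to Sprint's outbound MX and on to Google. Received-SPF none and spf=neutral mean Gmail found no SPF policy for pixmbl.com that would let it confirm or deny the sender, which is exactly the "does not designate permitted sender hosts" text in the header, not evidence of tampering. The Return-Path (the gateway's mailbox), the From (the phone number at pm.sprint.com) and the Resent-From (the recipient's own Gmail address) are three different identities, so none of them on its own says who pressed send.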
ParanoidWannaBdeCoder (Author) Posted June 13, 2014

When I researched the components of the header, I found this line to be the most interesting:

    Return-Path: <mmscadm@pixmbl.com>

When I did a Bing search on this line, I came up with a result, albeit on the Hak5 forum, that was almost identical to my email header. Can someone please explain the correlation? https://forums.hak5.org/index.php?/topic/30769-support-smser/page-2
THCMinister Posted June 13, 2014 (edited)

The link to the Hak5 post you're referring to is for the SMSer infusion. If you read the topic you will see that, yes, the header info you are seeing is identical. The Sprint servers create this. I believe that you may be overly paranoid and there may in fact be a simpler explanation as to how your private info is getting out there. Have you changed the password to your email? Is it something that your ex could guess?
i8igmac Posted June 13, 2014 (edited)

Is this your private network? Are you on Windows? Do you know how to use nmap? If you are on Windows you should restart your computer and then run 'netstat -nb' in cmd; this will print out applications' established connections. Always monitor your applications' outgoing traffic. Post the output here please. Run the command every few minutes. I'm sure if someone is spying on you, we can find it. Or did I misunderstand your post?

Edit: the chunk of base64 data can be decoded; paste that chunk into an online decoder. Check Google for 'online base64 decoder'.
digininja Posted June 13, 2014

I already posted the content of the base64 blob in the first reply, and please don't start posting random, out-of-context netstat output; it will mean nothing and gain nothing.
i8igmac Posted June 13, 2014

I feel that if application ex-girlfriend.exe has established a connection, that should be the first place you look. I would bet the ex-girlfriend had direct access to this machine...
digininja Posted June 13, 2014

I'll leave you to run forensics on that then. Good luck, you'll need it.
Mr-Protocol Posted June 13, 2014

I'll just leave this right here: http://tools.ietf.org/html/rfc2821
ParanoidWannaBdeCoder (Author) Posted June 14, 2014

    C:\>netstat -nb

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    127.0.0.1:1036         127.0.0.1:7112         ESTABLISHED   [vprot.exe]
      TCP    127.0.0.1:7112         127.0.0.1:1036         ESTABLISHED   [loggingserver.exe]
      TCP    192.168.1.21:3106      208.83.136.19:80       CLOSE_WAIT    [cdswin.exe]
      TCP    192.168.1.21:3277      74.125.192.99:443      ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3281      74.125.227.192:443     ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3286      74.125.227.216:443     ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3291      74.125.227.213:443     ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3292      31.13.66.160:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3293      31.13.66.160:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3297      31.13.66.160:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3298      31.13.66.160:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3302      192.0.80.241:443       ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3306      72.21.91.111:443       ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3307      74.125.227.204:443     ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3314      31.13.66.160:443       ESTABLISHED   [chrome.exe]

    C:\>
ParanoidWannaBdeCoder (Author) Posted June 14, 2014

Excellent information and suggestions so far... I'm certain she must have had access to my other laptops over the years. I just started using this one last week. I would be almost certain she has/had access to my cellular phone data as well. So while I'm doing my due diligence on my electronic devices... I want to flip the script on her and find out what's going on with her Apple iPhone 5s. Any advice? I need to work until 6 pm tonight. Thanks again! I want to get started on this right away.
ParanoidWannaBdeCoder (Author) Posted June 14, 2014

    C:\>netstat -nb

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    127.0.0.1:1036         127.0.0.1:7112         ESTABLISHED   [vprot.exe]
      TCP    127.0.0.1:7112         127.0.0.1:1036         ESTABLISHED   [loggingserver.exe]
      TCP    192.168.1.21:3106      208.83.136.19:80       CLOSE_WAIT    [cdswin.exe]
      TCP    192.168.1.21:3277      74.125.192.99:443      ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3281      74.125.227.192:443     ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3286      74.125.227.216:443     ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3291      74.125.227.213:443     ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3292      31.13.66.160:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3293      31.13.66.160:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3297      31.13.66.160:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3298      31.13.66.160:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3302      192.0.80.241:443       ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3306      72.21.91.111:443       ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3307      74.125.227.204:443     ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3314      31.13.66.160:443       ESTABLISHED   [chrome.exe]

    C:\>netstat -nb

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    127.0.0.1:1036         127.0.0.1:7112         ESTABLISHED   [vprot.exe]
      TCP    127.0.0.1:7112         127.0.0.1:1036         ESTABLISHED   [loggingserver.exe]
      TCP    192.168.1.21:3106      208.83.136.19:80       CLOSE_WAIT    [cdswin.exe]
      TCP    192.168.1.21:3277      74.125.192.99:443      ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3281      74.125.227.192:443     ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3291      74.125.227.213:443     ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3302      192.0.80.241:443       ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3306      72.21.91.111:443       ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3307      74.125.227.204:443     ESTABLISHED   [chrome.exe]
      TCP    192.168.1.21:3332      31.13.66.128:443       ESTABLISHED   [chrome.exe]

    C:\>netstat -nb

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    127.0.0.1:1036         127.0.0.1:7112         ESTABLISHED   [vprot.exe]
      TCP    127.0.0.1:7112         127.0.0.1:1036         ESTABLISHED   [loggingserver.exe]
      TCP    192.168.1.21:3106      208.83.136.19:80       CLOSE_WAIT    [cdswin.exe]
      TCP    192.168.1.21:3379      31.13.66.128:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3380      31.13.66.128:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3383      31.13.66.128:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3384      31.13.66.128:443       ESTABLISHED   [FacebookMessenger.exe]
      TCP    192.168.1.21:3387      192.0.80.242:443       ESTABLISHED   [chrome.exe]
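i8igmac suggested running netstat -nb every few minutes, and digininja's objection that isolated dumps mean nothing is fair: what makes repeated runs useful is grouping by process, dropping loopback noise and comparing runs against each other. The added example below (my own code, not any poster's) does that for the output posted above. RUN_1 and RUN_3 are the first and third runs as posted, re-wrapped one connection per line; the function names (parse_netstat, remote_endpoints, diff_runs, persistent) are mine, and real netstat -nb prints the [process] on the line after the connection, so the parser accepts both layouts.

```python
"""Group and compare 'netstat -nb' output so repeated runs can be read side by side.

Added example for this thread (not any poster's code). RUN_1 and RUN_3 are the first
and third runs the original poster pasted, one connection per line.
"""
import re
from collections import defaultdict

RUN_1 = """\
TCP 127.0.0.1:1036 127.0.0.1:7112 ESTABLISHED [vprot.exe]
TCP 127.0.0.1:7112 127.0.0.1:1036 ESTABLISHED [loggingserver.exe]
TCP 192.168.1.21:3106 208.83.136.19:80 CLOSE_WAIT [cdswin.exe]
TCP 192.168.1.21:3277 74.125.192.99:443 ESTABLISHED [chrome.exe]
TCP 192.168.1.21:3281 74.125.227.192:443 ESTABLISHED [chrome.exe]
TCP 192.168.1.21:3286 74.125.227.216:443 ESTABLISHED [chrome.exe]
TCP 192.168.1.21:3291 74.125.227.213:443 ESTABLISHED [chrome.exe]
TCP 192.168.1.21:3292 31.13.66.160:443 ESTABLISHED [FacebookMessenger.exe]
TCP 192.168.1.21:3293 31.13.66.160:443 ESTABLISHED [FacebookMessenger.exe]
TCP 192.168.1.21:3297 31.13.66.160:443 ESTABLISHED [FacebookMessenger.exe]
TCP 192.168.1.21:3298 31.13.66.160:443 ESTABLISHED [FacebookMessenger.exe]
TCP 192.168.1.21:3302 192.0.80.241:443 ESTABLISHED [chrome.exe]
TCP 192.168.1.21:3306 72.21.91.111:443 ESTABLISHED [chrome.exe]
TCP 192.168.1.21:3307 74.125.227.204:443 ESTABLISHED [chrome.exe]
TCP 192.168.1.21:3314 31.13.66.160:443 ESTABLISHED [chrome.exe]
"""

RUN_3 = """\
TCP 127.0.0.1:1036 127.0.0.1:7112 ESTABLISHED [vprot.exe]
TCP 127.0.0.1:7112 127.0.0.1:1036 ESTABLISHED [loggingserver.exe]
TCP 192.168.1.21:3106 208.83.136.19:80 CLOSE_WAIT [cdswin.exe]
TCP 192.168.1.21:3379 31.13.66.128:443 ESTABLISHED [FacebookMessenger.exe]
TCP 192.168.1.21:3380 31.13.66.128:443 ESTABLISHED [FacebookMessenger.exe]
TCP 192.168.1.21:3383 31.13.66.128:443 ESTABLISHED [FacebookMessenger.exe]
TCP 192.168.1.21:3384 31.13.66.128:443 ESTABLISHED [FacebookMessenger.exe]
TCP 192.168.1.21:3387 192.0.80.242:443 ESTABLISHED [chrome.exe]
"""

# State is optional so UDP lines ("UDP 0.0.0.0:500 *:*") parse too.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?")
PROC_RE = re.compile(r"\[([^\]]+)\]")


def parse_netstat(text):
    """One dict per connection; a bare '[name]' line is attached to the line above it."""
    conns = []
    for line in text.splitlines():
        conn = CONN_RE.match(line)
        proc = PROC_RE.search(line)
        if conn:
            proto, local, remote, state = conn.groups()
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state, "process": proc.group(1) if proc else None})
        elif proc and conns and conns[-1]["process"] is None:
            conns[-1]["process"] = proc.group(1)
    return conns


def remote_endpoints(conns):
    """process -> set of remote ip:port, ignoring loopback and unbound sockets.

    The vprot.exe <-> loggingserver.exe pair in the posted output is two local
    processes talking over 127.0.0.1; it never leaves the machine."""
    out = defaultdict(set)
    for c in conns:
        host = c["remote"].rsplit(":", 1)[0]
        if host.startswith("127.") or host in ("*", "0.0.0.0", "[::]"):
            continue
        out[c["process"] or "<unknown>"].add(c["remote"])
    return dict(out)


def _pairs(conns):
    return {(p, r) for p, rs in remote_endpoints(conns).items() for r in rs}


def diff_runs(before, after):
    """(process, remote) pairs that appeared or vanished between two runs."""
    a, b = _pairs(before), _pairs(after)
    return {"new": sorted(b - a), "gone": sorted(a - b)}


def persistent(*runs):
    """Pairs present in every run. In the posted output the chrome.exe endpoints
    change from run to run while cdswin.exe's CLOSE_WAIT to 208.83.136.19:80 is in
    all three; long-lived pairs are the ones worth identifying, churn is not."""
    sets = [_pairs(r) for r in runs]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    r1, r3 = parse_netstat(RUN_1), parse_netstat(RUN_3)
    for proc, remotes in sorted(remote_endpoints(r1).items()):
        print(f"{proc:24} {', '.join(sorted(remotes))}")
    print("changed between runs:", diff_runs(r1, r3))
    print("in both runs:", persistent(r1, r3))
```

To use it on your own machine, redirect each run to a file (`netstat -nb > run1.txt`) and pass the file contents to parse_netstat in place of RUN_1 and RUN_3. Two caveats that the output itself does not show: the name in brackets is what the process reports about itself, not a verification of what the binary is, and a remote address only becomes meaningful once you resolve who it belongs to, so the list is a starting point for questions, not an answer.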
cooper Posted June 14, 2014

I don't get it. You're dumping all this data in here not unlike how a child that went to camp for a week dumps his dirty clothes at his parents' feet assuming they'll sort this mess out for him/her. That's not what this forum is about. We'll help you come to grips with what you're seeing, but unless you make a bit of effort to try to comprehend what it is you're doing, what the output of programs means and how you can make use of this, you're not going to achieve anything here.

From what you've posted so far, you claim that your ex has intel on you. Dude, I ditched my girlie 6 months ago and if I wanted I could make life in general complete and utter hell for her, not because I'm good at that sort of thing, but after a 6 year relationship I know what makes her tick:
- password generation and remembrance techniques
- things she would have an account on
- websites she's likely to access
- the company that she's got a long-term cell-phone contract with, her phone number and all personal details they might want to know about before they're willing to change anything

And that's not counting all the account info I already got to know about simply because half the time I did all that crap for her or looked over her shoulder as she was doing it.

If you're worried about your machine having a rootkit or a keylogger, bottom line is you don't trust that machine anymore. Solution? Reinstall. It's that simple. Format and start over. There is NO alternative. From that point on, work your way out. Make a list of sites/fora you frequent and basically change *everything*. Your username if possible, most certainly your password, and walk yourself through the 'forgot password' dialogue. For all questions posed ask yourself: would anybody other than me know this? If the answer is yes, you should try to change that info. Those common 'what's your pet's name' or 'what's your mother's maiden name' type questions. If you can't change it, drop the account. Create a new one with, I dunno, a different birthdate or something. Something that's asked in the 'forgotten password' flow which someone else that knows you well enough also knows. Change it or drop it and move on.

How long has it been since you parted? How much time are you still spending on her? Is it really worth it? Move on. Even if you get to feel like you 'got her' by getting in her face, you only end up wasting your time on that woman. If you play your cards wrong (and since you don't know what you're doing I guarantee you that you will) you could wind up in jail. Is she really worth all that trouble to you? If you can't prevent running into her, stay calm and collected. Put yourself above the situation. Yes, I'm sure she's caused you plenty of pain and I'm sure she will feel exactly the same about you. If she gets in your face, just tell her (still calm and collected) to accept the situation and get over it, then walk away. If she keeps hounding you, tell her (calm and collected) that the only thing she's doing is proving she's still not over you, but you're not interested anymore, and walk away. Things will calm down eventually. Don't talk smack about her behind her back either. Avoid the subject, even amongst your friends. Just say to anybody that asks that that chapter in your life is over and you've moved on with your life. If she finds someone else, GOOD, FUCK HER! Gives her someone else to focus on. Just pick up the pieces of your life and make do. You'll be much happier way sooner than if you didn't.
digininja Posted June 14, 2014

I want to see i8igmac interpret the netstat output and conclude something useful from it.
xrad Posted June 15, 2014 (edited)

Jeez... do what Cooper suggested... reinstall... change your passwords, new email, new phone number... Life is too short to be stressing over silly crap.