Posts: 137 | Thanked: 71 times | Joined on Mar 2008
#51
Originally Posted by eitama:
Update:

I used my N900 yesterday once more to access my gmail with microb,
I entered the password, and today morning my gmail was hacked again from China.

The password was brand new, so I am pretty sure it's related to the N900. I can feel a reflash coming...

For good measure and for forensics take a complete backup before you reflash.
 
ndi's Avatar
Posts: 2,050 | Thanked: 1,425 times | Joined on Dec 2009 @ Bucharest
#52
If the hacker made changes to your email settings he could get your new password.

Still, if it's not that simple, could you get Wireshark, and dump whatever is sent when you log in? It could help the community identify the problem while we gather rope and soap.
__________________
N900 dead and Nokia no longer replaces them. Thanks for all the fish.

Keep the forums clean: use "Thanks" button instead of the thank you post.
 
eitama's Avatar
Posts: 702 | Thanked: 334 times | Joined on Feb 2010 @ Israel.
#53
Hi,

I got tcpdump installed so I'll be sure to simulate this again.
Maybe I'll be able to pinpoint it to a specific process.

And sure I'll make a backup.
I think I'll create a new gmail account, just to log into it, allowing the hacker to sniff its password.

Thanks for the tip on the gmail security, I verified all the information there, it's all mine, and the new password is hell like. (:

Eitam.
__________________
| Developer of Horizontal-Call - Call your contacts, fast! |
| Reverse SSH - access your N900 from anywhere, anytime |
| Using Samsung Galaxy S GT-i9000 and Nokia N900 |
| DonateMe - If you feel I helped you in a very good way, feel free to donate |
 
Posts: 1,463 | Thanked: 1,916 times | Joined on Feb 2008 @ Edmonton, AB
#54
this is pretty sketchy. last thing i want to find out is i have reduced battery life thanks to a spambot on my phone or something... maybe we should write some antivirus or anti-trojan style tools to see what tasks are running and check for suspicious activities like tcp/ip connections and whatever they use in linux to hook the keyboard input.
 
ndi's Avatar
Posts: 2,050 | Thanked: 1,425 times | Joined on Dec 2009 @ Bucharest
#55
a) antivirus works on known viruses
b) anti-trojan tools work on known trojans

Before anything is developed, we need to know what does and what. Running tasks are shown via "ps" command. TCP/IP is dumped via several tools, one being the above-mentioned tcpdump.

c) the nature of Linux architecture makes this quite an undertaking, as keyboard access isn't registered, like in Windows, in order to deny it. I don't think it's even protected. I don't pretend to be an expert, but if "cat" has access to it, anyone has. Also, it doesn't need to be a running process. Viruses and trojans that have their own process aren't worthy of the name. They're all nuisanceware.

d) all programs submitted to repos (AFAICT) are compiled server-side with open components. There is little need to grow an anti-something when code can simply be removed.

e) all we have now (no offense) is anecdotal evidence. When we see some code we'll have a better understanding of what happens and why. Once we see how that data is leaking, we'll have something to grep the sources for.
 
Saturn's Avatar
Posts: 1,648 | Thanked: 2,122 times | Joined on Mar 2007 @ UNKLE's Never Never Land
#56
Agree with all points apart from the first sentence of d).
Not all code is available to the autobuilder. e.g. the non-free packages.
 
Posts: 1,463 | Thanked: 1,916 times | Joined on Feb 2008 @ Edmonton, AB
#57
okay, well, i would agree but i actually meant using heuristics to find suspicious running processes. i thought there would be an easy way to see what is logging keys, and tcpdump doesn't give the process id because of a limitation of the libpcap driver it seems. netstat would work but i think it only shows current connections, and a keylogger doesn't usually remain connected i would think. well, i will keep thinking about this.
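
Added example, not part of the thread or any poster's code: one way to get the process-to-connection mapping discussed above on Linux, by joining /proc/net/tcp rows to the socket inodes under /proc/<pid>/fd and polling so that brief connections are recorded too. The sample table, the function names and the polling interval are assumptions made for illustration.

```python
import os, re, socket, struct, time

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C350 0A00020A:01BB 01 00000000:00000000 00:00000000 00000000 29999        0 2002 1 0000000000000000 20 4 30 10 -1
"""

def decode(hexaddr):
    """'0A00020A:01BB' -> ('10.2.0.10', 443); byte order as printed on little-endian hosts."""
    ip, port = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip, 16))), int(port, 16)

def parse_tcp(text):
    """Yield (local, remote, state, inode) for each row of a /proc/net/tcp dump."""
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            yield decode(f[1]), decode(f[2]), f[3], int(f[9])

def socket_owners(proc="/proc"):
    """Map socket inode -> (pid, program) by reading the /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            with open(os.path.join(proc, pid, "cmdline"), errors="replace") as fh:
                name = fh.read().split("\0")[0]
            for fd in os.listdir(fd_dir):
                m = re.match(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
                if m:
                    owners[int(m.group(1))] = (int(pid), name)
        except OSError:  # process exited, or its fd directory is not readable
            continue
    return owners

def active(text, owners):
    """Remote endpoints in ESTABLISHED (01) or SYN_SENT (02) with the owning process."""
    return [(remote, owners.get(inode))
            for _, remote, st, inode in parse_tcp(text) if st in ("01", "02")]

def watch(seconds=60, interval=0.2):
    """Poll the live table and accumulate every (remote, owner) pair seen."""
    seen, end = set(), time.time() + seconds
    while time.time() < end:
        with open("/proc/net/tcp") as fh:
            seen.update(active(fh.read(), socket_owners()))
        time.sleep(interval)
    return seen
```

A connection that opens and closes between two polls is still missed, and reading other users' fd directories requires root.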
 
ndi's Avatar
Posts: 2,050 | Thanked: 1,425 times | Joined on Dec 2009 @ Bucharest
#58
Originally Posted by Saturn:
Agree with all points apart from the first sentence of d).
Not all code is available to the autobuilder. e.g. the non-free packages.

I assumed Nokia's partners wouldn't steal passwords. You are, however, technically correct. The best kind of correct.

What bothers me is that we have only one case.
 
Guest | Posts: n/a | Thanked: 0 times | Joined on
#59
Google has this 2 step verification to prevent your gmail account from being hacked.

Someone attempted to hack mine a few months back and good thing I was able to use their 2 step verification. Basically in addition to your regular password, you have to enter a one time code generated on an app on your smartphone (iPhone, Android, BlackBerry).

For complete and detailed instructions, you can go here http://darktips.com/how-to-protect-y...-from-hackers/
 