# Email unauthorized with 2 factor authentication



## Guywithoutinternet (Jul 8, 2019)

Long story short, I installed malicious software because of time constraints and fatigue.

Did a complete new format of my main computer.

I have 2-factor authentication enabled. Got a phone alert that my Gmail had unauthorized access at 2am and 4am. The hacker deleted the critical alert emails, which I had Google restore, just to make sure it didn't delete other mails.

It accessed my Gmail with my 2nd computer using the same IP, location, computer and Firefox 65.

The messed up part was, 2 days later, it accessed my mom's email with her iPad or iPhone, because the unauthorized access is using iOS and Safari for her Hotmail.
It wasn't her because she never uses Safari to check email.

At this point, I shut off all devices in my home network and am posting this from a Starbucks.

My question is, has my router been compromised?

Besides factory reset, update firmware, add a harder-to-brute-force password, what else can I do?

Thanks


----------



## lunarlander (Sep 22, 2007)

What devices are on your home network, please?

The best thing to do is to back up only your data on every computer and reinstall the OS from external media, like a DVD or USB memory stick. A reset feature like Windows' feature still uses onboard programs, and a good hacker will have anticipated that move and not leave that untampered. Then re-install applications from freshly downloaded installers. That way, you'll also get the side benefit of updating your outdated applications, which could be missing security patches. The only exception is cell phones, which always run as a non-admin user, and a reset always comes from a non-modifiable memory area. Unless you have rooted your phone, in which case everything is modifiable.

Update the firmware on the router.
Set a strong passphrase for WPA2. Password attacks are not only via brute force; there are dictionary-based attack programs as well. Research has shown that length alone makes these attacks infeasible. But to make them easier to remember, use pronounceable but non-dictionary words.
Set up MAC address filtering to allow only known devices. Disable any port forwarding.
Enable logging if there is such a feature, and enable syslog forwarding if there is such a feature (you need to set up a syslog server to receive logs from the router). Syslog forwarding lets you see the full logs in case the attacker deletes logs. An attacker usually tries to delete logs, just like he deleted the alert emails, as you have experienced.

Since the attack was done from inside the network, and bots can be installed on each machine he touches, there is little need to attack the router, as it does not present an obstacle. A bot can call outbound to the attacker's server, therefore NAT and router firewalls mean nothing. But you would never know if it could provide a launch platform for re-attacking your re-installed devices inside the network, as all routers are basically a slimmed-down Linux OS. And hackers (should) know Linux.

For the best results, go look for 'hardening' guides for each OS you use (I have one for Windows 10 listed in my signature below). Use only 1 computer to do all the searching, and save the HTML documents. Then, re-install the OS on everything, and harden them referring to the saved HTML without going online. Then make drive images for each OS, saving them as golden images. Then go online and fetch program installers. Never make an image of something that has gone online and call it your golden image, because you risk attacks and modification while online. A golden image is one that comes from a trusted source, like the Windows setup media.

Good luck. If you have any questions, ask.
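The syslog-forwarding step above, as an added example that is not from the post or from any router vendor: a small Python receiver that appends every datagram the router sends to a local file before doing anything else (so that copy outlives whatever gets cleared on the router itself), parses the BSD syslog line format, and flags entries worth reviewing. The keyword list, file name, port and the sample lines are assumptions; match them to what your router actually emits.

```python
import re
import socketserver
from dataclasses import dataclass
from typing import Optional

# RFC 3164 (BSD syslog) line: "<PRI>Mmm dd hh:mm:ss host message"
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    message: str

def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Split one syslog line into its parts; PRI encodes facility*8 + severity."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    return SyslogEvent(pri // 8, pri % 8, m.group("ts"), m.group("host"), m.group("msg"))

# Assumed wording of router events worth a second look; adjust to your router's messages.
WATCH = ("login", "password", "config", "port forward", "firmware", "log cleared")

def is_noteworthy(ev: SyslogEvent) -> bool:
    """Severity warning (4) or worse, or a message mentioning an admin-type action."""
    text = ev.message.lower()
    return ev.severity <= 4 or any(k in text for k in WATCH)

class SyslogHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _ = self.request                      # UDP: (payload bytes, socket)
        line = data.decode("utf-8", errors="replace").rstrip()
        with open(self.server.logfile, "a") as f:   # append first; this copy survives deletion on the router
            f.write(f"{self.client_address[0]} {line}\n")
        ev = parse_syslog(line)
        if ev and is_noteworthy(ev):
            print("REVIEW:", ev.host, ev.timestamp, ev.message)

def serve(logfile: str = "router-syslog.log", port: int = 5514):
    """Listen for forwarded syslog; point the router's syslog setting at this host and port."""
    with socketserver.UDPServer(("0.0.0.0", port), SyslogHandler) as srv:
        srv.logfile = logfile
        srv.serve_forever()
```

Call `serve()` on the machine that stays offline apart from the LAN, and set the router's syslog server to that machine's address; port 514 is the syslog default but needs root, so an unprivileged port is used here.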


----------



## Guywithoutinternet (Jul 8, 2019)

I got 4 iOS devices, 2 Android and 4 Win 10 and 1 Linux.

Thanks for the help! Hopefully factory reset and OS hardening resolve my issues.


----------

