garywk

join:2001-03-06
Clarkston, WA
reply to KodiacZiller

Re: Ubuntu computer hijacked by hacker

It seems you haven't understood everything you've read.

The computer in question has a private IP address on a LAN behind a combination router/switch/firewall. No one outside the LAN should have been able to access VNC as vue666 was using VNC internally on the LAN, not accessing it from the internet. vue666 never opened a firewall port so any attempt to use it that originated outside the LAN should have been dropped by the firewall.



JohnInSJ
Premium
join:2003-09-22
Aptos, CA

said by garywk:

It seems you haven't understood everything you've read.

The computer in question has a private IP address on a LAN behind a combination router/switch/firewall. No one outside the LAN should have been able to access VNC as vue666 was using VNC internally on the LAN, not accessing it from the internet. vue666 never opened a firewall port so any attempt to use it that originated outside the LAN should have been dropped by the firewall.

So is it possible that some exploit in Transmission allowed local user access (essentially opening a tunnel into the machine) and via that tunnel the bad guy forwarded the local vnc port out, thus gaining vnc access?

vnc should probably be run with a password, as a last gasp defense.
--
My place : »www.schettino.us

mich

join:2008-08-30

3 edits
reply to garywk

Nope, it seems _you_ haven't understood everything you've read (or haven't read everything that has been written).

According to the discussion linked by KZ, Ubuntu *by default* tries to get a port redirection from the local router using UPnP. If vue666's router supports UPnP (@vue666 - does it?) then literally everybody with Internet access can connect to this box over VNC and do with it whatever he likes. And yes, this includes installing VISTA (viruses, spyware, ...), so even though it seems that this particular guy has done it only for teh lulz, if it was my box I'd rather do a clean install.

And before anybody says "he didn't have root" - you don't need it to install a keylogger on the compromised account that starts together with every X session. And there is this nice thing called "local root exploits".



vue666
I love Lanny Barbie
Premium
join:2007-12-07
Halifax, NS
kudos:1

Yes, my router supports UPnP.... Do I need to disable this?



JohnInSJ
Premium
join:2003-09-22
Aptos, CA
reply to vue666

UPnP firewalls are evil


mich

join:2008-08-30

1 recommendation

reply to vue666

Well, you should know about it.

Basically, UPnP allows any program running in your LAN to change port mappings to its liking. If you don't mind having to manually forward ports for applications which need them, you may disable it. But if you want this to happen automagically and leave UPnP enabled, you cannot assume that NAT is going to "protect" you from connections incoming from the Internet.

IMHO the best solution is to disable UPnP (because I somehow don't like the idea of an arbitrary program manipulating port mappings on my router behind my back) *and* don't assume that NAT is going to "protect" you, because it simply isn't - for example some NATs can be tricked into forwarding arbitrary ports using their ability to track FTP connections. I think I've even read about somebody demonstrating this hack using a Java applet running in a web browser.
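A practical way to see what mich describes is to ask the router itself which mappings it currently holds. The block below is an added example written for this page, not code from the thread or from any router vendor: it builds the standard UPnP IGD GetGenericPortMappingEntry SOAP call, walks the mapping table until the router faults with error 713 (end of table), and flags any enabled TCP mapping that lands on a LAN host's VNC display range. The control URL, the LAN addresses and the three sample table entries are constructed for the offline demonstration and are assumptions, not data from the thread; against a real router you take the control URL from the device description found via an SSDP M-SEARCH for WANIPConnection.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def soap_get_mapping(index: int) -> Tuple[Dict[str, str], bytes]:
    """Build the GetGenericPortMappingEntry request for table row `index`."""
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'}
    return headers, body.encode()


def parse_mapping(xml_bytes: bytes) -> Optional[Dict[str, object]]:
    """One table row as a dict, or None when the reply is a SOAP fault
    (713 SpecifiedArrayIndexInvalid is how the router says 'no more rows')."""
    root = ET.fromstring(xml_bytes)
    resp = next((e for e in root.iter()
                 if e.tag.endswith("GetGenericPortMappingEntryResponse")), None)
    if resp is None:
        return None
    f = {child.tag.split("}")[-1]: (child.text or "") for child in resp}
    return {
        "ext_port": int(f["NewExternalPort"]),
        "proto": f["NewProtocol"].upper(),
        "int_client": f["NewInternalClient"],
        "int_port": int(f["NewInternalPort"]),
        "enabled": f.get("NewEnabled", "1") == "1",
        "desc": f.get("NewPortMappingDescription", ""),
    }


def walk_mappings(fetch: Callable[[int], bytes], limit: int = 1000) -> List[Dict[str, object]]:
    """Enumerate rows 0, 1, 2, ... until the router faults. `fetch` performs the SOAP POST."""
    found: List[Dict[str, object]] = []
    for i in range(limit):
        row = parse_mapping(fetch(i))
        if row is None:
            break
        found.append(row)
    return found


def live_fetch(control_url: str) -> Callable[[int], bytes]:
    """Real SOAP POST. The control URL is read from the router's device description;
    e.g. http://192.168.1.1:49152/upnp/control/WANIPConn1 is only an assumed shape."""
    def fetch(index: int) -> bytes:
        hdrs, body = soap_get_mapping(index)
        try:
            with urlopen(Request(control_url, data=body, headers=hdrs, method="POST"), timeout=5) as r:
                return r.read()
        except HTTPError as e:          # IGD faults come back as HTTP 500 with a SOAP body
            return e.read()
    return fetch


def exposed_vnc(mappings: List[Dict[str, object]], vnc_ports=range(5900, 6000)) -> List[Dict[str, object]]:
    """Enabled TCP mappings that forward Internet traffic onto a LAN host's VNC display range."""
    return [m for m in mappings
            if m["enabled"] and m["proto"] == "TCP" and m["int_port"] in vnc_ports]


# ---- constructed sample table (not captured from any real router) --------------------------
def _entry(ext: int, proto: str, host: str, iport: int, desc: str) -> bytes:
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
            f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
            f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{iport}</NewInternalPort>"
            f"<NewInternalClient>{host}</NewInternalClient><NewEnabled>1</NewEnabled>"
            f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
            "<NewLeaseDuration>0</NewLeaseDuration>"
            "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>").encode()

SAMPLE_FAULT = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
                "<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>"
                '<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
                "<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid"
                "</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>").encode()

SAMPLE_TABLE = [  # a desktop-sharing server and a torrent client both asked for holes
    _entry(5900, "TCP", "192.168.1.10", 5900, "desktop sharing (constructed)"),
    _entry(51413, "TCP", "192.168.1.10", 51413, "bittorrent (constructed)"),
    _entry(51413, "UDP", "192.168.1.10", 51413, "bittorrent (constructed)"),
]


def sample_fetch(index: int) -> bytes:
    """Stand-in for live_fetch: serves the constructed table, then the end-of-table fault."""
    return SAMPLE_TABLE[index] if index < len(SAMPLE_TABLE) else SAMPLE_FAULT


def audit_sample() -> List[Dict[str, object]]:
    return exposed_vnc(walk_mappings(sample_fetch))


if __name__ == "__main__":
    for row in walk_mappings(sample_fetch):
        print(row)
    print("VNC reachable from the Internet via:", audit_sample())
```

Swap `sample_fetch` for `live_fetch(<your control URL>)` to run it against a real IGD. If a row you never configured shows up, deleting it with DeletePortMapping only buys time: whatever asked for it can ask again, which is why the thread's advice is to turn UPnP off at the router.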



vue666
I love Lanny Barbie
Premium
join:2007-12-07
Halifax, NS
kudos:1
reply to garywk

said by garywk:

said by vue666:

Sorry... I'm a He not a She... the avatar is of my favorite newscaster Marcia MacMillan...

I did a port scan at GRC.COM but it only scans the first 1004 ports... Since a computer has approx. 65,535 and I can only scan 64 ports at a time, is there a faster way than scanning

1005-1069
1070-1134
1134....
....65,535

???

Cheers

Sorry about that, on both counts. The avatar threw me. Second, I haven't used GRC's Shields Up in a long time and I see he's really limited the number of ports you can scan at one time. It didn't use to be that way.

Here's another site that will scan all your ports. »labs.programming-designs.com/portscanner/

It will take a while to scan them all, but I think it's worth the time to do.

Thanks for the link. The link did a port scan of my router and showed no open ports. I did from 1 - 65535, took better part of the night...

So can I assume it was a combo of the open desktop sharing and Torrenting that allowed the hacker in?

mich

join:2008-08-30

Stupid question - were you running this VNC server during the scan?



vue666
I love Lanny Barbie
Premium
join:2007-12-07
Halifax, NS
kudos:1

No... I wiped my Ubuntu computer and reinstalled Ubuntu 10.10...

I was running the port scan from my Windows 7 Home box....


mich

join:2008-08-30

Well, it's good to hear that nothing you don't know about listens for incoming connections on your router, but it certainly doesn't rule out the possibility that VNC _used_to_ listen for them before.

You definitely *can* assume that somebody exploited transmission, found out that you have VNC running on your system and connected to it, but I'm almost sure that your assumption is wrong because it was much easier to find this VNC with a simple port scan. Provided that Ubuntu really is that stupid.

You may check it yourself if you want by re-enabling VNC (with a good password, of course), enabling UPnP on the router (if you have already disabled it) and running a new scan in the 5900-6000 range.


garywk

join:2001-03-06
Clarkston, WA

said by mich:

Well, it's good to hear that nothing you don't know about listens for incoming connections on your router, but it certainly doesn't rule out the possibility that VNC _used_to_ listen for them before.

Ummm.... Say what? Where do you get the idea that a port listening on a computer connected to a LAN behind a firewall causes a port to listen on the WAN side of the firewall/router that is acting as the gateway for the LAN? It's just not going to happen.


vue666
I love Lanny Barbie
Premium
join:2007-12-07
Halifax, NS
kudos:1
reply to mich

said by mich:

Well, it's good to hear that nothing you don't know about listens for incoming connections on your router, but it certainly doesn't rule out the possibility that VNC _used_to_ listen for them before.

You definitely *can* assume that somebody exploited transmission, found out that you have VNC running on your system and connected to it, but I'm almost sure that your assumption is wrong because it was much easier to find this VNC with a simple port scan. Provided that Ubuntu really is that stupid.

You may check it yourself if you want by re-enabling VNC (with a good password, of course), enabling UPnP on the router (if you have already disabled it) and running a new scan in the 5900-6000 range.

Thanks kindly... My router has upnp enabled by default and there doesn't appear to be way to disable it via the web configuration page. Router is an Airlink101 AR504...

It has the latest firmware... Maybe it's time for a new router...

garywk

join:2001-03-06
Clarkston, WA
reply to vue666

said by vue666:

Thanks for the link. The link did a port scan of my router and showed no open ports. I did from 1 - 65535, took better part of the night...

So can I assume it was a combo of the open desktop sharing and Torrenting that allowed the hacker in?

Either that or your Windows 7 machine has been compromised and is running some type of malware that opens a connection from inside your LAN, and that's how whoever it was got access to your Ubuntu machine. Both scenarios are possible.

If you've reinstalled Ubuntu, install nmap on that machine and run a full port scan on your Windows machine, both TCP and UDP ports. That will tell you if you have any ports open on it that shouldn't be. I believe that Ubuntu has a GUI with their version of nmap, or a GUI available in a separate package, so you shouldn't have to learn all the flags used in the text version.
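The scan garywk recommends is best done with nmap: `nmap -sS -sU -p- 192.168.1.10` covers all 65535 TCP and UDP ports of a LAN host (SYN and UDP scans need root, and `-p-` is the "every port" shorthand), which also answers vue666's earlier question about scanning in 64-port chunks. The block below is an added example written for this page, not code from the thread or from nmap: it shows the same idea as a parallel TCP connect scan over a port range, then grabs the first bytes each open port sends so a VNC server can be told apart from anything else listening (RFB servers announce themselves with `RFB 003.xxx`). The host address and the tiny stand-in listener are constructed so the block runs offline; the stand-in only speaks the RFB greeting and is not a real VNC server.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Full TCP connect. connect_ex returns 0 on success and an errno otherwise."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_tcp(host: str, ports: Iterable[int], timeout: float = 0.5, workers: int = 200) -> List[int]:
    """Probe `ports` in parallel; return the ones that accepted a connection."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: tcp_port_open(host, p, timeout), ports)
        return [p for p, is_open in zip(ports, results) if is_open]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Read whatever the service says first (many servers, VNC included, speak before the client)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(64)
        except socket.timeout:
            return b""


def looks_like_vnc(banner: bytes) -> bool:
    """RFB protocol version handshake: the server sends 'RFB 003.008\\n' (or another version)."""
    return banner.startswith(b"RFB ")


class FakeVncServer:
    """Constructed stand-in for the demonstration: answers the RFB greeting and nothing else."""

    def __init__(self, host: str = "127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))           # port 0: let the OS pick a free port
        self.sock.listen(16)
        self.host, self.port = self.sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                 # listening socket closed by close()
                return
            try:
                with conn:
                    conn.sendall(b"RFB 003.008\n")
            except OSError:                 # scanner probes hang up immediately; ignore
                pass

    def close(self) -> None:
        self.sock.close()


def find_vnc(host: str, ports: Iterable[int]) -> List[Tuple[int, bytes]]:
    """Open ports in `ports` whose banner identifies them as RFB/VNC, with the banner."""
    hits = []
    for p in scan_tcp(host, ports):
        banner = grab_banner(host, p)
        if looks_like_vnc(banner):
            hits.append((p, banner))
    return hits


def demo() -> Tuple[int, List[Tuple[int, bytes]]]:
    """Start the stand-in, scan a window of ports around it, return (its port, VNC hits)."""
    srv = FakeVncServer()
    try:
        window = range(max(1, srv.port - 20), min(65535, srv.port + 20) + 1)
        return srv.port, find_vnc(srv.host, window)
    finally:
        srv.close()


if __name__ == "__main__":
    port, hits = demo()
    print(f"stand-in listening on {port}; VNC-looking services found: {hits}")
    # Against a real LAN host you would call find_vnc("192.168.1.10", range(1, 65536));
    # 192.168.1.10 is an assumed address, not one from the thread.
```

The banner step is the part worth keeping: a port being open only tells you something listens, while the `RFB` greeting tells you it is VNC even when it has been moved off 5900. Note that a scan from inside the LAN shows what the LAN can reach; whether the Internet can reach it depends on the router's forwarding table, which is the UPnP question discussed above.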

mich

join:2008-08-30
reply to garywk

said by garywk:

Ummm.... Say what? Where do you get the idea that a port listening on a computer connected to a LAN behind a firewall causes a port to listen on the WAN side of the firewall/router that is acting as the gateway for the LAN? It's just not going to happen.

I've never claimed that. That's why I said "nothing is listening _on_your_router_". Maybe it wasn't entirely clear, but what I meant was "nothing is listening on ports forwarded from the router", like this VNC probably was.

garywk

join:2001-03-06
Clarkston, WA

Well, I guess I misunderstood then, but I'm still not sure of your point. How could the vncserver be listening on a firewall port if the firewall port is closed and no port forwarding is enabled? UPnP is not supported by TightVNC in any documentation that I can find, so that is most probably not a possible vector of attack.

The port would have to be open then and now unless either the router itself is compromised, or one of the machines in the LAN is compromised so that the bad guy has access to the network at all times and can originate traffic from inside the network and/or reconfigure the router at will.

It would seem to me that it's a pretty tall order for a cracker to get you to download an executable using a Linux bittorrent client, and then chmod the file so that it has execute permissions once it's on the hard drive so he can use that malware to access the remote desktop. I've never heard of bittorrent being mis-used that way. I can see how it would work in Windows as MS ties read and execute permissions together, but not Linux.


mich

join:2008-08-30

It seems that GNOME dudes have hacked together their own server:
»www.debianadmin.com/remote-deskt···ntu.html

And here goes the scary stuff:
»bugzilla.gnome.org/show_bug.cgi?id=578767

Status: RESOLVED FIXED



KodiacZiller
Premium
join:2008-09-04
73368
kudos:2

1 recommendation

said by mich:

It seems that GNOME dudes have hacked together their own server:
»www.debianadmin.com/remote-deskt···ntu.html

And here goes the scary stuff:
»bugzilla.gnome.org/show_bug.cgi?id=578767

Status: RESOLVED FIXED

Yikes. There's our problem, just as I suspected. VNC opens a port automatically on the router.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999


EUS
Kill cancer
Premium
join:2002-09-10
canada

1 recommendation

UPnP is Eeeevil!


equivocal

join:2008-01-23
USA
reply to KodiacZiller

Evidence that all the effort to make linux just as good as windows is really paying off.

But I'm glad I ran across this discussion. I know it's something I'll need to remember...hey is that a shiny object...



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL
reply to vue666

said by vue666:

Thanks kindly... My router has upnp enabled by default and there doesn't appear to be way to disable it via the web configuration page. Router is an Airlink101 AR504...

It has the latest firmware... Maybe it's time for a new router...

Yes

OR third party firmware for your router (if that is even possible). DD-WRT, Tomato..
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.

garywk

join:2001-03-06
Clarkston, WA

1 recommendation

reply to mich

Thanks, that was news to me. I hadn't used tightvnc or remote desktop sharing in a long time, but when I did it wasn't opening up a port via upnp.

Why do these idiot developers do this stupid stuff? They know their protocol isn't secure. They know some people will use remote desktop on only their internal LAN. So, they open firewall ports without telling anyone. They must be Microsoft developers at heart where security vulnerabilities == features.

The strange thing about this is that I fired up wireshark, enabled desktop sharing, and saw no network traffic related to this.



aefstoggaflm
Open Source Fan
Premium
join:2002-03-04
Bethlehem, PA
kudos:7
Reviews:
·PenTeleData
·Verizon Online DSL

said by garywk:

Why do these idiot developers do this stupid stuff? They know their protocol isn't secure. They know some people will use remote desktop on only their internal LAN. So, they open firewall ports without telling anyone. They must be Microsoft developers at heart where security vulnerabilities == features.

I agree with what you suspect: they are/were MS developers.

I guess they were thinking that people are lazy.
--
Please use the "yellow (IM) envelope" to contact me and please leave the URL intact.


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to aefstoggaflm

said by aefstoggaflm:

said by vue666:

Thanks kindly... My router has upnp enabled by default and there doesn't appear to be way to disable it via the web configuration page. Router is an Airlink101 AR504...

It has the latest firmware... Maybe it's time for a new router...

Yes

OR third party firmware for your router (if that is even possible). DD-WRT, Tomato..

Be warned that upnp is turned on by default in the Tomato firmware. You will have to turn it off manually.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999


Selenia
I love Debian
Premium
join:2006-09-22
Fort Smith, AR
kudos:2
reply to firephoto

If it's just a switch, it does not employ NAT like a router. Thus, your service would be visible from the outside. Due to the control demonstrated over your X11 session and the cliche terminal entry that followed, I would wager it was your vnc. Simple solution is to be more careful about leaving services open. Your symptoms are not consistent with a buffer overflow exploit. So, relax and firewall and/or password services, as warranted.

Edit: Oops, reply was for OP
--
The new Sony rootkit-Using the ability to remove features you paid for. What's next? Boycott Sony products »[Rant] ps3 update = no more Linux

»It's a Sony (once and forever)



vue666
I love Lanny Barbie
Premium
join:2007-12-07
Halifax, NS
kudos:1

Thanks kindly... It's an Airlink101 AR504 router... Sadly it is not supported by the Tomato firmware or other 3rd parties...