garywk
join:2001-03-06
Clarkston, WA

garywk to mich64

Member

to mich64

Re: Ubuntu computer hijacked by hacker

said by mich64:

Well, it's good to hear that nothing you don't know about listens for incoming connections on your router, but it certainly doesn't rule out the possibility that VNC _used_to_ listen for them before.

Ummm.... Say what? Where do you get the idea that a port listening on a computer connected to a LAN behind a firewall causes a port to listen on the WAN side of the firewall/router that is acting as the gateway for the LAN? It's just not going to happen.
vue666 (banned)
Let's make Canchat better!!!
join:2007-12-07

vue666 (banned) to mich64

Member

to mich64
said by mich64:

Well, it's good to hear that nothing you don't know about listens for incoming connections on your router, but it certainly doesn't rule out the possibility that VNC _used_to_ listen for them before.

You definitely *can* assume that somebody exploited transmission, found out that you have VNC running on your system and connected to it, but I'm almost sure that your assumption is wrong because it was much easier to find this VNC with a simple port scan. Provided that Ubuntu really is that stupid.

You may check it yourself if you want by re-enabling VNC (with a good password, of course), enabling UPnP on the router (if you have already disabled it) and running a new scan in the 5900-6000 range.

Thanks kindly... My router has UPnP enabled by default and there doesn't appear to be a way to disable it via the web configuration page. Router is an Airlink101 AR504...

It has the latest firmware... Maybe it's time for a new router...
garywk
join:2001-03-06
Clarkston, WA

garywk to vue666

Member

to vue666
said by vue666:

Thanks for the link. The link did a port scan of my router and showed no open ports. I did from 1 - 65535, took better part of the night...

So can I assume it was a combo of the open desktop sharing and Torrenting that allowed the hacker in?

Either that or your Windows 7 machine has been compromised and is running some type of malware that opens a connection from inside your LAN, and that's how whoever it was got access to your Ubuntu machine. Both scenarios are possible.

If you've reinstalled Ubuntu, install nmap on that machine and run a full port scan on your Windows machine, both TCP and UDP ports. That will tell you if you have any ports open on it that shouldn't be. I believe that Ubuntu has a GUI with their version of nmap, or a GUI available in a separate package, so you shouldn't have to learn all the flags used in the text version.
mich64
join:2008-08-30

mich64 to garywk

Member

to garywk
said by garywk:

Ummm.... Say what? Where do you get the idea that a port listening on a computer connected to a LAN behind a firewall causes a port to listen on the WAN side of the firewall/router that is acting as the gateway for the LAN? It's just not going to happen.

I've never claimed that. That's why I said "nothing is listening _on_your_router_". Maybe it wasn't entirely clear, but what I meant was "nothing is listening on ports forwarded from the router", like this VNC probably was.
garywk
join:2001-03-06
Clarkston, WA

garywk

Member

Well, I guess I misunderstood then, but I'm still not sure of your point. How could the vncserver be listening on a firewall port if the firewall port is closed and no port forwarding is enabled? UPnP is not supported by tightvnc in any documentation that I can find, so that is most probably not a possible vector of attack.

The port would have to be open then and now unless either the router itself is compromised, or one of the machines in the LAN is compromised so that the bad guy has access to the network at all times and can originate traffic from inside the network and/or reconfigure the router at will.

It would seem to me that it's a pretty tall order for a cracker to get you to download an executable using a Linux bittorrent client, and then chmod the file so that it has execute permissions once it's on the hard drive so he can use that malware to access the remote desktop. I've never heard of bittorrent being misused that way. I can see how it would work in Windows as MS ties read and execute permissions together, but not Linux.
mich64
join:2008-08-30

mich64

Member

It seems that GNOME dudes have hacked together their own server:
»www.debianadmin.com/remo ··· ntu.html

And here goes the scary stuff:
»bugzilla.gnome.org/show_ ··· d=578767

Status: RESOLVED FIXED

KodiacZiller
Premium Member
join:2008-09-04
73368

1 recommendation

KodiacZiller

Premium Member

said by mich64:

It seems that GNOME dudes have hacked together their own server:
»www.debianadmin.com/remo ··· ntu.html

And here goes the scary stuff:
»bugzilla.gnome.org/show_ ··· d=578767

Status: RESOLVED FIXED

Yikes. There's our problem, just as I suspected. VNC opens a port automatically on the router.

EUS
Kill cancer
Premium Member
join:2002-09-10
canada

1 recommendation

EUS

Premium Member

UPnP is Eeeevil!
equivocal
join:2008-01-23
USA

equivocal to KodiacZiller

Member

to KodiacZiller
Evidence that all the effort to make linux just as good as windows is really paying off.

But I'm glad I ran across this discussion. I know it's something I'll need to remember... hey, is that a shiny object...

aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA
Linksys E4200
ARRIS SB6141

aefstoggaflm to vue666

Premium Member

to vue666
said by vue666:

Thanks kindly... My router has UPnP enabled by default and there doesn't appear to be a way to disable it via the web configuration page. Router is an Airlink101 AR504...

It has the latest firmware... Maybe it's time for a new router...

Yes

OR third party firmware for your router (if that is even possible). DD-WRT, Tomato..
garywk
join:2001-03-06
Clarkston, WA

1 recommendation

garywk to mich64

Member

to mich64
Thanks, that was news to me. I hadn't used tightvnc or remote desktop sharing in a long time, but when I did it wasn't opening up a port via UPnP.

Why do these idiot developers do this stupid stuff? They know their protocol isn't secure. They know some people will use remote desktop on only their internal LAN. So, they open firewall ports without telling anyone. They must be Microsoft developers at heart where security vulnerabilities == features.

The strange thing about this is that I fired up wireshark, enabled desktop sharing, and saw no network traffic related to this.
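Added example, not from the thread or from any project discussed in it: a small Python audit that asks a UPnP IGD router for each configured port mapping (the same mechanism the GNOME bug report above describes) and flags anything in the 5900-6000 VNC range. The control URL is a placeholder, and the reply XML is a constructed sample so the parser runs offline.

```python
"""Audit UPnP IGD port mappings on a home router (added example, assumptions labelled)."""
import urllib.request
import xml.etree.ElementTree as ET

# Standard WANIPConnection:1 service and the action that enumerates mappings by index.
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
CONTROL_URL = "http://192.168.1.1:1900/ctl/IPConn"  # placeholder; read it from the router's device XML

# Constructed sample of one GetGenericPortMappingEntryResponse (not captured from a real router).
SAMPLE_REPLY = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>5900</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>5900</NewInternalPort>
<NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>desktop sharing</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""


def build_request(index: int) -> bytes:
    """SOAP body asking the IGD for the port mapping stored at position `index`."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{ACTION} xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}'
        f'</NewPortMappingIndex></u:{ACTION}></s:Body></s:Envelope>'
    ).encode()


def parse_mapping(xml_reply: bytes) -> dict:
    """Collect the New* fields of one response into a dict keyed without the 'New' prefix."""
    fields = {}
    for el in ET.fromstring(xml_reply).iter():
        tag = el.tag.split("}")[-1]  # drop any namespace
        if tag.startswith("New") and el.text is not None:
            fields[tag[3:]] = el.text.strip()
    return fields


def is_vnc_mapping(m: dict) -> bool:
    """True when a TCP mapping exposes a port in the 5900-6000 range the thread scans for."""
    return m.get("Protocol") == "TCP" and 5900 <= int(m.get("ExternalPort", 0)) <= 6000


def fetch_mapping(index: int, control_url: str = CONTROL_URL) -> dict:
    """Ask the live router for mapping `index`; the IGD answers HTTP 500 once the index runs past the end."""
    req = urllib.request.Request(control_url, data=build_request(index), headers={
        "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE}#{ACTION}"'})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_mapping(resp.read())
```

Loop `fetch_mapping(i)` from 0 until it raises `urllib.error.HTTPError` to walk every mapping; any entry that `is_vnc_mapping` flags was opened without a manual port-forward rule.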

aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA
Linksys E4200
ARRIS SB6141

aefstoggaflm

Premium Member

said by garywk:

Why do these idiot developers do this stupid stuff? They know their protocol isn't secure. They know some people will use remote desktop on only their internal LAN. So, they open firewall ports without telling anyone. They must be Microsoft developers at heart where security vulnerabilities == features.

I agree with what you suspect, they are/were MS developers.

I guess that they were thinking that people are lazy.

KodiacZiller
Premium Member
join:2008-09-04
73368

KodiacZiller to aefstoggaflm

Premium Member

to aefstoggaflm
said by aefstoggaflm:

said by vue666:

Thanks kindly... My router has UPnP enabled by default and there doesn't appear to be a way to disable it via the web configuration page. Router is an Airlink101 AR504...

It has the latest firmware... Maybe it's time for a new router...

Yes

OR third party firmware for your router (if that is even possible). DD-WRT, Tomato..

Be warned that UPnP is turned on by default in the Tomato firmware. You will have to turn it off manually.

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia to firephoto

Premium Member

to firephoto
If it's just a switch, it does not employ NAT like a router. Thus, your service would be visible from the outside. Due to the control demonstrated over your X11 session and the cliche terminal entry that followed, I would wager it was your vnc. Simple solution is to be more careful about leaving services open. Your symptoms are not consistent with a buffer overflow exploit. So, relax and firewall and/or password services, as warranted.

Edit: Oops, reply was for OP
vue666 (banned)
Let's make Canchat better!!!
join:2007-12-07

vue666 (banned)

Member

Thanks kindly... It's an Airlink101 AR504 router... Sadly it is not supported by the Tomato firmware or other 3rd parties...