garywk
join:2001-03-06
Clarkston, WA

garywk to mich64

Member

Re: Ubuntu computer hijacked by hacker

said by mich64:

Well, it's good to hear that nothing you don't know about listens for incoming connections on your router, but it certainly doesn't rule out the possibility that VNC _used_to_ listen for them before.

Ummm.... Say what? Where do you get the idea that a port listening on a computer connected to a LAN behind a firewall causes a port to listen on the WAN side of the firewall/router that is acting as the gateway for the LAN? It's just not going to happen.
mich64
join:2008-08-30

Member

said by garywk:

Ummm.... Say what? Where do you get the idea that a port listening on a computer connected to a LAN behind a firewall causes a port to listen on the WAN side of the firewall/router that is acting as the gateway for the LAN? It's just not going to happen.

I've never claimed that. That's why I said "nothing is listening _on_your_router_". Maybe it wasn't entirely clear, but what I meant was "nothing is listening on ports forwarded from the router", like this VNC probably was.
garywk
join:2001-03-06
Clarkston, WA

Member

Well, I guess I misunderstood then, but I'm still not sure of your point. How could the vncserver be listening on a firewall port if the firewall port is closed and no port forwarding is enabled? UPnP is not supported by tightvnc in any documentation that I can find, so that is most probably not a possible vector of attack.

The port would have to be open then and now unless either the router itself is compromised, or one of the machines in the LAN is compromised so that the bad guy has access to the network at all times and can originate traffic from inside the network and/or reconfigure the router at will.

It would seem to me that it's a pretty tall order for a cracker to get you to download an executable using a Linux bittorrent client, and then chmod the file so that it has execute permissions once it's on the hard drive so he can use that malware to access the remote desktop. I've never heard of bittorrent being misused that way. I can see how it would work in Windows as MS ties read and execute permissions together, but not Linux.
mich64
join:2008-08-30

Member

It seems that GNOME dudes have hacked together their own server:
»www.debianadmin.com/remo ··· ntu.html

And here goes the scary stuff:
»bugzilla.gnome.org/show_ ··· d=578767

Status: RESOLVED FIXED

KodiacZiller
Premium Member
join:2008-09-04
73368

1 recommendation

Premium Member

said by mich64:

It seems that GNOME dudes have hacked together their own server:
»www.debianadmin.com/remo ··· ntu.html

And here goes the scary stuff:
»bugzilla.gnome.org/show_ ··· d=578767

Status: RESOLVED FIXED

Yikes. There's our problem, just as I suspected. VNC opens a port automatically on the router.

EUS
Kill cancer
Premium Member
join:2002-09-10
canada

1 recommendation

Premium Member

UPnP is Eeeevil!
equivocal
join:2008-01-23
USA

equivocal to KodiacZiller

Member

Evidence that all the effort to make Linux just as good as Windows is really paying off.

But I'm glad I ran across this discussion. I know it's something I'll need to remember...hey, is that a shiny object...
garywk
join:2001-03-06
Clarkston, WA

1 recommendation

garywk to mich64

Member

Thanks, that was news to me. I hadn't used tightvnc or remote desktop sharing in a long time, but when I did it wasn't opening up a port via UPnP.

Why do these idiot developers do this stupid stuff? They know their protocol isn't secure. They know some people will use remote desktop on only their internal LAN. So, they open firewall ports without telling anyone. They must be Microsoft developers at heart where security vulnerabilities == features.

The strange thing about this is that I fired up wireshark, enabled desktop sharing, and saw no network traffic related to this.

aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA
Linksys E4200
ARRIS SB6141

Premium Member

said by garywk:

Why do these idiot developers do this stupid stuff? They know their protocol isn't secure. They know some people will use remote desktop on only their internal LAN. So, they open firewall ports without telling anyone. They must be Microsoft developers at heart where security vulnerabilities == features.

I agree, what you suspect, they are/were MS developers.

I guess that they were thinking that people are lazy.