
Thread: I've been hacked

  1. #1
    Join Date
    Jun 2008
    Beans
    4

    I've been hacked

    My Ubuntu machine was hacked yesterday: as I watched, a fresh tab was opened in Chrome, taken to moneygram.com, and then the details for a transfer to Romania were typed in. I moved the cursor to another box while the hacker was typing and they noticed, deleted the characters and went back to the original box. I then unplugged my router.

    How can I find out if this is wardriving or a hack via ssh or some other way? I've changed my wifi passkey and I switch the router off when it's not being used, but how can I protect against an internet connection intrusion?

    Is one form of attack more likely given that my computer was being remotely controlled in this way?

    Thanks for any help you can give me.

    Michael

  2. #2
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    5,836
    Distro
    Xubuntu 15.04 Vivid Vervet

    Re: I've been hacked

    I think you most likely left the VNC service enabled. It's a remote desktop setting somewhere (can't remember where though). The dangerous thing is a checkbox that says to allow the internet to connect, but doesn't warn you that this will actually use UPnP to reconfigure your router to forward incoming connections to your PC.

    You can verify which ports on your computer are accepting connections with the command:
    Code:
    netstat -lt
    VNC will show up as port 5900 if it's accepting calls.
    Last edited by CharlesA; June 3rd, 2012 at 04:03 AM. Reason: replaced quote tags with code tags
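
Added example (not part of any post in this thread): the listening-port check from the reply above, turned into a filter that reads `netstat -ltn` output and reports every TCP listener bound to a non-loopback address, labelling VNC and SSH. The function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag TCP listeners that other hosts can reach.
# Feed it `netstat -ltn` output (-n keeps ports numeric, so 5900 is not renamed).

flag_exposed_listeners() {
    awk '
    $1 ~ /^tcp/ && $NF == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)            # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "::1" || host ~ /^127\./) next   # loopback only: skip
        p = port + 0                                 # force numeric comparison
        note = ""
        if (p >= 5900 && p <= 5909) note = " (VNC)"  # display :N listens on 5900+N
        else if (p == 22)           note = " (SSH)"
        print "EXPOSED " addr note
    }'
}

# Constructed sample input, not captured from the machine in this thread.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
EOF
}

# Live use: netstat -ltn | flag_exposed_listeners
sample_netstat | flag_exposed_listeners
```

A line marked EXPOSED only means the socket is bound to a non-loopback address; whether it can be reached from the internet still depends on the firewall and on the router's port forwarding, including forwards created through UPnP.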

  3. #3
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I've been hacked

    Also, check your firewall status...
    Code:
    #If you haven't already done so, enable ufw
    sudo ufw enable
    #Now show what ports are open and to whom
    sudo ufw status verbose
    #If remote desktop is the problem, turn off all incoming connections
    sudo ufw default deny
    #Or just the standard SSH port
    sudo ufw deny 22
    #If extra paranoid, turn off PING
    gksudo gedit /etc/ufw/before.rules
    #Go to the bit that is commented "ok icmp codes", and edit it to say
    #(these are lines in the file, not shell commands; DROP is the iptables target for blocked packets):
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
    -A ufw-before-input -p icmp --icmp-type source-quench -j DROP
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
    -A ufw-before-input -p icmp --icmp-type echo-request -j DROP
    #Save the file, then reload the rules
    sudo ufw reload
    Hopefully that will solve your problem.

    EDIT: @The Cog. I've just noticed that command is in QUOTE tags. In case there is any confusion.
    Last edited by 0011235813; June 2nd, 2012 at 02:30 PM.
    Read my technology blog at: http://penguincampaigner.wordpress.com

  4. #4
    Join Date
    Jun 2008
    Beans
    4

    Re: I've been hacked

    Thank you both so much for your replies. Yes, the remote desktop was on and without a password required! I've switched it off and set those firewall rules.

    Thank you!

  5. #5
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: I've been hacked

    If you notice any similar issues, don't hesitate to post them. You may want to mark this thread as solved by clicking on Thread Tools - Mark This Thread as Solved.

  6. #6
    Join Date
    Oct 2005
    Location
    Al Ain
    Beans
    8,159

    Re: I've been hacked

    Congratulations! There are many tales of VNC woe on these forums and you have joined the club.

    The moral of the story is: Don't play with a daemon before reading up on what it does and how it works and when you are done playing, disable it.

  7. #7
    Join Date
    Jun 2008
    Beans
    4

    Re: I've been hacked

    Yes, it was very spooky. I'm just glad I was there to stop it. I don't know if they'd've been able to use my account details or if they were going to use my machine with someone else's account to hide their IP address.

    I've been using Ubuntu for years - I'm not a noob. I can't remember ever leaving the VNC server open with no password! Surely I wouldn't do anything that dumb...

  8. #8
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: I've been hacked

    Keep in mind - if you have had VNC enabled for a while and only saw someone using the machine when you were at it, it may have been used when you were not at it.

    Personally I would back up your home folder, wipe the machine and restore my files from backups.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...

  9. #9
    Join Date
    Oct 2008
    Location
    /var/log/uk :-)
    Beans
    212
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: I've been hacked

    I'm with Charles on this. If this was the first time they had been on the machine, surely they would have had a look around and not opened a tab straight away?

    Might be worth having a look back at /var/log/auth.log to see if there is anything in there; they might have been on your machine for months.

    Back up your data, format and re-install, and also untick UPnP on your router.

  10. #10
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: I've been hacked

    Better yet, don't use VNC.
