Ubuntu 12.04 - Hacker Typing on My Screen

[dsurfer21]

I am 100% certain my machine was hacked. I am running Ubuntu 12.04 and had skype open (no connection with anyone) and Firefox, gmail and gchat in the firefox window and someone started type commands in my window and in my chat with a friend on my gchat account. They even typed an obscenity in my chat window!

I opened a command window pressing Alt CTRL T to try and reboot real fast because when i tried to move the mouse to restart he or she kept moving it away. In the terminal window the person kept trying to type this in: punapmep p-a

I just rebooted my machine. Is there anything I should do right now? Reformatting is not an option at this moment because I am traveling right now and I need a computer to check email consistently. How can I find out where the security breach is and how can I stop it right now?


Eventually I just pressed the power button to turn it off and rebooted.

Any advice on what I can or should do?
Thanks

[QIII]

Are you using an unsecured WiFi hotspot?

[dsurfer21]

No, not at the moment this happened. I am using a Wifi connection at a university.

[Irihapeti]

Also, is remote desktop enabled?

[dsurfer21]

Thanks! I believe remote desktop is enabled. How can I check?

A few weeks or longer ago I had used remote desktop to log in to an embedded system I was testing for a robotics project.
Is this likely how this hacker got control of my machine?

[Irihapeti]

Type "vino" in a terminal (without the quotes) and it should open the remote desktop control panel. If you're using unity, "remote desktop" or "desktop sharing" should do the same thing. Alternatively, choose desktop sharing preferences (or similar wording) in preferences. I'm a little vague about this because it's one of the first things I remove after doing an install.

This link, although for 11.04, will show you what to look for. http://www.unixmen.com/how-to-use-re...top-in-ubuntu/ In your case, you don't want sharing enabled.

From what you've described, I wouldn't be at all surprised to find that you've somehow enabled it.

[QIII]

You should consider your machine well and truly compromised. Who knows how long you were sidejacked and what session info someone got. You need to immediately change all passwords all over the web -- AFTER you have a secure, preferably wired, connection on a different machine.

[dsurfer21]

Thanks!

When I run vino I see:

D-ubuntu:~$ vino
No command 'vino' found, did you mean:
Command 'pino' from package 'pino' (universe)
Command 'dino' from package 'dino' (universe)
Command 'bino' from package 'bino' (universe)
Command 'kino' from package 'kino' (universe)
Command 'vina' from package 'autodock-vina' (universe)
Command 'vinfo' from package 'radiance' (universe)
vino: command not found

When I go into desktop sharing, i did see that enable others to control and see my desktop were selected. I disabled this right now.

I definitely need desktop sharing to interface with my robotics prototypes that are running ubuntu on embedded processors. I was using Remmina to do this. I am assuming I can still do this succesfully, even after disabling the desktop sharing on this laptop?

Thanks.

[1clue]

About the security at the time of this incident:

1. Were you in a public space? Meaning, did somebody have a chance to see your screen as this happened, and/or could they have seen you type the password to your computer?
2. Is your password easily guessable by somebody who knows who you are?
   
   1. Some part of your name, or the name of someone important to you?
   2. Otherwise based on personal information or favorite themes?
   3. A simple word?
   
   
3. Could there have been a witness from a previous session who could see the screen, or who knows the password to your RDP?

What is the output of netstat -tunlp

By needing desktop sharing, you mean you use this machine to access others using remote desktop, or that other machines access your machine? In any of this, do you have an unprotected password or saved password?

[dsurfer21]

Thanks 1clue.

Basically I have some ebedded processors running on some robotic hardware. I want to see the camera feed that is on the robot so I use desktop sharing and remmina to login from my laptop and see the screen on the robot's ubuntu setup and to see the video feed in the desktop. I do not need for the embedded processors to access my laptop's desktop. Therefore I am guessing that disabling the desktop sharing as I just did , will still allow me to control the embedded processor's desktop.


Nobody would have seen my password in person or guessed it easily. Over the last week and a half I was in a hotel using the wifi, and then at starbucks briefly. Since then I have used wifi in a university office room.

I will look for a wired connection here at the university and change all my web passwords just to be careful. I'm not sure what else I can or should do? I was hoping to avoid a reformat. Is this necessary?

I think this happened today as far as someone accesing my machine. They were fooling around and typing messages in my gchat session with my friend like "suck my ****" and other immature things. I wonder if they were not really trying to do anything harmful other than fool around but I don't know. I am not sure if this person likely is on the wifi network here at the university and is just fooling around? This happened while I was on the university's wifi network this afternoon.

I am running skype right now.

Here is what netstat -tunlp shows:

@D-ubuntu:~$ netstat -tunlp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:44052 0.0.0.0:* LISTEN 3793/skype
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3350 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:3389 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
udp 0 0 0.0.0.0:44471 0.0.0.0:* -
udp 0 0 0.0.0.0:44052 0.0.0.0:* 3793/skype
udp 0 0 127.0.0.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 127.0.0.1:52400 0.0.0.0:* 3793/skype
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp6 0 0 :::55253 :::* -
udp6 0 0 :::5353 :::* -