  1. #1
    Just Joined!
    Join Date
    Apr 2011
    Posts
    2

    My computer was compromised. How?


    I would like some advice on how to find out how someone accessed my Fedora 14 machine a couple of days ago. Someone used VNC to run some commands, apparently with the intent to install some DDoS software and some IRC file sharing software (iroffer).

    It's important to me to understand how he (let's assume a "he") was able to connect, since I don't know if any of my other computers could be compromised.

    This particular system is behind a (Tomato) router that is not set to forward any ports. The system was enabled for desktop/VNC sharing with no password. The software firewall was turned off. The system was probably about a month behind on the security updates.

    My main question is this: did he get on my network (protected by WPA or WPA2) and then connect to the machine? Or was he able to somehow tunnel through my router using some exploit that is specific to this particular machine?

    (I have already disconnected this system from the network.)

  2. #2
    Linux Guru coopstah13
    Join Date
    Nov 2007
    Location
    NH, USA
    Posts
    3,149
    If your router has no ports open, it couldn't have come from outside the network unless for some reason it has a security issue.

    Probably someone got onto your network wirelessly.

    Are you sure you are using WPA/WPA2 and not WEP? WEP is very easy to crack, WPA/WPA2 not so much, but if your key is short and/or not very obfuscated it wouldn't be awful to crack it.

    I don't think VNC passwords are particularly great either; since they are limited to 8 characters, it wouldn't take much time to crack that.

    I think you should double check your wifi network security settings.

  3. #3
    Just Joined!
    Join Date
    Apr 2011
    Posts
    2

    Found it

    Okay, I'm pretty certain I figured it out: my VNC server (vino) basically created a tunnel with a different IP address, so it eliminated the need for port forwarding.

    This can be a nice feature, but I think that vino really should show a big warning message if the user enables this. An attack would be as simple as figuring out which IP addresses vino uses, and then trying to connect with VNC. If the user has no password and uses port 5900, the system is wide open.
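
The exposure described in the last post (a VNC server on port 5900 that accepts connections with no password) is visible in the RFB handshake itself. The following is an added example, not part of the original thread: a Python check that reads the handshake from a machine you administer and reports whether the server offers the "None" security type. The function names and the sample bytes are constructed for illustration.

```python
import socket

# Security type numbers defined by the RFB protocol (RFC 6143, section 7.1.2).
NONE, VNC_AUTH = 1, 2

def client_version(banner: bytes) -> bytes:
    """Choose the ProtocolVersion reply for a server's 12-byte banner."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError("not an RFB ProtocolVersion banner")
    server = (int(banner[4:7]), int(banner[8:11]))
    if server >= (3, 8):
        return b"RFB 003.008\n"
    if server == (3, 7):
        return b"RFB 003.007\n"
    return b"RFB 003.003\n"

def offered_security_types(reply: bytes, payload: bytes) -> list:
    """Parse what the server sent after our version reply."""
    if reply == b"RFB 003.003\n":
        # 3.3: the server dictates one type as a big-endian 32-bit integer.
        if len(payload) < 4:
            raise ValueError("truncated security type")
        return [int.from_bytes(payload[:4], "big")]
    # 3.7 and 3.8: a count byte followed by that many one-byte types.
    if not payload or len(payload) < 1 + payload[0]:
        raise ValueError("truncated security type list")
    return list(payload[1:1 + payload[0]])  # empty list: server refused

def is_open(types) -> bool:
    """True when a client may connect with no password at all."""
    return NONE in types

def audit(host="127.0.0.1", port=5900, timeout=3.0):
    """Probe a VNC server on a machine you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12, socket.MSG_WAITALL)
        reply = client_version(banner)
        s.sendall(reply)
        payload = s.recv(64)  # a handful of bytes; one read is enough in practice
    types = offered_security_types(reply, payload)
    return {"banner": banner.decode("ascii").strip(), "types": types, "open": is_open(types)}

if __name__ == "__main__":
    # Constructed sample: a 3.8 server offering only "None", i.e. no password.
    print(offered_security_types(b"RFB 003.008\n", b"\x01\x01"))
```

Running `audit()` against the machine's LAN address as well as `127.0.0.1` shows whether the listener is reachable from other hosts on the network.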
