Re: Security Breached



comphelp@xxxxxxxxx (Todd H.) writes:

Randy Yates <yates@xxxxxxxx> writes:
Hi,

I have a typical home network that looks like this:

machine type          connection type
------------          ---------------
desktop pc 1          wired
desktop pc 2          wireless
laptop                wireless
network printer       wired


Hi Randy, long time no chat. Sorry to reacquaint in these
circumstances.

Hi Todd. I sent an email to you asking you to phone me - I guess
you didn't get it.

dlink dir 655 router

How updated is that dlink?
http://news.softpedia.com/news/Symantec-Suspects-D-Link-Routers-for-Bot-Attack-Vulnerability-81730.shtml

Version: 1.21
Date: 2008/09/11
Latest

Have you checked its configuration lately? Any possibility it's been
compromised and, say, you have a PC or two sitting mysteriously in the
DMZ of the router instead of on the LAN? Any port forwards you
didn't put in there yourself?

Not that I can see, on both the DMZ and port forward questions.

Time-warner "surfboard" cable modem

I run Fedora 11, fully updated, on all computers.

I have the vnc port blocked at the router so I presumed it was safe to
leave my vnc passwords open on machines on my local network.

Is that to say you had no vnc passwords set? If so, any one point
compromised on your lan, then finding vnc into anything would be
trivial of course.

Yes, that's true. I presumed that my security was so tight I didn't
need one. That assumes the router's security is good, of course.

Has that laptop ever ventured outside of your friendly LAN to a public
wireless network perchance?

Yes, at NCSU via their wireless system. But the last time I was there
was a year ago.

Also, due to a wireless network adapter card that's not very
well-supported under Fedora 11, I was forced to run WEP security on my
wireless network. Yeah yeah, I know - that's no security at all.

Oy... that's ... pretty bad.

Marvell drivers aren't provided for that Netgear card...


Well, some stranger vnc'ed into my laptop. I was there when it happened
and the vnc server I'm using (fedora 11) displays the connection's ip
address and it was 119.205.217.141.

Yikes. That sucks. Any router logs to speak of?

Unfortunately, not any more. I didn't have the "mail log to my account
when log is full" option set, and the event got scrolled off the log
before I had a chance to view it.

If the reported address of the intruder was a typical local, private
network address like 192.168.x.y, I'd just chalk it up to a neighbor
that hacked my network. But 119.205.217.141 is a public IP address
somewhere in Asia. So I'm thinking he must have come in over the WAN
port.

I'd vote WAN attack as well.

Now the interesting question is how the hell did someone outside vnc
into that box and vnc be reporting that external IP... because had
they done it port forwarding over SSH (if your assumption of only SSH
is coming in was valid), then VNC would report the LAN IP of your
desktop PC as the client IP address. That it's reporting a foreign IP
is suggesting either a direct inbound connection (i.e. modification of
your router's port forwarding) or... more likely, something client
side initiated a reverse VNC session from your VNC server to a
waiting/listening client at that 119. ip address. The trigger for
that reverse vnc initiation could have been a flash or pdf file being
viewed, or any client-side exploit.

Well, I suppose that is a possibility.

But if he came in over the WAN port (e.g., over ssh), he would have
had to make a hop via my desktop pc since that's where ssh is NATed
to. Further, the desktop PC's ssh port was non-standard, root
access is disabled, and the main account password is quite long and
secure.

Though I doubt this was the path due to the issues above, I'll comment
that ssh port non-standard is immaterial, as it would be cheerfully
mapped to there by the NAT router's port forward, so the only trick
would be to find the listening ssh server on the router from the
outside. However, if your ssh server is up to date, and your password
very long, that'd suggest that someone brute forcing the sshd is
rather unlikely.

Right.

There is a rumored openssh 0day out there for the past month, but I
don't think it's ever been corroborated.
http://isc.sans.org/diary.html?storyid=6742

I heard about that too, but according to the folks on the #fedora
irc channel, it's already been patched/updated in the fedora repos,
so if your system is up-to-date, you're good to go on that one.
And mine is:

[root@localhost ~]# yum info openssh-server
Loaded plugins: refresh-packagekit
Installed Packages
Name : openssh-server
Arch : x86_64
Version : 5.2p1
Release : 2.fc11
Size : 553 k
Repo : installed
Summary : An open source SSH server daemon
URL : http://www.openssh.com/portable.html
License : BSD
Description: OpenSSH is a free version of SSH (Secure SHell), a program for logging
: into and executing commands on a remote machine. This package contains
: the secure shell daemon (sshd). The sshd daemon allows SSH clients to
: securely connect to your SSH server.

In addition, there are javascript and cross site scripting payloads
out there that implement port scanners inside the browser, so if you
happen upon a vulnerable website that's been XSS'd by a bad guy, and
suddenly you're running bad guy's javascript in your browser, badguy
could be port scanning your internal network from your
computer/browser, and sending results off in the form of http requests
out from your browser. Escalation to a shell from there relies on
finding some sort of browser vulnerability, unfortunately of which
there have been many many recently. There are even now signed java
applets an attacker can inject once inside your browser that can
cheerfully drop a rootkit or metasploit meterpreter payload. If
lucky, you might be prompted to accept the java applet, but as it'd
have been signed by something that looked trusted, you may not have
known.

That's scary.

So I feel it is highly unlikely he came in over the WAN port, but if
he came in over the wireless, I don't see how he could have a public
address in Asia.

Any theories on how my security was breached would be appreciated.

It could be explained most simply as a client-side attack.
Infected attachment in email or a drive-by attack on a website with
infected content (how diligent have you been updating Acrobat Reader
and Adobe Flash or Firefox in the past 6 months? They've all had quite
a TON of issues, some unfixed for decent chunks of time since the
0days were spotted in the wild).

Well, I installed via the Adobe repo, so when it has updates, I'd
install them usually within a couple of days. Still, what about the
time before the update?

Thanks for your ideas, Todd.
--
Randy Yates % "She has an IQ of 1001, she has a jumpsuit
Digital Signal Labs % on, and she's also a telephone."
mailto://yates@xxxxxxxx %
http://www.digitalsignallabs.com % 'Yours Truly, 2095', *Time*, ELO
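Todd's point about what the VNC server's reported client address tells you (loopback or a LAN peer means a tunnel or LAN hop, a public peer on the listen port means a direct WAN path, and an outbound connection to a viewer's listen port 5500+ means a reverse VNC session) can be turned into a quick check of the live socket table. This is an added example, not code from either poster; the `ss -tn` style lines are constructed, and the 5900-5909 / 5500-5509 port ranges are the usual VNC defaults assumed here.

```python
"""Classify established VNC sockets the way the thread reasons about them."""
import ipaddress

VNC_LISTEN_PORTS = range(5900, 5910)   # server side, displays :0 .. :9
VNC_REVERSE_PORTS = range(5500, 5510)  # viewer side 'listen mode' ports


def classify(local_port, remote_ip, remote_port):
    """Return tunnelled, lan-inbound, public-inbound, reverse-vnc or other."""
    peer = ipaddress.ip_address(remote_ip)
    if local_port in VNC_LISTEN_PORTS:
        if peer.is_loopback:
            return "tunnelled"       # ssh -L forward terminating on this host
        if peer.is_private:
            return "lan-inbound"     # LAN host, or an ssh hop via the gateway PC
        if peer.is_global:
            return "public-inbound"  # direct WAN path: check DMZ / port forwards
    elif remote_port in VNC_REVERSE_PORTS and peer.is_global:
        return "reverse-vnc"         # our server dialled out to a waiting viewer
    return "other"


def parse_ss_line(line):
    """Parse 'ESTAB recvq sendq LOCAL:PORT PEER:PORT'; None for other rows."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "ESTAB":
        return None
    _, lport = fields[3].rsplit(":", 1)
    rip, rport = fields[4].rsplit(":", 1)
    return int(lport), rip, int(rport)


def review(ss_output):
    """Map every established connection to (peer, verdict)."""
    results = []
    for line in ss_output.splitlines():
        parsed = parse_ss_line(line)
        if parsed is not None:
            lport, rip, rport = parsed
            results.append((f"{rip}:{rport}", classify(lport, rip, rport)))
    return results


# Constructed sample output; the public peer is the address quoted in the thread.
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 127.0.0.1:5900 127.0.0.1:45120
ESTAB 0 0 192.168.0.12:5900 192.168.0.10:52311
ESTAB 0 0 192.168.0.12:5900 119.205.217.141:51234
ESTAB 0 0 192.168.0.12:38822 119.205.217.141:5500
"""

if __name__ == "__main__":
    for peer, verdict in review(SAMPLE_SS_OUTPUT):
        print(f"{peer:24} {verdict}")
```

Feed it real `ss -tn` output to see whether a suspicious session was inbound through the router or an outbound reverse connection from the server itself.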