Re: Security Breached
- From: Randy Yates <yates@xxxxxxxx>
- Date: Wed, 12 Aug 2009 10:46:00 -0400
comphelp@xxxxxxxxx (Todd H.) writes:
Randy Yates <yates@xxxxxxxx> writes:
I have a typical home network that looks like this:
machine type connection type
desktop pc 1 wired
desktop pc 2 wireless
network printer wired
Hi Randy, long time no chat. Sorry to reacquaint in these
Hi Todd. I sent an email to you asking you to phone me - I guess
you didn't get it.
dlink dir 655 router
How updated is that dlink?
Have you checked its configuration lately? Any possibility it's been
compromised and, say, you have a PC or too sitting mysteriously in the
DMZ of the router instead of on the LAN? Any port forwards you
didn't put in there yourself?
Not that I can see, on both the DMZ and port forward questions.
Time-warner "surfboard" cable modem
I run Fedora 11, fully updated, on all computers.
I have the vnc port blocked at the router so I presumed it was safe to
leave my vnc passwords open on machines on my local network.
Is that to say you had no vnc passwords set? If so, any one point
compromised on your lan, then finding vnc into anything would be
trivial of course.
Yes, that's true. I presumed that my security was so tight I didn't
need one. That assumes the router's security is good, of course.
Has that laptop ever ventured outside of your friendly LAN to a public
wireless network perchance?
Yes, at NCSU via their wireless system. But the last time I was there
was a year ago.
Also, due to a wireless network adapter card that's not very
well-suported under Fedora 11, I was forced to run WEP security on my
wireless network. Yeah yeah, I know - that's no security at all.
Oy... that's ... pretty bad.
Marvell drivers aren't provided for that Netgear card...
Well, some stranger vnc'ed into my laptop. I was there when it happened
and the vnc server i'm using (fedora 11) displays the connection's ip
address and it was 188.8.131.52.
Yikes. That sucks. Any router logs to speak of?
Unfortunately, not any more. I didn't have the "mail log to my account
when log is full" option set, and the event got scrolled off the log
before I had a chance to view it.
If the reported address of the intruder was a typical local, private
network address like 192.168.x.y, I'd just chalk it up to a neighbor
that hacked my network. But 184.108.40.206 is a public IP address
somewhere in Asia. So I'm thinking he must have come in over the WAN
I'd vote WAN attack as well.
Now the interesting question is how the hell did someone outside vnc
into that box and vnc be reporting that external IP... because had
they done it port forwarding over SSH (if your assumption of only SSH
is coming in was valid), then VNC would report the LAN IP of your
desktop PC as the client IP address. That it's reporting a foreign IP
is suggesting either a direct inbound connection (i.e. modification of
your router's port forwarding) or... more likely, something client
side initiated a reverse VNC session from your VNC server to a
waiting/listening client at that 119. ip address. The trigger for
that reverse vnc initiation could have been a flash or pdf file being
viewed, or any client-side exploit.
Well, I suppose that is a possiblity.
But if he came in over the WAN port (e.g., over ssh), he would have
had to make a hop via my desktop pc since that's where ssh is NATed
to. Further, the desktop PC's ssh port was non-standard, root
access is disabled, and the main account password is quite long and
Though I doubt this was the path due to the issues above, I'll comment
that ssh port non-standard is immaterial, as it would be cheerfully
mapped to there by the NAT router's port forward, so the only trick
would be to find the listening ssh server on the router from the
outside. However, if your ssh server is up to date, and your password
very long that'd suggest that someone brute forcing the sshd to be
There is a rumored openssh 0day out there for the past month, but I
don't think it's ever been corroborated.
I heard about that too, but according to the folks on the #fedora
irc channel, it's already been patched/updated in the fedora repos,
so if your system is up-to-date, you're good to go on that one.
And mine is:
[root@localhost ~]# yum info openssh-server
Loaded plugins: refresh-packagekit
Name : openssh-server
Arch : x86_64
Version : 5.2p1
Release : 2.fc11
Size : 553 k
Repo : installed
Summary : An open source SSH server daemon
URL : http://www.openssh.com/portable.html
License : BSD
Description: OpenSSH is a free version of SSH (Secure SHell), a program for logging
: into and executing commands on a remote machine. This package contains
: the secure shell daemon (sshd). The sshd daemon allows SSH clients to
: securely connect to your SSH server.
out there that implement port scanners inside the browser, so if you
happen upon a vulnerable website that's been XSS'd by a bad guy, and
could be port scanning your internal network from our
computer/browser, and sending results off in the form of http requests
out from your browser. Escalation to a shell from there relies on
finding some sort of browser vulnerability, unfortunately of which
there have been many many recently. There are even now signed java
applets an attacker can inject once inside your browser that can
cheerfully drop a rootkit or metasploit meterpreter payload. If
lucky, you might be prompted to accept the java applet, but as it'd
have been signed by something tha tlooked trusted, you may not have
So I feel it is highly unlikely he came in over the WAN port, but if
he came in over the wireless, I don't see how he could have a public
address in Asia.
Any theories on how my security was breached would be appreciated.
It could be a simply explained most simply as a client-side attack.
Infected attachment in email or a drive by attack on a website with
infected content (how diligent have you been updating Acrobat Reader
and Adobe Flash or Firefox in the past 6 months? They've all had quite
a TON of issues, some unfixed for decent chunks of time since the
0days were spotted in the wild).
Well, I installed via the Adobe repo, so when it has updates, I'd
install them usually within a couple of days. Still, what about the
time before the update?
Thanks for your ideas, Todd.
Randy Yates % "She has an IQ of 1001, she has a jumpsuit
Digital Signal Labs % on, and she's also a telephone."
http://www.digitalsignallabs.com % 'Yours Truly, 2095', *Time*, ELO