Security Breached

I have a typical home network that looks like this:

machine type     connection type
------------     --------------
desktop pc 1     wired
desktop pc 2     wireless
laptop           wireless
network printer  wired

dlink dir 655 router
Time-warner "surfboard" cable modem

I run Fedora 11, fully updated, on all computers.

I have the vnc port blocked at the router so I presumed it was safe to
leave my vnc passwords open on machines on my local network.

Also, due to a wireless network adapter card that's not very
well-supported under Fedora 11, I was forced to run WEP security on my
wireless network. Yeah yeah, I know - that's no security at all.

Well, some stranger vnc'ed into my laptop. I was there when it happened
and the vnc server i'm using (fedora 11) displays the connection's ip
address and it was

If the reported address of the intruder was a typical local, private
network address like 192.168.x.y, I'd just chalk it up to a neighbor
that hacked my network. But is a public IP address
somewhere in Asia. So I'm thinking he must have come in over the WAN

But if he came in over the WAN port (e.g., over ssh), he would have had
to make a hop via my desktop pc since that's where ssh is NATed to.
Further, the desktop PC's ssh port was non-standard, root access is
disabled, and the main account password is quite long and secure.

So I feel it is highly unlikely he came in over the WAN port, but if he
came in over the wireless, I don't see how he could have a public
address in Asia.

Any theories on how my security was breached would be appreciated.
Randy Yates                      % "My Shangri-la has gone away, fading like
Digital Signal Labs              %  the Beatles on 'Hey Jude'"
mailto://          % % 'Shangri-La', *A New World Record*, ELO

Re: Security Breached

Hi Randy, long time no chat.  Sorry to reacquaint in these

How updated is that dlink?

Have you checked its configuration lately?  Any possibility it's been
compromised and, say, you have a PC or two sitting mysteriously in the
DMZ of the router instead of on the LAN?   Any port forwards you
didn't put in there yourself?

Is that to say you had no vnc passwords set?  If so, any one point
compromised on your lan, then finding vnc into anything would be
trivial of course.

Has that laptop ever ventured outside of your friendly LAN to a public
wireless network perchance?

Oy... that's ... pretty bad.  

Yikes.  That sucks.   Any router logs to speak of?

I'd vote WAN attack as well.

Now the interesting question is how the hell did someone outside vnc
into that box and vnc be reporting that external IP... because had
they done it port forwarding over SSH (if your assumption of only SSH
is coming in was valid), then VNC would report the LAN IP of your
desktop PC as the client IP address.  That it's reporting a foreign IP
is suggesting either a direct inbound connection (i.e. modification of
your router's port forwarding) or... more likely,  something client
side initiated a reverse VNC session from your VNC server to a
waiting/listening client at that 119. ip address.     The trigger for
that reverse vnc initiation could have been a flash or pdf file being
viewed, or any client-side exploit.  

Though I doubt this was the path due to the issues above, I'll comment
that ssh port non-standard is immaterial, as it would be cheerfully
mapped to there by the NAT router's port forward, so the only trick
would be to find the listening ssh server on the router from the
outside.  However, if your ssh server is up to date, and your password
very long that'd suggest that someone brute forcing the sshd to be
rather unlikely.

There is a rumored openssh 0day out there for the past month, but I
don't think it's ever been corroborated.

In addition, there are javascript and cross site scripting payloads
out there that implement port scanners inside the browser, so if you
happen upon a vulnerable website that's been XSS'd by a bad guy, and
suddenly you're running bad guy's javascript in your browser, badguy
could be port scanning your internal network from your
computer/browser, and sending results off in the form of http requests
out from your browser.    Escalation to a shell from there relies on
finding some sort of browser vulnerability, unfortunately of which
there have been many many recently.  There are even now signed java
applets an attacker can inject once inside your browser that can
cheerfully drop a rootkit or metasploit meterpreter payload.  If
lucky, you might be prompted to accept the java applet, but as it'd
have been signed by something that looked trusted, you may not have

It could be explained most simply as a client-side attack.
Infected attachment in email or a drive by attack on a website with
infected content (how diligent have you been updating Acrobat Reader
and Adobe Flash or Firefox in the past 6 months? They've all had quite
a TON of issues, some unfixed for decent chunks of time since the
0days were spotted in the wild).  

Todd H. /
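The reply above turns on one observation: the client address the VNC server displays tells you which path was used (an SSH port-forward through the desktop would show the desktop's LAN address, a direct inbound connection needs a router port forward or DMZ entry, and a reverse VNC session initiated by the server would still show the remote listener's public address). The script below is an added example, not code from anyone in this thread, that applies that reasoning to a list of connections in the shape of `ss -tn` output. The sample lines, the LAN prefix 192.168.0.0/24, the desktop address 192.168.0.10 and the addresses in the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges are all constructed; the only real facts it relies on are the default RFB port 5900 and the default port 5500 on which a listening viewer waits for a reverse connection.

```python
"""Classify the VNC-related TCP connections seen on a LAN host.

Added example for this thread (not code posted by anyone in it). It encodes
the reasoning in the reply above: the client address a VNC server reports
tells you which path was used. The `ss -tn`-style lines at the bottom are
constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges),
as are the LAN prefix and the desktop's address.
"""
import ipaddress
from dataclasses import dataclass

VNC_SERVER_PORT = 5900   # RFB display :0, where an inbound viewer connects
VNC_LISTEN_PORT = 5500   # where a "vncviewer -listen" client waits for a reverse connection


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def parse_ss_line(line: str) -> Conn:
    """Parse one 'STATE recv-q send-q local:port peer:port' line."""
    _state, _rq, _sq, local, peer = line.split()[:5]
    lip, _, lport = local.rpartition(":")
    rip, _, rport = peer.rpartition(":")
    return Conn(lip, int(lport), rip, int(rport))


def classify(conn: Conn, lan_net: str, ssh_host_ip: str) -> str:
    """Map one connection to the intrusion path it would indicate."""
    lan = ipaddress.ip_network(lan_net)
    remote = ipaddress.ip_address(conn.remote_ip)

    if conn.local_port == VNC_SERVER_PORT:
        # Someone connected *to* our VNC server.
        if remote in lan:
            if conn.remote_ip == ssh_host_ip:
                # An SSH port-forward on the desktop makes the viewer look
                # like the desktop's own LAN address, not the real origin.
                return "inbound-via-ssh-forward"
            return "inbound-from-lan-host"   # another LAN host, e.g. a wireless intruder
        # A non-LAN address reaching 5900 directly needs a router port
        # forward or DMZ entry, which is what the reply suggests checking.
        return "inbound-direct-from-outside"

    if conn.remote_port == VNC_LISTEN_PORT:
        # Our server connected *out* to a listening viewer: reverse VNC.
        # This is the path a client-side exploit would use, and the server
        # still displays the remote (public) address as the "client".
        return "outbound-reverse-vnc" if remote not in lan else "outbound-reverse-vnc-lan"

    return "unrelated"


def triage(ss_output: str, lan_net: str, ssh_host_ip: str) -> dict:
    """Return {label: [connections]} for every line that is not 'unrelated'."""
    findings = {}
    for line in ss_output.strip().splitlines():
        conn = parse_ss_line(line)
        label = classify(conn, lan_net, ssh_host_ip)
        if label != "unrelated":
            findings.setdefault(label, []).append(conn)
    return findings


# Constructed sample, in the shape of `ss -tn` output taken on the laptop.
SAMPLE_SS = """\
ESTAB 0 0 192.168.0.12:5900  192.168.0.10:51234
ESTAB 0 0 192.168.0.12:5900  192.168.0.33:40112
ESTAB 0 0 192.168.0.12:5900  203.0.113.7:52001
ESTAB 0 0 192.168.0.12:44120 198.51.100.9:5500
ESTAB 0 0 192.168.0.12:38822 192.168.0.20:631
"""
LAN_NET = "192.168.0.0/24"   # constructed
DESKTOP_IP = "192.168.0.10"  # constructed: the host SSH is NATed to

if __name__ == "__main__":
    for label, conns in triage(SAMPLE_SS, LAN_NET, DESKTOP_IP).items():
        print(label)
        for c in conns:
            print(f"  {c.local_ip}:{c.local_port} <-> {c.remote_ip}:{c.remote_port}")
```

On a real host you would feed it the output of `ss -tn` (or `netstat -tn`) taken while the session is up; the one label worth acting on immediately is `outbound-reverse-vnc`, because it means the server process itself opened the connection, which points at something running locally rather than at the router.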

Re: Security Breached (Todd H.) writes:

Hi Todd. I sent an email to you asking you to phone me - I guess
you didn't get it.

Version: 1.21
Date: 2008/09/11

Not that I can see, on both the DMZ and port forward questions.

Yes, that's true. I presumed that my security was so tight I didn't
need one. That assumes the router's security is good, of course.

Yes, at NCSU via their wireless system. But the last time I was there
was a year ago.

Marvell drivers aren't provided for that Netgear card...

Unfortunately, not any more. I didn't have the "mail log to my account
when log is full" option set, and the event got scrolled off the log
before I had a chance to view it.

Well, I suppose that is a possibility.


I heard about that too, but according to the folks on the #fedora
irc channel, it's already been patched/updated in the fedora repos,
so if your system is up-to-date, you're good to go on that one.
And mine is:

[root@localhost ~]# yum info openssh-server
Loaded plugins: refresh-packagekit
Installed Packages
Name       : openssh-server
Arch       : x86_64
Version    : 5.2p1
Release    : 2.fc11
Size       : 553 k
Repo       : installed
Summary    : An open source SSH server daemon
URL        :
License    : BSD
Description: OpenSSH is a free version of SSH (Secure SHell), a program for
           : into and executing commands on a remote machine. This package
           : the secure shell daemon (sshd). The sshd daemon allows SSH clients
           : securely connect to your SSH server.

That's scary.

Well, I installed via the Adobe repo, so when it has updates, I'd
install them usually within a couple of days. Still, what about the
time before the update?

Thanks for your ideas, Todd.
Randy Yates                      % "She has an IQ of 1001, she has a jumpsuit
Digital Signal Labs              %            on, and she's also a telephone."
mailto://          % %        'Yours Truly, 2095', *Time*, ELO  
