Randy Yates <> writes:
> Hi,
>
> I have a typical home network that looks like this:
>
> machine type        connection type
> ------------        --------------
> desktop pc 1        wired
> desktop pc 2        wireless
> laptop              wireless
> network printer     wired

Hi Randy, long time no chat. Sorry to reacquaint in these circumstances.

> dlink dir 655 router

How updated is that dlink?
http://news.softpedia.com/news/Syman...ty-81730.shtml

Have you checked its configuration lately? Any possibility it's been compromised and, say, you have a PC or two sitting mysteriously in the DMZ of the router instead of on the LAN? Any port forwards you didn't put in there yourself?

> Time-warner "surfboard" cable modem
>
> I run Fedora 11, fully updated, on all computers.
>
> I have the vnc port blocked at the router so I presumed it was safe to
> leave my vnc passwords open on machines on my local network.

Is that to say you had no vnc passwords set? If so, with any one point compromised on your LAN, finding vnc into anything would be trivial of course. Has that laptop ever ventured outside of your friendly LAN to a public wireless network perchance?

> Also, due to a wireless network adapter card that's not very
> well-supported under Fedora 11, I was forced to run WEP security on my
> wireless network. Yeah yeah, I know - that's no security at all.

Oy... that's... pretty bad.

> Well, some stranger vnc'ed into my laptop. I was there when it happened
> and the vnc server I'm using (fedora 11) displays the connection's ip
> address and it was 119.205.217.141.

Yikes. That sucks. Any router logs to speak of?

> If the reported address of the intruder was a typical local, private
> network address like 192.168.x.y, I'd just chalk it up to a neighbor
> that hacked my network. But 119.205.217.141 is a public IP address
> somewhere in Asia. So I'm thinking he must have come in over the WAN
> port.

I'd vote WAN attack as well.

Now the interesting question is how the hell did someone outside vnc into that box and have vnc report that external IP... because had they done it by port forwarding over SSH (if your assumption that only SSH is coming in was valid), then VNC would report the LAN IP of your desktop PC as the client IP address. That it's reporting a foreign IP suggests either a direct inbound connection (i.e. modification of your router's port forwarding) or... more likely, something client-side initiated a reverse VNC session from your VNC server to a waiting/listening client at that 119. IP address. The trigger for that reverse vnc initiation could have been a flash or pdf file being viewed, or any client-side exploit.

> But if he came in over the WAN port (e.g., over ssh), he would have
> had to make a hop via my desktop pc since that's where ssh is NATed
> to. Further, the desktop PC's ssh port was non-standard, root
> access is disabled, and the main account password is quite long and
> secure.

Though I doubt this was the path due to the issues above, I'll comment that a non-standard ssh port is immaterial, as it would be cheerfully mapped to there by the NAT router's port forward, so the only trick would be to find the listening ssh server on the router from the outside. However, if your ssh server is up to date and your password very long, that'd suggest someone brute forcing the sshd to be rather unlikely. There is a rumored openssh 0day out there for the past month, but I don't think it's ever been corroborated.
http://isc.sans.org/diary.html?storyid=6742

In addition, there are javascript and cross site scripting payloads out there that implement port scanners inside the browser, so if you happen upon a vulnerable website that's been XSS'd by a bad guy, and suddenly you're running the bad guy's javascript in your browser, the bad guy could be port scanning your internal network from your computer/browser, and sending results off in the form of http requests out from your browser. Escalation to a shell from there relies on finding some sort of browser vulnerability, of which unfortunately there have been many, many recently. There are even now signed java applets an attacker can inject once inside your browser that can cheerfully drop a rootkit or metasploit meterpreter payload. If lucky, you might be prompted to accept the java applet, but as it'd have been signed by something that looked trusted, you may not have known.

> So I feel it is highly unlikely he came in over the WAN port, but if
> he came in over the wireless, I don't see how he could have a public
> address in Asia.
>
> Any theories on how my security was breached would be appreciated.

It could be explained most simply as a client-side attack: an infected attachment in email or a drive-by attack on a website with infected content (how diligent have you been updating Acrobat Reader and Adobe Flash or Firefox in the past 6 months? They've all had quite a TON of issues, some unfixed for decent chunks of time since the 0days were spotted in the wild).

--
Todd H.
http://www.toddh.net/
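An added example, not from the original thread, of the distinction the reply draws: whether a VNC session is a direct inbound connection to the server, a reverse session the server opened outward to a listening viewer, or a loopback peer consistent with an SSH tunnel. It parses a constructed `ss -tn` style socket listing and assumes the usual RFB display ports 5900-5909 and the conventional reverse-VNC viewer listening port 5500.

```python
import ipaddress

# Constructed sample of `ss -tn` output (not captured from the poster's machine).
# Columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_SS_OUTPUT = """\
ESTAB 0 0 192.168.1.20:5900 192.168.1.10:48212
ESTAB 0 0 192.168.1.20:5900 119.205.217.141:51377
ESTAB 0 0 192.168.1.20:41022 119.205.217.141:5500
ESTAB 0 0 127.0.0.1:5901 127.0.0.1:39876
ESTAB 0 0 192.168.1.20:22 192.168.1.10:50111
"""

VNC_SERVER_PORTS = range(5900, 5910)  # RFB displays :0 through :9 (assumed range)
VNC_LISTENING_VIEWER_PORT = 5500      # conventional reverse-VNC viewer listen port


def split_endpoint(endpoint):
    """Split 'host:port' into (host, int port); rpartition tolerates IPv6 colons."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def classify_vnc_sessions(ss_output):
    """Return (direction, peer_host, origin) for every established VNC socket."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        _, local_port = split_endpoint(fields[3])
        peer_host, peer_port = split_endpoint(fields[4])
        if local_port in VNC_SERVER_PORTS:
            direction = "inbound"   # a viewer connected to this server
        elif peer_port == VNC_LISTENING_VIEWER_PORT:
            direction = "reverse"   # this server connected out to a waiting viewer
        else:
            continue                # not a VNC socket (e.g. the ssh session)
        addr = ipaddress.ip_address(peer_host)
        if addr.is_loopback:
            origin = "loopback"     # what an SSH port-forwarded viewer looks like
        elif addr.is_private:
            origin = "lan"
        else:
            origin = "public"       # direct WAN peer: router forward or reverse VNC
        findings.append((direction, peer_host, origin))
    return findings


def public_vnc_peers(ss_output):
    """Only the sessions whose far end is a public address, for alerting."""
    return [f for f in classify_vnc_sessions(ss_output) if f[2] == "public"]
```

A viewer tunnelled over SSH shows up as a loopback or LAN peer; a public peer in either direction is the case the reply says needs explaining.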